29

Download as pdf or txt
Download as pdf or txt
You are on page 1of 141

MANUAL ON INTERNAL AUDITING

CA.Rajkumar S. Adukia
rajkumarfca@gmail.com
+91 93230 61049
INDEX
Section 1: Foundation of Internal auditing
1.1 What is internal auditing?
1.2 History and background
1.3 Purpose of internal auditing
1.4 Scope of internal auditing
1.5 Role of auditors
1.6 Organisational Independence and Objectivity
1.7 Professionalism

Section 2: Types of internal Auditing


2.1 Financial Audits.
2.2 Operational Audits.
2.3 Grant Audits
2.4 Project Audits
2.5 Information System Audit
2.6 Compliance Audits
2.7 Investigative Audit
2.8 Due diligence

Section 3: Managing Internal Audit


3.1 Organising the department
3.2 Audit Staff
3.3 Managing the Audit
Audit Planning
Risk Management
Engagement memorandum

Section 4: Audit programme and procedures


4.1

Field survey

4.2

Audit programme

4.3

Audit procedures

4.4

Evaluation of internal control system

4.5

Audit sampling

4.6

Audit Tests

4.7

Specimen letters

Section 5: CAATs
5.1

Definition

5.2

Need

5.3

Techniques

5.4

Commonly used Audit Software

Section 6 : Audit Work papers


6.1 Importance
6.2 Functions
6.3 Organisation
i. Document organisation
ii. CAAT work papers

6.4 Review of work papers


6.5 Retention and Custody

Section 7: Audit Reports and Communication


7.1 Purpose of Audit Report
7.2 Types of Audit Report
7.3 Form and content of audit report
7.4 Style and Attributes
7.5 Audit Reporting Cycle
7.6 Evaluation and Follow up
7.7 Specimen Internal audit report
Section 8 : Relationship Management
8.1

Internal Audit and Audit Committee

8.2

Relationship with management

8.3

Working with External Auditors

8.4

Relationship with regulators

Section 9 : Overview of Standards in Internal Audit


9.1 Standards on Internal Audit (SIA) issued by ICAI
9.2 Internal Audit Standards issued by IIA

Section 1. Foundation of internal auditing

1.1 What is internal auditing?


1.2 History and background
1.3 Purpose of internal auditing
1.4 Scope of internal auditing
1.5 Role of auditors
1.6 Organisational Independence and Objectivity
1.7 Professionalism

1.1 What is internal auditing?


Internal auditing is an independent, objective assurance and consulting
activity designed to add value and improve an organisations operations. It helps an
organisation accomplish its objectives by bringing a systematic, disciplined approach
to evaluate and improve the effectiveness of risk management, control and governance
processes.
Internal Auditor can make:

an objective assessment of operations and share ideas for best practices.

provide guidance for improving controls, processes and procedures,


performance, and risk management.

Thus, internal audit activity can play an important role and support the board
and management in fulfilling an essential component of their governance mechanisms.
The internal auditor furnishes analysis, appraisals, recommendations, counsel and
information concerning the activities reviewed. The internal auditor can suggest ways

for reducing costs, enhancing revenues, and improving profits.

A Partnership...

It is worth remembering that internal audit works in partnership with management


and provides the board, the audit committee and executive management assurance that
risks are held at bay and the organizations corporate governance is strong and
effective. They work in the same team and want the organisation to be and remain
successful.
.

1.2 History and background


In 1930s, growth and expansion made it increasingly difficult for organizations to
maintain control and operational efficiency. The World War further expanded
organizations responsibilities for scheduling, managing with limited materials and
labourers, complying with government regulations, and an increased emphasis on cost
finding. It was difficult for management to observe all the operating areas or be in touch
with everybody. Then, special staff was appointed to report on happenings in the
company who later came to be known as Internal Auditors.

The internal auditing function varied greatly between organisations and a number of
internal auditors pushed vigorously for greater understanding and recognition of the
internal auditing function. One such person was John B. Thurston, head of the internal
auditing function at the North American utility company. He is credited with being the
person most responsible for the creation of The Institute. He was joined by Robert B.
Milne, general auditor of the Columbia Engineering Corporation, and Victor Z. Brink,
a former auditor and Columbia University educator who authored the first major book
on internal auditing. They gathered friends and associates from the utilities industries,

public accounting firms, and other industries, 25 of whom agreed to participate in


forming a new organization for internal auditors.

On November 17, The IIAs Certificate of Incorporation was filed which officially
established The Institute of Internal Auditors name; recognized The Institute as a
membership corporation; and identified corporations specific purposes

1.3 Purpose of Internal Auditing


Its the responsibility of the Board to ensure that risks are managed and controlled. This
task is delegated to the executive management which

Determines the risk appetite of the organisation

Establishes the risk management framework

Identifies potential threats and assesses risks

Decides on response to risks like implementation of control

monitors and coordinates the risk management processes and the outcomes,

provides assurance on the effectiveness of risk management processes

This assurance from the management is fundamental. There is a need for additional
assurance from a different source. Internal audit can be the key source providing
objective assurance that all the significant risks have been identified, risk management
process is working effectively and efficiently, risks are being reported and controls are
effective. As part of this work, the internal audit activity will provide advice, coaching
and facilitation services to assist executive management in carrying out their
responsibilities.

1.4 Scope of Internal Auditing

The external auditors have to express an opinion on accuracy and fairness of financial
information. The scope of internal audit is much wider than statutory/external audit. It
should ideally cover all the organisations activities. They include:

Financial audit accuracy, completeness and fairness of financial


statements

Operational audit- effectiveness and efficiency of operations

Safeguarding of assets

Review of projects

Management audit

Fraud detection- developing fraud exposures for every audit and


detecting red flags

Review of effectiveness of internal control

Compliance with laws, regulations, policies and procedures

Preservation of ethical culture monitor the ethical climate and report on


red flags that may compromise ethics

Providing advise on reducing waste or inefficiency

1.5 Role of Auditors


The auditors opinion on the truth, fairness, accuracy etc. of the financial statement
imposes a larger responsibility on the auditor, which transcends the relationship with
the client. The external auditor has to maintain total independence from the client. The
auditor is supposed to be a watchdog. Government, creditors, investors and the
business and financial community rely on the independence, objectivity and integrity of
the auditors for maintaining confidence in operations of a company.
Roles & responsibilities of auditors
Responsibilities of Internal Auditor

Internal Audit is a service to management. Its functions include examining and


evaluating internal control and providing assurance to the management. It is a part of
the organisation's system of internal control and its scope includes ALL aspects of
internal control, not just financial control. The scope of internal audit is much wider
than statutory/external audit as discussed in detail above. It should ideally cover all the
organisations activities.
Responsibilities of External Auditor
External auditors have to express an opinion on accuracy and fairness of financial
information. An external audit programme encompasses a full-scope financial
statement audit, an attestation of internal controls over financial reporting, or other
agreed-upon external audit procedures.
A typical report includes inter alia , information on :

Whether they have obtained all the necessary information

Whether the companies has kept all the requisite books of accounts

Whether the financial statements are in conformity with books of accounts

The financial statements present a true and fair view of the state of affairs

Proper records for assets, inventory, loans etc. have been maintained by the
company

Adequacy of internal control procedures

Existence of internal audit system commensurate with nature and size of


business.

Details of statutory dues and matters under litigation

Although internal and external auditors have different and clearly defined roles they do
share the same broad purpose of serving the public by helping to ensure the highest

standards of regularity and propriety for the use resources and in promoting efficient,
effective and economic administration.

1.6 Organisational Independence and Objectivity


The internal audit activity should be independent from the activities it audits. It
should also be free from interference in determining the scope of its work, in
performing its duties and in communicating the results. To maintain its independence,
it should have solid-line reporting relationship to the audit committee with a dottedline reporting relationship to a senior executive in the organization for administrative
purposes i.e. it should report functionally to those responsible for governance (which
can be the audit committee, the board of directors, or another appropriate body) and
administratively to an appropriately senior level within the organisation.
The audit committee should safeguard internal audit independence by regularly
reviewing and approving the internal audit charter and mandate.
Administrative matters relate to the organisations management structure; and
the reporting line for them should facilitate the activitys day-to-day operations. The
chief audit executive should have the appropriate seniority in the organisation so that
the person has sufficient authority. This will reinforce the organisational status of
internal auditing and support its unrestricted access to staff and information.

The activity has to safeguard its independence by getting involved in functional


activities like setting the risk appetite for the organisation, decision-making, and
implementation of responses. It can play the role of facilitator but should not be
accountable for implementation of organisations response to risks or any other
operational responsibility.

1.7 Professionalism

In the current scenario, the demands for professionalism, knowledge and integrity has
increased manifold. To be effective, auditors must serve as objective assurance
providers and advisors to the other participants in the governance process like Board of
Directors and the audit committee; provide guidance on improving operational
efficiency and control; evaluate risk and advise the management on risk identification,
risk tolerance and risk management.
The scope on internal audit has widened and may cover the whole gamut of
organisations activities. It is the internal auditor's task to operate within the framework
of professionalism to assist the company in achieving the highest-quality results and
long-term objectives. This calls for clear and concise guidance that can be readily
adopted and followed regardless of the industry, audit specialty, or sector.

Proficiency
Internal auditors need to have the knowledge and skills to perform their
individual responsibilities. If the knowledge, skills, or other competencies needed to
perform all or part of the engagement are not available within the internal audit staff,
then the chief audit executive should obtain competent advice and assistance from
outside the activity.
Though the internal auditors are not expected to have the expertise of a person whose
primary responsibility is detecting and investigating fraud, they should have sufficient
knowledge to identify the indicators of fraud.

Due Professional Care


The internal auditor is expected to apply due professional care which is expected from a
reasonably prudent and competent internal auditor. The internal auditor should
exercise due professional care by considering the:

10

Extent of work

Adequacy of risk management, internal control procedures

Probability of errors, misstatements or irregularities.

Cost incurred in relation to expected benefits

Continuing Professional Development


Internal auditors should enhance their knowledge, skills, and other competencies
through continuing professional development.

Professional Behaviour
Internal auditors need to act professionally and maintain the good reputation of
the profession. The organisation should benefit from the internal audit activity in its
risk management and internal control process.
An auditors responsibility is not limited to satisfy the needs of an individual
employer. The standards of the accountancy profession are heavily determined by the
public interest, for example - Internal auditors provide assurance about a sound internal
control system which enhances the reliability of the external financial information of the
employer. Accountancy and audit bodies like IIA and IFAC have formulated some
important principles of behaviour.

Independence
Professionalism entails a heavy responsibility. It means subscribing to a Code of
Conduct. The professional internal auditor needs to have independence to provide an
objective, unbiased opinion. They can never have complete independence but they need
sufficient independence.

11

The Institute of Internal Auditors Code of Ethics provides internal auditors with
sufficient mechanism for reporting of audit results, findings, opinion or information.
The auditor can report to the appropriate level of management and there should be no
need to report in an unauthorized manner to anyone outside the organisation.
Only if the matter is not resolved satisfactorily, or the services of auditor are terminated
due to that, he should secure the advice of outside counsel.

12

Section 2-Types of Internal Audit

2.1 Financial Audit


2.2 Operational Audit
2.3 Grant Audit
2.4 Project Audit
2.5 Information system audit
2.6 Compliance Audit
2.7 Investigative Audit
2.8 Due diligence

2.1 Financial Audit


This type of audit involves a thorough review of a departments records and reports, in
order to check that assets and liabilities are properly recorded on the balance sheet, and,
all profits and losses are properly assessed.
In financial audits, significance or materiality is usually defined as a monetary value
Consequently, planning decisions mainly involve the intended degree of audit
assurance and the extent of audit work required to provide it. The requirements will
vary from one organisation to another and applicable laws and regulations. Some
activities common to most audits:
o Risk assessment
o Defining Materiality
o Financial statement assertions
o Financial analysis of cash flow statement
o Compliance and substantiative procedures

13

o Analytical procedures
Meeting these objectives involves verification of:
o Revenue
o Sales
o Bank deposits
o Bank reconciliation
o Accounts payable
o Accounts receivable
o Disbursements
o Petty cash transactions
o Loans & Advances
o Assets

2.2 Operational Audit


This type of audit involves a thorough review of a departments operating procedures
and internal controls. They deal with broad performance issues, focusing on whether
funds and resources have been economically, efficiently and effectively managed to fulfill
the mission and objectives. An operational audit includes elements of a compliance audit,
a financial audit, and an information systems audit. In particular, management audits
examine and report on matters related to any or all of the following:

the adequacy of management systems, controls and practices, including those


intended to control and safeguard assets, to ensure due regard to economy,
efficiency and effectiveness;

the extent to which resources have been managed with due regard to economy
and efficiency; and,

14

the extent to which programs, operations or activities of an entity have been


effective.

Conducting operational audit


1. Scope-Unlike financial audit, the objectives and scope of operational audit are

not so clear or well defined. The first step would be to brainstorm along with the
client and define the scope and objectives of audit. It is also necessary to decide
the exclusions to the scope.
2. Set audit objectives -The second step would be to set audit objectives.

Appropriate audit evidence can be gathered only when objectives are clear.
Three elements need to be identified-criteria, cause and effect. They will be
concerned with whether the operating objectives will be met.
Review and update the audit objectives after the preliminary survey.

3. Set scope- To manage expectations on what will be achieved by the audit by

setting the boundaries of what will and will not be included.


4. Gathering information: The sources would be

a. Operating standards
b. Organisation chart
c. Nature of operations
d. Operating reports
e. Senior management
f. Prior audit papers, if available
g. Internet
h. Industry, trade journals and publications
i. Files and papers
5. Preliminary survey: preliminary survey is essential to gain a working

15

knowledge of the operation to be audited, to logically investigate and evaluate


all information. It would be something like:
a. Information on overall business operations.
b. Develop a questionnaire for discussions with staff
c. Interview people within the operation
d. Learn the objectives, goals, and standards of the operation.
e. Ascertain any initial opportunities for improvement.
f. Understand the inherent risks and internal controls.
g. Learn about the people performing the operation key personnel, job
descriptions, evaluation methods
h. Physically inspect operations by touring the entitys facilities
i. Focus on possible cost savings from inefficiencies
j.

Present the survey results


Update (or create) audit objectives based on this larger information bases.

Make the audit plan - time , resources and expertise required, audit programme,
audit tests and identify audit risks

6. Review of Internal Controls: To determine what level of reliance can be placed

on internal controls. This step takes place throughout the audit process. Methods
to review would include
a.

Responses of interviewing staff to control questions in the Internal


Control Questionnaire would indicate areas of control weakness to
concentrate on

b. Prepare flow charts or narrative descriptions


c. Walk-through and limited system testing
d. Evaluate policy and procedures manuals
Results of Internal Control Review: This will provide information regarding
e. Identification of the controls that the auditor will rely on during detailed
testing

16

f. Analysis of the controls


g. Evaluation of the appropriateness of the controls
h. Risk Assessment
7. Existence of controls: It is important to consider whether there are any factors

which might render controls ineffective.


a. Accidental or deliberate avoidance
b. Management override
c. Inadequate Backup and recovery
d. Environmental impact
e. Access control over computer systems
A re-analysis of risk and budget time will need to be done at this stage..
8. Detailed

testing: Carry out sufficient audit tests of compliance and

substantiation to gain sufficient evidence on the objective of the audit. The


testing is aimed at significant controls that have previously been assessed as
adequate to evaluate their effectiveness, and those controls assessed as
inadequate to verify that the required results are not being consistently achieved.

9. Report: the report should inform the recipients of the issues or opportunities for

improvement and provide constructive means of achieving the goals.


.
2.3 Grant Audit
Grant audits include financial and operational elements, but the focus is on compliance
with the financial terms of grant agreements. Usually, when the grant is given, the
receiver is obligated to review grants to determine whether funds are spent for the
purpose for which the funds have been received.
VERIFICATION OF GRANTS:

17

1.

Obtain copies of the Grant application and award documentation (grant file) which
specify the purpose and scope of work to be done with the funds provided.

2.

Review the reporting requirements, if any, included in the grant/sponsorship


agreement. Determine whether the record keeping/reporting process satisfies the
requirements. Note discrepancies.

3.

Determine whether there are limitations on the use of these funds and test to see if
they were observed. Note any exceptions.

4. Verify that the amount of the grant noted in the above documentation was actually
received and deposited in the bank account maintained for that purpose. Note any
exceptions.
5.

Ensure that any unused funds and/or interest earned are returned to the granting
agency. Test to determine compliance with such requirements. Note discrepancies.

2.4 Project Audit


Project audits include review of project cost and performance terms. Usually, project is
a large and complex activity and the entity may not have the appropriate internal
expertise to negotiate and manage these contracts.

Whether it is a commercial business, government entity or a non-profit organisation, all


of them face potential financial hazards of fiscal irresponsibility, theft, scams,
substandard materials or labour. While the organisation finds it difficult to manage the
project , it is the core competency of the contractors who have dedicated staff who help
them secure best terms and maximise returns. As a result, many owners end up with
ineffective expenditure controls for these projects and place too much reliance on their
contractors.
Here the auditors come in. They work with project owners and advise the project owner
through the lifecycle of the project as well as audit transaction documentation for

18

compliance with the terms of the contract. They help in negotiating owner favourable
contract , design and improve expenditure processes and controls; ensure the accuracy
and proper documentation of

for payment; ensure full value is received through

monthly monitoring and on-site inspections; and reduce overall project costs.
Guidelines to project audit
Each organization is unique, and the audit would be based on assessment of internal
controls and the limitations of the audit scope. However, certain issues such as
economic justification, regulatory requirements, policies, and controls over contractor
selection etc. should also be part of the audit package. Given below are few guidelines
that can help auditors to reduce costs and minimize risks to their organizations.
1. Doing a cost benefit analysis: It is necessary that the auditor ask for documented
evidence justifying the project to ensure that it is not the result of poor planning
or wrong assumptions.
2. Regulatory requirements: It is essential to find out regulatory requirements
affecting the project. The auditor should see that all clearances and certifications
are obtained.
3. Administration of project: presence of internal control would go a long way in
efficient management of construction activities.The auditor should see that
following control issues are addressed
a. Review and approval process
b. Project documentation and reporting
c. Construction administration process, including a right-to-audit
clause, change orders, substitutions, project overruns, and lien
waivers.
d. Bid and award process, including project size; contractor solicitation,
reference, and selection; and controls over bid opening
e. Management involvement and risk management

19

4. Bid bonds: A bid bond guarantees that the contractor is insurable and can obtain
a performance bond, which is procured after the bid is awarded. A contractor
who does not have the financial strength to secure a bid bond will be unable to
obtain a performance bond.
5. Adequate coverage by performance bond: In case the contractor fails to perform
in accordance with a contract, the insurance company will reimburse the
organization for the unfulfilled contract amount. If the contractor goes bankrupt,
the proceeds of the bond are available to the owner to finish the project. Certain
things need to be ensured in a performance bond:
a. Whether there is a policy based on acceptable level of risk regarding
performance bond based on acceptable level of risk (which is usually
a monetary amount)
b. Review whether bonds are for adequate amount and contract has not
been broken into smaller parts to circumvent the requirement of
bonds.
c. Review whether senior management is consulted regarding
performance bonding coverage limits.
6.

Review liability coverage and other details: Ensure that the contractor has taken
liability insurance. This provides the organisation protection if an accident or
damage occurs as a result of action of any contractors employee.
a. Ensure that certificate of insurance is taken before the contractors
commence work and retained till completion of project.
b. Ensure that Certificate is current and has not expired
c. Review a sample COI for compliance with coverage in contract
document
d. Confirm that :
i. General liability limits are adequate
ii. Workmens compensation limits are appropriate
iii. Comments and exclusions section is appropriate.

20

iv. the organization is named as the certificate holder.


v. The certificate is signed by the insurance company.
vi. The organization is listed as an additional insured under the
"remarks section" of the COI. Being listed as an additional insured
gives the organization added protection against an independent
third party should someone be injured or property be damaged as a
result of the contractor's operation on the organization's premises.
vii. The insurance coverage minimums or limits stated in

bid and

contract documents are reasonable. Also determine when these


documents were last updated. The risk management department,
senior management, insurance agent, and legal counsel should
periodically evaluate the insurance coverage requirements.
viii. All organizational areas where contracted work can occur are
identified
7.

Monitor or attend relevant meetings: Problems or significant issues can often be


spotted in the minutes of the meetings.
Internal auditors should try to obtain invitations to as many relevant meetings as
possible as direct observations can reveal much more than minutes, which may
be filtered by the manager. Additionally, some safety issues may be prevalent,
and the risk management or legal departments may have discouraged
documentation of certain issues for legal purposes.

8. Look for accounting irregularities -- both intentional and unintentional: Find out
how projects are being coded in the general ledger account and determine
whether the project should remain active. Coding to the wrong project, whether
intentional or unintentional, can result in management decisions that are based
on inaccurate data. Intentional coding to another construction project may be
contrived to avoid scrutiny of a project-cost overrun and requisite approval and
reporting.

21

Obtain construction project management reports and review contracted


amounts, paid-to-date, and cost-to-complete to determine whether all liabilities
have been properly recorded. A payment may have been made for materials that
have not been received.
9. Guard against bid-related internal control breakdowns
Competitive bidding helps to ensure a wider choice of suppliers and products
and higher quality goods and services at lower prices. A request for proposal,
purchase order, or contract document provides adequate authorization for the
purchase, clarifies the expectation of goods and services, and outlines the proper
segregation of duties. This documentation also guarantees that a purchase
decision analysis is made and documented for future reference.
Adherence to a sound system of internal control has never been more important, and
the risks may never have been greater. Internal auditors should not be content to look
only at contract payments. They should assess project-related exposures and
implications from a broad perspective and act to protect and strengthen their
organisations.
2.5 Information Systems Audit
This audit consists of determining whether information systems adequately safeguard
assets, maintain data and systems integrity, achieve organisational goals and internal
controls are adequate to assure that business, operational and control objectives will be
met and unwanted events will be prevented or detected and corrected in time.
Information System reviews include the following:

Reviews of existing or new systems, before and after implementation, to ensure


their security and that they meet the needs of users;

22

Project management reviews to ensure controls are in place to mitigate project


risks or to identify the strengths and improvements required for future projects;

Organizational or operational reviews to ensure the organizations goals and


objectives will be achieved; and,

Specific technology reviews to ensure security and controls are in place

2.6 Compliance Audit


Various programmes and contracts and grants have specific rules and regulations that
must be followed in order to maintain funding. Audits in these areas are usually
restricted to verification that recipients are in compliance with the established
guidelines. Compliance audit would include compliances with:

Laws and regulations

Policies

Standards

Contracts

Compliance audit would entail:

Gathering

information

about

laws,

regulations,

and

other

compliance

requirements.

Understanding limitations of auditing in detecting illegal acts and abuse.

Assessing the risk that significant illegal acts could occur.

The auditor would design and perform procedures based on risk assessment that
would provide reasonable assurance of detecting significant illegal acts.

23

Factors affecting risks

complexity of laws and regulations

newness of laws and regulations

effectiveness of internal control in preventing and detecting illegal acts and acts
of non-compliance.
Sources of obtaining information about Laws, Regulations, and Other

Compliance Requirements

Auditors' training and experience

Auditors understanding of the programme being audited may provide a basis


for recognition that some acts coming to their attention may be illegal.

Auditors cannot determine whether an act, in fact, is illegal. However, auditors


are responsible for being aware of vulnerabilities to fraud associated with the
area being audited in order to be able to identify indications that fraud may have
occurred.

Taking the help of an expert: Auditors may seek help of legal counsel in

designing tests of compliance with laws and regulations

evaluating the results of those tests

Auditors also may find it necessary to rely on the work of legal counsel when
audit objectives require testing compliance with provisions of contracts or grant
agreements.

2.7 Investigative audits


Investigative assignments scrutinize allegations of wrongdoing or breaches of standards
of conduct. Allegations may be internal or external to the organisation and may examine
the records of individuals, organizations and firms with agreements between them and
the organisation
Reasons for conducting Investigation:

24

Internal theft,

misappropriation of assets,

conflicts of interest

Co-ordination for this audit is usually at the highest level in the organisation like with
senior management or security department.

Investigative audits differ from other

audits because they are normally conducted without first notifying the personnel who
may be affected by the findings.

2.8 Due diligence


Due diligence involves investigation and evaluation of a management team's
characteristics, investment philosophy, and terms and conditions prior to committing
capital. The entire process of research , analysis and investigation which has to be
undertaken in advance of an investment, takeover, or business partnership is called
due diligence. The potential investor usually takes the help of the internal audit team or
hires consultants to investigate the background of the target company.
The team doing the due diligence reviews regulatory and press filings ,media reports ,
legal and regulatory issues ,checking for existing and pending lawsuits and other
litigation involving the entity.

The consulting firm may also look for conflicts of

interest, insider trading and other problems. The investigative results may be prepared
in a "due diligence report".
In addition to identifying risks and implications of an investment, due diligence may
include data on a company's solvency and assets., due diligence is the responsibility
you have to investigate and identify issues, and due care is doing something about the
findings from due diligence

25

Section 3- Managing the Internal Audit Function

3.1

Organising the internal audit function

3.2

Audit Staff

3.3

Managing the audit


3.3.1 Preliminary survey
3.3.2 Audit Objectives
3.3.3 Risk Management
3.3.4 Engagement memorandum

3.1 Organising the internal audit function


The internal audit function may be provided by in-house staff or an outsourced team.
Whether internal audit is a part of the organisation or not its structure would depend on:
o Business of the organisation
o Geographical locations
o Culture of the organisation
o Control risks
o Environment
To be effective it needs a strong leader who has the support of both the authorising body
(audit committee, in most cases) and senior management. The Chief Audit Executive
must be a person who understands the overall organisation and has the qualities of a
leader:

26

o Keeps the vision clear


o Co-ordinate activities
o Mediate conflicts
o Identify needed resources
o Manage the budget
o Assure that goals are achieved on time and on budget
The first step a chief auditing executive should take to establish an internal auditing
organisation is to reach an understanding with management and the board of directors
on the rules that will apply to the internal auditing organisation. This understanding
should be in writing in the form of a charter.
3.2 Audit Staff
Audit is a service oriented job, its biggest assets are its people . The firm needs to have
policies and procedures to provide reasonable assurance that they have the sufficient
personnel, with the capabilities, competence and the principles to perform their
assigned responsibilities.
It should have policies to address recruitment, performance evaluation, professional
advancements, compensation and career development.
Hiring
The firm needs to recruit personnel with appropriate characteristics to meet their needs.
Given below are certain illustrative procedures which the department/firm may adopt:

27

1. Designate an appropriately qualified person to manage the human resource


function
2. Establishing criteria to evaluate personal characteristics such as integrity,
competence, and motivation.
3. Having additional procedures for hiring experienced personnel like reference
checks.
4. Deciding on methods of recruitment like media ads, professional institutions or
universities or recruitment agencies and coordinating with them.
5. Training the interviewers and others participating in the recruitment process on
the expectations and requirements of the firm.
Engagement Assignment

The responsibility for each engagement should be assigned to a specific partner.


The partner assigned to the work has the capability, competence and time to
handle the engagement and the workload and availability of the partners is
monitored so that they can provide devote adequate time to discharge the
responsibility There should be policies and procedures requiring that:
1.

Team members: The members should be assigned based on factors such


as:
o

Engagement size and complexity.

Specialized experience and expertise required.

Personnel availability and involvement of supervisory personnel.

Timing of the work to be performed.

Continuity and rotation of personnel.

Opportunities for on-the-job training.

28

2.

The firm should assign appropriate staff with the necessary capabilities,
competence and time to perform engagements in accordance with
professional standards and regulatory and legal requirements.

3. The capabilities and competence considered when assigning engagement


teams, and in determining the level of supervision required, would include:
1. An understanding of, and practical experience with, engagements of
a similar nature and complexity through appropriate training and
participation.
2. Knowledge of professional standards and regulatory and legal
requirements.
3. Appropriate technical knowledge
4. Knowledge of client industry.
5. Ability to apply professional judgment.
6. An understanding of the firms quality control policies and
procedures.

Continuing Professional Education


The firm to make arrangements so that personnel can participate in general and
industry-specific continuing professional educations and professional development
activities.
Promotion and career advancement
While selecting personnel for advancement, the firm should ensure that the person
selected has the necessary qualifications to fulfill the responsibilities they will be called
on to assume. Some procedures, which the firm may have:
1. Designating an appropriate person to frame the firms policy regarding the
qualifications necessary to fulfill responsibilities at each professional level

29

2. Assigning responsibility to one of its partners for making advancement and


termination decisions for staff and recommendations for manager level
advancements and terminations to the firms designated group of partners or
managing body.
3. Counseling personnel regarding their progress and career opportunities.

3.3 Managing the Audit

Internal Audit needs a mission statement or audit charter outlining the purpose,
objectives, organisation, authorities, and responsibilities of the internal auditor, audit
staff, audit management, and the audit committee. A big part of the management
profession is creating and enforcing policies and procedures. Policies interpret and tailor
laws that apply to an organisation; serving as a written record for good practices the
management wants to emphasize and enforce in the organisation, whether or not there
are legal implications. While policies are general, procedures are specific.
3.3.1 Audit Planning
Every audit assignment should be planned carefully prior to its start. Circumstances may
occur which might call for unscheduled reviews or there might be pressures to begin
special audit without delay. However, a properly planned audit will almost always have
better audit results. A long-range audit plan should be developed which should be
reviewed at regular intervals.
Pre engagement activity Matters to be considered before accepting new assignment
would be:
i.

Gathering information on the integrity, competence of the management

30

ii.

Past experience, if any with the management

iii.

Communication with previous auditors

iv.

Significant accounting policies of the client

v.

Assessment of Managements ability to have effective and efficient internal


control

vi.

Financial viability of the entity

The auditor should consider the following matters while planning:


o Nature of work
o Knowledge of business
o Policies and procedures of the entity
o The methods used by the entity to process significant accounting information,
including the use of service organisations, such as outside service centers.
o Preliminary judgment about materiality levels for audit purposes.

i.

Understanding the nature of work: The various sources would be:


- Likely impact of applicable accounting and auditing pronouncements
- Financial statements of the entity
- Prior internal audit reports, external audit reports and reports of any special
audits or investigation of the area assigned.
- Discuss with auditee:
-

Changes in accounting methods or policies

Changes in information processing methods

Timing of preliminary audit work, confirmation procedures,

Assistance required from client personnel

Records required

Facilities required like physical space, computer systems etc.

31

ii.

Knowledge of business
- review the prior audit reports
- policy and procedure manual, org chart, flowcharts etc.
- review financial statements or reports filed with various agencies or regulatory
bodies
- minutes of meetings of stockholders, the board of directors and relevant
committees
- effect of various laws and regulations on financial statement of auditee
- information about nature of entitys business
- client correspondence file
- gain an understanding of type of business, products & services, capital structure,
offices/branches/factories
- obtain knowledge of auditees industry like economic condition, government
regulations, competition, financial trends.
- Other external sources such as industrial publications, ICAI standards and
guidance etc.

iii. Methods used by entity to process information: The methods used need to be
considered as the methods influence the design of internal control. The extent of
computer processing and the complexity of processing will influence nature, timing
and extent of audit procedures.

iv. Determining audit objectives: Objectives based on managements needs, nature of


prior work, available resources and time is an important aspect of planning. General
objectives would be part of audit plan and they should be re-examined before each
audit and defined in detail before each audit.

32

v. Audit Scheduling: on the basis of annual plan and preliminary survey the
manpower requirements and time budgets need to be fixed. The following factors
need to be considered.
-

nature of audit

complexity of work

staff availability

special skills required

audit period

vi. The auditor should consider whether specialized skills are needed for any area such
as the effect of computer processing on the audit, to understand the controls, or to
design and perform audit procedures. If specialized skills are needed, the auditor
should seek the assistance of a professional possessing such skills.

Annual Audit Plan


1. Prepare Annual Internal Audit Plan
o

Conduct a preliminary risk assessment in cooperation with the


senior and line management.

Prepare a Draft Annual Internal Audit Plan based upon the results
of the risk assessment process.

Discuss with audit committee and get a formal approval.

Review the plan on a quarterly basis to ensure that focus remains


on high risk areas.

2. Communicate Annual Internal Audit Plan

33

Distribute the Annual Internal Audit Plan to senior and line


managers.

Keep senior and line managers informed of any changes to the


Annual Internal Audit Plan.

Specific Audit Plan

Notify auditee of audit and arrange for a meeting.

Identify information or documents required initially

Find out whether there are areas which management would like to be
included in the audit

Discuss, finalise and inform auditee


o Audit period
o Estimated start date and duration
o Names of audit staff
o Facilities required like space, computer systems etc.

3.3.2 Preliminary survey


A. The objective of preliminary survey is to get familiar with the areas being
audited. Some of the methods would be :
a. Information about structure and activities of areas being audited:
i. Organisational chart
ii. Key Personnel and their major areas of responsibility
b. Financial information
i. Sources of revenue
ii. Nature of expenditure

34

c. Prior working papers and audit reports and information about past
activities
d. Information about any separate audit in the area being audited.
e. Review any departmental policies and procedures manuals, flowcharts, or
control narratives that may exist.
f. Any activity /area which the management requests to be included

B. Prepare audit planning memorandum containing:


a.

Planned audit scope

b.

Audit objectives

c.

Audit period and estimated start and completion date

d.

Resources necessary for audit

e.

Areas to be reviewed and reasons for exclusions of any area.

3.3.3 Audit objectives


Determining an audits objectives is the most crucial step in planning an internal audit.
Audit objectives refer to the specific goals of the audit. An audit may have several audit
objectives.
Objectives are based on managements needs, nature of prior work, available resources
and time is an important aspect of planning. General objectives would be part of audit
plan and they should be re-examined before each audit and defined in detail before each
audit. Audit objectives should be reviewed with the management or those who have
requested the audit.
Audit objectives often focus on substantiating that internal controls exist to minimise
risks These audit objectives include assurance with regard to:
o Reliability and integrity of financial and operational information.

35

o Effectiveness and efficiency of operations.


o Safeguarding of assets.
o Compliance with laws, regulations, and contracts

3.3.4 Risk management


Risk is a concept used to express uncertainty about events and/or their
outcomes that could have a material effect on the goals of the organisation.
Every company that is in business has to take risks. In order to progress, a business
entity has to identify risks, evaluate them, decide if they are at an acceptable level and,
if they are not, design controls to respond to those risks. After controls have been
identified to mitigate risks, the effectiveness of controls has to be evaluated on a regular
basis. This is risk management.
Risk management has to be integrated into the organisations culture and
embedded in all its day-to-day and periodic activities. Enterprisewide risk
management is a structured, consistent and continuous process across the whole
organisation. The overall responsibility for risk management lies with the Board.

Internal auditing activitys role with regard to Risk Management is to provide


objective assurance to the board on the effectiveness of an organisation's ERM activities
in managing key business risks and that the system of internal control is operating
effectively. The Chief Audit Executive (CAE) has to ensure that the internal audit
activity maintains its independence and objectivity when providing assurance and
consulting services.
The Institute of Internal Auditors (IIA) position paper The Role of Internal
Auditing in Enterprise-wide Risk Management provides guidance to the internal
auditor as to what roles internal auditing should and should not play throughout the
ERM process. The internal audit activity can be involved in providing assurance that
risks are identified, reported, evaluated, mitigated and reviewed regularly.

36

The roles which auditing should NOT undertake

Setting the risk appetite.

Imposing risk management processes.

Management assurance on risks.

Taking decisions on risk responses.

Implementing risk responses on management's behalf.

Accountability for risk management.

Internal auditors should provide advice, and challenge or support management's


decisions on risk, as opposed to making risk management decisions. The nature of
internal audit activitys responsibilities should be documented in the audit charter and
approved by the audit committee.

3.3.5 Engagement letter / engagement memorandum


Prepare an engagement memorandum or auditee that communicates final objectives
and any changes to planned completion of audit.
The internal auditor should send a letter of engagement to the management stating:

Objectives of Internal Audit

Management responsibility for preparation of the financial statements

Scope of the Internal Audit

Management's responsibility for selection and consistent application of


appropriate

accounting policies, including implementation of the applicable

accounting standards along with proper explanation relating to material

37

departures from those accounting standards.

Unrestricted access to relevant records, documentation and other information


requested in connection with the audit.

The fact that the audit process may be subjected to a peer review under the
Chartered Accountants Act, 1949.

Section 4: Audit programme and procedures

4.1

Field survey

4.2

Audit programme

4.3

Audit procedures

4.4

Evaluation of internal control system

4.5

Audit sampling

4.6

Audit Tests

4.7

Specimen letters

4.1 Field survey


This is very critical step as it allows auditor to determine the scope and extent of audit
effort. It is done in advance of detailed testing and analysis work. The auditors can
familiarise themselves with the system and control structure. Typically the audit team
would consider:

The organisational structure and the responsibilities of key members.

Manuals of policies and procedures and applicable regulations.

Management reports and minutes of meeting.

Walkthrough of activity

Discussions with key personnel

38

The field survey is the initial contact point and might take one or two days depending
on the size of the audit.
The completion of field survey helps the auditor to understand key systems and
processes. If the information during preliminary audit planning is imperfect , the audit
team can make adjustments to planned audit scope .
4.2 Audit programme
After the conclusion of preliminary survey, the auditor has a fair idea of the audit
objectives and the control systems. At this stage the audit programme should be made
providing the proposed procedures, budgeting and basis for controlling the audit. The
audit programme will prevent the auditor from going off the scope pursuing irrelevant
items and help in completing the audit project in an efficient manner.
Things to be considered while preparing audit programme

Needs of potential users of the audit report.

Legal and regulatory requirements

Management controls

Significant findings and recommendations from previous audits that could affect
the current audit objectives. Also determine whether corrective action has been
taken and earlier recommendations implemented.

Potential sources of data that could be used as audit evidence and consider the
validity and reliability of these data.

Consider whether the work of other auditors and experts may be used to satisfy
some of the audit objectives.

Provide sufficient staff and other resources to do the audit

Criteria for evaluating areas under audit.

39

Framing the programme:

Review the results of preliminary survey with audit supervisor

The audit team holds a meeting with the audit supervisor to decide on the priority
/ high risk areas and tests to be conducted.

Provide a general overview of the auditee's operations. Include in the narrative


statistical and monetary information, locations, authority, staffing and main duties
and responsibilities.

The programme should consist of detailed directions for carrying out the
assignment.

Prepare draft audit programme and document transaction flows.

Audit programmes should be consistent. Some organisations may have


standardised audit programmes.

It should contain an estimate of the time necessary to complete the project

Number the audit programme steps consecutively.

Have the final programme reviewed by Audit supervisor and Audit manager.

All major changes must be documented in writing and the reason documented.

The audit programme should contain a statement of the objectives of the area
being reviewed. These objectives would be achieved through the detailed audit
programme procedure. Objectives should fit within the overall scope of the audit.

Every audit procedure should help answer one of the objectives and every
objective should be addressed in the procedures or steps.

40

The tests have to be designed in such a manner that they achieve their objectives.
Use imagination, ingenuity and intelligence in creating audit steps responsive to
objectives.

The goals should be made amply clear by prefacing major steps with : to test
whether . . .; or, to determine that . .

TIME BUDGET

At the planning phase an estimated time budget should be prepared to control


the audit and complete it efficiently. The detailed project time budget should be
completed at the conclusion of the preliminary review. The time budget should
be approved by the audit manager and audit administration. This budget will
include all time necessary to complete the audit, from assignment through
issuance of the final report.

Planning should continue throughout the audit. Audit objectives, scope, and
methodologies are not determined in isolation. They have to be determined together, as
the considerations in determining each often overlap.
Audit Evidence
Evidential matter obtained during the course of the audit provides the documented
basis for the auditor's opinions, findings, and recommendations as expressed in the
audit report.
Types of audit evidence
Evidence may be categorized as physical, documentary, testimonial, and analytical.

Test of Evidence

41

Internal auditors are obligated by professional standards to collect sufficient,


competent, relevant, and useful information to provide a sound basis for audit findings
and recommendations.
They would usually hold true but they might not be valid in all cases.
a. Evidence obtained from a credible third party is more reliable than that secured
from the auditee.
b. Evidence developed under an effective system of management controls is more
competent than that obtained where such controls are weak or nonexistent.
c. Evidence obtained by the auditors themselves through direct physical
examination, observation, computation, and inspection is more competent than
evidence obtained indirectly.
d. Original documents provide more competent evidence than copies.
e. Person providing the evidence: Information obtained from a person having
knowledge of the area would be more reliable
f. Objective evidence would be more reliable than the evidence which require
judgment.

The sufficiency, competence and relevance of evidence depends on the

source of

information.
4.3 Audit procedures

Programme step procedures should be in enough detail so that an experienced auditor


could carry out the task with normal supervision. An audit causes disruption and
interruptions in the day-to-day operations of an enterprise and it is advisable that the
auditors provide a tentative schedule of the planned audit work (unless it is a surprise

42

audit ). Documentation should be kept for each step that would generally be in the form
of working papers.
Review and Evaluation of Internal Control Environment
The auditor will have to review the internal control structure .The effectiveness and
efficiency of the internal control will determine the extent of tests to be performed. This
evaluation will also provide assurance on whether the systems are functioning
properly. The auditor should provide for tests in the audit programme which could be
in the form of interviews, internal control questionnaires , checklists, audit tests.
Matters to be considered while evaluating internal controls

Identification of risks

Internal control structure put in place to prevent, detect, correct undesired events

Whether the control structure is functioning as desired

Identification of weaknesses in the structure and their effect on auditing


procedures .

Procedures to evaluate internal controls:

Description of system of internal control

Flowcharts

Internal Control Questionnaires

Tests of compliance are performed to obtain sufficient evidence that the system is
operating in accordance with the understanding the auditor obtained from the
review. The nature, timing, and extent of tests of compliance are closely related
to the control procedures and methods studied by the auditor.

4.4 Audit sampling

43

The auditor can meet the audit objectives through detailed review of the audit evidence.
Review of the entire population is not possible where the auditor has to examine large
number of items .The internal auditor needs a consistent approach to draw a sample
from the data and draw conclusions from that sample. The challenge here is that the
sample should be representative of the entire population. Any situation in which one
has to draw conclusions based on an inspection of part of a population should consider
using statistical sampling techniques.
Any form of sampling, whether statistical or judgmental, is an application of a
procedure to less than 100% of the population. Under sampling there is always a risk
that some or all errors will not be found and the conclusions drawn (i.e. all transactions
were proper and accurate) may be wrong.
Audit sampling can be of two types-statistical and non-statistical. Statistical sampling is
a mathematical based method of selecting a sample representative of the population
while non statistical sampling or judgmental sampling is not based on mathematics.
The type of sampling used and the number of items selected should be based on the
auditors understanding of the relative risks and exposures of the areas audited. The
description of the methods used and reason for selection should be documented in the
audit programme and approved by audit administration.
Sample Selection Techniques
The manner in which the population is filed or distributed will determine the kind of
selection techniques to be used to select the sample. Several techniques are available :
1. Estimation Sampling : There are two types of estimation sampling.

Attributes Sampling.

Variables Sampling.

44

2.Acceptance Sampling
3. Discovery Sampling
4. Judgment Sampling
Sampling selection technique
The more commonly used sampling selection techniques are :
1. Unrestricted Random Number.
2. Interval Sampling
3. Stratified Sampling.
4. Cluster Sampling.
Evaluation of Results
Whatever sampling plan or selection technique is used conclusion has to be drawn from
the test results. The auditor should keep in mind few rules for better evaluation:
1. Findings for each characteristic being tested should be evaluated separately
2. The auditor has to decide upon the "acceptable error rate" after a full study of the
surrounding circumstances.
3. When significant errors are found , the auditor should extend the examination or
apply other procedures to attempt to determine the cause and effect of the
exception.

4.6 Audit Tests

45

The Auditor performs tests to validate processes and controls. This would include
performance of substantive testing which tests the efficiency of internal control to
ensure completeness, accuracy or validity of the accounts or transactions .
Given below are the various tests that the auditor would perform:
Tests involving continuing interaction with client staff and other parties

Facilitated meetings

Interviewing

Questioning

Surveys

Confirmation/Representation

Tests carried on by audit team

Observation and Inspection

Documentation Review

Analytical review

Data Analysis

Vouching & Verifying

Reconciliation

Recalculation & Valuation

Facilitated Meetings
Inquiry involves meeting of concerned officials from different departments and key
stakeholders affected like customers and vendors. This method requires lot of efforts in
organising such a meeting. A facilitator is required so that the group does not diverge

46

from its objectives Example: meeting of purchasing , accounts payable ,stores and user
department to understand the cycle of purchases
Interview: Direct interaction facilitates greater understanding of the business processes
as the interviewer can seek clarifications and details on the spot. It has all the
advantages of face-to-face communication like establishment of rapport, personal
opinions on issues and solutions.
The type of information received depends on the skills of the interviewer. The
interviewer has to make the person feel at ease and glean significant information.

Questioning:This is the most pervasive technique and should be used with care so that
the auditee is not needlessly alienated .The auditor may seek management reaction
through questioning in case of deficiencies or error.

Surveys:Surveys are commonly used to gauge perceptions of a business activity. They


are an efficient method of reaching a large number of people .The administrator does
not require any special training and the responses can be quantified.
It requires lot of time and skills to create the survey document. People may give
inappropriate or inaccurate replies, as there is less sincerity in filling up survey forms.
Confirmation/ Representation: Usually there are standard formats for confirmation
which are sent by the auditor to the relevant party. The responses are mailed
directly to the auditor.
Observation and Inspection: These methods are used to understand processes and
activities. Observing involves a careful, knowledgeable look at documents
processed, activities and assets. These tests need to be corroborated with other
evidence as it would be time consuming or even impossible to observe large

47

number of activities. Also random observation will not provide adequate


evaluation.

Documentation Review: This is the most widely used method and a large number of
data can be objectively verified. This involves a review of existing reports and
documents to identify controls, to understand the business or process, and to provide
evidence in supporting audit conclusion.
Analytical review: Analytical auditing procedures provide an efficient and effective
method of comparing relationship among data. As the relationship among data is
compared against a pre-defined expected relationship which is expected to continue in
the absence of unusual or non recurring transactions.
Some Analytical tests are trend analysis, benchmarking and ratio analysis

Data analysis & exception tests: This involves analysis and query of historical data files
to identify trends, exceptions. It can be used to understand volume or magnitude of
events to understand whether they are significant. It is used for identifying duplicates
or gaps in sequences or aging summary of receivables

Vouching & Verifying:It is another very popular method .The transactions or events
are verified against supporting documents for accuracy and validity. Examination of
accounting transactions against bills, attendance register against wage payments are
some examples.

Reconciliation :It is an audit test to match two sets of data which provides similar
information and analyse the variances between them. It may help in detecting frauds or
errors.

48

Recalculation & Valuation tests: The auditor may recalculate certain figures like
interests or instalments payable on a loan to verify the accuracy .the auditor may also
take the help of an external expert to revalue certain expensive assets.

4.7 Specimen letters

49

Information request list


The following information is requested to facilitate our understanding of your
departmental operations and activities. This list is not intended to be all-inclusive.
Additional information or questions may be required throughout the course of the
audit. . Please feel free to advise us of any additional information/documentation not
listed below that may be useful to us in the conduct of this audit.

Departmental organizational chart.

List of all accounts (numbers and account titles) maintained by your unit.

Statement of Account and annual statements for the three fiscal years for the
department.

Operating and/or comparative analysis reports prepared or issued by your


department on an annual basis for the past three fiscal years.

Key departmental productivity and performance measures for the past three
fiscal years i.e., productivity measures used for budgeting purposes, etc.

Description of significant departmental processes (include flowcharts if


available).

Internal policies and procedures manual.

Copies of external regulations applicable to the department.

50

Reports, surveys, etc. issued by external entities to the department.

51

Audit notification to Auditee

<On the letterhead of Chartered Accountant >


June 20, 200X

Mr. <Name>
CEO, <Company Name> Limited
<Address>
Dear Mr. <CEO>

A routine conformance audit of <Company Name> is scheduled for the period


<dates>, 200X. This audit will include the main office at <office name>as well as the
two sub-branches at <location1> and <location2>.

The objective of this audit is to conduct an analysis of <Company Name>


Limiteds policies and procedures to ensure that legislative requirements are met and
an acceptable level of internal control is maintained. Standard audit procedures will be
used including interviews with key personnel, facility inspections and a review of your
companys approved programmes and manuals. A detailed audit plan, including the
estimated hours required and names of audit team members and their areas of
responsibility will be sent prior to the actual review.

We would like to schedule a pre-audit meeting with your management


personnel before June XX at a time and date convenient to you and an exit meeting 20
days from the beginning of the review process. The pre-audit meeting will help in
introducing the audit team to company management, provide a review of the audit

52

process and inform the management of the audit process and regulatory
responsibilities. The exit meeting will summarize the audit results and identify specific
post-audit responsibilities where applicable.

The review will emphasise on the controls in the recently implemented financial
system. We will need to access your financial accounting system and its reports. We
plan to use some automated testing on your files .Please arrange for the system access
and working space for our audit team.

Should you require any further information or clarification, please contact the audit
manager<name>, at <number>.

Yours truly,
<Name>
<Designation>
Membership No. <Number>

53

Section 5 -Computer Assisted Audit Techniques


5.1.Meaning
5.2 Need for CAATs
5.3 Determining the need for CAATs
5.4 Types of CAATs
5.5 Commonly used Audit Software

5.1 Meaning of Computer Assisted Audit Techniques


Internal auditors require audit evidence to support their audit conclusions. With
automation, it is a challenge to internal auditors to review, and understand these
paperless documents and procedures to support their audit conclusions. It is not
enough to audit around the computer or select and review items from output reports
and display screens. Internal auditor can have greater reliance and independence if they
use their own specialized file retrieval procedures. This can be achieved by using
computer assisted auditing techniques. A CAAT is auditor controlled and can be run on
production data to test, summarise or analyse data on computer files.

5.2 Need for Computer Assisted Audit Techniques


Auditors make use of computer-assisted audit techniques (CAATs) to improve audit
coverage by reducing the cost of testing and sampling procedures that otherwise would
be performed manually. With the widespread use of computerized financial and other
record keeping, using CAATs has now become a necessity for audit of most
organisations. CAATs provide reasonable evidence required to support audit

54

conclusions in paperless environment. They provide a more efficient and reliable


method to review items recorded in computer files.
CAATs may be used in performing various audit procedures like:
Tests of transactions and balances, such as recalculating interest;
Analytical review procedures, such as identifying inconsistencies or significant
fluctuations;
Compliance tests of general controls and application controls;
Sampling programs to extract data for audit testing;

Penetration testing.
5.3 Determining the need for CAAT
One thing however needs to be considered- CAATS might not always increase audit
efficiency or be cost effective. Certain processes may not be right for CAAT.

Need for CAAT depends on:


Audit Objective
Nature of data to be reviewed
Availability of requisite CAAT tools
Availability of skilled audit staff

5.4 Types of Computer Assisted Audit Techniques.


CAATs include many types of tools and techniques, such as generalized audit software,
utility software, test data, application software tracing and mapping, and audit expert
systems. CAATs may be:

55

Developed by internal programming staff or by outside programmers


with audit department supervision;

Purchased generalized audit software, e.g., audit packages offered by


CPA firms or software vendors;

Developed by IT auditors; or

Acquired from equipment manufacturers and software houses to analyze


machine, programmer, and operations efficiency.

Whatever the source, audit software programs should remain under the strict control of
the audit department. For this reason, all documentation, test material, source listings,
source and object program modules, and all changes to such programs, should be
strictly controlled. In installations using advanced software library control systems,
audit object programs may be catalogued with password protection. Computer
programs intended for audit use should be documented carefully to define their
purpose and to ensure their continued usefulness and reliability.

Types of computer audit software


Generalised Audit software tools
Specialised audit test and analysis software
Utility software
Test data techniques
Expert systems
Embedded audit procedures

With the use of Audit Software, auditors can directly obtain evidence to the quality of
records produced and maintained by clients systems. Various software whether off the
shelf, specialized or customized are a useful tool in the hands of the auditor to gain

56

access to manipulate the data maintained in the computer systems to achieve audit
objectives.

Reasons for using Generalised Audit Software

Computerized information systems faced by auditors may be different.


Companies have different hardware, software, record functions, and different
processing functions. With the resource required for customized programs, it is
not possible to develop specific programs to extract, manipulate, process and
report on the data.

Audit objectives are constantly changing. Newer areas may be required to be


audited; different approach may have to be used.

Auditor may have a broad understanding of systems but they do not have
specific knowledge or experience with particular hardware, software being used.

Functions of Audit Software

100% data

File access :The file access functions enable different file structures to be
accessed.

File reorganization: Sorting data, merging data, comparing data can be done

Selection: Extraction of data based on certain criteria.

Statistical: Selection of random data for different types of sampling

Arithmetic: Checking arithmetic accuracy of data, control totals etc.

Stratification and frequency analysis Different types of Stratification, frequency


and ageing analysis can be undertaken.

Detection of Fraud

File creation and updating

Reporting: Comprehensive reports can be produced with the data automatically.

Specialised audit test and analysis software

57

Used to review specialised computer files


Manufacturing, production & material scheduling software packages contain
reporting sub systems
CASE
Test data techniques
Series of test transactions are checked with copy of live production system to
determine if controls are adequate
Helps in general understanding of complex system
Tests whether valid transactions are correctly processed
Tests whether invalid transactions are identified and flagged
Audit tasks
Audit software can help in the accomplishment of various audit tasks:

Examining the quality of data

Examine the system processes

Do analytical reviews

5.5 Some commonly uses Audit software


CAATs provide a complete picture of a system and/or an organizations
transactions. This is beneficial both to the auditors as well as the clients.

Auditors can be sure of the thoroughness and correctness of their analysis while
arriving at conclusions.

It provides an acceptable level of comfort

All the variables that might possibly affect revenue can be considered to ensure
there is nothing unusual in any sub-categories

Audit provides value addition to the client by providing them new information
which is not available with them in the first place.

58

Some of the software which are widely used are

ACL

CaseWare IDEA

Microsoft Access

59

Section 6-Audit Work papers


6.1 Importance
6.2 Functions
6.3 Organisation
5.3.1 Document organisation
5.3.2 CAAT workpapers
6.4 Review of work papers
6.5 Retention and Custody

6.1 Importance of workpapers


The work performed is documented in workpapers. The workpapers serve as the
connecting link between the audit assignment, the auditor's fieldwork, and the final
report. Workpapers contain the records of planning and preliminary surveys, audit
procedures, fieldwork, and other documents relating to the audit. Most importantly, the
workpapers document the auditor's conclusions and the reasons those conclusions were
reached. As each Audit Step in the Audit Procedures is satisfied, the audit supervisor
should request review of the related workpapers.

6.2 Functions
Workpapers should be economical to prepare and to review. It is important to achieve a
proper balance of completeness and conciseness. Only what is essential should be
included.

Working papers record the information obtained and the analyses made during
the audit process.

Working Papers serve the following purpose

60

Aid in the planning, performance, and review of audits

Document whether the audit objectives were achieved

A support for audit reports

Record information

Document audit findings and accumulate evidence

Basis for supervisory review

Support and evidence for issues like fraud, lawsuits

Basis /reference for subsequent audit

Document whether the audit objectives were achieved

Facilitate third-party reviews

Aid to peer review

Provide a basis for evaluating the Internal Audit's quality assurance


programme

Aid in the professional development of the Internal Audit staff

Among other things, workpapers may include:


o Planning documents and audit procedures;
o Controls questionnaires, flowcharts, checklists and narratives;
o Notes and minutes resulting from interviews;
o Organisational data, such as charts and job descriptions;
o Copies of important documents;
o Information about operating and financial policies;
o Results of control evaluations;
o Letters of confirmation and representation;
o Analysis and test of transactions, processes, and account balances;
o Results of analytical review procedures;
o audit reports and management responses; and
o audit correspondence that documents the audit conclusions reached.

61

Workpapers should be clear and understandable. Anyone reviewing the workpapers,


without referring to documents outside of those included in the workpapers and
without asking questions, should be able to tell what the auditor set out to do, what
they did, what they found, and what they concluded. Conciseness is important; but
clarity should not be sacrificed just to save time and space.
Some important things to remember in preparation of workpapers
SCANNED DOCUMENTS :Scanned documents should include a reference to the
source and the purpose of the document when relevant to understanding or
appreciating the actual audit work performed. Such information needs to be included
only when it is not provided elsewhere in the workpapers.
WEBLINKS
When using references to websites in workpapers, to help ensure the site can be
readily accessed in the future, both the name of the site and a hotlink to the website
should be included. If specific information from a website was referenced, the web
page should be saved to a file and attached to the workpapers.
TICKMARKS
Tick marks must be consistent throughout a particular workpaper. Tick mark
explanations must be a part of the workpaper.
CROSS-REFERENCING
Workpapers should be prepared using the appropriate cross-referencing. A reference
from the Audit Procedures to the primary workpaper provides a reference to where
the work was performed. The primary workpaper will then contain reference to other,
supporting workpapers, which provide additional information regarding the audit
procedures performed, results, conclusions reached, and audit observations.

62

Specimen:

Workpaper Header
ABC Associates
Client ___________________
Period __________________
Prepared by ____________________

Date ____________________

Reviewed by ____________________

Date ____________________

(in-charge)
Reviewed by ____________________

Date ____________________

(Manager)

Sample Audit File Index

A. Audit control papers


A1

Financial statements

A2

Audit completion checklist

A3

Review schedules

A4 Time record and budget


B.

Overall audit plan

C. Intangible assets
D. Tangible non-current (fixed) assets
E.

Investments

F.

Stock

63

G. Receivables
H. Advances
I.

Cash

J.

Payables

K. Provisions and contingencies


L.

Taxation

M. Capital & reserves


N. Income statement
O. Revenue
P.

Purchases

Q. Wages & salaries


R.

Any other item

6.3 Organisation
Auditors today use a wide variety of formats to prepare workpapers. Audit workpapers
may be in the form of paper, tape, disk, diskette, film, or other media. Regardless of the
media used workpapers should provide a standard framework for documenting
internal audit activities. If the audit workpapers are in the form of media other than
paper, consideration should be given to generating backup copies. If the Internal
Auditor is reporting on financial information, the audit workpapers should document
whether the accounting records agree or reconcile with such financial information.
The Internal Auditor should establish standard audit workpaper files, stationary,
indexing, and other related matters. Standardized audit workpapers, such as
questionnaires and audit programmes, may improve the efficiency of an audit and
facilitate the delegation of audit work.

6.3.1 Document organisation

64

An audit requires large number information to be collected .The form and content of
workpapers depend on the nature of activities reviewed and the audit performed. They
can be broadly classified into

Permanent files

Administrative files

Audit procedure files

Bulk files

Audit reports

Permanent files: Some audits may be conducted on a periodic basis

and have repetitive procedures. Also in case of continuing audits there might be
information of continuing importance. All this data of historical or continuing
nature should be filed in permanent files.

Administrative files: These might be required for large or complex

audits where there might be large number of workpapers or files.

Audit procedure files:

The content of these files are totally

dependent on the type and nature of audit and audit procedures used by the
auditor.

Bulk files: Audit may require large number of evidential material

that may be quite bulky and not required to be retained in primary workpapers.
Such papers may be filed in bulk files.

6.3.2 Computer Assisted Audit Technique workpapers

Workpapers for computer assisted audit techniques follow a different approach than
conventional audit. An auditor may use different automated procedures to perform

65

audit. CAAT uses specialised auditor -developed or controlled routines to perform


audit test and analysis procedures.
The CAAT workpapers should have detailed description of CAAT procedures, timing,
problems encountered. Some requirements would be:
o Description of application and process being tested
o Audit objectives, files to be accessed, cut off dates
o Description of software being used
o Documentation of CAAT tests performed
o Schedule of CAAT processes with documentation.

6..4 Review of workpapers


All workpapers should go through an independent internal review process. The overall
responsibility of the review is with the Chief Audit Executive but it is usually delegated
to supervisory members of the internal audit function. The following need to be
confirmed:

There was compliance with workpaper guidelines.

Review the preliminary survey to ensure that objectives are defined.

Review the audit procedures to ensure that they are adequate to accomplish the
objectives.

Review the referenced workpapers to ensure they support the procedures


performed and all procedures have been completed.

Determine that the workpapers adequately document the conclusions reached in


the report and the conclusions are reasonable and valid

Ensure that all the workpapers are relevant and useful.

Workpapers sufficiently provide an evidence of the work performed.

66

Confirm that all observation forms prepared have been discussed with the
appropriate member of management, and that the disposition of the audit
concern is documented.

Documentation

obtained

and

not

relevant

to

the

audit

should

be

returned/destroyed upon the completion of the audit.


There should be evidence of the supervisory review which would consist of reviewers
initials and dates on each worksheet reviewed. The reviewer might make review notes
and raise questions that may arise during the review process and give it to the auditor
responsible for resolution. Review questions should be resolved promptly and all
questions should be resolved prior to issuing the final report.

6.5 Retention and Custody


Audit workpapers are the property of the organization. They are considered as
confidential. Audit workpaper files should generally remain under the control of
Internal Audit and should be accessible only to authorized personnel. Workpapers
often contain sensitive information or data that must be protected from unauthorized
use or review. Management and other members of the organization may request access
to audit workpapers. Such access may be necessary to substantiate or explain audit
findings or to utilize audit documentation for other business purposes. The Internal
Auditor should approve these requests. It is common practice for internal and
independent outside auditors to grant access to each other's audit workpapers. The
practice of granting the independent outside auditor access to audit workpapers should
be approved by the Internal Auditor.
There are circumstances when requests for access to audit workpapers and
reports are made by parties outside the organisation other than the independent outside
auditor. Prior to releasing such documentation, the Internal Auditor should obtain the
approval of senior management and/or legal counsel, as appropriate.

67

The Internal Auditor should develop retention requirements for audit workpapers.
These retention requirements should be consistent with the organisation's guidelines
and any pertinent legal or other requirements. The guidelines could relate to:
o Time period during which files to be kept in current documents
o Subsequent movement of files to archive files.
o Movement of electronic workpapers to an electronic storage media like tape, CD
ROM.
o Separate guidelines for workpapers related to investigative audit or a lawsuit.
o Removal or deletion of workpapers.

Audit workpapers and audit reports are key tangible outputs of the audit process. As
the audit report is supported by the workpapers, it is essential that adequate
workpapers are available to support the report. The best way to establish a level of
confidence is that internal audit management performs adequate levels reviews of all
workpapers

Section 7- Audit Reports and Communication

7.1 Purpose of Audit report


7.2 Types of Audit Report
7.3 Form and content of audit report
7.4 Style and Attributes
7.5 Audit Reporting Cycle
7.6 Evaluation and Follow up
7.7 Specimen Internal Audit report

68

7.1 Purpose of audit report


An audit report is the only output of the Internal Auditors work, which people outside
the Internal Audit function get to see. It is a formal document summarizing the work
done and reports the findings and recommendations. It is a means of communicating all
of the auditor's work to management. The report must concisely present the total
essence of the audit effort. Findings must be supported by sufficient evidence and be
within the audit's scope and objectives. Each recommendation must fit the facts of the
finding and materially reduce the potential risk as indicated by the facts of the finding.
It is not important what an auditor believes; the important thing is what the auditor can
prove. Auditor beliefs, without proper documentation will not be carried to the report.
Whether audit report is a formally written document or an informal one it should have
the following information:
o Findings
o Description of findings
o Suggestions and Recommendations
o Documentation of plans and Views of auditee

6.2 Types of Report


With todays technology and ever changing requirements, audit results can be reported
in a wide spectrum of formats. Certain common approaches to reporting are presented:

Oral Reports

Interim reports

Descriptive (regular) reports

Summary audit reports

69

Oral Reports:

This mode of communication should be supplementary to written

reports. This mode might be used for reporting any findings, which may need
emergency action, or as an oral presentation as a prelude to the formal written report.

Interim reports: When management or other recipients of report have to be informed of


significant developments or problems for which prompt action needs to be taken, an
interim report can be issued.

Regular reports: in most audit assignments a detailed descriptive report is given at the
conclusion. A general format of such a report is given under Form and content of audit
report.

Summary Audit report: Such reports summarise the audit report and describe the range
of content. Such reports could be a summary of more than one report.

7.3 Format and content of audit report


The format of report would be guided by the company procedures and nature of work.
A general format is suggested below:

Cover Page - A cover page showing the department name, audit title, audit number and
audit date should be on each report. Lengthy reports may have an index.
Cover Letter - A letter should be written and signed by the Director /partner and made
a part of the audit report. It will be as brief as possible.
Introduction - Describe the type of engagement (regular scheduled, special request,
etc.) and the authority of the audit (agenda, special request). The name of the
organization or activity being audited and provide any background information
necessary. This can include nature and goals, volume or value, activities, location,
staffing, etc.

70

Statement of Objectives - The audit objectives are stated in the report and are the same
ones that appeared in the detailed audit programme.
Statement of Scope - This section should describe the depth and coverage of audit
work conducted to accomplish the audit's objectives. It would contain the calendar
dates for the test work and a date for the evaluation of internal controls.
Statement of Methodology - The statement on methodology should clearly explain the
evidence gathering and analysis techniques used to accomplish the audit's objectives.
Statement of Auditing Standards - The report should include a statement that the audit
was made in accordance with auditing standards and disclose when applicable
standards were not followed.
Audit Conclusions - The auditor must conclude on the stated audit objectives in the
order in which they appeared in the report. The auditor should conclude in the negative
or affirmative on each objective.

Findings and Recommendations - Each recommendation should be supported by a set


of facts that make up an audit finding. The following are the elements of a finding.
1) Facts
2) Criteria

3) Effect - This is also known as risk (either actual or potential). Describe or show the
actual or potential effect on the condition. The risks could be inaccuracy,
inefficiency, loss to assets. Provide a monetary value to the effect. If this is not
possible, say so and emphasize the potential.

4) Cause The cause needs to be mentioned only when it is not obvious or it is


something other than obvious one.

71

5) Recommendations - Set out in simple, yet specific language, a remedy that


management can follow to effectively correct the condition. In multiple part actions,
a numbered step by-step solution assists in breaking down the recommendation into
an easily understandable process. Emphasize that solutions other than those
presented may be acceptable if it minimizes the condition stated in the finding.

Auditee Responses - All recommendations will be followed by the auditee's response.


Auditor's Comments - These comments are used as necessary to evaluate the quality of
the auditee's written responses.

General Comments - This section is reserved for points of interest that are of lesser
magnitude than findings, but of interest to management.

7.4 Attributes of a report


The audit report must be written in a neutral tone and flawless in its accuracy, logic,
clarity, grammar and spelling. It is the only output of the auditor's professional efforts,
which is seen by outsiders.

ACCURACY - Reports must be completely and scrupulously factual; every condition


and recommendation must be based on evidence that is supportable in the work file.
The evidence must be sufficient to support the findings and recommendations and at
the same time, be in agreement with the stated objectives of the audit.

CLARITY - Means making the reader understand what the auditor is trying to say
while writing the report.

CONCISENESS - This means cutting out what is superfluous. Eliminate what is


irrelevant and immaterial. The content of the report depends on the report reader. The

72

report cannot supply both sufficient details for the operating manager and a summary
for the executive. The report is written for senior management. The Internal auditor can
either provide a separate report to the operating management or details for the
operating manager/supervisor can be provided upon request.

TONE - The report should be courteous and factual. It should not be petty, but should
sound like the voice of management.

GRAMMAR AND SPELLING - All auditors are expected to use acceptable grammar,
sentence structure and context. Additionally, spelling should be accurate.

7.5 Audit Reporting Cycle


It is desirable that during the course of the audit, a framework of the final report is
developed so that the needed information is obtained on time. This will prevent delays
in the report writing process. Important and sensitive findings should be shared with
responsible managers immediately upon verification by the audit staff; memo reports
may be used in this process.
As findings are completed, they are inserted in the proper sections of the report. The
audit report is a process in itself, which starts with identification of findings,
preparation of draft report, discussions of findings with the concerned people,
management responses to audit findings and issuance of final report. An internal audit
function may alter or skip any of the steps outlined below to suit its needs and purpose.

Outline Audit findings

Preparation of Audit report - First draft

Discussion with client

Preparation of Final Audit report draft

Closing conference

73

Issuance of Final report

A. Outline Audit findings


a. Document all findings
b. Determine whether there is sufficient support for all findings
c. Determine whether there is pattern of deficiencies, which could mean
procedural changes are required.

B. Preparation of First Draft


a. The draft report should state that the findings, conclusions and
recommendations set forth are preliminary in nature.
b. The draft report should follow standard format.
c. Ensure that figures and facts have been checked and cross-referenced to
relevant workpapers.
d. Review that the workpapers provide adequate support for items of
significance
e. Check for tone, spelling and punctuation.
f.

Issue report (stamped "DRAFT") to management for review.

C. Discussion with client


a. Determine whether the management was aware of the issues and taking
corrective action on the same.
b. There should be no surprises - everything in the draft should have been
discussed during the fieldwork.
c. Be sure you can easily find supporting documentation for findings in the
working papers in case questions arise at the meeting.
d. Ascertain the causes for the deficiencies /problems. Find out whether
there are any constraints or limitations for the shortcoming.

74

e. Get the client comment on the draft report, and any inaccuracies or
impractical recommendations resolved to the extent possible.
f. Get managements agreement on the facts and wording of the report.
g. Ask management for written responses (give specific due date for
responses).

D. Preparation of Final Audit report draft


a. Ensure that managements/auditees viewpoint has been considered.
b. Determine whether the report is well written and in a manner that all
intended recipients may understand.
c. Ensure that audit staff who wrote the report agree with the changes made.
d. Make sure that managements /auditees viewpoint has been rightly
stated and adequately rebutted, if necessary.

E. Closing conference
a. Provide the management or appropriate staff adequate opportunity to
study the report.
b. Departmental administrators and managers have the opportunity to
informally provide additional information, question findings, or challenge
conclusions. On the basis of those discussions, the final report may be
modified.
c. Try to anticipate potential questions/conflicts.
d. Inquire from the managers or appropriate staff whether they have any
questions about the opinion or background or the audit process.
e.

Normally, only the administrators of the department being reviewed


attend the closing conference to allow the parties most affected by the
report to more freely and confidentially express their views, and to ensure
the accuracy of the final audit report.

f. Obtain current plans of follow up from the management /auditee.

75

F. Issuance of Final report


a. The final report should include modifications and changes discussed and
agreed to at the closing conference, if held, in addition to the auditee's
written responses.
b. The auditee's written responses will be reviewed by the staff auditor and
the Audit Supervisor and evaluated in writing, if necessary.
c. When differences of opinion persist even after the final draft, the report
will be issued although it may be modified to reflect the position of the
audited department or higher-level management.
d. Before release, the report will be signed by all those responsible for the
audit, which would normally be the Audit Director, Audit Supervisor and
appropriate staff auditor.
e. All changes to the report must be documented in the work file and signed
off on by the staff auditor, Audit Supervisor and the Audit Director.
f. Try to provide a balanced presentation by including departments' or units'
notable strengths to credit staff for correcting past deficiencies and to
recognise superior management.
g. Make a final reading of the report for content, clarity, consistency and
compliance with professional standards.
h. File final report in project binders and cross-referenced to supporting
working papers; provide explanations for comments deleted or changed
significantly since original draft.

G. Dissemination of report
a. The persons to whom the report is to be delivered will vary from
organisation to organisation and from one assignment to another. Some of
the recipients could be the Corporate Vice President, for Administration

76

or the Vice President for Business and Finance, the Department Head, the
CFO, the CEO, the Board of directors and the Audit Committee.
b. In some organisations the BOD and the Audit committee may be
presented with sAudit Committee with periodic summaries of audit
findings, with access to summaries or full reports if requested.
c. In certain organisations the report is published on the website. In that
case, Copy the report file to the share drive for eventual publication on the
web page. Take the original paper copy of the letter to the management
and the signature page from the report to the webmaster. Those two pages
will be scanned and converted into a PDF format document and inserted
into the report posted on the share drive.

7.6 Evaluation and Follow up


At the completion of each audit, the cognizant audit manager will send an evaluation
survey form to the primary clients of the audit. These should be completed and
returned to the Director of Internal Audit, in order to ensure continuous improvement
of these procedures and the internal audit function.
After receiving the response determine whether responses address the issues described
in the findings, promise action that will correct the weakness reported, and include a
reasonable completion date.

Follow up
Each organisation /department may have its own time limits for replying to the report
and the internal audit department may have its own rules for follow up. Some internal
audit function may conduct a follow up after six months or one year to and ascertain
the status of open recommendations.

77

Internal auditing should determine that corrective action was taken and is achieving the
desired results, or that management or the board has assumed the risk of not taking
corrective action on reported findings.

7.7 Specimen letter/report

Audit report cover letter


<On the letterhead of Chartered Accountant >
July 14, 200X
Report No. <Number>

Mr. <Name>
CEO, <Company Name> Limited
<Address>
Dear Mr. <CEO>

The audit team has concluded an operational review of the internal control
structure and the recently implemented financial system SAP. The objective of our
review was to evaluate controls in the financial system, compliance with policy &
regulations and the effectiveness and efficiency of the current organisation authority
structure.

The review covered operations of the period <date> to <date>. Please find
enclosed two copies of the Audit Report of <Company Name> Limited completed on

78

June XX, 200X. I am pleased to inform you that the review found that the financial
department is well managed with generally good controls. However, controls need to
be strengthened in few areas and documentation policies need to be more strictly
enforced for travel expenses. A summary of the most significant audit findings are
provided in Part II of the report.

The company must respond in writing to each audit finding. The proposed
Corrective Action Plan should detail both short term corrective action to correct the
specific deficiencies cited and, where applicable, long term corrective action. Long term
corrective action should focus on modifying the system to prevent recurrence of similar
deficiencies in the future.

We wish to express our appreciation for the co-operation extended to the audit
team by you and your staff during the audit.
Yours truly,
Yours truly,
<Name>
<Designation>
Membership No. <number>

79

Specimen Internal audit Report


AUDIT NAME
AUDIT REPORT
TABLE OF CONTENTS
PAGE

INTRODUCTION

Background
Audit Perspective
Scope & Objectives

EXECUTIVE SUMMARY

INTERNAL AUDIT OPINION

DETAIL REPORT INCLUDING AUDITEE RESPONSES

I.
II.
III.

APPENDIX

80

AUDIT NAME
DATE
INTRODUCTION

Background
Audit Perspective
Present audit status -

Recent past audits -

External audit coverage -

Scope & Objectives


The scope of the (audit or review)
The scope statement should be brief and should include the timing, type and
purpose of the work and the standards used when conducting the audit. Types
of audits or reviews are financial, operational, compliance and EDP.
(E.g., The scope of the audit was financial and operational in nature .This routine
audit was conducted on AAA Foods Limited during the period of (month)
(year). The audit covered the period from dd-mm-yyyy to dd-mm-yyyy . The
audit was performed to ensure that financial data was properly recorded and
adequate operational procedures exist in all the operational areas. The audit was
conducted in accordance with the applicable Accounting & Auditing Standards.
Included reviews in the following areas:
29 hbintauditpro.doc
Page 81 of 141

a) Royalty payments;
b) Rent received from sub tenants;
c) compliance with Food safety and hygiene regulations ;
d) Cash receipts; and
e) Credit card receivables .

The last day of fieldwork was ___________________.)

The objectives of the audit were as follows:

Determine that cash receipts were recorded correctly as to account,


amount and period and are deposited promptly (recording,
safeguarding).

Verify that credit card receivables were correctly accounted,


applied and payments received from the credit card company.

Determine whether food safety inspections have been regularly


carried out at various locations and appropriate hygiene levels are
maintained.

Review inspection reports- internal and external and steps taken to


correct shortcomings, if any.

Whether royalty has been calculated correctly and has been paid to
the brand owners timely.

29 hbintauditpro.doc
Page 82 of 141

Whether contract has been drawn up with sub tenants and floor
space, rent and facilities has been has been agreed upon.

Note: Audit is used in the report when actual tests are performed to
corroborate the opinion. Review is used in the report when no tests are
performed to corroborate the opinion. Comment should speak directly as
to what was done, i.e., if a test was performed, the word test should be
used. If a review was performed, the word review should be used.
Company - General
AAA Foods Limited
Provide information on background of company and its operations .Provide
details of functions and personnel in departments. Mention whether any major
change in the organisation since the last audit. (E.g. the company has opened
new food centres at 12 more locations. The staff strength has risen to 15,000. The
company is now undertaking a massive exercise to centralize its processing and
accounting at the main office).

Audit Synopsis
Mr. R. Xyz, senior partner of XYZ associates was in charge of the audit. The
audit was conducted in accordance with auditing standards and policy &
procedures detailed in the AAA Food Limiteds manual .These techniques
included interviews with key personnel, review of approved documents,
sampling of relevant files, and random inspections throughout AAA Food
Limiteds system.

The audit entry meeting was held in AAA Food Limiteds

main office on

<date>. During this meeting, the audit manager briefed the operators
29 hbintauditpro.doc
Page 83 of 141

management on the audit process and the team's audit plans. The officials of the
company were regularly updated on audit progress and of all audit findings
submitted. The audit was completed and the exit meeting was held in AAA Food
Limiteds main office on <date> with the senior officials namely<name>.

Corrective Action Plan


Audit Findings identify a situation where a company policy, procedure, or
activity does not conform to policies & procedures specified in the companys
internal audit manual or to the applicable regulatory standard. The company
must respond in writing to each audit finding, detailing short term corrective
action to correct the specific examples listed, and long term systemic corrective
action to prevent recurrence of similar situations.
XYZ Associates will monitor implementation of AAA Food Limiteds Corrective
Action Plan through the audit follow-up process

29 hbintauditpro.doc
Page 84 of 141

EXECUTIVE SUMMARY

Purpose & Limitations


The executive summary is intended to provide an overview of the audit
process, and summarise the significant findings (discussed in the detailed
audit report) and the conclusions reached. The reader should not frame an
opinion solely on the basis of this summary. The detailed report should be
read to obtain the complete understanding of the background, ramifications,
and recommendations.
General
The audit examined AAA Foods Limiteds operations and finance divisions
using applicable checklists referenced from the Internal Audit Manual. A total of
xx operations and xy finance audit findings are reported. . These findings
identified examples of non-conformance to the standards, regulations AAA
Foods Limiteds policies or procedures. A number of the findings were
administrative in nature and can be easily corrected, whereas others were
systemic and will require particular attention to ensure that corrective actions are
effective in addressing the identified system faults.
Audit Opinion
As discussed more fully in our opinion on page ______ of this report,

Relevant Findings

29 hbintauditpro.doc
Page 85 of 141

List a summary of each finding (without ramification/implication statement).


Cross reference to detail section of report.

29 hbintauditpro.doc
Page 86 of 141

AUDIT NAME
INTERNAL AUDIT OPINION

In our opinion, we found the _________________________________ to be


adequate, or inadequate (detail of inadequacies to follow the word inadequate).

We

have

identified

opportunities

to

improve

the

controls

of

the

(offices/areas/departments) involved in the... as discussed in this report.

AUDITOR-IN-CHARGE

(E.g.

DATE

In our opinion, we found the financial transactions were properly


recorded and the operational procedures adequate for the period under
audit.

However, there is still some scope for improving operating

efficiency and effectiveness which are discussed in this audit report.


In our opinion, we found the financial transactions to be properly
recorded, but the operational procedures inadequate for the period
under audit. We have made some recommendations on improvement of
efficiency and effectiveness of certain operating procedures as
discussed in this audit report.

29 hbintauditpro.doc
Page 87 of 141

The areas requiring immediate attention are: <area>, which currently lack
some essential elements; <area>, which require a detailed system to
ensure that all requirements have been met; and procedures to monitor
and report on <area> activities.

The above deficiencies notwithstanding, the review revealed that AAA


Foods Limited is maintaining strict quality control standards and that a
knowledgeable, competent management team has been assembled to
oversee its staff and employees that have the ability and desire to operate
within the regulatory framework. The companys response upon learning
of any deficiency was immediate and indicative of their focus on quality
control.

29 hbintauditpro.doc
Page 88 of 141

AUDIT NAME
DETAIL REPORT
Overview
Pages X through XX outlines the specific findings resulting from our substantive
audit testing.

These issues are discussed in detail in our report and are

categorized first on the basis of departments .Within each division, the major
primary findings (significant internal control deficiencies and items potentially
having a significant or adverse effect on the units operations) are mentioned first
and then other matters (items of a lesser nature requiring attention, but not likely
to have a significant or adverse effect on the units operations).

Primary Findings
I.

COMMENT
Insert summary of the finding included in the Executive Summary
Finding

Ramifications/Implications

Recommendation(s)

29 hbintauditpro.doc
Page 89 of 141

Auditee's Response

Other Matters
II.

COMMENT
Insert summary of the finding included in the Executive Summary
Finding

Ramifications/Implications

Recommendation(s)

Auditee's Response

29 hbintauditpro.doc
Page 90 of 141

Section 8- Relationship management

8.1 Internal Audit and audit committee


8.2 Relationship with management
8.3 Working with the statutory auditors
8.4 Relationship with regulators

In todays world, the internal auditors need to have a variety of skills to be


successful. Not only do they have to be good in their traditional area of
competency like financial and governance expertise, analytical skills, risk
assessment but also be business savvy, have an eye towards creating value, and
provide a larger perspective. Soft skills are becoming crucial. Operating
managers are requesting assistance from internal audit staff to improve
effectiveness and efficiency of operations. Findings are not treated as deficiencies
but as practices that can be improved by modification jointly developed by client
and auditor working together.
To top it all and ensure that internal audit is effective, communication is
most crucial. Sound governance requires effective interaction among the board,
management, the external auditor, and the internal auditor.

8.1 Internal Audit and audit committee


The audit committee should be composed of board members who have
the knowledge and experience of the organisations business. They should have
the skills to evaluate financial and management controls, and the ability,
experience, and willingness to act for the good of the organisation and its

29 hbintauditpro.doc
Page 91 of 141

stakeholders. They should have the time to find out enough about the
organisation so that they can effectively challenge the executive management.

A professional internal audit activity is a major source of information to


the board and its special committees. It provides assurance on the effectiveness
of governance, risk management and internal control processes, covering
strategic, market, credit, operational and financial risks.
The audit committee and the internal audit team need to maintain a
strong positive relationship.
The chief audit executive has to report on its findings to the audit committee any
deficiencies that have been detected and the audit committee also has to enquire
in depth from internal audit into complex issues. The internal audit activity is
answerable to the audit committee and not management.
The chief audit executive should attend audit committee meetings and
discuss the charter, review the audit plan, staffing requirements, audit findings
and status of implementation of recommendations.
The audit committee has to assess the performance of the internal audit team to
review whether the activity is effective and capable to be the agent of the of the
audit committee in the organization. It may also act as facilitator between the
internal audit, executive management and the statutory auditors to ensure
proper allocation of work and ensure good corporate governance.

8.2 Relationship with executive management


Maintaining a balanced relationship with the executive management is
most crucial and difficult for the internal auditor. For internal audit to be
effective, the relationship with executive management has to be constructive. The
29 hbintauditpro.doc
Page 92 of 141

relationship has to be based on mutual confidence but it should not be too


friendly. Nowadays, operating managers are requesting assistance from internal
audit staff to improve effectiveness and efficiency of operations. Findings are not
treated as deficiencies but as practices that can be improved by modification
jointly developed by client and auditor working together.
The chief audit executive should have frequent meeting with the
management to share information.

Reports
Within the management, there are different levels. The audit report has to be
designed to suit the interest, needs and requirements of different levels of
management. All the levels need to know as to what is happening in the areas of
their concern and internal audit report can serve as one of the vehicles of
information. However the degree of detail required by each is different. The local
office needs an in- depth report with all the details and documentation so that
follow up actions /rectifications can be taken. The regional offices would need
general information on the operations and performance of the local office. The
top management needs to be informed of serious issues and frauds and
information on problems across offices etc. Thus, as the levels go up the details
required are less.
For easy readability and distribution, the report could have an executive
summary,

main

report

divided

by

functional

areas

and

lastly

recommendations. Thus, each level gets focused information according to their


needs.
Oral communications
Formal written communications are necessary and but informal communications
cannot be ignored altogether. It can help draw managements attention towards
important issues. Debriefings minimise the chance of something important
29 hbintauditpro.doc
Page 93 of 141

passing unnoticed because of other priorities and pressures.


Overview
An audit report consists of details of the audit assignment of the audited unit. At
some point it also needs to see things from a larger perspective- to focus on the
forest rather than the trees. On the basis of recurring observations and trends, it
would be possible to identify areas which need more attention, policy changes or
guidance.

8.3 Working with the statutory auditors


Internal audit and statutory audit have different objectives. The primary
objective of statutory auditors is to express an opinion on accuracy and fairness
of financial statements. The focus of the report is on objectivity, accuracy and
brevity. They focus on historical financial data. The objectives of internal audit
are much wider. They are involved in operational audits, management audits,
review of processes, practices & procedures and other assignments.
However, the statutory auditors need to understand the functioning and
operations of the enterprise and the internal control systems. Not only that, they
have to include in their report an opinion on the state of internal controls in the
organisations. Thus, if they co-ordinate their efforts there would not be any
overlapping nor would there be any gaps. Every aspect of the organisation
could be covered without duplication of work and improve service to
management and the audit committee. Internal and external auditors both are
equally important.
There should be sufficient liaison between the auditors .Both should share
information regarding scope, audit programme and audit findings. However,

29 hbintauditpro.doc
Page 94 of 141

several factors determine the type of relationship. Some chief audit executives
(CAEs) are of the opinion that the relationship should be arms-length
relationship while others feel that there should be a close working relationship.
It is finally up to the organisation and the auditors to decide as to what type of
relationship best fits an organization taking into account its resources and time
and issues.
Benefits of co ordination
Varied strengths increase effectiveness
By the nature of their responsibilities, internal auditors spend a lot of time
working for the same company. This gives them a better understanding of the
culture and working of the organisation. The external auditors on the other hand
have exposure to wider variety of financial issues as they have multiple clients.

Increase in efficiency
Coordination increases efficiency. When the audit is not properly coordinated,
external auditors may duplicate work already performed by the internal
auditors.

Better audit coverage


It is expected that elimination of redundant work will leave time and resources
for better audit coverage.

Cost reduction
Coordination reduces the time and efforts which the external auditor would
expend on redundant work thus, reducing the audit fees.

29 hbintauditpro.doc
Page 95 of 141

Better understanding of each others work


Coordination would imply that the auditors communicate and consult with each
other their plans and findings. This will lead to clearer understanding of
respective audit roles and requirements and a better understanding by each
group of auditors.
Building co-operation
Approval

External and internal auditors owe allegiance to different set of people .The
internal auditor is accountable to the management. When the external auditor
needs assistance from the internal auditor, he has to first inform the management
/governing body and seek their approval.
Commitment
As discussed earlier, both the auditors work with different objectives and
responsibilities. Given this situation when the need for coordination arises, it
requires commitment. They have to adjust and plan the work to satisfy each
others needs.
Communication

Communication is sine qua non for success of any coordination process. . There
should be frequent and open communication between internal and external
auditors. They should decide on timing and nature of communication-it may be
written or electronic or face to face or telephonic or combination of whatever
format is suitable.
29 hbintauditpro.doc
Page 96 of 141

Trust

There needs to be mutual confidence between both groups of auditors. This


confidence is enhanced when the auditors are members of professional bodies
and are bound by their professional standards and code of conduct. When the
external auditor requires direct assistance or needs to rely on the work in certain
area, he may conduct procedures to get specific assurance. There also needs to be
confidence that any information exchanged is treated professionally and with
integrity.

Areas of co-operation

Internal control

Corporate governance

Reporting and financial statements

Compliance with laws

Anti Fraud measures

Performance indicators

Testing
o systems
o programs

Liaison between company and external auditors


o Ensure that all information, documentation is provided to internal
auditor
o Audit of dispersed organizations
o Follow up on audit issues and implementation of recommendations

29 hbintauditpro.doc
Page 97 of 141

8.4 Relationship with regulators


Internal Audit is gaining more importance with the regulators. The role of
Statutory Auditors is confined to reporting on financial accuracy and application
of accounting principles and standards. Market regulators are interested not only
in financial results but also concerned that business operations are conducted in
a manner so that all foreseeable risks are addressed by appropriate internal
control mechanism and three are no revenue leakages.
Internationally, the relationship with regulators is significant in the financial
services sector due to the Basel Committee on Banking Supervision. In India,
increasing number of regulators are demanding internal audit of entities under
their supervision. RBI, NSE, NSDL, SEBI all insist on internal audit of operations
of entities under them. Not only that The Companies (Auditors) Report Order,
2003 states that,
Internal Auditing is applicable to: -

1. Listed Company

2. Unlisted Companies whose paid up capital & reserves as at the


commencement of the financial year exceeds Rs.50 Lakhs or the average
annual turnover for immediately 3 preceding financial years exceed Rs.5
crores.

Only the internal audit activity can provide a objective assurance to the market
regulator that

the operations are in compliance with laws and regulations set up by


them,

29 hbintauditpro.doc
Page 98 of 141

internal control exists in all the key risk areas,

internal control framework is functioning effectively and

gaps if any are identified reported and prompt action is taken to rectify
the same.

Section 9 -Overview of Standards on Internal Audit

9.1 Standards on Internal Audit (SIA) issued by ICAI


9.2 Internal Audit Standards issued by IIA

9.1 Standards on Internal Audit issued by ICAI


Institute of Chartered Accountants have issued 16 Standards on Internal Audit
(SAI) since 2006 which are required to be applied while conduct of internal audit
functions by a chartered accountant. An overview of the standards is discussed
below.
SIA 1 Planning an Internal Audit Issued in May, 2006.
The basic objective of the SIA is to establish standards and provide guidance in
respect of planning an Internal and helping in achieving the objectives of an
Internal Audit function. Adequate planning ensures that appropriate attention is
devoted to significant areas of audit, potential problems are identified, and that
the skills and time of the staff are appropriately utilised. Planning also ensures
that the work is carried out in accordance with the applicable pronouncements of
the Institute of Chartered Accountants of India. Planning should also be based on
the knowledge of the entitys business.

29 hbintauditpro.doc
Page 99 of 141

SIA 2 Basic Principles Governing Internal Audit Issued in August, 2007


The purpose of this Standard on Internal Audit (SIA) is to establish standards
and provide guidance on the general principles governing internal audit. This
Standard explains the principles, namely, Integrity, objectivity and
independence, Confidentiality, Due professional care, skills and competence,
Work performed by others, Documentation, Planning, Evidence and Reporting
which governs the internal auditors professional responsibilities

SIA 3 Documentation Issued in August, 2007.

The purpose of this Standard on Internal Audit is to establish Standards and


provide guidance on the documentation requirements in an internal audit.
Adequate documents act as basis for the planning and performing the internal
audit. Documents provide the evidence of the work of the internal auditor. This
Standard provides guidance regarding the form and content of the internal audit
documentation, detention and retention of the same and identification of the
preparer and reviewer.

SIA 4 Reporting Issued in August, 2008


The purpose of the Standard on Internal Audit (SIA) 4, Reporting is to establish
standards on the form and content of the internal auditors report issued as a
result of the internal audit performed by an internal auditor of the systems,
processes, controls including the items of financial statements of an entity. This
SIA describes the basic elements of an internal audit report such as opening,
objectives, scope paragraphs, and executive summary. This SIA also deals with
the different stages of communication and discussion of the report and describes
the reporting responsibilities of the internal auditor when there is a limitation on
29 hbintauditpro.doc
Page 100 of 141

the scope. The Standard also lays down the reporting responsibilities of the
internal auditor when there is restriction on usage and circulation of the report.

SIA 5 Sampling Issued in August, 2008.

The Standard on Internal Audit (SIA) 5, Sampling provides the guidance


regarding the design and selection of an audit sample and also on the use of the
audit sampling in the internal audit engagements. This SIA also deals with the
evaluation of the sample results. This Standard also provide guidance on the use
of sampling in risk assessment procedures and tests of controls performed by the
internal auditor to obtain an understanding of the entity, business and its
environment, including mechanism of its internal control. The areas covered by
the SIA include design of sample, tolerable and expected error, selection of
sample, evaluation of sample results, analysis of errors in the sample, projection
of errors, reassessing sampling risk. This also describes the internal auditors
documentation requirements in the context of the sampling.

SIA 6 Analytical Procedures Issued in August, 2008.

The Standard on Internal Audit (SIA) 6, Analytical Procedures provides the


guidance regarding the application of analytical procedures during internal
audit. The SIA deals with the aspects such as, the nature and purpose of
analytical procedures, analytical procedures as risk assessment procedures and
in planning the internal audit, analytical procedures as substantive procedures,
analytical procedures in the overall review at the end of the internal audit, extent
of reliance on analytical procedures and investigating unusual items or trends.
SIA 7 Quality Assurance in Internal Audit Issued in August 2008.

29 hbintauditpro.doc
Page 101 of 141

The Standard on Internal Audit (SIA) 7, Quality Assurance in Internal Audit


establishes standards and provide guidance regarding quality assurance in
internal audit. A system for assuring the quality in internal audit should provide
reasonable assurance that the internal auditors comply with professional
standards, regulatory and legal requirements so that the reports issued by them
are appropriate in the circumstances. This Standard provide the guidance to the
person entrusted with the responsibility for the quality of the internal audit
whether in-house internal audit or a firm carrying out internal audit. This
Standard also provide the extensive knowledge about the internal quality
reviews, external quality reviews and communicating the results thereof.
SIA 8 Terms of Internal Audit Engagement Issued in November, 2008
The Terms of engagement defines the scope, authority, responsibilities,
confidentiality, limitation and compensation of the internal auditors. Terms of
Internal Audit Engagement lay down clarity between the internal auditors and
the users of their services for inculcating professionalism and avoiding
misunderstanding as to any aspect of the engagement. This Standard on Internal
Audit (SIA) 8, Terms of Internal Audit Engagement provides guidance in respect
of terms of engagement of the internal audit activity whether carried out in
house or by an external agency. This SIA describes the elements of the terms of
engagement viz, scope, responsibility, authority, confidential, limitations,
reporting, compensation and compliance with Standards.
SIA 9 Communication with Management Issued in January, 2009
The Standard on Internal Audit (SIA) 9, Communication with Management
provides a framework for the internal auditors communication with
management. It identifies some specific matters to be communicated with the
29 hbintauditpro.doc
Page 102 of 141

management as described in the terms of engagement like the internal auditors


responsibilities in relation to the terms of engagement, planned scope and timing
of the internal audit, significant findings from the internal audit. The Standard
also provides the extensive knowledge about the communication process to
make the two-way communication effective like the forms and timing of
communication process. This Standard also provides the guidance the
documentation of the same.
SIA 10 Internal Audit Evidence Issued in January, 2009
The purpose of this Standard is to establish standards on the basic principle that
the internal auditor should obtain sufficient appropriate audit evidence through
compliance and substantive procedures to substantiate his checking and findings
and enable him to draw reasonable conclusions there from. The SIA also explains
the concept of sufficient appropriate internal audit evidence, procedures to be
performed to obtain internal audit evidence namely, inspection, observation,
inquiry and confirmation, Computation and Analytical review.

SIA 11 Consideration of Fraud in an Internal Audit Issued in January, 2009


As the name indicates the purpose of this Standard is to establish Standards on
consideration of fraud in an internal audit. This Standard provides guidance on
the designing and implementation of the internal controls in an entity that would
also help the internal audit to assess the risk of frauds. The Standards also
establishes the responsibilities of the internal auditor relating to the fraud
prevention and detection. The SIA also provide guidance regarding the
communication and documentation of fraud.
SIA 12 Internal Control Evaluation Issued in February, 2009
29 hbintauditpro.doc
Page 103 of 141

The purpose of this Standard on Internal Audit is to establish standards and


provide guidance on the procedures to be followed by the internal auditor in
evaluating the system of internal control in an entity and for communicating
weaknesses therein to those charged with governance. The Standard also
extensively deals with aspects such as meaning and inherent limitations of
internal controls, control environment, risk assessment, tests of control and
communication of weaknesses. The SIA also describes role of the internal auditor
in evaluating internal controls.
SIA 13 Enterprise Risk Management Issued in February, 2009
The purpose of this Standard on Internal Audit is to establish standards and
provide guidance on review of an entitys risk management system during an
internal audit or such other review exercise with the objective of providing an
assurance thereon. The Standard establishes process of enterprise risk
management and the role of the internal auditor. This Standard also provides
guidance regarding the internal audit plan and information which internal
auditor should provide in his report.
SIA 14 Internal Audit in an Information Technology Environment Issued in
February, 2009
The purpose of this Standard on Internal Audit is to establish standards on
procedures to be followed when an internal audit is conducted in an Information
Technology (IT) Environment. This Standard describes skills and competence
needed by the internal auditor to conduct an internal audit in an information
technology environment, factors to consider while planning such an internal

29 hbintauditpro.doc
Page 104 of 141

audit, matters that may effect audit in an IT environment, assessment of risk,


audit procedures, review of the IT environment and Documentation.
SIA 15 Knowledge of the Entity and Its Environment Issued in February, 2009
The purpose of this Standard is to establish standards and provide guidance on
what constitutes the knowledge of an entitys business, its importance to the
various phases of an internal audit engagement and the techniques to be adopted
by the internal auditor in acquiring such knowledge about the client entity and
its environment, prior to commencing an internal audit engagement and
subsequently therafter, at all stages of the internal audit process. This Standard
also sets out the guidelines regarding the application, usage and documentation
of such knowledge by the internal auditor.
SIA 16 Using the Work of an Expert Issued in February, 2009
The purpose of this Standard is to establish standards and provide guidance
where the internal auditor uses the work performed by an expert. The Standard
also explains situations in which the need for using the work of an expert might
arise, factors to consider when deciding whether to use the work of an expert or
not, evaluating the skills and competence and objectivity of an expert,
procedures for evaluating the work of an expert, references to an expert in the
internal auditors report, etc.

9.2 INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE


OF INTERNAL AUDITING (STANDARDS)

These are the standards issued by the Institute of Internal Auditors. Standards

29 hbintauditpro.doc
Page 105 of 141

are principle-focused and provide a framework for performing and promoting


internal auditing. The Standards are mandatory requirements consisting of:
Statements of basic requirements for the professional practice of internal
auditing and for evaluating the effectiveness of its performance. The
requirements are internationally applicable at organizational and
individual levels.
Interpretations, which clarify terms or concepts within the statements.
It is necessary to consider both the statements and their interpretations to
understand and apply the Standards correctly. The Standards employ terms that
have been given specific meanings that are included in the Glossary.

Attribute Standards
1000 Purpose, Authority, and Responsibility
The purpose, authority, and responsibility of the internal audit activity must be
formally defined in an internal audit charter, consistent with the Definition of
Internal Auditing, the Code of Ethics, and the Standards. The chief audit
executive must periodically review the internal audit charter and present it to
senior management and the board for approval.
Interpretation:
The internal audit charter is a formal document that defines the internal audit
activity's purpose, authority, and responsibility. The internal audit charter
establishes the internal audit activity's position within the organization;
authorizes access to records, personnel, and physical properties relevant to the
performance of engagements; and defines the scope of internal audit activities.
Final approval of the internal audit charter resides with the board.
29 hbintauditpro.doc
Page 106 of 141

1000.A1 The nature of assurance services provided to the organization


must be defined in the internal audit charter. If assurances are to be
provided to parties outside the organization, the nature of these
assurances must also be defined in the internal audit charter.

1000 C1 The nature of consulting services must be defined in the internal


audit charter.
1010 Recognition of the Definition of Internal Auditing, the Code of
Ethics, and the Standards in the Internal Audit Charter
The mandatory nature of the Definition of Internal Auditing, the Code of Ethics,
and the Standards must be recognized in the internal audit charter. The chief
audit executive should discuss the Definition of Internal Auditing, the Code of
Ethics, and the Standards with senior management and the board.
1100 Independence and Objectivity
The internal audit activity must be independent, and internal auditors must be
objective in performing their work.
Interpretation:
Independence is the freedom from conditions that threaten the ability of the
internal audit activity or the chief audit executive to carry out internal audit
responsibilities in an unbiased manner. To achieve the degree of independence
necessary to effectively carry out the responsibilities of the internal audit activity,
the chief audit executive has direct and unrestricted access to senior management
and the board. This can be achieved through a dual-reporting relationship.
Threats to independence must be managed at the individual auditor,
engagement, functional, and organizational levels.
29 hbintauditpro.doc
Page 107 of 141

Objectivity is an unbiased mental attitude that allows internal auditors to


perform engagements in such a manner that they believe in their work product
and that no quality compromises are made. Objectivity requires that internal
auditors do not subordinate their judgment on audit matters to others. Threats to
objectivity must be managed at the individual auditor, engagement, functional,
and organizational levels.

1110 Organizational Independence


The chief audit executive must report to a level within the organization that
allows the internal audit activity to fulfill its responsibilities. The chief audit
executive must confirm to the board, at least annually, the organizational
independence of the internal audit activity.

1110.A1 The internal audit activity must be free from interference in


determining the scope of internal auditing, performing work, and
communicating results.
1111 Direct Interaction with the Board
The chief audit executive must communicate and interact directly with the board.

1120 Individual Objectivity


Internal auditors must have an impartial, unbiased attitude and avoid any
conflict of interest.
Interpretation:
Conflict of interest is a situation in which an internal auditor, who is in a
position of trust, has a competing professional or personal interest. Such
competing interests can make it difficult to fulfill his or her duties impartially. A
29 hbintauditpro.doc
Page 108 of 141

conflict of interest exists even if no unethical or improper act results. A conflict of


interest can create an appearance of impropriety that can undermine confidence
in the internal auditor, the internal audit activity, and the profession. A conflict
of interest could impair an individual's ability to perform his or her duties and
responsibilities objectively.

1130 Impairment to Independence or Objectivity


If independence or objectivity is impaired in fact or appearance, the details of the
impairment must be disclosed to appropriate parties.

The nature of the

disclosure will depend upon the impairment.


Interpretation:
Impairment to organizational independence and individual objectivity may
include, but is not limited to, personal conflict of interest, scope limitations,
restrictions on access to records, personnel, and properties, and resource
limitations, such as funding.
The determination of appropriate parties to which the details of an impairment
to independence or objectivity must be disclosed is dependent upon the
expectations of the internal audit activitys and the chief audit executives
responsibilities to senior management and the board as described in the internal
audit charter, as well as the nature of the impairment.
1130.A1 Internal auditors must refrain from assessing specific operations
for which they were previously responsible. Objectivity is presumed to be
impaired if an internal auditor provides assurance services for an activity
for which the internal auditor had responsibility within the previous year.

29 hbintauditpro.doc
Page 109 of 141

1130.A2 Assurance engagements for functions over which the chief audit
executive has responsibility must be overseen by a party outside the
internal audit activity.
1130.C1 Internal auditors may provide consulting services relating to
operations for which they had previous responsibilities.
1130.C2 If internal auditors have potential impairments to independence
or objectivity relating to proposed consulting services, disclosure must be
made to the engagement client prior to accepting the engagement.
1200 Proficiency and Due Professional Care
Engagements must be performed with proficiency and due professional care.

1210 Proficiency
Internal auditors must possess the knowledge, skills, and other competencies
needed to perform their individual responsibilities. The internal audit activity
collectively must possess or obtain the knowledge, skills, and other competencies
needed to perform its responsibilities.

Interpretation:
Knowledge, skills, and other competencies is a collective term that refers to the
professional proficiency required of internal auditors to effectively carry out their
professional responsibilities. Internal auditors are encouraged to demonstrate
their proficiency by obtaining appropriate professional certifications and
qualifications, such as the Certified Internal Auditor designation and other
designations offered by The Institute of Internal Auditors and other appropriate
professional organizations.

29 hbintauditpro.doc
Page 110 of 141

1210.A1 The chief audit executive must obtain competent advice and
assistance if the internal auditors lack the knowledge, skills, or other
competencies needed to perform all or part of the engagement.

1210.A2 Internal auditors must have sufficient knowledge to evaluate


the risk of fraud and the manner in which it is managed by the
organization, but are not expected to have the expertise of a person whose
primary responsibility is detecting and investigating fraud.

1210.A3 Internal auditors must have sufficient knowledge of key


information technology risks and controls and available technology-based
audit techniques to perform their assigned work. However, not all internal
auditors are expected to have the expertise of an internal auditor whose
primary responsibility is information technology auditing.

1210.C1 The chief audit executive must decline the consulting


engagement or obtain competent advice and assistance if the internal
auditors lack the knowledge, skills, or other competencies needed to
perform all or part of the engagement.
1220 Due Professional Care
Internal auditors must apply the care and skill expected of a reasonably prudent
and competent internal auditor. Due professional care does not imply
infallibility.

29 hbintauditpro.doc
Page 111 of 141

1220.A1 Internal auditors must exercise due professional care by


considering the:

Extent of work needed to achieve the engagements objectives;

Relative complexity, materiality, or significance of matters to which


assurance procedures are applied;

Adequacy and effectiveness of governance, risk management, and


control processes;

Probability of significant errors, fraud, or noncompliance; and

Cost of assurance in relation to potential benefits.

1220.A2 In exercising due professional care internal auditors must


consider the use of technology-based audit and other data analysis
techniques.
1220.A3 Internal auditors must be alert to the significant risks that might
affect objectives, operations, or resources. However, assurance procedures
alone, even when performed with due professional care, do not guarantee
that all significant risks will be identified.
1220.C1 Internal auditors must exercise due professional care during a
consulting engagement by considering the:

Needs and expectations of clients, including the nature, timing, and


communication of engagement results;

Relative complexity and extent of work needed to achieve the


engagements objectives; and

Cost of the consulting engagement in relation to potential benefits.

29 hbintauditpro.doc
Page 112 of 141

1230 Continuing Professional Development


Internal auditors must enhance their knowledge, skills, and other competencies
through continuing professional development.
1300 Quality Assurance and Improvement Program
The chief audit executive must develop and maintain a quality assurance and
improvement program that covers all aspects of the internal audit activity.
Interpretation:
A quality assurance and improvement program is designed to enable an
evaluation of the internal audit activitys conformance with the Definition of
Internal Auditing and the Standards and an evaluation of whether internal
auditors apply the Code of Ethics. The program also assesses the efficiency and
effectiveness of the internal audit activity and identifies opportunities for
improvement.
1310 Requirements of the Quality Assurance and Improvement Program
The quality assurance and improvement program must include both internal and
external assessments.

29 hbintauditpro.doc
Page 113 of 141

1311 Internal Assessments


Internal assessments must include:

Ongoing monitoring of the performance of the internal audit activity; and

Periodic reviews performed through self-assessment or by other persons


within the organization with sufficient knowledge of internal audit
practices.

Interpretation:
Ongoing monitoring is an integral part of the day-to-day supervision, review,
and measurement of the internal audit activity. Ongoing monitoring is
incorporated into the routine policies and practices used to manage the internal
audit activity and uses processes, tools, and information considered necessary to
evaluate conformance with the Definition of Internal Auditing, the Code of
Ethics, and the Standards.

Periodic reviews are assessments conducted to evaluate conformance with the


Definition of Internal Auditing, the Code of Ethics, and the Standards.

Sufficient knowledge of internal audit practices requires at least an


understanding of all elements of the International Professional Practices
Framework.
1312 External Assessments
External assessments must be conducted at least once every five years by a
qualified, independent reviewer or review team from outside the organization.
The chief audit executive must discuss with the board:

The need for more frequent external assessments; and

29 hbintauditpro.doc
Page 114 of 141

The qualifications and independence of the external reviewer or review


team, including any potential conflict of interest.

Interpretation:
A qualified reviewer or review team consists of individuals who are competent
in the professional practice of internal auditing and the external assessment
process. The evaluation of the competency of the reviewer and review team is a
judgment that considers the professional internal audit experience and
professional credentials of the individuals selected to perform the review. The
evaluation of qualifications also considers the size and complexity of the
organizations that the reviewers have been associated with in relation to the
organization for which the internal audit activity is being assessed, as well as the
need for particular sector, industry, or technical knowledge.

An independent reviewer or review team means not having either a real or an


apparent conflict of interest and not being a part of, or under the control of, the
organization to which the internal audit activity belongs.
1320 Reporting on the Quality Assurance and Improvement Program
The chief audit executive must communicate the results of the quality assurance
and improvement program to senior management and the board.

29 hbintauditpro.doc
Page 115 of 141

Interpretation:
The form, content, and frequency of communicating the results of the quality
assurance and improvement program is established through discussions with
senior management and the board and considers the responsibilities of the
internal audit activity and chief audit executive as contained in the internal audit
charter. To demonstrate conformance with the Definition of Internal Auditing,
the Code of Ethics, and the Standards, the results of external and periodic
internal assessments are communicated upon completion of such assessments
and the results of ongoing monitoring are communicated at least annually. The
results include the reviewers or review teams assessment with respect to the
degree of conformance.

1321 Use of Conforms with the International Standards for the Professional
Practice of Internal Auditing
The chief audit executive may state that the internal audit activity conforms with
the International Standards for the Professional Practice of Internal Auditing
only if the results of the quality assurance and improvement program support
this statement.
1322 Disclosure of Nonconformance
When nonconformance with the Definition of Internal Auditing, the Code of
Ethics, or the Standards impacts the overall scope or operation of the internal
audit activity, the chief audit executive must disclose the nonconformance and
the impact to senior management and the board.

29 hbintauditpro.doc
Page 116 of 141

Performance Standards
2000 Managing the Internal Audit Activity
The chief audit executive must effectively manage the internal audit activity to
ensure it adds value to the organization.
Interpretation:
The internal audit activity is effectively managed when:

The results of the internal audit activitys work achieve the purpose and
responsibility included in the internal audit charter;

The internal audit activity conforms with the Definition of Internal


Auditing and the Standards; and

The individuals who are part of the internal audit activity demonstrate
conformance with the Code of Ethics and the Standards.

2010 Planning
The chief audit executive must establish risk-based plans to determine the
priorities of the internal audit activity, consistent with the organizations goals.
Interpretation:
The chief audit executive is responsible for developing a risk-based plan. The
chief audit executive takes into account the organizations risk management
framework, including using risk appetite levels set by management for the
different activities or parts of the organization. If a framework does not exist, the
chief audit executive uses his/her own judgment of risks after consultation with
senior management and the board.

29 hbintauditpro.doc
Page 117 of 141

2010.A1 The internal audit activitys plan of engagements must be based


on a documented risk assessment, undertaken at least annually. The input
of senior management and the board must be considered in this process.

2010.C1 The chief audit executive should consider accepting proposed


consulting engagements based on the engagements potential to improve
management of risks, add value, and improve the organizations
operations. Accepted engagements must be included in the plan.
2020 Communication and Approval
The chief audit executive must communicate the internal audit activitys plans
and resource requirements, including significant interim changes, to senior
management and the board for review and approval. The chief audit executive
must also communicate the impact of resource limitations.

2030 Resource Management


The chief audit executive must ensure that internal audit resources are
appropriate, sufficient, and effectively deployed to achieve the approved plan.

29 hbintauditpro.doc
Page 118 of 141

Interpretation:
Appropriate refers to the mix of knowledge, skills, and other competencies
needed to perform the plan. Sufficient refers to the quantity of resources needed
to accomplish the plan. Resources are effectively deployed when they are used in
a way that optimizes the achievement of the approved plan.

2040 Policies and Procedures


The chief audit executive must establish policies and procedures to guide the
internal audit activity.

Interpretation:
The form and content of policies and procedures are dependent upon the size
and structure of the internal audit activity and the complexity of its work.

2050 Coordination
The chief audit executive should share information and coordinate activities with
other internal and external providers of assurance and consulting services to
ensure proper coverage and minimize duplication of efforts.

2060 Reporting to Senior Management and the Board


The chief audit executive must report periodically to senior management and the
board on the internal audit activitys purpose, authority, responsibility, and
performance relative to its plan. Reporting must also include significant risk
exposures and control issues, including fraud risks, governance issues, and other
matters needed or requested by senior management and the board.
Interpretation:
The frequency and content of reporting are determined in discussion with senior
management and the board and depend on the importance of the information to
29 hbintauditpro.doc
Page 119 of 141

be communicated and the urgency of the related actions to be taken by senior


management or the board.

2100 Nature of Work


The internal audit activity must evaluate and contribute to the improvement of
governance, risk management, and control processes using a systematic and
disciplined approach.
2110 Governance
The internal audit activity must assess and make appropriate recommendations
for improving the governance process in its accomplishment of the following
objectives:

Promoting appropriate ethics and values within the organization;

Ensuring

effective

organizational

performance

management

and

accountability;

Communicating risk and control information to appropriate areas of the


organization; and

Coordinating the activities of and communicating information among the


board, external and internal auditors, and management.
2110.A1 The internal audit activity must evaluate the design,
implementation, and effectiveness of the organizations ethics-related
objectives, programs, and activities.
2110.A2 The internal audit activity must assess whether the information
technology governance of the organization sustains and supports the
organizations strategies and objectives.

29 hbintauditpro.doc
Page 120 of 141

2110.C1 Consulting engagement objectives must be consistent with the


overall values and goals of the organization.

2120 Risk Management


The internal audit activity must evaluate the effectiveness and contribute to the
improvement of risk management processes.
Interpretation:
Determining whether risk management processes are effective is a judgment
resulting from the internal auditors assessment that:

Organizational objectives support and align with the organizations


mission;

Significant risks are identified and assessed;

Appropriate risk responses are selected that align risks with the
organizations risk appetite; and

Relevant risk information is captured and communicated in a timely


manner across the organization, enabling staff, management, and the
board to carry out their responsibilities.

Risk management processes are monitored through ongoing management


activities, separate evaluations, or both.

2120.A1 The internal audit activity must evaluate risk exposures relating
to the organizations governance, operations, and information systems
regarding the:

Reliability and integrity of financial and operational information.

Effectiveness and efficiency of operations.

29 hbintauditpro.doc
Page 121 of 141

Safeguarding of assets; and

Compliance with laws, regulations, and contracts.

2120.A2 The internal audit activity must evaluate the potential for the
occurrence of fraud and how the organization manages fraud risk.
2120.C1 During consulting engagements, internal auditors must address
risk consistent with the engagements objectives and be alert to the
existence of other significant risks.

2120.C2 Internal auditors must incorporate knowledge of risks gained


from consulting engagements into their evaluation of the organizations
risk management processes.
2120.C3 When assisting management in establishing or improving risk
management processes, internal auditors must refrain from assuming any
management responsibility by actually managing risks.
2130 Control
The internal audit activity must assist the organization in maintaining effective
controls by evaluating their effectiveness and efficiency and by promoting
continuous improvement.
2130.A1 he internal audit activity must evaluate the adequacy and
effectiveness of controls in responding to risks within the organizations
governance, operations, and information systems regarding the:

Reliability and integrity of financial and operational information;

Effectiveness and efficiency of operations;

29 hbintauditpro.doc
Page 122 of 141

Safeguarding of assets; and

Compliance with laws, regulations, and contracts.

2130.A2 Internal auditors should ascertain the extent to which operating


and program goals and objectives have been established and conform to
those of the organization.
2130.A3 Internal auditors should review operations and programs to
ascertain the extent to which results are consistent with established goals
and objectives to determine whether operations and programs are being
implemented or performed as intended.
2130.C1 During consulting engagements, internal auditors must address
controls consistent with the engagements objectives and be alert to
significant control issues.
2130.C2 Internal auditors must incorporate knowledge of controls
gained from consulting engagements into evaluation of the organizations
control processes.
2200 Engagement Planning
Internal auditors must develop and document a plan for each engagement,
including the engagements objectives, scope, timing, and resource allocations.
2201 Planning Considerations
In planning the engagement, internal auditors must consider:

The objectives of the activity being reviewed and the means by which
the activity controls its performance;

29 hbintauditpro.doc
Page 123 of 141

The significant risks to the activity, its objectives, resources, and


operations and the means by which the potential impact of risk is kept
to an acceptable level;

The adequacy and effectiveness of the activitys risk management and


control processes compared to a relevant control framework or model;
and

The opportunities for making significant improvements to the


activitys risk management and control processes.

2201.A1 When planning an engagement for parties outside the


organization, internal auditors must establish a written understanding
with them about objectives, scope, respective responsibilities, and other
expectations, including restrictions on distribution of the results of the
engagement and access to engagement records.
2201.C1 Internal auditors must establish an understanding with
consulting engagement clients about objectives, scope, respective
responsibilities,

and

other

client

expectations.

For

significant

engagements, this understanding must be documented.


2210 Engagement Objectives
Objectives must be established for each engagement.
2210.A1 Internal auditors must conduct a preliminary assessment of the
risks relevant to the activity under review. Engagement objectives must
reflect the results of this assessment.

29 hbintauditpro.doc
Page 124 of 141

2210.A2 Internal auditors must consider the probability of significant


errors, fraud, noncompliance, and other exposures when developing the
engagement objectives.
2210.A3 Adequate criteria are needed to evaluate controls. Internal
auditors must ascertain the extent to which management has established
adequate criteria to determine whether objectives and goals have been
accomplished. If adequate, internal auditors must use such criteria in their
evaluation. If inadequate, internal auditors must work with management
to develop appropriate evaluation criteria.
2210.C1 Consulting engagement objectives must address governance,
risk management, and control processes to the extent agreed upon with
the client.
2220 Engagement Scope
The established scope must be sufficient to satisfy the objectives of the
engagement.
2220.A1 The scope of the engagement must include consideration of
relevant systems, records, personnel, and physical properties, including
those under the control of third parties.
2220.A2 If significant consulting opportunities arise during an assurance
engagement, a specific written understanding as to the objectives, scope,
respective responsibilities, and other expectations should be reached and
the results of the consulting engagement communicated in accordance
with consulting standards.

29 hbintauditpro.doc
Page 125 of 141

2220.C1 In performing consulting engagements, internal auditors must


ensure that the scope of the engagement is sufficient to address the
agreed-upon objectives. If internal auditors develop reservations about the
scope during the engagement, these reservations must be discussed with
the client to determine whether to continue with the engagement.
2230 Engagement Resource Allocation
Internal auditors must determine appropriate and sufficient resources to achieve
engagement objectives based on an evaluation of the nature and complexity of
each engagement, time constraints, and available resources.

29 hbintauditpro.doc
Page 126 of 141

2240 Engagement Work Program


Internal auditors must develop and document work programs that achieve the
engagement objectives.
2240.A1 Work programs must include the procedures for identifying,
analyzing,

evaluating,

and

documenting

information

during

the

engagement. The work program must be approved prior to its


implementation, and any adjustments approved promptly.
2240.C1 Work programs for consulting engagements may vary in form
and content depending upon the nature of the engagement.
2300 Performing the Engagement
Internal auditors must identify, analyze, evaluate, and document sufficient
information to achieve the engagements objectives.
2310 Identifying Information
Internal auditors must identify sufficient, reliable, relevant, and useful
information to achieve the engagements objectives.
Interpretation:
Sufficient information is factual, adequate, and convincing so that a prudent,
informed person would reach the same conclusions as the auditor. Reliable
information is the best attainable information through the use of appropriate
engagement

techniques.

Relevant

information

supports

engagement

observations and recommendations and is consistent with the objectives for the
engagement. Useful information helps the organization meet its goals.
2320 Analysis and Evaluation
29 hbintauditpro.doc
Page 127 of 141

Internal auditors must base conclusions and engagement results on appropriate


analyses and evaluations.
2330 Documenting Information
Internal auditors must document relevant information to support the conclusions
and engagement results.
2330.A1 The chief audit executive must control access to engagement
records. The chief audit executive must obtain the approval of senior
management and/or legal counsel prior to releasing such records to
external parties, as appropriate.
2330.A2 The chief audit executive must develop retention requirements
for engagement records, regardless of the medium in which each record is
stored. These retention requirements must be consistent with the
organizations guidelines and any pertinent regulatory or other
requirements.
2330.C1 The chief audit executive must develop policies governing the
custody and retention of consulting engagement records, as well as their
release to internal and external parties. These policies must be consistent
with the organizations guidelines and any pertinent regulatory or other
requirements.

29 hbintauditpro.doc
Page 128 of 141

2340 Engagement Supervision


Engagements must be properly supervised to ensure objectives are achieved,
quality is assured, and staff is developed.
Interpretation:
The extent of supervision required will depend on the proficiency and
experience of internal auditors and the complexity of the engagement. The chief
audit executive has overall responsibility for supervising the engagement,
whether performed by or for the internal audit activity, but may designate
appropriately experienced members of the internal audit activity to perform the
review. Appropriate evidence of supervision is documented and retained.
2400 Communicating Results
Internal auditors must communicate the engagement results.
2410 Criteria for Communicating
Communications must include the engagements objectives and scope as well as
applicable conclusions, recommendations, and action plans.
2410.A1 Final communication of engagement results must, where
appropriate,

contain

internal

auditors

overall

opinion

and/or

conclusions.
2410.A2 Internal auditors are encouraged to acknowledge satisfactory
performance in engagement communications.
2410.A3 When releasing engagement results to parties outside the
organization, the communication must include limitations on distribution
and use of the results.
29 hbintauditpro.doc
Page 129 of 141

2410.C1 Communication of the progress and results of consulting


engagements will vary in form and content depending upon the nature of
the engagement and the needs of the client.
2420 Quality of Communications
Communications must be accurate, objective, clear, concise, constructive,
complete, and timely.
Interpretation:
Accurate communications are free from errors and distortions and are faithful to
the underlying facts. Objective communications are fair, impartial, and unbiased
and are the result of a fair-minded and balanced assessment of all relevant facts
and circumstances. Clear communications are easily understood and logical,
avoiding unnecessary technical language and providing all significant and
relevant information. Concise communications are to the point and avoid
unnecessary elaboration, superfluous detail, redundancy, and wordiness.
Constructive communications are helpful to the engagement client and the
organization

and

lead

to

improvements

where

needed.

Complete

communications lack nothing that is essential to the target audience and include
all

significant

and

relevant

information

and

observations

to

support

recommendations and conclusions. Timely communications are opportune and


expedient, depending on the significance of the issue, allowing management to
take appropriate corrective action.

29 hbintauditpro.doc
Page 130 of 141

2421 Errors and Omissions


If a final communication contains a significant error or omission, the chief audit
executive must communicate corrected information to all parties who received
the original communication.
2430 Use of Conducted in Conformance with the International Standards
for the Professional Practice of Internal Auditing
Internal auditors may report that their engagements are conducted in
conformance with the International Standards for the Professional Practice of
Internal Auditing, only if the results of the quality assurance and improvement
program support the statement.
2431 Engagement Disclosure of Nonconformance
When nonconformance with the Definition of Internal Auditing, the Code of
Ethics or the Standards impacts a specific engagement, communication of the
results must disclose the:

Principle or rule of conduct of the Code of Ethics or Standard(s) with


which full conformance was not achieved;

Reason(s) for nonconformance; and

Impact of nonconformance on the engagement and the communicated


engagement results.

2440 Disseminating Results


The chief audit executive must communicate results to the appropriate parties.
Interpretation:

29 hbintauditpro.doc
Page 131 of 141

The chief audit executive or designee reviews and approves the final engagement
communication before issuance and decides to whom and how it will be
disseminated.
2440.A1 The chief audit executive is responsible for communicating the
final results to parties who can ensure that the results are given due
consideration.
2440.A2 If not otherwise mandated by legal, statutory, or regulatory
requirements, prior to releasing results to parties outside the organization
the chief audit executive must:

Assess the potential risk to the organization;

Consult with senior management and/or legal counsel as


appropriate; and

Control dissemination by restricting the use of the results.

2440.C1 The chief audit executive is responsible for communicating the


final results of consulting engagements to clients.
2440.C2 During consulting engagements, governance, risk management,
and control issues may be identified. Whenever these issues are significant
to the organization, they must be communicated to senior management
and the board.
2500 Monitoring Progress
The chief audit executive must establish and maintain a system to monitor the
disposition of results communicated to management.

29 hbintauditpro.doc
Page 132 of 141

2500.A1 The chief audit executive must establish a follow-up process to


monitor and ensure that management actions have been effectively
implemented or that senior management has accepted the risk of not
taking action.
2500.C1 The internal audit activity must monitor the disposition of
results of consulting engagements to the extent agreed upon with the
client.
2600 Resolution of Senior Managements Acceptance of Risks
When the chief audit executive believes that senior management has accepted a
level of residual risk that may be unacceptable to the organization, the chief audit
executive must discuss the matter with senior management. If the decision
regarding residual risk is not resolved, the chief audit executive must report the
matter to the board for resolution.

29 hbintauditpro.doc
Page 133 of 141

Glossary
Add Value
Value is provided by improving opportunities to achieve organizational
objectives, identifying operational improvement, and/or reducing risk exposure
through both assurance and consulting services.
Adequate Control
Present if management has planned and organized (designed) in a manner that
provides reasonable assurance that the organizations risks have been managed
effectively and that the organizations goals and objectives will be achieved
efficiently and economically.
Assurance Services
An objective examination of evidence for the purpose of providing an
independent assessment on governance, risk management, and control processes
for the organization. Examples may include financial, performance, compliance,
system security, and due diligence engagements.
Board
A board is an organizations governing body, such as a board of directors,
supervisory board, head of an agency or legislative body, board of governors or
trustees of a nonprofit organization, or any other designated body of the
organization, including the audit committee to whom the chief audit executive
may functionally report.
Charter
The internal audit charter is a formal document that defines the internal audit
activitys purpose, authority, and responsibility. The internal audit charter
29 hbintauditpro.doc
Page 134 of 141

establishes the internal audit activitys position within the organization;


authorizes access to records, personnel, and physical properties relevant to the
performance of engagements; and defines the scope of internal audit activities.
Chief Audit Executive
Chief audit executive is a senior position within the organization responsible for
internal audit activities. Normally, this would be the internal audit director. In
the case where internal audit activities are obtained from external service
providers, the chief audit executive is the person responsible for overseeing the
service contract and the overall quality assurance of these activities, reporting to
senior management and the board regarding internal audit activities, and followup of engagement results. The term also includes titles such as general auditor,
head of internal audit, chief internal auditor, and inspector general.
Code of Ethics
The Code of Ethics of The Institute of Internal Auditors (IIA) are Principles
relevant to the profession and practice of internal auditing, and Rules of Conduct
that describe behavior expected of internal auditors. The Code of Ethics applies
to both parties and entities that provide internal audit services. The purpose of
the Code of Ethics is to promote an ethical culture in the global profession of
internal auditing.
Compliance
Adherence to policies, plans, procedures, laws, regulations, contracts, or other
requirements.
Conflict of Interest

29 hbintauditpro.doc
Page 135 of 141

Any relationship that is, or appears to be, not in the best interest of the
organization. A conflict of interest would prejudice an individuals ability to
perform his or her duties and responsibilities objectively.
Consulting Services
Advisory and related client service activities, the nature and scope of which are
agreed with the client, are intended to add value and improve an organizations
governance, risk management, and control processes without the internal auditor
assuming management responsibility. Examples include counsel, advice,
facilitation, and training.
Control
Any action taken by management, the board, and other parties to manage risk
and increase the likelihood that established objectives and goals will be achieved.
Management plans, organizes, and directs the performance of sufficient actions
to provide reasonable assurance that objectives and goals will be achieved.
Control Environment
The attitude and actions of the board and management regarding the significance
of control within the organization. The control environment provides the
discipline and structure for the achievement of the primary objectives of the
system of internal control. The control environment includes the following
elements:

Integrity and ethical values.

Managements philosophy and operating style.

Organizational structure.

Assignment of authority and responsibility.

Human resource policies and practices.

29 hbintauditpro.doc
Page 136 of 141

Competence of personnel.

Control Processes
The policies, procedures, and activities that are part of a control framework,
designed to ensure that risks are contained within the risk tolerances established
by the risk management process.
Engagement
A specific internal audit assignment, task, or review activity, such as an internal
audit, control self-assessment review, fraud examination, or consultancy. An
engagement may include multiple tasks or activities designed to accomplish a
specific set of related objectives.
Engagement Objectives
Broad statements developed by internal auditors that define intended
engagement accomplishments.
Engagement Work Program
A document that lists the procedures to be followed during an engagement,
designed to achieve the engagement plan.

29 hbintauditpro.doc
Page 137 of 141

External Service Provider


A person or firm outside of the organization that has special knowledge, skill,
and experience in a particular discipline.
Fraud
Any illegal act characterized by deceit, concealment, or violation of trust. These
acts are not dependent upon the threat of violence or physical force. Frauds are
perpetrated by parties and organizations to obtain money, property, or services;
to avoid payment or loss of services; or to secure personal or business advantage.
Governance
The combination of processes and structures implemented by the board to
inform, direct, manage, and monitor the activities of the organization toward the
achievement of its objectives.
Impairment
Impairment to organizational independence and individual objectivity may
include personal conflict of interest, scope limitations, restrictions on access to
records, personnel, and properties, and resource limitations (funding).
Independence
The freedom from conditions that threaten objectivity or the appearance of
objectivity. Such threats to objectivity must be managed at the individual
auditor, engagement, functional, and organizational levels.
Information Technology Controls
Controls that support business management and governance as well as provide
general and technical controls over information technology infrastructures such
as applications, information, infrastructure, and people.
29 hbintauditpro.doc
Page 138 of 141

Information Technology Governance


Consists of the leadership, organizational structures, and processes that ensure
that the enterprises information technology sustains and supports the
organizations strategies and objectives.

Internal Audit Activity


A department, division, team of consultants, or other practitioner(s) that
provides independent, objective assurance and consulting services designed to
add value and improve an organizations operations. The internal audit activity
helps an organization accomplish its objectives by bringing a systematic,
disciplined approach to evaluate and improve the effectiveness of governance,
risk management and control processes.
International Professional Practices Framework
The

conceptual

framework

that

organizes

the

authoritative

guidance

promulgated by The IIA. Authoritative Guidance is comprised of two categories


(1) mandatory and (2) strongly recommended.

Must
The Standards use the word must to specify an unconditional requirement.
Objectivity
An unbiased mental attitude that allows internal auditors to perform
engagements in such a manner that they have an honest belief in their work
product and that no significant quality compromises are made. Objectivity
requires internal auditors not to subordinate their judgment on audit matters to
others.

29 hbintauditpro.doc
Page 139 of 141

Residual Risk
The risk remaining after management takes action to reduce the impact and
likelihood of an adverse event, including control activities in responding to a
risk.
Risk
The possibility of an event occurring that will have an impact on the achievement
of objectives. Risk is measured in terms of impact and likelihood.
Risk Appetite
The level of risk that an organization is willing to accept.

Risk Management
A process to identify, assess, manage, and control potential events or situations
to provide reasonable assurance regarding the achievement of the organizations
objectives.

Should
The Standards use the word should where conformance is expected unless,
when applying professional judgment, circumstances justify deviation.
Significance
The relative importance of a matter within the context in which it is being
considered, including quantitative and qualitative factors, such as magnitude,
nature, effect, relevance, and impact. Professional judgment assists internal
auditors when evaluating the significance of matters within the context of the
relevant objectives.
Standard
29 hbintauditpro.doc
Page 140 of 141

A professional pronouncement promulgated by the Internal Audit Standards


Board that delineates the requirements for performing a broad range of internal
audit activities, and for evaluating internal audit performance.
Technology-based Audit Techniques
Any automated audit tool, such as generalized audit software, test data
generators, computerized audit programs, specialized audit utilities, and
computer-assisted audit techniques (CAATs).

***

29 hbintauditpro.doc
Page 141 of 141

You might also like

pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy