17129338 internal-audit-manual

4,323 views
4,214 views

Published on

Published in: Education
0 Comments
4 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
4,323
On SlideShare
0
From Embeds
0
Number of Embeds
3
Actions
Shares
0
Downloads
294
Comments
0
Likes
4
Embeds 0
No embeds

No notes for slide

17129338 internal-audit-manual

  1. 1. ABC Company InternalAudit Manual1|Page
  2. 2. General DefinitionofInternalAuditInternalAuditis a central administrative unit ofABC Company. InternalAuditreports operationallyto theVice PresidentFinance withdotted linerepresentation to the ABC CompanyBoardof Directors. InternalAudits coverageand service extendstoall company entities. InternalAudit is also acontrol whichfunctionsbyexaminingand evaluating the adequacyandeffectivenessof othercontrolsthroughout ABC Companyfor managers, the Board of Directors, and external auditors.Finally,InternalAudit providesassistance to the external auditors in their performance of the annual auditsof ABCCompanyfinancial statements.CHARTERINTRODUCTIONABC Companysupports InternalAuditas an independent appraisalfunctionto examine and evaluateABC Companyactivities asa serviceto management andtotheBoardof Directors.The missionof InternalAuditis to support managers of ABC Companyinthe effective discharge of their responsibilities.To thisend, InternalAuditwillfurnish themwith analyses, recommendations, counsel,andinformation concerning the activitiesexamined.ORGANIZATIONAND BOARD REPORTINGTheDirector of InternalAuditshallreportto theVice PresidentFinance withdotted line reporting to theAuditCommittee.TheAudit Committeeshallhave final approval of the hiring, firing, and salarychangesfor theDirector ofInternalAudit.Annually,the Director of InternalAuditshall submit to the Boardof Directors a written report on the internal auditactivityduring the preceding fiscalyear.TheDirector shall also make an oral report to the Audit Committee.TheDirector of InternalAuditshallmakea written reportto the Audit Committee whenever there is evidenceof defalcations orother problems exceeding€25,000. In addition,if the circumstanceseverwarrantsuch action, the Director of InternalAuditmaycircumventnormal ABC Companyreporting lines and communicate directlywith theAudit Committee.AUTHORIZATIONAND RESPONSIBILITIESInternalAudithas the authoritytoaudit all parts of ABC Companyandshall have full and completeaccessto anyof theorganizationsrecords, physical properties, and personnel relevant tothe performance of anaudit. Documents and informationgivento internal auditors during a periodicreviewwill be handled in the same prudent manneras bythose employeesnormallyaccountable for them.InternalAuditshall have no direct responsibilityor authorityfor anyof the activitiesor operations theyreview.Theyshouldnotdevelopand installprocedures,prepare records, or engage in activities that would normallybe reviewed byinternalauditors.Furthermore, an internal audit does not inanywayrelieve other persons in ABC Companyof theresponsibilitiesassignedtothem.REPORTING RESPONSIBILITIESAwritten reportshallbe prepared and issued bytheDirector of InternalAuditatthe conclusion of everyaudit. Copiesof thereportshall be distributed as appropriate.The managerof theentityreceiving the reportshallrespond withinthirtydaysandforwarda copy of the response tothose included on thedistributionlist.Theresponseshall indicate what actions were takenregardingspecificreport findings and recommendations Themanager receiving the report is responsiblefor ensuringthatprogress is made toward correcting anyunsatisfactoryconditions.InternalAudit is responsiblefor determiningwhether theactiontakenis adequate to resolve auditfindings. If the actionis not adequate, Internal Auditshallinform ABCCompanymanagement of the potential risk and exposure in allowing the unsatisfactoryconditionsto continue.2|Page
  3. 3. MISSION OBJECTIVEInternalAudits objectivesin accomplishing its mission shallinclude the following: Determine the accuracyand proprietyof financial transactions Evaluatefinancial andoperational procedures for adequacyof internal controls and provide advice andguidance on control aspectsof new policies, systems, processes, and procedures Verifythe existence of ABC Companyassetsand ensurethatproper safeguardsare maintained to protect themfromloss Determine the level of compliance withABC Companypolicies and procedures,and laws and regulations Evaluatethe accuracy,effectiveness, and efficiencyof ABC Companys electronic information andprocessingsystems Determine the effectivenessand efficiencyof the auditedentitiesinaccomplishing their mission and identifyoperational opportunitiesfor costsavings and revenue enhancements Coordinate audit efforts with, andprovide assistance to, the external auditors Investigate fiscal misconductSTANDARDSAND ETHICSIn all of its activities, InternalAudit will adhere to GenerallyAcceptedAuditingStandards and the Code of Ethics adoptedbythe Institute of InternalAuditors.MISSION STATEMENT/OBJECTIVES/VALUESMISSION STATEMENTInternalAuditexists to support theBoard of Directorsin the effective dischargeof their responsibilities.Using ourknowledgeandprofessional judgement,we willprovide an independent appraisalof ABC Companys financial, operational, andcontrol activities.We willreport on the adequacyof internal controls, the accuracyand proprietyof transactions, the extent towhichassets areaccounted for and safeguarded, and the level of compliance with companypolicies and government lawsandregulations.Additionally,we willprovide analyses, recommendations, counsel, and informationconcerning theactivitiesreviewed.OUR OBJECTIVES INACCOMPLISHING OUR MISSIONINCLUDETHE FOLLOWING: Determine the accuracyand proprietyof financial transactions Evaluatefinancial andoperational procedures for adequacyof internal controls and provide advice andguidance on control aspectsof new policies, systems, processes, and procedure Verifythe existence of ABC Companyassetsand ensurethatproper safeguardsare maintained to protect themfromloss Determine the level of compliance withABC Companypolicies and procedures,laws and regulations Evaluatethe accuracy,effectiveness, and efficiencyof ABC Companys electronic information andprocessingsystems Determine the effectivenessand efficiencyof audited entitiesinaccomplishingtheir mission and identifyoperational opportunities for cost savings and revenue enhancements Provide assistance and a coordinated audit effort with the external auditors Investigate fiscal misconductVALUESIn carryingout our mission, we share certain beliefs and values. Our primaryfocus is toprovide excellent service toABC Company. Our examinations shall be performedin3|Page
  4. 4. accordance withapplicable GenerallyAcceptedAuditing Standards. Weare committed tothe highest degree of fairness,integrity,andethical conduct in the performanceof our mission.Wewilladhere to the Code of Ethics as established by the Institute of InternalAuditors. Furthermore, we willnot issue a reportwithoutfirst allowing the recipient the opportunityto review,challenge, question, and respond to our findings and conclusions. Our relationships with ABC Companyemployees willbe characterised byrespect, helpfulness,sharing,patience, and openness. Weare committed tomaintaining our professionalismas internal auditors through continuance of our education and training. Although we area part ofABC Companywe are committed tomaintaining our independence indefining the scope andobjectives of our examinations.GENERALLYACCEPTEDAUDITINGSTANDARDS100 INDEPENDENCEInternal auditorsshouldbe independent of the activities theyaudit. Internal auditorsare independent when theycan carryout their work freelyand objectively.Independence permits internal auditorstorender the impartial and unbiasedjudgments essential to the properconductof audits. It is achieved through organizational status and objectivity.110 ORGANIZATIONALSTATUSThe organizationalstatusof theinternal auditing department should be sufficient to permitthe accomplishment of its auditresponsibilities. Internal auditorsshouldhave the supportof managementand of the board of directors so that theycan gain the cooperation of audited entitiesand performtheir work free from interference. 1. The director of the internalauditing departmentshouldbe responsible to an individual in the organizationwithsufficient authorityto promote independence andto ensure broad audit coverage, adequate consideration of audit reports, and appropriate action on audit recommendations. 2. The director should have direct communicationwith the board. Regular communication withthe board helps assure independence and providesa means for theboard and the director to keep each other informed on matters of mutual interest. 3. Independence is enhanced when theboard concurs in the appointmentor removalof thedirector of the internal auditing department. 4. The purpose, authority,and responsibilityof theinternal auditing department shouldbe defined in a formal written document (charter).Thedirector should seek approval of the charter bymanagement as wellas acceptance bythe board.The charter should (a)establish the departments positionwithinthe organization; (b) authorizeaccess to records, personnel,and physical properties relevant tothe performance of audits;and(c) define the scope of internal auditing activities. 5. The director of internal auditing should submitannuallyto management for approval and to the board for its information a summaryof the departments audit work schedule, staffingplan, and financial budget.The director should also submitall significant interimchangesfor approval and information.Audit work schedules, staffing plans,and financialbudgets shouldinform managementand the board of the scope of internal auditing work and of any limitations placed on that scope. 6. The director of internal auditing should submitactivityreports to management and to the board annuallyor morefrequentlyas necessary.Activityreports shouldhighlight significant audit findings and recommendations and should inform management andthe boardof anysignificant deviationsfromapproved audit work schedules, staffing plans, andfinancial budgets, and thereasons for them.120 OBJECTIVITYInternal auditorsshouldbe objective in performingaudit. Objectivityis an independent mental attitude whichinternal auditors should maintain in performing audits.Internal4|Page
  5. 5. auditorsare not tosubordinate their judgmenton audit matters to that of others. Objectivityrequiresinternal auditorstoperformaudits in such a manner that theyhave an honest belief intheir work productand that no significant qualitycompromises are made.Internal auditorsare not tobe placed in situations in whichtheyfeel unable to makeobjective professional judgments. 1. Staff assignments should bemadeso that potential and actual conflicts of interest and bias are avoided.The director should periodicallyobtain fromthe audit staff information concerning potential conflictsof interest and bias. 2. Internal auditorsshouldreport to the director anysituationsinwhicha conflict of interest or bias is presentor mayreasonablybe inferred.The director should then reassignsuch auditors. 3. Staff assignments of internal auditorsshouldbe rotatedperiodicallywhenever it is practicable to do so. 4. Internal auditorsshouldnot assumeoperating responsibilities. But if on occasion managementdirectsinternal auditorstoperformnon-auditwork, it shouldbe understood that theyare notfunctioning as internal auditors. Moreover, objectivityis presumedto be impaired when internal auditors audit anyactivityfor which theyhad authorityor responsibility.This impairment shouldbe considered whenreporting audit results. 5. Persons transferredto or temporarilyengaged bythe internal auditing departmentshouldnot be assignedtoaudit those activities theypreviously performeduntil a reasonable period of timehas elapsed.Such assignments are presumed toimpairobjectivityand should beconsideredwhen supervisingthe audit work andreporting auditresults. 6. The resultsof internal auditing work should be reviewed before the related audit report is releasedtoprovide reasonable assurancethatthe work was performedobjectively. The internal auditorsobjectivityis notadverselyaffectedwhen the auditor recommends standardsof controlfor systems or reviewsproceduresbeforetheyare implemented. Designing,installing, and operating systems arenot audit functions. Also, the drafting of proceduresfor systems is not an audit function. Performing such activities is presumed toimpairaudit objectivity.200 PROFESSIONALPROFICIENCYInternal auditsshouldbe performedwith proficiencyanddue professional care. Professional proficiencyis the responsibilityof theinternal auditingdepartment and each internal auditor.Thedepartment should assign toeachaudit those persons who collectivelypossess thenecessaryknowledge,skills, and disciplinesto conduct the audit properly.210 STAFFINGThe internal auditing departmentshouldprovide assurance that the technical proficiencyand educational background ofinternal auditorsare appropriate for the auditstobe performed. The director of internal auditing should establish suitable criteria of education and experience for filling internal auditing positions, giving dueconsideration to scope of work andlevel of responsibility. Reasonable assurance should be obtainedas toeach prospective auditors qualifications and proficiency.220 KNOWLEDGE,SKILLS,AND DISCIPLINESThe internal auditing departmentshouldpossess or shouldobtain the knowledge, skills, and disciplines needed to carryout itsaudit responsibilities.5|Page
  6. 6. The internal auditing staff should collectivelypossess the knowledgeand skills essential to the practice of the profession withinthe organization.Theseattributes include proficiencyinapplyinginternal auditing standards, procedures,and techniques. The internal auditing departmentshouldhave employees or use consultants who are qualified in suchdisciplines as accounting, economics, finance, statistics,electronic data processing,engineering, taxation, and law as needed to meet audit responsibilities.Each member of thedepartment,however,need notbe qualifiedin all of thesedisciplines.230 SUPERVISIONThe internal auditing departmentshouldprovide assurance that internal audits are properly supervised. The director of internal auditing is responsible for providing appropriate audit supervision. Supervisionis acontinuing process, beginningwith planning and ending with the conclusion of the audit assignment. Supervisionincludes: 1. Providing suitable instructions tosubordinates atthe outset of the audit and approving the audit program. 2. Seeingthat the approved audit programis carried out unless deviationsare both justified andauthorized. 3. Determining that audit working papers adequatelysupport theauditfindings, conclusions,andreports. 4. Making sure that audit reports areaccurate, objective, clear, concise, constructive, and timely. 5. Determining that audit objectives are being met. Appropriate evidenceof supervisionshould be documented and retained. The extent of supervisionrequired willdepend on the proficiencyof the internal auditorsandthe difficultyof the audit assignment. All internal auditing assignments, whetherperformedbyor for the internal auditing department,remainthe responsibilityof its director.240 COMPLIANCEWITH STANDARDS OFCONDUCTInternal auditorsshouldcomplywithprofessional standardsof conduct. The Codeof EthicsofTheInstitute of InternalAuditorssets forth standardsof conduct and provides abasis for enforcement amongits members.The Code calls for high standardsof honesty,objectivity,diligence, and loyaltyto whichinternal auditors shouldconform.250 KNOWLEDGE,SKILLS,AND DISCIPLINESInternal auditorsshouldpossess the knowledge,skills, and disciplinesessential to the performance of internal audits. Each internal auditor should possess certain knowledge and skillsas follows: 1. Proficiencyin applying internal auditing standards,procedures,and techniques is required in performinginternal audits. Proficiencymeansthe abilityto apply knowledge tosituations likelyto be encountered and to deal with themwithout extensive recoursetotechnical researchandassistance. 2. Proficiencyin accounting principles and techniques is required of auditors who work extensivelywith financial records and reports. 3. An understanding of management principlesis required torecognizeand evaluate the materialityand significance of deviations from good business practice.An understanding means the abilityto applybroad knowledgeto situations likelyto beencountered,to recognizesignificant deviations, and to be able to carryout the researchnecessaryto arrive at reasonable solutions. 4. An appreciation is required of the fundamentalsof such subjects as accounting, economics, commercial law,taxation, finance, quantitative methods, and computerizedinformationsystems.An appreciation means theabilityto recognizethe existence of problems or potential problems and to determine the further research to beundertaken or the assistance to beobtained.6|Page
  7. 7. 260 HUMAN RELATIONSAND COMMUNICATIONSInternal auditorsshouldbe skilled in dealing withpeopleand in communicating effectively. Internal auditorsshouldunderstand humanrelations and maintain satisfactory relationships with audited entities. Internal auditorsshouldbe skilled in oral and written communications so thattheycan clearlyand effectivelyconveysuchmatters as auditobjectives, evaluations, conclusions,andrecommendations.270 CONTINUING EDUCATIONInternal auditorsshouldmaintain their technical competence throughcontinuing education. Internal auditorsare responsible for continuing their education in orderto maintain their proficiency.Theyshouldkeep informed aboutimprovements and current developments ininternal auditing standards,procedures, and techniques. Continuing education maybe obtained throughmembershipand participation in professional societies; attendance at conferences, seminars, college courses, andin-house training programs; andparticipation in research projects.280 DUE PROFESSIONALCAREInternalAuditors should exercisedueprofessional care in performing internal audits. Dueprofessional care calls for the application of the care and skill expected of a reasonablyprudent and competent internal auditor in the sameor similar circumstances.Professionalcareshould, therefore, beappropriate to the complexities of the audit being performed.In exercising due professionalcare,internal auditors shouldbe alert tothe possibilityof intentional wrongdoing, errors and omissions, inefficiency,waste,ineffectiveness, andconflicts of interest.Theyshould alsobe alert to those conditions andactivities whereirregularities are mostlikelyto occur. In addition, theyshouldidentifyinadequatecontrolsand recommendimprovements to promotecompliance with acceptable proceduresand practices. Duecareimplies reasonable careand competence, not infallibilityor extraordinary performance. Due care requiresthe auditor to conduct examinations and verifications to a reasonable extent,but does not require detailed auditsof all transactions. Accordingly,the internal auditor cannot give absolute assurancethat non-compliance or irregularities do not exit. Nevertheless, the possibilityof material irregularitiesor non-compliance shouldbe considered whenever the internal auditor undertakes an internal auditingassignment. When an internal auditor suspects wrongdoing,the appropriate authorities within the organizationshouldbe informed.The internal auditor mayrecommendwhatever investigationis considerednecessaryin the circumstances.Thereafter,the auditor shouldfollow up to seethat the internal auditing departments responsibilitieshave been met. Exercising due professionalcaremeans using reasonable audit skill and judgment in performingthe audit.To this end, the internalauditorshould consider: 1. The extent of audit work needed to achieve audit objectives 2. The relative materialityor significance of mattersto which audit procedures are applied 3. The adequacyandeffectiveness of internal controls 4. The costof auditing in relationto potential benefits 5. Dueprofessional care includes evaluatingestablished operating standardsand determiningwhether those standardsare acceptable and are beingmet.When suchstandardsare vague,authoritative interpretationsshould besought.If internal auditors are required tointerpret or select operating standards,they shouldseek agreementwithaudited entitiesas tothe standardsneeded to measureoperating performance.7|Page
  8. 8. 300 SCOPEOFWORKThe scope of the internalauditshould encompass the examinationand evaluationof the adequacyand effectivenessoftheorganizations systemof internal control and the qualityof performance in carrying outassignedresponsibilities. The scope of internal auditing work, as specified in thisstandard,encompasses what audit work should beperformed. Itis recognized, however, that management and the board of directors provide generaldirection as to the scope of work and theactivities to be audited. The purpose of the reviewfor adequacyof thesystemof internal control is to ascertain whether the systemestablished provides reasonable assurance that the organizations objectivesandgoals willbe metefficientlyand economically. The purpose of the reviewfor effectiveness of thesystemof internal control is to ascertain whether the systemis functioning as intended. The purpose of the reviewfor qualityof performance is to ascertainwhether the organizations objectivesand goals have been achieved. The primaryobjectives of internal control are to ensure: 1. The reliabilityand integrityof information. 2. Compliance with policies, plans, procedures, laws, and regulations. 3. The safeguarding of assets. 4. The economical andefficient use of resources. 5. The accomplishmentof established objectives and goals for operations or programs.310 RELIABILITYAND INTEGRITYOFINFORMATIONInternal auditorsshouldreviewthe reliabilityand integrityof financial and operating information andthe meansusedtoidentifymeasure, classify,and reportsuch information. Information systems providedatafor decision making, control, and compliance with external requirements.Therefore, internal auditorsshouldexamineinformation systems and, as appropriate, ascertain whether: 1. Financial andoperating records and reports containaccurate, reliable, timely, complete,and useful information. 2. Controlsover recordkeeping and reporting are adequate and effective.320 COMPLIANCEWITH POLICIES, PLANS, PROCEDURES, LAWS, AND REGULATIONSInternal auditorsshouldreviewthe systems established to ensure compliance with those policies, plans, procedures,laws andregulations which couldhave asignificant impacton operations and reports, and should determine whetherthe organizationisincompliance. Management is responsible for establishing the systems designedto ensurecompliance with such requirements as policies, plans, procedures,and applicable laws and regulations. Internal auditors are responsible for determiningwhether the systems are adequate and effective andwhether the activities audited are complyingwith the appropriate requirements.330 SAFEGUARDING OFASSETSInternal auditorsshouldreviewthe means of safeguardingassets and, as appropriate, verify the existence of suchassets. Internal auditorsshouldreviewthe means used to safeguardassetsfrom various types of losses such as those resulting fromtheft, fire, improper or illegal activities, and exposure to the elements. Internal auditors,when verifying theexistence of assets,should use appropriate audit procedures.340 ECONOMICALAND EFFICIENTUSE OFRESOURCES8|Page
  9. 9. Internal auditorsshouldappraisethe economyand efficiencywithwhich resourcesare employed. Management is responsible for setting operating standardsto measurean activitys economical and efficient useof resources.Internal auditorsare responsible for determiningwhether: 1. Operatingstandardshave been established for measuringeconomyand efficiency. 2. Established operating standardsareunderstood and arebeing met. 3. Deviations from operating standardsareidentified, analysed, and communicated to those responsible for corrective action. 4. Corrective action has been taken. Audits related tothe economical and efficient use of resourcesshould identifysuch conditions as: 1. Underutilised facilities. 2. Non-productive work. 3. Procedureswhich arenot cost justified. 4. Overstaffing or understaffing.350ACCOMPLISHMENTOFESTABLISHED OBJECTIVESAND GOALS FOR OPERATIONSORPROGRAMSInternal auditorsshouldreviewoperations or programs to ascertain whether resultsare consistent with establishedobjectivesand goals and whether the operations or programs are being carried out as planned. Management is responsible for establishing operating or programobjectives and goals, developing and implementingcontrol procedures,and accomplishing desiredoperating or programresults. Internal auditorsshouldascertain whethersuchobjectivesandgoals conformtothose of theorganizationandwhether theyare being met. Internal auditorscan provide assistance tomanagers who aredeveloping objectives, goals, and systems bydetermining whether the underlying assumptions are appropriate;whether accurate, current,and relevant informationis being used;and whether suitable controls havebeen incorporated into the operations or programs.400 PERFORMANCE OFAUDITWORKAudit work shouldinclude planning the audit, examiningand evaluating information, communicating resultsandfollowingup. The internal auditor is responsible for planning and conductingthe audit assignment, subjectto supervisoryreviewandapproval.410 PLANNINGTHEAUDITInternal auditorsshouldplan each audit. Planningshould bedocumented and should include: 1. Establishing audit objectivesandscope of work. 2. Obtaining background informationabout the activities to beaudited. 3. Determining the resourcesnecessarytoperformtheaudit. 4. Communicating with all who need toknow abouttheaudit. 5. Performing, as appropriate, an on-site surveyto becomefamiliar with the activities and controls to be audited, to identifyareasfor audit emphasis, and to invite audited entitycomments and suggestions. 6. Writing the audit program. 7. Determining how, when, and towho audit resultswill be communicated. 8. Obtaining approval of the audit work plan.420 EXAMININGAND EVALUATING INFORMATION9|Page
  10. 10. Internal auditorsshouldcollect, analyse, interpret, and document informationto support audit results. The process of examiningand evaluatinginformation is as follows: 1. Information should be collected on all matters related to the audit objectives and scope of work. 2. Information should be sufficient, competent, relevant, andusefulto provide a sound basis for audit findingsand recommendations. Sufficient informationis factual, adequate,and convincingso thata prudent, informed person would reach the sameconclusionsas theauditor.Competent information is reliable and the best attainable throughthe use of appropriate audit techniques. Relevant informationsupports audit findings and recommendations and is consistent with the objectives for theaudit. Useful information helps the organization meetits goals. 3. Audit procedures,including the testing andsampling techniques employed, shouldbe selected in advance, wherepracticable, and expanded or altered if circumstanceswarrant. 4. The process of collecting, analysing, interpreting, and documenting information should besupervisedto provide reasonable assurance that the auditorsobjectivityis maintained andthat auditgoals are met. 5. Workingpapers that documenttheauditshould be preparedbythe auditor and reviewed bymanagementof the internal auditing department.Thesepapers shouldrecord the information obtained and the analysesmadeand should supportthe bases for thefindings and recommendationstobe reported.430 COMMUNICATING RESULTSInternal auditorsshouldreport the resultsof their audit work. Asigned, written reportshouldbe issued after the audit examination is completed. Interimreports maybe written or oraland maybetransmittedformallyor informally. The internal auditor shoulddiscuss conclusions and recommendations at appropriate levels of managementbefore issuing final written reports. Reportsshould be objective, clear, concise, constructive,and timely. Reportsshould presentthe purpose, scope, and results of the audit;and, where appropriate, reports should contain an expressionof theauditorsopinion. Reports mayinclude recommendations for potential improvements and acknowledge satisfactoryperformance and corrective action. Theaudited entitys views aboutaudit conclusionsor recommendations maybe included in the audit report. The director of internal auditing or designee should reviewandapprove the final audit report before issuanceandshoulddecide to whom thereport will be distributed.440 FOLLOWING UPInternal auditorsshouldfollow up to ascertainthatappropriate action is taken on reported audit findings. Internal auditing should determinethat correctiveaction was taken and is achievingthe desired results,or that management or the board has assumedtherisk of not taking corrective actionon reportedfindings.500 MANAGEMENTOFTHEINTERNALAUDITING DEPARTMENTThe director of internal auditing should properlymanagethe internal auditing department. The director of internal auditing is responsible for properlymanaging the department so that: 1. Audit work fulfilsthegeneral purposes and responsibilitiesapproved by managementand accepted bythe board. 2. Resourcesof the internal auditing departmentare efficientlyandeffectively employed. 3. Audit work conforms to GenerallyAcceptedAuditing Standards.510 PURPOSE,AUTHORITY,AND RESPONSIBILITYThe director of internal auditing should havea statementof purpose,authority,and responsibilityfor theinternal auditingdepartment. The director ifinternal auditingis responsible for seekingthe approval of management and the acceptance bythe boardof a formalwritten document(charter) for the internal auditing department.520 PLANNING10 | P a g e
  11. 11. The director of internal auditing should establish plans tocarryout the responsibilitiesof the internal auditingdepartment. Theseplans should beconsistent with the internal auditing departments charter and with the goals of theorganization. The planning process involvesestablishing: 1. Goals. 2. Audit work schedules. 3. Staffing plansand financialbudgets. 4. Activityreports. The goalsof the internal auditing departmentshouldbe capable of being accomplished withinspecifiedoperating plans and budgets and,to the extent possible, should be measurable.Theyshould beaccompanied bymeasurement criteria and targeteddatesof accomplishment. Audit work schedulesshould include (a)whatactivities are tobe audited;(b) when theywill be audited; and (c) the estimatedtimerequired, taking into account the scope of the audit work planned and the natureand extent of audit work performed byothers. Matterstobe considered in establishing audit work schedulepriorities shouldinclude (a) thedateand resultsof thelastaudit; (b) financial exposure; (c) potential loss and risk; (d) requestsbymanagement;(e) major changesinoperations,programs, systems, and controls; (f) opportunities toachieveoperating benefits; and (g) changes to and capabilities of theaudit staff.The work schedulesshould be sufficientlyflexible to cover unanticipated demands on theinternal auditing department. Staffing plansand financialbudgets, including the number of auditors and the knowledge, skills, and disciplines required to performtheir work, should be determinedfrom audit work schedules, administrative activities,education and training requirements, andaudit researchanddevelopment efforts. Activityreports should besubmitted periodicallyto management and to the board. Thesereports should compare(a) performance with the departments goals andaudit work schedules and (b) expenditures withfinancial budgets.Theyshould explain the reasons for majorvariances and indicate anyaction taken or needed.530 POLICIESAND PROCEDURESThe director of internal auditing should provide written policies and proceduresto guide the audit staff. The formand content of written policies and procedures shouldbe appropriate to the sizeandstructureof the internal auditing department andthe complexityof its work. Formal administrative and technical audit manuals maynotbe needed byall internal auditing departments.Asmall internal auditingdepartment maybe managed informally.Its auditstaffmaybe directed and controlledthrough daily,close supervision and written memoranda.In a largeinternal auditing department, more formaland comprehensivepoliciesandproceduresareessential to guide the audit staff in the consistent compliance with the departments standardsof performance.540 PERSONNELMANAGEMENTAND DEVELOPMENTThe director of internal auditing should establish a programfor selecting anddeveloping the human resourcesof theinternalauditing department. The programshould provide for: 1. Developing writtenjob descriptions for eachlevel of the audit staff. 2. Selecting qualified and competent individuals. 3. Training and providing continuing educational opportunities for each internal auditor. 4. Appraising each internal auditors performance at leastannually. 5. Providing counsel to internalauditorson their performance andprofessional development.550 EXTERNALAUDITORSThe director of internal auditing should coordinate internal and external audit efforts.11 | P a g e
  12. 12. The internal and external audit work should be coordinated to ensure adequateaudit coverage and to minimise duplicate efforts. Coordination of audit efforts involves: 1. Periodic meetings to discuss matters of mutual interest. 2. Accessto eachothers auditprograms and working papers. 3. Exchange of audit reports and management letters. 4. Common understanding of audit techniques, methods, and terminology.560 QUALITYASSURANCEThe director of internal auditing should establish and maintain a qualityassuranceprogramto evaluate the operations of theinternal auditing department. The purpose of thisprogramis to provide reasonable assurancethat audit work conformstotheseStandards,the internal auditing departments charter, and other applicable standards.Aqualityassurance program shouldinclude the following elements: 1. Supervision. 2. Internal reviews. 3. External reviews. 4. Supervisionof thework of theinternal auditors should be carried out continuallyto assureconformance with internal auditing standards,departmentalpolicies, and audit programs. 5. Internal reviewsshould be performed periodicallybymembers of theinternal auditing staff to appraise thequalityof the audit work performed.Thesereviewsshould be performedin the same manneras anyotherinternal audit. External reviews of the internalauditing departmentshouldbe performedto appraise the qualityof the departments operations.Thesereviews shouldbe performedby qualified persons who are independent of the organization and who do not haveeither a real or an apparent conflict of interest. Such reviewsshould be conducted at least once everythree years. On completion of the review,a formal,written report should be issued.The report should express an opinionas to the departments compliance with theGenerallyAcceptedAuditingStandards and,as appropriate, should include recommendations for improvement.12 | P a g e
  13. 13. CODE OFETHICSSTANDARDS OFCONDUCT 1. Internal auditorsshall exercisehonesty,objectivity,and diligence inthe performance of their dutiesandresponsibilities. 2. Internal auditorsshall exhibitloyaltyin all matters pertaining to the affairs of ABC Companyor towhomever theymayberenderinga service.However, internal auditors shall not knowinglybe apartyto anyillegalor improper activity. 3. Internal auditorsshall not knowinglyengage in acts or activities whichare discreditable to the professionof internal auditing or to ABC Company. 4. Internal auditorsshall refrain fromentering into anyactivitywhichmaybein conflict with the interest of ABC Companyor whichwouldprejudice their abilityto carryout objectivelytheir dutiesandresponsibilities. 5. Internal auditorsshall not accept anythingof value from an employee,client, customer,supplier,or business associate of ABC Companywhich would impair or be presumed toimpairtheir professional judgment. 6. Internal auditorsshall undertake onlythose serviceswhichtheycanreasonablyexpect to complete with professionalcompetence. 7. Internal auditorsshall adopt suitable means to complywith GenerallyAcceptedAuditing Standards. 8. Internal auditorsshall be prudent inthe use of informationacquired in the course of their duties.Theyshall notuse confidentialinformation for anypersonalgain nor in anymannerwhich would be contrarytolaw or detrimental tothe welfare of ABC Company. 9. Internal auditors, whenreporting on the resultsof their work, shallreveal all material factsknown to themwhich, ifnot revealed, could either distort reports of operations under reviewor concealunlawfulpractices. 10. Internalauditorsshall continuallystrivefor improvementin their proficiency,andin the effectiveness andqualityof their service. 11. Internalauditors, in the practice of their profession, shallbe evermindfulof their obligation to maintainhigh standardsof competence, moralityand dignity.INDEPENDENCE/OBJECTIVITY/CONFIDENTIALITY/CONDUCTINDEPENDENCE/OBJECTIVITYTo be effective in performingauditsthe internalaudit staff mustbe independent andobjective both in actualityandperception.Wemaintain our independence byour organizationalposition(Including reporting line to the Board) and our BoardapprovedAUTHORIZATIONAND RESPONSIBILITIES(seeCHARTER).In order to maintain objectivity,auditorsshall immediatelyinformtheDirector ofAuditingof anyfactorsthatmaybe perceived asimpairing their objectivityon anassignedaudit.Also, auditorswill take great careto prevent even a perception ofpartialitybymaintaining a professional distance fromthe staff of an audited entitywhileperformingan audit. Questionsconcerning anyrelationshipswithaudited entitiesor potentialaudited entities(i.e.,preparing tax returns,attending parties, etc.)shouldbe brought tothe attention of the InternalAudit Department. Finally,auditors will not accept anything of value fromanemployee, supplier,or business associate ofABC Companywhich would impair or beperceivedto impair their professionaljudgementor objectivity.Anygifts accepted will be immediatelyreported tothe InternalAuditDepartment.CONFIDENTIALITYMuchof the informationavailable to internal auditorsis of asensitive or confidential nature. Auditors shouldbe prudent in theiruse of information acquired inthe courseof theirduties or information whichis available to them.Theywillnot discussanymatters pertaining to the auditsperformed bythedepartments inother then an official manner.Auditors shall not useconfidential information for anypersonal gain or in a manner which wouldbe detrimental to ABCCompanyor anyemployeeof ABC Company. (Seethe Code of Ethics).Auditors willtake adequate measures to prevent the unauthorizedrelease of confidential materialsor information inanymediumincluding paper copies, microfiche, or computer files. Such materialsshouldbe adequatelysecuredfrom theft,reproduction, or casual observation.13 | P a g e
  14. 14. Confidential materialsincludeanyinformation (except public information)associated with employeenames,socialsecuritynumbers, or identification numbers. Examples of confidential information include,but are not limitedto thefollowing: 1. Employeemedical or psychological records. 2. Employeebenefitor payroll information. 3. Anyinformation which could causeABC Companyembarrassment or liability.CONDUCTThe following guidelines areestablished regarding personal conduct and the confidentialityof audit or businessinformationacquired through audit assignments.As a memberof the InternalAudit staff, youarerepresenting the highest level of management.Conductyourselfin a manner thatreflectsfavourablyupon yourselfand those yourepresent.You are expected to exercise professionalskill, integrity,maturityofbehaviour, and tact inyourrelations with others. In general, youareencouraged to be friendlywithall ABC Companyemployeeswithout affecting your objectivity.You should guard against any conduct or mannerisms which permitan impressionthatyouconsideryourself an"expert"sent to check on employees.As far as possible, take the position of an independent/objective analystand advisor.Avoid theimageof policing.In the courseof yourassignments, youwillbe in contact with personnelat all levels of authorityandposition.At alltimes,independence in mental attitudeis to be maintained. Reportsresulting from your efforts should alwayscontain full andunbiaseddisclosure of all but minoraudit findings.Althoughyoureport totheInternalAudit Department, youhaveresponsibilitiestoboth managementand the personnelbeing audited.Muchof yourwork is confidential; therefore, be discreet on and off thejob indiscussing current or past auditsor yourpersonalassessments of audited entities. Judgmentshould be exercised in the securityof auditworking papers, programs,records, and informationat all times.Never indiscreetlydiscuss anyinformation youobtain during audits. Avoid extremes of dress or personal grooming.AUDITPROCESSPLANNINGThe assessment of audit risk is anintegral part of our planning process.Theaudit planning process encompasses allactivitiesrelated to the development of the internal audit plan and schedule and the determination of the audit scope andobjectives,timing,designof detailed procedures,and audit recourse planning for the individual auditable entities.The primary objective ofthe audit planning process is to design our audit approach to ensurethat auditsare performedin the mosteffective andefficientmanner. In undertaking this process we attemptedthe following: Definethe potential audit universeat ABC Company Definefactors to be used inassessing risk Quantifythepotential risk associated with each of the defined audit areas Schedule auditsand allocate InternalAudit resourcesaccordingto the priorities established and the current leveland expertise of internalauditorsPLANNING-RESEARCH,SCHEDULING,ANDAUDITSInternalAudits schedulingprocess begins with requestsfor audit services (requests,or suggestions, comefrom several sources).One obvious sourceis our own InternalAudit staff. Our in-depth knowledge of ABC Companygivesus a unique perspectiveon the types of projects in which we canreduceABC Companys risk. Hence,someof our projects originate in our own groupor as a resultof the annual audit of ABC Companyas a whole,whichis conducted bythe external auditors.Several factorsinfluence the selectionand scheduling of projects:the degree of risk or exposure to loss; typeof audit; currentand planned work in othermajor audit projects requiring substantial timecommitments of InternalAudit staff;the availabilityofstaff in entitiesselected for review;andthe availabilityof InternalAuditstaff with theappropriate skills.14 | P a g e
  15. 15. An analysiswillbe performedannuallyin order toquantifyrisk and schedule audits.This analysis willcombinefactualinformation andInternalAudit Departments judgment in the selection, ranking, and weighing of the various audit riskfactors. It should be emphasised that the final determination as to which areasshouldbe included in the audit plan cannotbebased solelyon theresultsof thisauditrisk assessment.Rather,the performance of the assessment is a tool for usebyInternalAuditDepartment.Types ofAudits1.AUDIT Operational - Refers to acomprehensive examination of an entityto evaluate its performance, as measuredbymanagements objectives.An operational auditfocuses on the efficiency,effectiveness,and economyof operations. Financial - Determine the accuracyand proprietyof financial transactions. Compliance -Theobjective of these auditsis to determinewhether, andto what degree, an audited entityconforms to certain specific requirements of policy, procedures,standards, or laws and regulations.Theauditor must know preciselywhat policies, procedures,standards,etc.are required. Usually,compliance audits require little preliminarysurveywork or reviewof internal controls, except to outline preciselywhat requirementsare being audited.The auditfocuses almost exclusively upon detailedtestingof conditions. AssetVerification -An independent appraisal of ABC Companyoperations is provided throughthe verification of accountability,physical safeguards, and valid use of ABC Companyassets.This is oftenperformedin conjunction with an audit.2. LOSS Loss/fraud investigations- Conducted to determineexisting control weaknesses,assist ABC CompanyRisk Managementin determiningthe amount of the loss/fraud,and assisttheaudited entitybyrecommendingcorrective measuresto prevent subsequent recurrences. Investigation of allegations mayalso be conducted.3. INFORMATION SYSTEMSAUDIT The primarymissionof the Information Systems audit function of InternalAudit is to supportthe internal audit function in the evaluation of the accuracy,effectiveness, and efficiencyof ABC Companys electronic and information processingsystems which are inproduction or under development.4. MISCELLANEOUS Consultant Services - Information,encouragement, andreviewwill be provided on issues concerningABC Companypolicies, procedures,andinternal controls.Withthe addition of an informationsystems audit function consultation services are expanded to include: 1. Assistanceon evaluationof backup proceduresand contingencyplanning 2. Assistanceon whetheradefinedarchitecture has proper controls 3. Information on computer controls 4. Assistanceon implementation of internal financial system ComputerSystemDesign and Enhancement- InternalAuditactivelyparticipatesin the development of new systems or enhancementsto current systems to promotethe design of adequate internal controlspriorto implementation and reduce the need for corrective measures at alater date. OtherDepartmental Duties - Such as organisingthe annual retreat, preparingthe annual report, etc., as assignedbytheDirector.5. ADMINISTRATIVE REVIEWS Pre-approvedprograms are used to audit accuracyandproprietyof expenditures and payrolltransactions. Incomewillbeaudited if the amountis material.Thesereviews mayalsoinclude assetconfirmations.6. FOLLOW-UPREVIEW Follow-up reviewsareperformed toappraise management of post audit actions and provide assurance that15 | P a g e
  16. 16. implemented changesadequatelyresolvedaudit findings.These reviewsalso ensure that uppermanagementhas beenproperlynotified of ABC Companyexposure related to unresolved audit findings.16 | P a g e
  17. 17. 7. CASH COUNT Acash countis performed todeterminecustodial fund accountabilitywhichmay include one or moreof the following types of funds: pettycash fund, change fund, or revolving fund.Apre-approvedcash countaudit programis used for this typeof audit.AuditAssignmentAll audits/taskswillbe authorizedbytheInternalAudit Departmentusingan audit assignment sheet.Theobjective of this processis to assure thatwork is performed on onlyauthorized activity.This formwillprovide sufficient information on the audit/taskscope, objectives, and resourcerestrictions(allocated hours, expected completion date) so the assignedauditor(s)willhave a clear understanding of InternalAudit Departments expectations for their particular assignment.DefinitionofTerms on theAssignment Sheet Task Number:Afive digit numberusedto identifytheproject Type:The typeof projectindicated on the assignmentform: o A=audit; o L=loss; o C=cashcount; o F=follow-up; o M=miscellaneous; o T=continuing education- no trackable hours; o E=continuing education; o D=information Systems audit; o X=taskcancelled; o R=administrative review. Location of audit: o BRU=Brussels; o PAR=Paris; o BLN=Berlin; Title of Project:Ashort description of the project Assignment Date: Beginning date that hours canbe chargedto the project Allocated Hours:Timebudgetedfor this project.Anydeviationfrom thesehours must be approvedbytheInternalAudit Department Expected Completion Date:Thedate the report is expected to be issued in final Assigned Staff:Names of theReviewer,ProjectManager,Assigned Staff, Project Consultant, Participant,Instructor, andNon-active staff shouldbe listed on assignment sheet withprojecthours thatare assignedto each Scope & Objectives:Ashort descriptionof the scope andobjectives that will be covered FiscalYear:Fiscal yearto be audited17 | P a g e
  18. 18. Scope and ObjectivesThe scope sectionshalldefine the limitationsof the audit/task assignment.Thescope will generallyincludeatimeperiod, andwhatrecords, processes,funds, transactions,policies, controls,etc., we shallbe reviewing. Scopelimitationsthatverynarrowlyrestrict audit work shouldbe mentionedin the audit report. (Example:We didnot testactual expenditure transactions.)The objectives willexplain whatthe audit is trying to accomplish.Auditobjectives will generallyinclude oneormore of the following: 1. Determine the accuracyand proprietyof financial transactions; 2. Evaluatefinancial andoperational procedures for adequacyof internal controls and provide advice and guidance on control aspectsof new policies,systems, processes,and procedures; 3. Verifythe existence of ABC Companyassetsand ensurethatproper safeguards are maintained to protect themfrom loss; 4. Determine the level of compliance withABC Companypolicies and procedures,laws and regulations; 5. Evaluatethe accuracy,effectiveness, and efficiencyof ABC Companys electronic information andprocessingsystems; 6. Determine the effectivenessand efficiencyof audited entitiesinaccomplishing their mission and identifyoperational opportunitiesfor costsavings and revenue enhancements; 7. Provide assistance and a coordinated audit effort withtheexternal auditors; 8. Determine ifa loss occurred, ifso theamountof the loss and circumstances (control weaknesses) that contributed to it.Duties/Responsibilities INTERNALAUDITDEPARTMENT o InternalAuditDepartment, theDirector andAssociate Director of Internal Auditing, willberesponsible for ensuring that audit resourcesareefficiently and effectivelyemployedand that the audit work performed fulfils the mission of the department. AUDITMANAGER o The auditor incharge of the task will normallybe an audit manager andwill have the followingdutiesand responsibilities: 1. Attendentrance and exit interviews 2. Discuss, direct, advise, etc., the assignedauditors during thecourse of the assignment including writing the report 3. Will be responsible for assuringthe audit programsteps accomplish the objectives,address major risk and exposures, and reasonablyassure the completionof the assignment within allocated resources.Finalapproval of the audit programwillbe done byInternalAudit Department 4. Review, edit, and approve the draft report 5. Assure theaudit is performed according todepartmentstandards, staying within the scope and resourceallocationlimits (hours and dates),andmeetstated assignedobjectives. ASSIGNEDAUDITOR(S)18 | P a g e
  19. 19. o Assigned auditor(s) willbe responsible for performing theaudit and will have the following duties and responsibilities: 1. Perform thepreliminaryreview, including the internalcontrol evaluation,with guidance from theAuditManager 2. After discussionswith theAudit Manager,prepare an audit program and time estimate for each programsection 3. Perform all assignedactivitiesinconformance with department standards,stayingwithinthe scope and resourceallocation limits of the assignedactivityor programsection 4. Write the draft audit report o An assignedauditor who is also theAuditManagerof theproject will have the additional dutiesofAuditManager. REVIEWER o All working papers should beindependentlyreviewed to ensurethereis sufficient evidence to support conclusions and that all audit objectiveshave been met.Adetailed review will be conducted bytheAudit Managerfor assignedstaffs working papersand a less comprehensivereview willbe conducted bydepartmentadministration or an assignedstaff person. Initialling workingpapers (see "review/approval form") signing the "review/approval form," and filing "cleared" reviewnotes inthe current working papers will serve as documentation of thereviewprocess. o The reviewer should: 1. Determine working papers compliance to the department working paper standards; 2. Reviewfromaudit programsteps to thereferenced working papers ensuring cross- referencing is proper, theworking papers support the steps performed,and all steps have beencompleted; 3. Reviewworking papers from the report(s) tothe Digestof Significant Findings to the workingpaper summaries to the detailed working papers to ensure that all findingsare stated adequatelyand documented and support theopinions, findings, andrecommendationsstatedin the report; 4. Ensure that working papers "standalone"in that theyclearlystatewhat work was performed,how and from where samples were selected, the purposeof the working paper,what findingsweremade,etc. 5. Documentreviewcomments on review notes form; 6. After all audit reviewnoteshave been resolved,sign off on working paper section of final working paper/report approval form; 7. Determine report(s)compliance with thedepartment report standards; 8. Sign off on report(s) section of final workingpaper/report approval form; 9. Determine PermanentAudit Filescompliance with department standards. PROJECTCONSULTANT o The projectconsultantsprimarydutiesand responsibilitiesare to advise and provide guidance tothe assignedauditors.The projectconsultant does not take an active role in the project, butwillbe on callto answer questionsor volunteer suggestionsas applicable. REPORTREVIEWER19 | P a g e
  20. 20. o The Report Reviewer primaryresponsibilityis to provide a final independent reviewof audit reports tohelp ensurethatproper grammar, spelling, and formathave beenused.The Report Reviewerwill also performor supervise the: 1. Print reviseddraft copies for Directorsapproval 2. Print final report copyfor auditorsand director signature 3. Mailfinal report copy 4. Filing of electroniccopyon LAN 5. UpdateWorking Papers files: markcomplete, recommendation categories, markcomplete, create follow-up when necessary,etc. 6. Mailing feedback questionnaire 7. Updating feedback spreadsheet when feedback received 8. Addingresponseto electronic copyof reportand filing paper copywith final report 9. Creating follow-up working papers, trustee report, electronic copyof report on LAN, etc. 10. UpdatingDirectors report20 | P a g e
  21. 21. Announcement LetterTheaudited entityshall be informedof the audit projectthroughan announcementletter from the InternalAuditDirector.However,InternalAudit will not provide advance notifications for cash counts andfraudinvestigations.Additionally,InternalAudit maynot send an announcement letter for requested consulting services.The announcementlettershallcommunicate the scope and objectives of the audit, the period covered, and the auditor(s)assignedto the project.InternalAudits mission statementshall also be enclosed for theaudited entity’sinformation.Preliminary ReviewThe objective of the PreliminaryReview is to gainsufficient knowledge of the entitybeing reviewed so theauditor can designanaudit programtoaccomplish theassignedobjectives. The review willhelp the auditor to determineif the assignedobjectivesareattainable with the allocated resourcesand what audit procedures shouldbe performed,based on assessed risks andexposures, to achieve the objectives.The preliminaryreviewwork canbe broken down intofour distinct phases: 1. Familiarization 2. Identification of potential problemareas 3. Evaluationof internal controls 4. Planningthe detailed auditOneof the problems in performing an effective preliminaryreviewis thefailure to complete all phases of thereviewbeforepreparing the formalaudit programand beginning the fieldwork.Initial Research (Familiarization)Before meetingwith the audited entity, theassigned auditor(s)shall obtain abasic understanding of the operation orsystemunder review.Thisreviewwill normallyinclude: Reviewof PermanentAudit File (if one exists) Reviewof PreviousAuditWorkingPapers, Reports,Management letters(ifavailable) Reviewof department financial statements (transactions) includinghistorical trends ifavailable Reviewof department organization and staffing (payroll/personnel listing) Reviewof department equipmentlistingConsultations with otherauditorsthat have been involved in similarauditsor are familiarwith this department, relatedANAELfiles, systems, etc. Reviewdepartmentfocus Reviewdepartments missionstatement, organizationchart and other information requested in the "announcementletter" Reviewandresearch for applicable laws, regulations, anddepartmental policies and procedures Conductthe initial meeting withaudited entityIdentificationofPotential ProblemAreasAn objective of the preliminaryreviewis theidentificationof potential problemareas. Oneof the first steps indeterminingproblemareasis to identifythose programs, activities,and functionswhichare significant.Thesecan be identified as those programs or activities: Which are susceptible to fraud,abuse, or mismanagement In which there is a large volumeof transactions or largeinvestments in assetswhich are subject toloss ifnot carefullycontrolled Aboutwhich concernshave been expressedbymanagement In which prior audits have disclosed major weaknessesor deficienciesThis phase of thepreliminaryreviewshould identifythesignificant activitiesof the area and what inherent risksexist.Oncetheseactivities and risks havebeen identified, thenext step is to evaluate controls.21 | P a g e
  22. 22. The auditor is responsiblefor determininghow muchreliance can be placed on the entitys controlstoprotect its assets,assureaccurate information, assure compliance with applicable laws and regulations, promote efficiencyand economy,andproduceeffective results produceeffective results.Acomplete reviewof all controls is not alwaysnecessarybecause some controls maybe irrelevantto basicissues which arethesubject of the audit effort.Therefore, theauditormust identifythose controls which arethe mostimportant and critical to theoperationand concentrate on them. Somecontrolswhichcan normallybe identified as critical are those which aredesigned toprotectagainst: Substantial financial losses Program violations Mismanagement Legal violations Adversepublicity Lack of programor missionaccomplishmentThe auditors evaluation should include identification of areasin which essential controls appear to be weak, non-functioning,or missing.Vast amounts of data are storedelectronically.InternalAudithas alibraryof standardized ANAEL queries thatwillassistinobtaining some of this information.Reviewand Evaluationof InternalControl EnvironmentThe auditor will reviewtheaudited entitys internal control structure. In doing this,the auditor uses avarietyof tools andtechniques,including flow charts,interviews,data gathering, and analysis.Thereviewof internal controlshelps the auditordesign teststobe performedin the fieldworksection of the audit.The evaluation of the systemof internal controls should providereasonable, but not absolute, assurance that the fundamentalelements of the systemare sufficient to accomplish their intended purpose.The studyand evaluation should beadequatelydocumentedand properly supported byresultsof tests,observations, and inquiries.Theuse of electronic dataprocessing methods that can affect the reliability,accuracy,or usefulnessof financial or statistical data, and reports shouldbeincluded as part of the studyand evaluation.Internal controlsare evaluated throughout the audit examination.AuditManagers should prepare the programto assistassignedauditors in performing this aspect of the audit work. Generally,theguidelines are incorporated into an audit programin theform of internal control questionnaires, checklists, and specific audit testsandprocedures.Although the written auditguidelines (programs) areinvaluable aids,Audit Managersmustensure that each assigned auditor is familiarwith the scopeandobjectivesof the internalcontrolreview.The review of the systemof internal controls is performedbydiscussing the control procedures, methods, and planoforganizationwithaudited entity’sofficials.Theauditor may useinternal control questionnaires or checklistsas wellas writtennarrative memoranda, flow charts,atransactionwalk through,and other applicable techniquesindeterminingthe adopted controlproceduresand the methodand plan of organization.Thesetechniques arepreferred becausetheyprovideadequatedocumentation.In addition todiscussions withauditcustomer officials, auditors make inquiries and performobservationsrelating to thesystemof internal controls.Theseinquiries and observations, andresulting findings and conclusionsare also documentedintheworking papers.This documentation includesidentifyingcontrol strengths and weaknessesand cross-referencingthemtothe audit testsand proceduresconcerned with substantive testing.22 | P a g e
  23. 23. To assist in evaluating the system of internal control the auditor should consider the following: Typesof errors andirregularities that could occur. Controlprocedures to prevent or detect such errors andirregularities. Whether the procedures have beenadopted and are being followedsatisfactorily. Weaknesses whichwouldenable errors and irregularities to pass through existingcontrol procedures. The effect these weaknesses haveon the nature, timing,and extent of auditing procedurestobe applied. Audit methods usedto studyand evaluate existing internal controls include: Internal ControlQuestionnaires-Theseguide the auditor to queryresponsiblemanagersregardingspecific or generalinternal controls.Thequestionnaires aredesignedso that a negativeresponse indicates a potential internal control weakness.A negative response willcausethe auditor to determinewhether compensating controls are inexistencewhich would offset thenegative response. Narratives -Thesedescribe the systemof internal control. Flow Charts-Aflow chart is beneficial because it visuallydepicts processesdesigned or intended for control purposes. Flow-charting provides the auditor with agood understanding of the process beingevaluated. Documentationsupports theauditorsunderstanding of the internal controls.Audit workingpapersprovide the support for theconclusionsreached bytheauditor regarding the studyand evaluation of internal controls.Onlythoseinternal control functions,whichare deemed critical or important to the strengthwithin a particular transaction cycle, should betestedand evaluated.Working papers should be prepared to highlight the internalcontrolattributes within the processesto beevaluated. Tests of compliance are performedto obtain sufficient evidence that the systemis operating in accordance with the understanding the auditor obtained fromthe review. Theseareperformedfor those control proceduresor methods upon whichtheauditor has chosen to rely.Conversely,whenthe auditor determines that certain controls cannot be relied upon;testsof compliance arenot ordinarilyperformed. The nature, timing, andextent of testsof compliance arecloselyrelated to the control proceduresand methods studiedbythe auditor.Additionally,the auditor mustconsider the availabilityof evidence andthe audit effortrequiredto testcompliance. In considering the required audit effort, the auditor assesses whetherprecludingcertain testsof compliance will reducethe reliance on the controls and procedures,and whether such reduced reliance significantlyaffects subsequent audit testsand procedures.FlowchartingThe primarypurpose of preparinga flow chart is to identifythe keycontrol attributes - those attributesthat achievecontrolobjectives.This canefficientlypoint out casesof under/over control and processingredundancy.Clarityand simplicityinpresentation are essential.Mistaken use of extreme detail maytend to conceal rather than exposekeypoints.Complexitiessuch as exception controlscan be better explained in attached memoranda.However,narrativeexplanations shouldbe kept brief. In mostcases,the combination of the flow chartand a narrativedescription tends to be farsuperior toeither documentalone.Onlytransactions/documents with control significance should be shown (i.e., control over authorization, recording,safeguarding, reconciliation, and valuation).This cangenerallybe accomplishedbyincluding onlythose activitieswithin anapplication wheredatais initialised, changed, or transferredtoother departments.For aprocess tobe flow charted, it must bebroken down into its componentparts, namelyactions and decisions.Also, thename(s) and position(s) of thepeople performingthe transactions should be indicated for each action.The names of each document should also beincluded withinthe documentsymbols.The auditor usuallyobtainsinformation necessaryfor preparing or updating flow chartsby interviewingpersonnel at each siteabout procedures followed,andbyreviewingprocedure manuals,existing flow chartsand other systemdocumentation. Sampledocuments are collected and each departmentinvolvedis questioned about its specific duties. Inquiriescan bemadeconcurrentlywiththe performanceof transactionreviews,particularlywhen flow chartsarebeing updated. If possible,theauditor should observe theprocess.23 | P a g e
  24. 24. InternalControl QuestionnairesThe primarypurpose of completing theinternalcontrol questionnaire is toidentifycritical areas,strengths,andweaknessesinprocess.PLANNINGTHEDETAILEDAUDITThe elements of materialityandrelative risk mustbe considered in performing theaudit.The due professionalcarestandardsdonotimplyunlimitedresponsibilityfor disclosureof irregularities and otherdeficiencies.Theauditorsprincipal effort should beinthose areas wheresignificant problems or deficiencies mayexist,rather thanin areasthat are relativelyunimportant.Timeshould not bespentexamining or developingevidencebeyond what is necessaryto afforda sound basis foraprofessional opinion.The resultsof the preliminaryreviewshould beanalysedto determinethe need for a detailed audit and the specific areastobecovered.Thedetailed audit programshould be prepared allocating the projectbudget timeestablished for the fieldwork tothespecific areastobe covered in the audit.Statement of Risk and Exposure Rationale: o Arisk/exposureanalysiswillbe performedto prioritise audit testing that must be performedto achieve the audit objectives.Thisdetermination is essential for providing reasonable assurance that internal audit resourcesaredeployedin an optimal manner (i.e.the mosttimeis spent examiningareaswith the greatest risk exposure). o The three types of risks thatwillbe considered are:  Inherent Risk -Therisk related to the fundamental characteristics of the assignedarea (i.e., anareathat receives income inthe formof currency and coin has a greater inherent risk of theft of that incomethenone that receives internal billingincomeform another department).  ControlRisk -Therisk that the assignedareas internal control system wouldfail to prevent or detect asignificant intentional or unintentional error in the process.  Detection Risk -Therisk thatthe internalauditwould fail to detect errors thathad occurred. o Exposure is thepotential loss or liabilitytoABC Company. Itis not onlyloss of moneybutalso ABC Companys reputation, etc. o ARisk/Exposureanalysiswillinvolve determining the highestpossible combinedfactors.(highrisk/highexposureas opposed tohigh risk/low exposure or low risk/highexposure) Policy: o Duringthe preliminaryreview/internalcontrolevaluation stage of the audit, the auditor will makea determination of what areascontain the greatest risks and potential exposures.This determination will be discussedwith theInternal Audit Departmentbefore the audit programis written. Process: o Duringthe preliminaryreview/internalcontrolevaluation stage of the audit, the auditor will complete a schedule detailingthe greatest risks and potential exposures and discuss withInternalAuditDepartment.PermanentAudit FilesApermanent file should givethe auditor general knowledge abouttheaudited entity.The information inthe file is notexpectedtochange significantlyfrom year-to-year, butit is pertinent tothe current years audit.Prior years financialstatements wouldaidthe auditor in gathering general knowledge abouttheaudited entity. Itmightalso be useful incomparingthe current year to theprior yearor performinganalyses.Apermanent file should onlybe prepared for auditsthat we continuallydo or if the areaauditedis a systemsuch as payroll, accounts payable,etc.Before a permanentfile is established, consultwiththeAuditManager andInternalAudit Department. If a permanent file is notprepared,usefulinformation can be filed in section D of the workingpapers.24 | P a g e
  25. 25. AUDITPROGRAMPreparation of theauditprogramconcludes the PreliminaryReviewphase.Theaudit program outlines the necessarysteps toachieve the objectivesof the audit withinthe defined scope as listed on the assignment sheet.Theaudit programis adetailedplan for thework tobe performedduring the audit.Awell-constructed programis essential tocompleting the audit project in anefficient manner.Awell-constructedprogramprovides: Asystematic plan for each phase of the work that can becommunicated to all audit personnelconcerned Means of self-control for the audit staff assigned Means bywhichthe audit supervisor/managercan review and compareperformance with approvedplans Assistancein training inexperienced staff members andacquainting themwiththe scope, objectives,andwork steps of anaudit An aid to supervisor/managermakingpossiblea reduction inthe amount of direct supervisoryeffort needed Assistancein familiarisingsuccessiveaudit staff with thenature of work previously carried outThe programconsistsof specific directions for carryingout the assignment.It should contain a statementof the objectives of theoperationbeing reviewed. For eachsegment of the audit the programshould (1) listthe risks that must be covered in thatsegment;(2) show for each risk the controls that existor that are needed to protect against theindicated risk; (3) show for eachof the listed controls the work steps requiredto test the effectivenessof those controls, or set forth the recommendations thatwillbe required to install needed controls; and (4) provide space for referencingthe relatedauditworking papers.Standardizedaudit programs are available andshouldbe used or modified to achieve the audit objectives.Theauditorshallinclude anestimate of the hours necessaryto complete the project.InternalAudit Departmentreviewstheauditors work to-date (preliminaryreview work) andthen discussesanyconcernsor proposed programchanges.ObjectivesThe audit program shallcontain astatement of the objectivesof the area being reviewed.The statementof objectives in the auditprogramshallcorrespond withthe audit objectives stated in the assignmentsheet.Theseobjectives shouldbe achievedthroughthe detailed audit programsteps.Audit StepsAwell-constructedauditprogramprovides specific, detailed steps (procedures)for achieving the audit objectives.Standardizedaudit programs with specific audit steps for achieving objectivesare available and should be used or modified.Time BudgetAproject time budget provides overall guidelinesfor the performance of the audit. In addition, it enablesthe audit manager tocontrol the audit work inprocess. It is essential that we control our timecarefullyinorder that it maybe used inthemosteffective manner possible.The detailed projecttimebudget should be completed at the conclusion of thepreliminaryreview.Each projectwillhave a timebudget that will be approved bythe audit manager andInternal Audit Department.This budget willinclude all time necessaryto complete the audit, from assignmentthrough issuanceof the finalreport.Thepreliminaryreviewphase should be completedwhen no more than 25 percent of the totaltimebudget has beendepleted.The budget process willbebroken down into two phases.Aportion of the budget should be allocated for the planningprocess.This will provide the necessarycontrol overthis phase of audit work.25 | P a g e
  26. 26. Near thecompletion of the planning process, the remainingbudget should beallocated to the rest of theaudit and recorded ontheTimeBudgetSummary.For purposes of overallcontrol, the timebudget should be broken down into the followinggeneralcategories (more maybe usedif warranted): Planning- initial planning, preliminarysurvey,audit program Fieldwork- allocated to the various segments of the audit project Audit report and wrap-up - audit managers review, qualityassurancereview, report writing and editing, reportreview, audited entitys review,exit conference, etc.) Preparation andApproval-The projecttimebudget should bepreparedbytheaudit managerand approvedbyInternalAuditDepartment. BudgetRevisions- Anyrevisions to theprojecttimebudgetshouldbe discussedwith InternalAuditDepartmentatthe earliest possible time and,whenapproved byInternal Audit Department, documented on theTimeBudgetSummary.FIELDWORKEvidential MatterEvidential matter obtained during the courseof the audit provides the documented basis for the auditors opinions, findings,andrecommendationsas expressedin the audit report.As internal auditors, we are obligated byour professional standardstoactobjectively,exercise due professionalcare,and collect sufficient, competent, relevant, andusefulinformationto provide asoundbasis for audit findings andrecommendation (see examiningand evaluating information).Audit SamplingAudit sampling is performingan audit test on less then 100 percent of apopulation. Insampling theauditor accepts the risk that some or all errors willnot be found andthe conclusionsdrawn (i.e.all transactionswere proper and accurate) maybe wrong.Types of Sampling:Statistical or probabilitysampling allows the auditor tostipulate, with agiven level of confidence, the condition of alargepopulation byreviewing onlyapercentage of the total items. Several sampling techniques are available to the auditor. Attribute sampling- Isused when theauditor has identifiedthe expected frequencyor occurrence of an event. Variables sampling - Is used when the auditor samples for valuesina population which varyfromitemto item. Judgment sampling - Is used when it is notessential to have a precise determination of the probable condition of the universe,or whereit is not possible,practical, or necessaryto use statistical sampling.The typeof samplingusedand the number of items selected should bebased on the auditors understanding of the relative risksand exposures of the areas audited.Policy/Process:All audit testing willinclude sampling.The typeand samplesizeshallbe described in the programandapprovedbytheInternalAuditDepartment.Testing andWorkingPaperDocumentationPolicy/Purpose:Workingpapers serve both as toolsto aid the auditor in performing his work, and as written evidence of the work donetosupport the auditorsreport. Informationincluded in working papers should be sufficient, competent, relevant, andusefultoprovide a sound basis for audit findings and recommendations.GenerallyAcceptedAuditingStandards define sufficient,competent,relevant,and useful as follows: Sufficient information is factual, adequate, and convincing so that a prudent, informed person wouldreachthe sameconclusionsas theauditor. Competent informationis reliable and the best attainable through the use of appropriate audit techniques. Relevant informationsupports audit findings and recommendations and is consistent with the objectives for theaudit.26 | P a g e
  27. 27. Usefulinformation helpsthe organization meetits goals.In addition to serving as a reference for thepreparerwhen called upon to report findings or answerquestions,other individualsmayfindit necessaryto use the working papers.The InternalAudit Departmentwilluse the papers to review thequalityof the audit project and to evaluate the audit staffassignedto the work.The manager whose entityis beingaudited may usedetails included in the workingpapers to help implementcorrective actionto a problemor refute the assertion that a problemexists.ABC Companymanagement or other individuals who mayhaverequested the audit require timelyreports.Well-organisedworking papers help to accomplish this goal.External auditors reviewthework performed bythe Department andevaluate the effect that its activities had on ABCCompanys systemof internal control.In fulfilling their public responsibility,certain regulatoryagencies monitorABC Company operations, and the Departmentsworking papers maybe subjected to their review. Solid workingpaper documentation is essential for questions from theseandother potential outside reviewers.Qualities of GoodWorking PapersGood working papersshouldbe: Complete -Workingpapers must be able to "standalone."Thismeans that all questions must beanswered,all points raisedbythe reviewer must be cleared, and a logical, well-thoughtout conclusion must be reached for each audit segment. Concise-Workingpapers must be confined to those that serve a useful purpose. Uniform-Allworkingpapers shouldbe of uniformsizeand appearance. Smaller papers should be fastened to standard workingpapers, and largerpapers should be folded toconformtosizerestrictions. Neat -Workingpapers shouldnot be crowded.Allow for enough spaceon each schedule so that all pertinentinformation can be included in alogical and orderly manner.At the sametime,keep working papers economical. Forms and procedures shouldbe included onlywhen relevant to the audit or to an audit recommendation. Also, tryto avoid unnecessarylisting and scheduling.All schedulesshould havea purposewhichrelates to the audit proceduresor recommendations.Working PaperTechniquesDescriptiveHeadings -Allworkingpapers shouldinclude the audit stamp,titleof the audit, audit projectnumber,title of theworking paper,preparersinitials, date prepared, sourceof information, andpurposeof the working paper.Tick-marks-The auditor makesfrequentuse of avarietyof symbols to indicate work that has been done.Thesesymbols arecommonlyreferred toas tick-marks.Asthesetick-marks have no special or uniform meaning inthemselves,an explanationofeachtick-markshould be madeon the schedule on which it appears.Cross-referencing - Cross-referencing within working papers should becomplete and accurate.Working papers shouldbecross-referenced totheAudit Findings.AuditFindings shouldbe cross-referenced to the exit conference memoand/or theaudit report,to indicate final disposition of the item. Cross-referencingshould be done inthe margins of audit reportdrafts.Thesereferencesreadilyprovidedirect access tothe working papers.Indexing -Thesystemof indexing audit workingpapers should be simple, yetleave roomfor flexibility.Acapital letter should beused to identifyeachsegment of the audit, andArabic numeralsusedto identifyscheduleswithinthe segments.Carry forward -The auditor should makefulluse of the working papers developed in the prior audit. Flowcharts,systemdescriptions,andother data maystill be valid.Those papers which remain useful should bemadea part of thecurrent workingpapers.Theyshould be updated with current information, renumbered, referenced, initialled,and dated bythecurrent auditor.27 | P a g e
  28. 28. Types of Working PapersAll working papers should be maintained in binders. Schedules, analyses, documents, flow charts, and narratives should befiled in a standard binder. Documentation which is not of standard size should be mounted on standard size paper orreferenced to a non-standard binder. 1. Schedules and Analyses Schedules and analyses are useful for identifying statistical trends, verifying the accuracy of data, developing projections or estimations, and determining if tasks or records have beenproperly completed. Each record review, data schedule, or analyses should include the following items: An explanation of its purpose (reference audit step) The methodology used to select the sample, make the calculation, etc. The criteria used to evaluate the data The source of data and time frame considered A summary of the results of the analyses The auditors conclusion 2. Documents Copies or actual samples of various documents can be used as examples, for clarification, andas physical evidence to support a conclusion or prove the existence of a problem. Thesedocuments can be memos, reports, computer printouts, procedures, forms, invoices, flowcharts, contracts, or any of numerous other items. Any copied document should serve a usefulaudit purpose. The following suggestions are offered for preparation of working papers using documentsrather than the auditors notes: Indicate both the person and/or file that the document came from (source). Copy and insert only that portion of the report, memo, procedure, etc., which is neededfor purposes of explanation or as documentation of a potential finding. Do not includethe entire document in the working papers unless absolutely necessary. Fully explain the terms and notations found on the document, as well as its use. This isespecially true when including maps, engineering drawings, or flow charts in thepapers. These explanations may be made on an attached preceding page or on the faceof the document itself. Each document should be cross-referenced either to the page or separate analysiswhere it was discussed. No document should be included in the working papers without an explanation of whyit was included. Documents larger than A4 size should be reduced when practicable. 3. Process Write-ups and Flow charts In many audits, it is necessary to describe systems or processes followed by the audited entity.Describe such procedures or processes through the use of write-ups or flow charts or somecombination of the two. The choice of which method to use will depend on the relativeefficiency of the method in relation to the complexities of the system being described. Write-ups are often easier to use, and should be used, if the system or process can bedescribed clearly and concisely. However, when write-ups would be lengthy, and descriptionof related control points difficult to integrate in the narrative, flow-charting (or a combinationof write-ups and flow-charting) is an appropriate alternative. Flow charts convenientlydescribe complex relationships because they reduce narrative explanations to a picture of the system. They are concise and may be easier to analyse than written descriptions. 4. Interviews Most verbal information is obtained through formal interviews conducted either in person orby telephone. Formal interviews are most desirable because the interviewees know they areproviding input to the audit; however, impromptu interviews, or even casual discussions canoften provide important information. Any verbal information which is likely to support aconclusion in the audit working papers should be documented. Interviews are useful inidentifying problem areas, obtaining general knowledge of the audit subject, collecting datanot in a documented form, and documenting the audit customers opinions, assessments, orrationale for actions. Interview notes should contain only the facts presented by the personinterviewed, and not include any of the auditors opinions.28 | P a g e
  29. 29. In preparing interviews for working papers, consider the following suggestions: Be sure to include the name and position title of all persons from whom informationwas obtained. This includes data gathered during casual conversations. Indicate when and where the meeting occurred. Organise notes by topic wherever possible. Identify sources of information quoted by interviewee. 5. Observations What the auditor observes can serve the same purposes as interviews. If observations can beused to support any conclusions, then they should be documented. They are especially usefulfor physical verifications. Observations used as supporting documentation should generally include the following items: Time and date of the observations Where the observations were made Who accompanied the auditor during the observations What was observed (when testing is involved, the working papers should include thesample selections and the basis of the sample) 6. Findings All audit findings must be documented in a SECTION SUMMARY (see next section)schedule in the working papers. Unfavourable findings shall be summarised on a Digest ofSignificant Findings working paper whether or not they are to be included in the audit report.All findings should be documented immediately by the auditor discovering the situation.STATING FINDINGS/CONCLUSIONSUpon the conclusion of the fieldwork, theauditor shallsummarisethe audit findings,conclusions,andrecommendationsnecessaryfor preparation of the audit report discussion draft. Each audit finding willhavedocumented in the SECTION SUMMARYthefollowing ATTRIBUTES 1. Statementof Condition (Whatis!) 2. Criteria (What should be!) 3. Effect (So what?) 4. Cause(Whydid it happen?) 5. Recommendation (What should be done?)1. Statement of Condition The conditionidentifies thenatureand extent of the findor unsatisfactorycondition. It often answers thequestion: "What was wrong?" Normally,a clear andaccurate statementof condition evolves from the auditors comparisonor results with appropriateevaluation criteria.2. Criteria This attribute establishes the legitimacyof the finding byidentifying the evaluation criteria and answers the question: "Bywhat standardswas itjudged?" In financial andcompliance audits,criteria could be accuracy,materiality,consistency,or compliance withapplicable accounting principlesandlegal or regulatoryrequirements. In auditsof efficiency,economy,and programresults(effectiveness),criteria mightbe defined in mission, operation,or function statements; performance,production, and cost standards; contractual agreements; programobjectives; policies, procedures,andother command media; or other external sourcesof authoritative criteria.3. Effect This attribute identifiesthe real or potential impact of the condition and answers the question: "What effectdid it have?" The significance of a condition is usuallyjudgedbyits effect. In operational audits,reduction in efficiencyand economy,or not attaining programobjectives (effectiveness),areappropriate measures of effect.Thesearefrequentlyexpressedin quantitative terms;e.g., value, number of personnel,unitsof production, quantities of material, numberof transactions, or elapsed time. If therealeffect cannot be determined, potential or intangible effectscan sometimes be useful in showing29 | P a g e
  30. 30. thesignificance of the condition.4. Cause The fourthattribute identifies theunderlying reasons for unsatisfactoryconditions or findings, and answers the question: "Whydidit happen?" If the conditionhas persisted for a longperiod of time or is intensifying,the contributing causesfor thesecharacteristicsof the condition should also be described. Identification of the causeof an unsatisfactorycondition or finding is aprerequisite to making meaningful recommendations for corrective action.The cause maybequite obvious or may be identified bydeductive reasoning if the audit recommendation points outa specific and practical wayto correct the condition. However,failure to identifythe cause in a finding may also meanthe cause was notdeterminedbecauseof limitation or defects in audit work, or was omitted to avoid direct confrontation with responsibleofficials.5. Recommendations This final attribute identifiessuggestedremedial action and answers thequestion: "What shouldbe done?" The relationship between the audit recommendation and the underlying causeof the condition shouldbe clear and logical. If a relationship exists,the recommended action will most likely be feasible and appropriatelydirected. Recommendations in the audit report should state preciselywhat needsto be changed or fixed. How the change will be madeis the auditedentitys responsibility.More generalised recommendations (e.g., greater attention be given, controlsbere-emphasised, astudymade, or consideration be given) should not beusedin the audit report, but theyare sometimes appropriate insummaryreports todirect top managements attention to compliance-type findings disclosed in several areas. Unless benefits of taking the recommended actionare obvious, theyshouldbe stated.The cost of implementing andmaintaining recommendations shouldalwaysbe compared torisk. Recommendations shouldbe directed to an individual capableof taking action.6. Policy/Process Audit findings will include: the nature of the findings, the criteria used todetermine the existence of the condition; the causeof the condition; the significance of its impact; and what the auditors thinkshouldbe done to correctthe situation.QUALITYASSURANCEThe purpose of "qualityassurance"is to provide reasonable assurance that audit work performedbyABC Company-InternalAudit conforms toGenerallyAcceptedAuditing Standards.QualityAssurancePolicyAll working papers shallbe independentlyreviewed to ensure there is sufficient evidence to supportconclusions,document theextent of audit work performed,and ensurethat all audit objectiveshave been met, as wellas substantiate compliance withapplicable auditing standards.Adetailed reviewshallbe conducted bytheAuditManagerfor assignedstaffs working papers.Aless comprehensivereviewshallbe conducted byInternalAudit Departmentor an assignedQualityAssurance staff person. EXCEPTION:If theAuditManageris the onlystaff memberassignedto the audit/taskthen the detailed review shall be performedbydepartmentadministration or an assignedQualityAssurancestaffperson.Initialling (Director/QualityAssurancestaff person and theAudit Manager)workingpapers (Section Summaries,AuditPrograms, Draft Report)and completing the "QualityAssurance Reviewform,"willserve as documentation of thereviewprocess andwillbefiledwith the workingpapers.NOTE:Auditors areencouraged to performan "informal" self-reviewof their working papers. However,this reviewwouldbe fortheir benefit onlyandtherefore this document SHALL NOTbe apart of the working papers.30 | P a g e

×