
INTERNAL AUDIT MANUAL

For Internal Audit Function

Government of Samoa


Prepared with the assistance of the Asian Development Bank's technical assistance TA 6507-REG: Strengthening Public Financial Management in Pacific Developing Member Countries

And collaboration with the Internal Audit & Investigation Division, Ministry of Finance

With compliments of Internal Audit and Investigation Division, Ministry of Finance


FOREWORD

Improved governance is a key strategic goal of the Government (Goal 6, Strategy for the Development of Samoa 2012 – 2016). The role of Internal Audit has increasingly become important given the drive for best practice and improved governance across Government service. There has been a rise in irregularities in the management of Government resources because of weak systems and controls. Improved internal audit oversight can minimise these risks and therefore cut down the costs of mismanagement.

This Internal Audit Manual provides the necessary tools, techniques and the audit methodology for completing Internal Audit assignments. In addition, a Practice Guide supplements this manual by providing practical information on how to complete an audit assignment. The Manual has been developed in accordance with the International Professional Practice Framework (IPPF) of the International Institute of Internal Auditors and therefore represents international best practice in internal auditing.

All Internal Auditors will adopt these resources across the Government. Their use will provide the Government with assurance that all Internal Auditors are complying with the IPPF. This will enable Internal Auditors to raise the standard of professionalism of the services they provide to Chief Executive Officers and Audit Committees.

The Manual and Practice Guide have resulted from a large investment by the Government and its development partners: the Asian Development Bank (ADB) and the Pacific Island Technical Advisory Centre. The technical assistance provided with the assistance of the ADB has developed this Internal Audit Manual in collaboration with the Assistant Chief Executive Officer (ACEO), Internal Audit and Investigation Division (IAID) within the Ministry of Finance.

To enable internal auditors to educate themselves and their staff with the Manual, the Practice Guide and its use in their audits, the ACEO IAID is leading and coordinating a Continuing Professional Development Group (CPDG) through the established Internal Audit Forum. The role of this CPDG is to hold training sessions in the use of the Manual and Practice Guide, with the aim of the standards being fully implemented in the internal audit of the Government of Samoa by 2015.

Lavea Tupa’imatuna Iulai Lavea
Chief Executive Officer
Ministry of Finance


Table of Contents

Introduction
    ORGANISATION OF THE MANUAL
    STANDARDS ADOPTED
    THE AUDIT PROCESS
    THE STEPS IN THE AUDIT PROCESS

Section 1: The Role and Context of Internal Audit
    INTRODUCTION
    INTERNAL AUDIT DEFINITION
    INTERNAL AUDIT STANDARDS
    ATTRIBUTE STANDARDS
    PERFORMANCE STANDARDS
    LEGISLATION / CHARTER
    TYPES OF AUDITS
    INTERNAL AUDIT RELATIONSHIPS

Section 2: Strategic and Operational Planning
    STRATEGIC PLANNING
    CONTENTS OF INTERNAL AUDIT STRATEGIC PLAN
    ANNUAL AUDIT PLAN

Section 3: Internal Controls
    MANAGEMENT SYSTEMS
    FINANCIAL SYSTEMS
    FOCUSING ON INTERNAL CONTROL
    INTERNAL CONTROL EXAMINED
    CONTROL THEORY
    THE ROLE OF MANAGEMENT IN INTERNAL CONTROL
    THE ROLE OF INTERNAL AUDIT IN INTERNAL CONTROL
    CONTROL ENVIRONMENT
    CONTROL ACTIVITIES

Risk Assessment
    INHERENT RISK
    CONTROL RISK
    DETECTION RISK
    SAMPLING RISK
    NON-SAMPLING RISK

Materiality
    MATERIALITY BY VALUE
    MATERIALITY BY NATURE

Section 4: Assignment Planning
    BACKGROUND
    AUDIT APPROACH
    ASSIGNMENT OBJECTIVES
    AUDIT SCOPE
    AUDIT RISKS
    RESOURCE ALLOCATION
    TIME BUDGETING
    STAFF PLANNING MEETING
    COMMUNICATION WITH MANAGEMENT
    AUDIT SUPERVISION
    AUDIT PROGRAMME
    AUDIT PLANNING MEMORANDUM

Section 5: Audit Documentation
    WORKING PAPERS
    TYPES OF WORKING PAPERS
    FORMAT OF WORKING FILES
    FILING AUDIT WORKING PAPERS
    THE PERMANENT AUDIT FILE
    CURRENT AUDIT FILES

Section 6: Audit Fieldwork Techniques
    UNDERSTANDING THE SYSTEM
    1. INTERVIEWING
    2. FLOWCHARTING
    3. ANALYTICAL REVIEW
    4. AUDIT SAMPLING
    5. CONTROLS TESTS
    6. SUBSTANTIVE TESTS
    7. AUDIT PROGRAMME(S)

Audit Evidence
    PROCEDURES FOR OBTAINING AUDIT EVIDENCE
    RELIABILITY OF EVIDENCE

Section 7: Computers in the Audit Process
    INTERNAL CONTROLS IN A COMPUTERISED ENVIRONMENT
    GENERAL CONTROLS
    APPLICATION CONTROLS
    ACCESS CONTROLS
    COMPUTER ASSISTED AUDIT TECHNIQUES (CAATS)

Section 8: Internal Audit and Fraud
    EXAMPLES OF FACTORS PERMITTING FRAUD
    EXAMPLES OF COMMON FORMS OF FRAUD

Section 9: Audit Reporting
    THE REPORTING PROCESS
    INCORPORATE MANAGEMENTS VIEWS
    SAMPLE ASSIGNMENT REPORTING TEMPLATE
    QUALITY OF COMMUNICATIONS
    AUDIT FOLLOW UP

Section 10: Performance Assessment and Quality Assurance
    KEY PERFORMANCE INDICATORS
    MANAGEMENT INFORMATION SYSTEM
    INTERNAL AUDIT ANNUAL PERFORMANCE REPORT
    IMPLEMENTING KPI’S
    QUALITY ASSURANCE AND IMPROVEMENT PROGRAM
    QUALITY ASSURANCE (QA) MANUAL
    APPLICATION OF THE QA MANUAL

Glossary

Appendices
    APPENDIX 1: STRATEGIC PLAN - INTERNAL AUDIT RESOURCE ALLOCATION
    APPENDIX 2: STRATEGIC AUDIT PLAN - AUDIT COVERAGE
    APPENDIX 3: AUDIT RESOURCES ALLOCATED TO AUDIT ACTIVITIES
    APPENDIX 4: CONTROL ENVIRONMENT ASSESSMENT
    APPENDIX 5: AUDIT PLANNING MEMORANDUM TEMPLATE
    APPENDIX 6: SAMPLE WORKING PAPER
    APPENDIX 7: SAMPLE PERMANENT FILE CHECKLIST
    APPENDIX 8: SAMPLE INTERVIEWING QUESTIONS
    APPENDIX 9: FLOWCHART SHAPES
    APPENDIX 10: STAGES IN DRAWING A FLOW CHART
    APPENDIX 11: EXAMPLE OF A CROSS FUNCTIONAL FLOWCHART FOR PROCURE TO PAY
    APPENDIX 12: EXAMPLE AUDIT PROGRAMME (PAYROLL – CONTROL TESTS)
    APPENDIX 13: EXAMPLE AUDIT PROGRAMME (PAYROLL – SUBSTANTIVE TESTS)
    APPENDIX 14: EXAMPLE QUALITY CONTROL – ASSIGNMENT PLANNING CHECKLIST
    APPENDIX 15: EXAMPLE QUALITY CONTROL - PLANNING REVIEW CHECKLIST
    APPENDIX 16: EXAMPLE QUALITY CONTROL - AUDIT FIELDWORK CHECKLIST
    APPENDIX 17: EXAMPLE QUALITY CONTROL - AUDIT REPORTING CHECKLIST
    APPENDIX 18: EXAMPLE KEY PERFORMANCE INDICATORS
    APPENDIX 19: EXAMPLE CLIENT SATISFACTION SURVEY
    APPENDIX 20: MODEL CHARTER OF INTERNAL AUDIT
    REFERENCES

Acronyms

ADB Asian Development Bank

APC Audit Planning Checklist

APM Audit Planning Memorandum

AR Audit Risk

CAATs Computer Assisted Audit Techniques

CIS Computer Information System

COSO Committee of Sponsoring Organizations

CR Control Risk

DR Detection Risk

DST Direct Substantive Testing

GRN Goods Received Note

HoIA Head of Internal Audit

HRM Human Resource Management

ICQ Internal Control Questionnaire

IFAC International Federation of Accountants

IFMIS Integrated Financial Management and Information System

IIA Institute of Internal Auditors

INTOSAI International Organization of Supreme Audit Institutions

IPPF International Professional Practices Framework

IR Inherent Risk

ISACA Information System Audit and Control Association

ISPPIA International Standards for Professional Practicing of Internal Audit

IT Information Technology

KPI Key Performance Indicator

MTEF Medium Term Expenditure Framework

PFTAC Pacific Financial Technical Assistance Center

QA Quality Assurance

SoFR Summary of Findings and Recommendations

ToR Terms of Reference

VFM Value For Money


Introduction

This internal audit manual will provide internal audit staff of the Government of Samoa with practical guidance, tools and information for managing an internal audit function. This includes guidance on planning, performing, and reporting on internal audit assignments. Internal audit has been active across the Government for many years, with an Internal Audit and Investigations Division of the Ministry of Finance and Internal Audit Managers in several Ministries and in other Public Bodies. While this manual incorporates good practice for the internal audit function, it is expected that the manual will require updating as internal audit evolves and matures through time. Updates will be formally organised in collaboration with all internal auditors across the Government and one Internal Audit Manual will be issued for use by all.

Organisation of the Manual

There are 10 sections in this manual, which set out the necessary tools, techniques and the audit methodology for completing internal audit assignments. The tools and techniques outlined in this manual are those referred to by the Institute of Internal Auditors in their standards and practice advisories, and are applicable for agencies implementing internal audit in public sector entities within the Government of Samoa.

The appendices of the manual contain a glossary of commonly used terms as well as templates, forms and other guidance required for completing various aspects of audit management and audit assignments.

Electronic templates can be obtained from the ACEO, IAID in the Ministry of Finance.

Standards Adopted

This manual adopts the International Standards for the Professional Practice of Internal Auditing as established by the Institute of Internal Auditors (IIA). These standards are documented in the International Professional Practice Framework (IPPF). This framework comprises:

A definition of internal auditing,

A code of ethics,

International standards for the professional practice of internal auditing,

Practice advisories,

Practice guides, and

Position papers.

In some circumstances where detailed explanation is not given by the IPPF, guidance has been taken from international audit and internal controls standards stipulated by:

The International Organisation of Supreme Audit Institutions (INTOSAI),

The International Federation of Accountants (IFAC),

The Committee of Sponsoring Organisations (COSO), and

The Information System Audit and Control Association (ISACA).

The Audit Process

The purpose of performing internal audits is to provide CEOs, their senior managers and other stakeholders with assurance on the:

Accuracy of financial information,

The effectiveness of the risk management process,

Reliability of internal controls, and

Compliance with laws and regulations.

In order to achieve these objectives, an internal audit service should follow best practice in:

Planning audit assignments to ensure maximum output from the audit resources available,

Evaluating internal controls and assessing compliance with the controls,

Testing controls and transactions, and

Reporting audit findings in a concise, accurate, timely and constructive manner.

The following sections in this manual will provide the necessary guidance to internal auditors on how to successfully complete these activities in a methodical and structured manner.

The diagram below illustrates the various stages of the audit process with each stage examined in the later sections of this Manual.

The Steps in the Audit Process

The audit process can be broken down into a number of steps which are covered in more detail in the various sections of this manual, as outlined in the table below:

Step 1
    Description:
        Familiarization with the entity to be audited
        Understand the accounting and internal control systems
        Understand the system under review
        Review previous audit work performed, results of spot checks and investigations into irregularity reports
    Section:
        Section 4 – Primary section
        Section 6 – Provides guidance on audit techniques for gathering information
        Section 7 – Applicable if IT systems are under review

Step 2
    Description:
        Preliminary planning
        Document system under review identifying major controls
        Perform a walk through test
        Meet responsible officer(s)
    Section:
        Section 3 – Provides practical information on internal controls activities
        Section 5 – Introduces the necessity of the auditor to maintain documentary evidence of work completed
        Section 6 – As in step 1
        Section 7 – As in step 1
        Section 8 – Applicable if fraud is suspected

Step 3
    Description:
        Confirmation of audit objectives, and audit scope
    Section:
        Section 4 – Primary section

Step 4
    Description:
        Assess risk and materiality
    Section:
        Section 3 – Primary section

Step 5
    Description:
        Determine the audit strategy, the resource requirement and the timing of the assignment
    Section:
        Section 3 – Primary section, discusses system based audit
        Section 4 – Discusses resource requirements when planning
        Sections 7 & 8 – IT and fraud issues create additional resources issues

Step 6
    Description:
        Prepare audit programmes based on audit planning conclusions
    Section:
        Section 4 – Discusses the preparation of audit programmes in the planning stage of the audit
        Section 6 – Discusses the audit techniques and knowledge required to prepare the programmes

Step 7
    Description:
        Finalise the Audit Planning Memorandum
    Section:
        Section 4 – Primary section with APM template in appendix 5

Step 8
    Description:
        Commence the audit fieldwork - Introductory meeting with Auditee
    Section:
        Section 6 – Discusses audit techniques to assist when completing fieldwork and evidence collection

Step 9
    Description:
        Perform and document compliance tests (tests of controls)
    Section:
        Section 5 – Discusses the need and the process for documenting audit work
        Section 6 – Provides guidance on completing compliance tests and gathering evidence

Step 10
    Description:
        Evaluate test results and design substantive test procedures if necessary
    Section:
        Section 6 – Primary section

Step 11
    Description:
        Evaluate substantive test results
    Section:
        Section 6 – Primary section

Step 12
    Description:
        Summarize findings and audit conclusions in the audit report and prepare a draft report for discussion
    Section:
        Section 9 – Primary section
        Section 5 – Guidance on preparing audit files

Step 13
    Description:
        Discuss findings/recommendations with a responsible officer and agree action plan
    Section:
        Section 9 – Primary section

Step 14
    Description:
        Review and assess the audit file
    Section:
        Section 5 – Primary section
        Section 10 – Guidance on quality assurance and appendices 14-17 providing checklists for completion of audit activities

Step 15
    Description:
        Finalise and issue audit report
    Section:
        Section 9 – Primary section

Step 16
    Description:
        Follow up auditee progress on implementation of recommendations
    Section:
        Section 9 – Primary section
        Section 10 – Determine the number of recommendations implemented by management

Section 1: The Role and Context of Internal Audit

Introduction

The work of internal audit may vary considerably within and among Ministries and other Public Bodies. This is because the functional and structural arrangements of the Ministries and other Public Bodies themselves differ and this is reflected in the services to be delivered by internal audit. These variations exist for a number of reasons including the nature of the public services delivered, the size, complexity and level of development in each entity being audited. Good practice indicates that a well-resourced and effective internal audit function has a key role to play in improving governance arrangements within Ministries and other Public Bodies.

The internal audit and investigations function provides the CEO with assurance that the systems, standards, policies and procedures in place are operating as intended and providing value to the community. Indeed the key function of the internal audit activity is to evaluate and contribute to risk management, improvements in internal controls and governance processes.

The internal audit function in its position within government and with the activities it performs will have contact with key external stakeholders. These may include the Samoa Audit Office, Ombudsman, the Parliament of Samoa, standard setting bodies and other oversight bodies in both public and private sectors. It is therefore an important function which requires a significant, independent status within a designated government Ministry or Public Body along with an appropriately skilled individual(s) to lead the function.

Internal audit does not operate in isolation. It is important that the role of internal audit is considered in the context of external audit and other review functions, e.g. performance reviews and management reviews, and that internal audit complements rather than duplicates the work that is being performed by such functions. It is equally important that the role of internal audit is not displaced or superseded and that it is given adequate authority when completing its activities. It is therefore very important that a strong relationship between internal and external audit is developed to maximize the use of limited resources.

This manual will provide operational direction to internal auditors on:

Managing the internal audit function,

Completion of assurance audits of the financial and management systems in operation.

Internal Audit Definition

The definition provided by the Institute of Internal Auditors (IIA) on internal auditing states the fundamental nature, purpose, and scope of internal auditing:¹

“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes”.

¹ The Institute of Internal Auditors. 2009. International Professional Practice Framework. www.theiia.org/guidance/standards-and-guidance

The key elements of the definition are that internal audit is:

1. Independent and objective,

2. Engages in assurance and consulting activities,

3. Adds value and improves operations,

4. Has a systematic and disciplined approach, and

5. Evaluates risk management, control, and governance processes.

Each of these elements will be dealt with throughout the manual; however, it is worth noting point 2 on assurance and consulting activities and clearly defining these terms at this time.

Assurance Services:

These involve the internal auditors providing an objective examination of evidence for the purpose of providing an independent assessment of risk management, control and governance processes of an organization. Examples include financial, performance, compliance and system security engagements.

Consulting Services:

These are advisory and auditee related service activities, the nature and scope of which are agreed with the auditee and which are intended to add value and improve the organisation’s governance, risk management, and control processes without the internal auditor assuming management responsibility. Examples include counsel, advice, facilitation and training.²

Assurance services involve the traditional audit work performed by the internal audit function on historical information whereby the auditor selects an area for audit and forms an opinion on the internal controls, risk management or governance processes in place making recommendations for improvements where required. This manual envisages that the majority of internal work performed in the Government of Samoa initially will fall under assurance work as defined by the IIA.

Internal Audit Standards

The standards followed in this manual for performing internal audits are those embodied by the Internal Auditing Standards Board. The internal audit function must follow these standards to ensure:

Consistency and better quality in the audit work performed,

That auditors have the necessary guidance when completing audits,

The efficient and effective delivery of audit services, and

That a benchmark exists, against which audit work can be measured.

The standards provide practical guidance and interpretation on the provision of internal audit services to a range of diverse clients. The standards are separated into distinct categories:

Attribute standards, and

Performance standards.

Both attribute and performance standards are applied in the performance of internal audit activities regardless of the activity being performed, whether assurance or consulting.

2 The Institute of Internal Auditors UK and Ireland. 2004. The role of Internal Audit in Enterprise-wide Risk Management

Attribute Standards

Attribute standards relate to the attributes of the internal auditing and investigations division of the Ministry of Finance, and each internal audit unit within Ministries and other Public Bodies, or attributes personal to the internal auditor, including:

Independence and objectivity,

Proficiency and due professional care,

Continuous professional development, and

Quality assurance and improvement programme.

The principal attribute standards are discussed below. If the internal audit function is to perform its activities, the employment of these standards is necessary.

Independence and Objectivity

Internal auditors and investigators are independent of the management and staff of each government entity. They report directly to the Audit Committee and CEO. This permits internal auditors to render the impartial and unbiased judgments essential to the proper conduct of audit assignments. To provide for the independence of the internal auditing and investigations function, internal audit and investigations staff report to the ACEO, IAID or the Internal Audit Manager, who reports administratively to the CEO and functionally to the board and audit committee in a manner outlined in the section on Accountability. The CAE will include as part of the annual internal audit and investigations report to the audit committee a regular report on internal audit resources and the continuing professional development of personnel.

Internal auditors are independent when they carry out their work freely and objectively. Independence permits internal auditors to render the impartial and unbiased judgments essential to the proper conduct of audit assignments. The internal audit activity should be free from interference in determining the scope, performing work, and communicating results. Objectivity is an unbiased mental attitude that allows the internal auditor to perform their work to a high standard.

If independence or objectivity is impaired in fact or appearance, disclosure is required to the appropriate parties. Impairment may occur for various reasons e.g. the internal auditor may be completing the audit of an area for which they were previously responsible.

Proficiency and Due Professional Care

Internal auditors should possess the knowledge, skills and other competencies required to perform their individual responsibilities. The internal audit activity is required to obtain the knowledge, skills and other competencies required to perform their activities.

The head of internal audit should have the necessary skills to perform an audit assignment. Internal auditors should have sufficient knowledge to evaluate the risk of fraud and to identify the characteristics of fraud (discussed in section 8); however, they are not expected to have the expertise of a person whose primary responsibility is detecting and reporting fraud.

Internal auditors should exercise due professional care by considering the:

Extent of work needed to fulfil the objectives of an audit assignment,

Complexity and materiality of the areas under review,

Adequacy and effectiveness of governance, risk management, and control processes,

Probability of errors, fraud, and non-compliance, and

Cost of assurance in relation to potential benefits.

Continuing Professional Development

Internal auditors should enhance their knowledge, skills and other competencies through continuous professional development. This is achieved through the conscious updating of professional knowledge by keeping abreast of professional standards updates and any other emerging issues within the internal audit profession. The CPD Programme is the responsibility of the Audit and Investigations CPD Group. The ACEO, IAID Ministry of Finance will distribute information on monthly CPD activities to all internal auditors and investigators.

Quality Assurance and Improvement Programme

The quality assurance and improvement programme for internal audit across Government assists internal auditors to comply with this Manual. It also includes regular internal and external reviews as well as the ongoing support provided to internal auditors in completing their activities.

Internal reviews are completed through scheduled performance reviews of the internal audit function on an ongoing basis and external reviews completed by independent reviewers. These include the regular Public Expenditure and Financial Accountability Assessment (PEFA) undertaken by donors, as well as scheduled external peer review of the Internal Audit Function of the Government of Samoa. Both are completed at least once in a 3-5 year period. (See section 10 of this manual)3

Performance Standards

Performance standards are applicable to the performance of work completed by internal audit and address managing the internal audit processes, assessing risk, control and governance processes, planning audit assignments, testing and analyzing information, evaluating evidence and communicating audit results.

This Manual provides processes that assist internal auditors to comply with those standards.

Legislation / Charter

The authority of the internal audit function is section 13 (o) of the Public Finance Management Act 2001 and section 8.2 of the Public Bodies (Performance and Accountability) Regulations. It is also defined in individual internal audit charters approved by CEOs.

The purpose, authority and responsibility of the internal audit activity is formally defined in an audit charter, consistent with the definition of internal audit, the code of ethics, and the audit standards. The internal audit manager must periodically review the charter and present it to senior management for their formal approval.4

The internal audit charter establishes the position of internal audit within the Ministry / Public Body; it authorizes access to records, personnel, and physical properties relevant to the performance of audit assignments; and it defines the scope of internal audit activities. The charter is developed in consultation with the main stakeholders to ensure that all stakeholder needs and expectations can be met and that any gaps can be addressed as part of the development process. The CEO and Internal Audit Manager sign the Charter after consultation with the Audit Committee.

3 The attribute standards listed have been taken from the IIA; however, this is not a complete list of the attribute standards given by the IIA.

4 The Institute of Internal Auditors. 2009. Practice Advisory 1000-1 Internal Audit Charter

Contents of the Internal Audit Charter

Title: Content

Purpose of Internal Audit: Clearly state the purpose of Internal Audit e.g. to complete assurance assignments, review internal controls etc

Independence: Addresses organisational independence, reporting arrangements to senior personnel and meeting with review bodies and other stakeholders

Authority and Confidentiality: Authority to obtain information which it deems necessary to fulfill its obligations, specifying that information obtained will be dealt with confidentially and only used for audit purposes

Scope of Internal Audit Activity: Defines the programmes, activities, organisations, systems, processes that are (and are not) subject to internal audit review

Role and Responsibility of Internal Audit: In relation to audit activities, audit support activities and non-audit activities (if any) to be undertaken

Standards: Specify the professional and other standards to be followed

Relationship with External Audit: Specify how internal and external audit will work together, to ensure no duplication and coordination when dealing with audit findings

Planning: Development of strategic and annual work plans for the internal audit function. Develop individual assignment plans in line with the activities outlined in the annual plan

Reporting: The annual report produced by the internal audit function addressing the main issues across the government. Prepare assignment reports for management based on assignment objectives

Administrative Arrangements: Develop and update an internal audit manual and an internal audit protocol. Develop key performance indicators for the internal audit function to assess performance and provide for independent reviews of the internal audit function

Review of Charter: Regular review of the charter by the head of internal audit function and updating as required, with approval for updates sought at the appropriate level.

Types of Audits

The type of audit performed is determined by the audit objectives of a particular assignment; indeed, many assignments will fulfil more than one objective. However, no matter what type of audit is performed, the internal audit function should always be alert to opportunities to optimise internal controls, identify non-compliance and improve performance during the execution of its activities.

Due to the early stage of development of internal audit in the Government of Samoa, this manual focuses on assurance activities. The four main assurance-type activities completed by an internal audit function are discussed below:

Financial,

Compliance,

Performance, and

IT audits.

Skills in environmental auditing may also be developed to address environmental risks.

Financial Audit

This involves the audit of historic financial information usually provided by an accounting system and its sub systems. When performing this audit there will also be a review of internal controls over the various systems as well as compliance with applicable laws, regulations, and rules.

Internal audit is primarily concerned with the operation of internal controls in the accounting system to ensure that information processed through that system is accurate and reliable. When performing this type of audit, the auditor will be required to assess materiality and risk and make judgments on the assessments performed. These assessments will assist the auditor to plan and perform an audit assignment.

The audit of financial information may adopt the cycle approach to internal accounting control (a cycle is a group of transactions from creation to completion) e.g. a purchasing cycle may include:

Processing a purchase request,

Issuing a purchase order,

Receiving goods and services,

Processing supplier invoices,

Processing payments,

Ensuring creditor accounts are updated with transactions posted to proper accounts.

Alternatively, an audit risk model or an audit assertions model may be adopted when completing the audit of financial systems, each of which is consistent with cycle auditing.

Performance Audit

A performance audit is a review or examination of any aspect of the operations of an entity or person. Performance audits are performed to assess the economy, efficiency and effectiveness of entities, operations or management in the use of public resources. They can also include the examination of governance issues such as risk management, control structures, resource use, information systems, performance measures and monitoring systems, as well as legal compliance.5

The objectives of performance audit are:

To ensure that public resources are being properly managed,

To ensure that managers are adopting good management practice when managing the resources, and

To make suggestions for the improvement in management practices which will lead to better economy, efficiencies and effective use of public resources.

Auditing Economy, Efficiency, and Effectiveness

What does the auditing of economy, efficiency and effectiveness actually mean?

Economy – Keeping costs low

According to audit standards, economy means minimizing the cost of resources for a particular activity but not to the detriment of the quality of the product or service. Audits of economy will address the following questions:

Do the inputs chosen (equipment, people etc) represent the most economical use of public resources?

Have those inputs been used economically? and

Have management performed their functions based on sound management practices and principles?

Efficiency – Making the most of available resources

Efficiency is directly related to economy; the main question is whether the resources have been put to optimal use to achieve the maximum output in terms of quality and quantity. Audits of efficiency would address the following issues:

Have public resources been used and managed efficiently?

Are activities in government entities consistent with stipulated objectives and requirements?

Are public services of good quality, client orientated and delivered on time?

Are the objectives of government programmes reached cost effectively?

Effectiveness – Achieving the stipulated aims or objectives

Effectiveness is a goal attainment concept, which is concerned with objectives, outputs and impact. The question of effectiveness comes in 2 parts:

1. Have the policy objectives been achieved?

2. Are the impacts observed really the result of the policy pursued and not a result of other circumstances?

The first question can be answered if clearly defined objectives are in place to allow the assessment to take place; it is very difficult to assess vague, abstract programme objectives.

The second question will require a comparison to be made between the situation prior to the introduction of the policy and the situation after the policy was introduced. Such studies are often very difficult to complete in practice due to the lack of necessary information.

5 International Organisation of Supreme Audit Institutions (INTOSAI). 2004. Implementation Guidelines for Performance Auditing

Audits of effectiveness would look at the following issues:

Assess whether government programmes have been effectively prepared,

Assess the effectiveness of the organisational structures, decision making processes and management systems for programme implementation,

Assess whether the programme supplements, duplicates, overlaps or counteracts other related programmes,

Assess whether the quality of the public services meets the people's expectations,

Assess the adequacy of the system for measuring, monitoring and reporting on programme effectiveness.

Compliance Audit

Compliance audits can be performed separately, but more often than not they will form part of another audit, most commonly a financial audit and to a lesser extent a performance audit. Compliance audits deal with the degree to which audited entities follow rules, laws and regulations, policies, established codes or agreed upon terms and conditions.

In general the purpose of a compliance audit is to provide assurance to intended users about the outcome of the evaluation or measurement of a subject matter against suitable criteria.

When performing compliance audits there are 2 matters of significance:6

1. Regularity – activities, transactions and information pertaining to an audited entity, process or activity are in accordance with the corresponding legislation,

2. Propriety – sound principles of public sector financial management and the conduct of public sector officials in performing their functions.

IT Audit

IT audit is the process of collecting and evaluating evidence to determine whether a computer system has been designed to maintain data integrity, safeguard assets, allow organisational goals to be achieved effectively and use resources efficiently. An effective information system leads the organisation to achieve its objectives and an efficient information system uses minimum resources in achieving the required objectives.

Internal Auditors should have expertise in internal control, but to successfully undertake audits of computer systems, internal auditors require further knowledge and experience. This will include practical knowledge of auditing computer-based systems. There is also a need for auditors to be aware of the computer controls that should be in place in such systems.

The principles relating to internal control are the same in a computerised environment as in a manual environment. However, there are additional considerations to address when auditing computer systems.

The main controls in computerised applications consist of:

Application controls - relate to the transactions and standing data for each computer-based application and are therefore specific to each application; for example, there will be specific application controls for a computerised payroll system.

6 International Organisation of Supreme Audit Institutions (INTOSAI). 2009. General Introduction to Guidelines on Compliance Audit

General Controls - relate to the environment within which computer-based systems are developed, maintained, and operated. Thus, they are generally applicable to all computer systems within an organisation.

Environmental Audit

Environmental issues can be addressed during a financial audit, a compliance audit and a performance audit. Performance auditing of environmental matters may include ensuring that:

Indicators of environmentally related performance (contained in accountability reports) fairly reflect the performance of the Ministry / Public Body.

Environmental programs are conducted in an economical, efficient, effective manner.

Audits of sustainable development may be approached in ways similar to those described above.

Types of environmental audits are:

Performance audit of the implementation of environmental programs

Evaluate impacts or effects of existing environmental programs

Evaluate impacts or effects of proposed environmental programs.

Audit environmental effects of non-environmental programs.

Audit compliance with environmental laws and regulations by Ministries and other Public Bodies.

Audit compliance by the government with international obligations and commitments which the government has signed.

Audit government environmental management systems.

Consulting Services

Consulting services are provided to answer specific questions about the capability, systems and procedures of the Ministry / Public Body and to aid in developing required capability.

Section 7 of this manual deals with the above types of audit in more detail. There are more aspects to IT audit e.g. auditing the system design and development process; however, this is beyond the scope of this manual. Environmental audit issues are addressed by the INTOSAI’s Working Group on Environmental Auditing. Further guidance can be obtained from: http://www.environmental-auditing.org/

Internal Audit Relationships

Relationships with Management

Internal Audit provides a service to management. Its strategy, planning and delivery should aim to maximize the benefit for management without jeopardizing internal audit’s responsibilities. Management and staff at all levels should have complete confidence in the integrity, independence and capability of internal audit. The relationship between internal auditors and line managers is a privileged one, and information gained in the course of audit work should always remain confidential.

Co-operative relationships with line management enhance the ability of internal audit to achieve its objectives effectively. Audit work should be planned in conjunction with management as far as possible, particularly in respect of the timing of audit work (except where unannounced visits are essential to ensure the achievement of the audit objectives). The head of internal audit should have regular meetings with line management to discuss any issues arising from its operations or its ability to meet its objectives.

Relationship between Internal and External Audit

Internal and external audit activities may be coordinated to help ensure the adequacy of overall audit coverage and to minimize duplication of effort. Establishing a professional working relationship between internal audit and the external auditor should deliver benefits to both parties. It is important that internal audit seeks input from the Controller and Chief Auditor in developing the internal audit strategic plan and the annual work plan. It is also important that internal audit consult with the Audit Office during the planning phase of individual audits that address key financial and operating systems that underpin the Ministry’s / Public Body’s financial statements or relevant areas of proposed performance audit coverage. By engaging the Audit Office in this way, potential overlaps and gaps in overall audit coverage can be identified and addressed, and it will assist in maximizing the extent to which the Audit Office is able to rely on the work of internal audit when undertaking its work.

Internal audit will often be responsible for liaising with the Audit Office on behalf of the Ministry / Public Body and be tasked with coordinating external audit activity in a Ministry / Public Body. This role can be a useful way for internal audit to be aware of planned and actual external audit coverage, while at the same time being cognizant of the Audit Office’s need for access to individuals and records to enable them to meet their own audit responsibilities.

Management determines the role of internal audit; its objectives differ from those of the Controller and Chief Auditor appointed to report independently on the financial statements and compliance with the Constitution. The internal audit functions and objectives differ according to management's requirements. The Audit Office’s primary concern is whether or not the financial statements are free of material misstatements, and whether or not the Ministry / Public Body has complied with all the applicable laws and regulations. The table below lists the differences between internal and external audit.

Table 1: Differences between internal and external audit

Issue: Accountability
Internal Audit: Reports to the Audit Committee/CEO detailing performance against the annual internal audit plan.
External Audit: Reports to Parliament, and ultimately the taxpayer.

Issue: Status
Internal Audit: Employed directly by the Ministry/ Public Body. Independence achieved through organisational status and objectivity.
External Audit: Independent from implementing Ministry / Department.

Issue: Mandate and scope
Internal Audit: Legislation / Regulations. Internal Audit Charter, and approved Internal Audit Strategy.
External Audit: Audits are carried out under a constitutional mandate, and other pronouncements.

Issue: Concept of risk
Internal Audit: Assists the management of the Ministry/ Public Body in managing risk. Evaluates the effectiveness of the risk management system during the course of internal audit assignments, and assists in improving the risk management process. Performs risk assessments to identify focus areas for audit purposes.
External Audit: Use risk assessment to determine the effectiveness of controls that reduce the inherent risk of material misstatement of those aspects on which an opinion is expressed.

Issue: Reporting
Internal Audit: Could include monthly and annual progress reports, interim reports, special reports, and reports on completion of audit projects. Reports are submitted to the CEO and Audit Committee. Reports focus on adequacy and effectiveness of internal control and governance processes.
External Audit: At the end of the audit the auditor prepares a written report expressing an opinion regarding the fair presentation of financial statements and compliance with relevant laws and regulations. The audit report on the financial statements at national level is submitted to Parliament.

Issue: Assurance
Internal Audit: Should be consulted to review and advise on systems development to ensure efficient outcomes.
External Audit: Evaluate system development as part of the audit process.

Issue: Scope of work
Internal Audit: The scope will depend on the limits, if any, set upon it by the CEO and the internal audit strategy or in some cases on specific statutes, and cover all aspects of internal controls, including operational, financial and compliance control.
External Audit: The scope of the work is contained in the statute and includes matters of regularity (financial and compliance) and performance auditing.

Section 2: Strategic and Operational Planning

A realistic action plan for the internal audit and investigations units within the Government takes into consideration the human and material resources available. The internal audit function plans its audit work in advance to ensure that it can discharge its responsibilities to management when auditing the accounting, financial and operating controls of a Ministry / constitutional authority / or other Public Body.

The plan is developed at two levels:

The strategic plans set out the long term plans (five years) for the internal audit function. They are consistent with the direction of the Ministry / Constitutional Authority / Corporation / Public Body and the strategic direction of the government as a whole, and

The annual audit plans give detailed operations for the year, consistent with the strategic plan and direction of the internal audit function.

Strategic Planning

The internal audit strategy outlines the strategic direction of the internal audit function over a five-year period. It describes in broad terms the operations, programmes and processes that are a priority for audit coverage, indicating the types of audits performed in those areas. The strategic plan should also illustrate how the internal audit function will achieve its stated objectives.

This plan:

Identifies the areas of the Samoa Development Strategy given priority by the government. Internal auditors will work with CEOs of these areas to ensure their management systems provide accurate and reliable information with which to report against the achievement of these strategic goals.

Identifies the key internal control systems of the Ministries and Public Bodies to be audited

Balances the coverage of audit in the period 2012 - 2016 across significant areas

Identifies the resources necessary to achieve the stated objectives

Gives direction to and identifies the priorities of the Internal Audit Managers

Provides a basis from which to measure the performance of the internal audit function.

Developing a Strategic Internal Audit Plan

The head of internal audit is responsible for developing a draft strategic plan, which receives the approval of the senior management / key stakeholders. The plan is developed in conjunction with the key stakeholders to ensure adequate consideration is given to emerging programmes, activities and risks that the head of internal audit may not be aware of. The planning period is determined by the size, complexity, and volume of the activities to be completed by the internal audit function.

Contents of Internal Audit Strategic Plan

While developing a strategic plan the internal audit function considers:

The objectives of the internal audit function, linking them to the strategic environment to be audited,

The structure of the internal audit function,

The resources available,

A risk assessment for the areas to be covered in the audit plan addressing the risk management framework in place if applicable,

Performance measurement of the internal audit function.

The strategic plan is considered as a working document, updated annually on a rolling basis as audit needs and resources change. Within the framework of the strategic plan, the head of internal audit prepares a strategic plan illustrating the allocation of available audit days to different systems over the period of the plan.

Strategic Objectives

This section will provide a statement of the broad business objectives and directions for internal audit over the period of the plan. It will focus on both audit and management goals and be consistent with the internal audit charter. The objectives are developed in conjunction with the key stakeholders and take into consideration the strategic environment in which the internal audit function operates and therefore should summarise the goals, objectives, and major initiatives of the entity.

The strategic objectives may fall under the following categories:

Operational - the activities that the internal audit function will provide over the period, e.g. type and frequency of audits and the outputs from those activities,

Personnel Development – developing the skills of the staff employed in this function,

Function development – developing and increasing the professional approach adopted by the internal audit function through performance measurement, documented procedures and improved methodology, technology and techniques.

Structure of the Internal Audit Function

The internal audit function will require an adequate structure if it is to perform the tasks required of a modern internal audit service. This will involve:

Clearly identifying functional responsibility of the internal audit service,

Ensuring adequate reporting relationships with the key stakeholders,

Outlining the role and function of the head of internal audit, and

Identifying the staffing numbers and grades, for the internal audit service to perform its function effectively.

Internal Audit Resources

The resources made available for the internal audit function are determined by the necessity of the function as gauged by the major stakeholders, the perceived value or savings the function can make, and the volume of activities that it will be expected to perform.

The starting point for determining the required resources of the internal audit function is to identify all the issues and activities that the stakeholders would like to have addressed; this is the basis for identifying the financial and human resource requirement.

Internal Audit Budget

The factors that influence the internal audit budget include:

The number and type of audits included in the annual work plan,

The complexity of the annual work plan including the requirement of expert skill,

The geographical spread of the work including the cost of travelling to the islands,

The inclusion of audit support and non-audit activities to be performed by the internal audit function.

The head of the internal audit function should provide the proposed internal audit budget along with the strategic and annual plans for approval. A work paper for financial and human resource budget calculations is included in appendix 1.

Risk Assessment

There are two elements for internal audit to consider when looking at a risk assessment:

1. Organisation risks, the risks posed to an entity, system or activity that they intend to audit, and

2. The risks that may prevent the internal audit function from achieving its own objectives.

Organisation risks

This section describes the high-level risks identified as part of the entity’s risk management framework7 and discussions with key stakeholders. It should be noted that risk management procedures within organisations may or may not be formally defined and that some organisations may have no risk management processes in place. If this is the case, the internal audit function should make management aware of this. This will affect the risk assessments completed by the internal auditors when planning audit assignments.

The aim of this section is to identify those risks that arise out of the entity’s environment and future direction that may be addressed by internal audit and to provide a link between the proposed direction and priorities of internal audit and the risks of the entity. They may include:

Changes to major operations,

Changes in key personnel or increased personnel numbers,

Special management interest in specific areas,

Historic susceptibility to misuse, misappropriation, or fraud,

Stringent compliance requirements of particular areas,

High monetary value of systems or processes,

A large volume of transactions processed through a system,

Competence of management and staff in particular areas,

Weak system of internal controls,

Results of previous audits (internal and external),

Lack of supervision over outlying islands.

Non-allocation of staff on a regular / full-time basis,

Risks to the Internal Audit Strategy

The major risks that may prevent internal audit from achieving its objectives include:

Failure to provide adequate resources for internal audit activities,

Newly formed internal audit function does not receive adequate management support,

High turnover of personnel in the newly formed function, and

Failure to distinguish clearly the respective roles of internal and external audit.

7 A Risk Management Framework is the structures, methodology, procedures and definitions that an organization has chosen to help identify the risks facing the organization and, by doing so, increase the likelihood of successfully achieving organization objectives. The risk management process involves identifying the risks that surround the organization's activities, assessing the likelihood of an event occurring and understanding how to respond to such events. The risk management process will result in putting systems in place to reduce the occurrence of such events, dealing with their occurrence and monitoring the effectiveness of the approach adopted.

Internal Audit Work Strategies

The purpose of this section is to demonstrate how the proposed work of internal audit will assist the entity to manage its current and emerging strategic risks.

The section could usefully discuss issues such as:

The audit topics that will be undertaken over the period of the plan and how they address the risks facing the entity, including risks that might otherwise remain undetected,

Determining the proportion of the different types of audit to be completed, and

Prioritizing work areas given available resources of the internal audit function.

Audit Coverage

This section will describe where the audit effort will be concentrated and the areas that will receive little, or no, audit attention. It should describe the subject matter that will be addressed as well as the types of audits and the implementing units and/or geographical location of audit coverage. A working paper, attached in appendix 2, should be completed when determining the audit coverage for the strategic plan.

Performance Measurement

This section will list the performance measures used to measure the performance of internal audit and any changes in measures or targets over time. The performance of internal audit should be assessed against:

The annual audit plan,

Stakeholders' views of the work performed,

The views of internal audit staff, and

The overall contribution of the internal audit function to the organisation.

Performance measurement is discussed in section 10 with an example of internal audit performance indicators attached in appendix 18.

Annual Audit Plan

The head of internal audit is responsible for establishing annual operational plans which address the priorities of the internal audit function, consistent with the strategic objectives of the government as well as those of the internal audit function.

The planning process involves:

Identifying the activities of the annual work plan,

Preparing the assignment work schedules,

Developing staffing plans and financial budgets, and

Completing activity reports for the internal audit function.

Activities to meet the Strategic Objectives

These should be achievable within the specified operating plans and budgets, and to the extent possible, they should be measurable. They should also be accompanied by measurement criteria with target completion dates.

Example

The collection of revenue is identified as a high risk and material area for strategic planning purposes, which consequently results in a strategic objective to ensure that an operational audit of revenues is completed annually. When developing the annual plan, it must provide for the audit of revenues, the timing and resources to complete the audit. It may also indicate the location of the audit if there is more than one possible location.

While the internal audit function is developing, the majority of its annual work plan is likely to incorporate the review of key financial systems and sub systems as well as human resource management and governance arrangements in government departments. These activities can be broken down by geographic location based on the level of perceived risk to the government / implementing unit. Some examples include but are not limited to:

The accounting system,

The budget system,

Human resource management,

Payroll payments,

Revenue collection,

Procurement, and

Purchasing systems.

Assignment Work Schedules

Assignment work schedules include the activities to complete, the timing of the audits, and the estimated time required to perform them taking into account the scope of the planned work, and the nature and extent of related work performed by others if applicable.

Matters to consider when establishing work schedule priorities include:

The dates and results of the last audit assignment,

Updated assessments of the internal control processes in place,

Any special request from the Secretary or other senior managers, or external stakeholders e.g. Office of the Prime Minister, the External Auditor or the Development Partners,

Opportunities to avail of operational improvements,

Major changes to the operations, systems and internal controls,

Changes to key personnel in the organization.

The identification of assignment work priorities can be summarised as follows:

Input Based – Why audit? | Output – What are you trying to achieve?
Monetary Value | High value therefore potentially large savings
Significance to the Ministry / Stakeholder | Important Issue for Ministry / Stakeholder
History of Error(s) | Address External Audit and Management Concerns
Poor Controls - Known | Improve Internal Controls
Special Requests | Political Importance

Staffing Plans and Financial Budgets

The head of Internal Audit should ensure that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the approved plan. The head of internal audit is responsible for ensuring that the strategic and annual operational plans for the Internal Audit function are fulfilled and therefore must communicate with senior management concerning the needs and status of resources. (Resources may include employees, external resources or a combination of the two).

Annual resource plans will contain more details than the strategic plan. The annual plan will consider:

The size of the audit universe (the total number of auditable entities, systems, processes) that is covered over a defined period of time,

The coverage of high priority areas in the plan,

The geographic coverage of the audit assignments,

The capacity to undertake unplanned projects,

The nature and extent of the work to be performed and expertise required if necessary.

There are a number of options for illustrating the allocation of internal audit resources in the internal audit annual work plan. A sample table is included in appendix 3.

Activity Reports

The head of internal audit should submit activity reports to the Chief Executive Officer at least annually (See section 10). Activity reports should:

Highlight significant assignment observations and recommendations,

Analyze recommendations from previous audits not implemented,

Inform senior management and the board of any deviations from approved work schedules, staffing plans and financial budgets.

The Internal Auditor should submit activity reports to senior management periodically. Activity reports highlight the significant engagement observations and recommendations and inform senior management of significant deviations from the approved engagement work schedules, staffing plans and financial budgets and the reasons for the deviations as well as action taken or needed.

The frequency and content of the reporting are determined in discussion with senior management. Activity reports are prepared in addition to individual audit assignment reports.8

Confidentiality of Audit Plans

Strategic and annual audit plans are confidential to the head of internal audit and the senior management. Audit Planning Memoranda are known only to them and to the particular head of the unit concerned. Where surprise audit visits are planned, they will be kept confidential by the head of internal audit until the particular day when the audits are to be completed.

Section 3: Internal Controls

The introduction of Systems Based Auditing (SBA) is a major initiative for Samoa. This is the cornerstone of the modern audit approach, and provides a stepping stone to some of the more advanced approaches, such as risk based auditing and performance auditing.

The key stages of SBA are:

1. The identification of individual financial, accounting and operational systems,

2. The identification of system objectives,

3. The identification of desired control objectives,

4. The identification, evaluation and testing of key controls, and

5. Recommending improvements to systems of control to management.

The steps in a system based audit are outlined in section one of the manual. This section explores the relationship with internal controls, the control environment and the main control activities that management can implement in order to ensure business processes produce the desired outcomes. The role of the internal auditor is essentially to determine if the internal controls in place are adequate and functioning as desired.

Systems Identified

The first stage in planning a systems based audit is the identification and classification of all systems in use. Broadly, systems fall into two categories:

Management systems, and

Financial systems,

8 The Institute of Internal Auditors. 2009. Standard 2060 – Reporting to Senior Management and the Board

Management Systems

Management systems are those which influence the overall control environment. These include:

Overall governance arrangements,

The budget cycle,

The performance management system, and

Human resource policies and strategies.

Financial Systems

These are the accounting systems which lead to the recording of transactions in each department’s financial records and statements. Controls over these may be exercised both by originating departments / line Ministries and by processes centralized through the Ministry of Finance. An important part of the audit planning process is to:

Categorize the accounting system by the type of transaction processed e.g. wages, payments, etc

Identify control procedures exercised by the central units / departments, and

Identify the controls exercised by implementing units.

Overall Audit Philosophy

Over time the audit philosophy in Samoa will be “system-based” to encompass modern audit thinking on the performance of audit work. The focus in systems audit is control. The reasons for this are:

To confirm the adequacy of the control procedures which have been established in the design of the systems; the preliminary evaluation or theoretical evaluation of control, and

To confirm that the people performing the procedures which establish control or performing control procedures, have carried out those procedures correctly.

In both these instances we are not so much auditing the processes carried out by the systems, but rather auditing the recorded actions of people, as the audit work confirms that implementing units have:

Established sound control procedures encapsulated in operating arrangements and operating policies,

Communicated those control procedures and policies to all those people who need to know them in detailed operating instructions,

Trained people to understand the reason for procedures and policies and trained them in the methods to be used for carrying out control procedures and complying with policies,

Defined performance criteria or benchmarks against which to assess each operative's performance, and

Designed controls and checks to confirm that arrangements and policies are being complied with.

It will also assist in determining if operatives have:

Accepted and fully understood the process and control procedures that they are expected to perform,

Carried out the processes and policies in accordance with management’s instructions.

At all levels, audit work is aimed at confirming that people have been adequately performing the work which the Government expects of them in relation to control procedures and compliance with the necessary financial standards and legislation.

Focusing on Internal Control

The emphasis of a systems based audit is to assess the adequacy of internal controls in operation and ensure that the controls in place are cost effective given the associated risks. Internal control in the public sector is defined by the International Organisation of Supreme Audit Institutions (INTOSAI)9 as an integral process that is effected by an entity’s top management and personnel and is designed to address risks and to provide reasonable assurance that in pursuit of the entity’s mission, the following general objectives are being achieved:

Fulfilling accountability obligations,

Complying with applicable laws and regulations,

Executing orderly, ethical, economical, efficient and effective operations,

Safeguarding resources against loss, misuse and damage.

Internal Control Examined

A system is a set of interacting components that operate together to accomplish a purpose.

A system is a collection of people, machines and methods organised to complete a set of specific functions. Inputs are received and processed to produce outputs, achieving the system objectives.

Systems do not operate in isolation but rather they are in constant contact with the external environment. Systems theory helps individuals understand what is happening in a business process in logical steps and it helps in the monitoring of activities, behaviour, and interaction with sub systems.

9 International Organisation of Supreme Audit Institutions (INTOSAI). 2001. Guidelines for Internal Control Standards in the Public Sector

[Diagram: a system operating within its Environment. Labels shown: Input; Process; Output; Feedback / Control.]

Control Theory

System control is necessary to keep the system and the information that it produces steady and reliable.

Control systems are formal attempts to guide individuals, departments, divisions, people and organisations towards the appropriate behaviour and desired performance.

Organisations operate control systems:

To organise people and processes,

To measure performance against predetermined targets,

To assist in the identification of problems,

To protect against fraudulent and illegal activity,

To assist effective and efficient management of financial and other resources,

To help meet the needs of all concerned stakeholders,

Control systems can be financial or non-financial, with non-financial control systems often just as important in ensuring a balanced approach to achieving organisational control.

Example of Financial and Non Financial Controls in a System – Personnel

People in an organisation need to be properly managed so that their behaviour and performance are satisfactory. There are many financial and non-financial ways of controlling personnel within an organisation. (See Figure 1 below)

Figure 1: Personnel Financial and Non-Financial Controls

Key Point

Management are responsible for ensuring proper systems of internal control are operational within an organisation. People at every level of the organisation affect internal control.

Effective internal control helps an organisation achieve its operations, financial reporting and compliance objectives. It is an in-built part of the management process (Plan, Organize, Direct and Control) but cannot provide an absolute guarantee that organisational objectives will be achieved.

[Figure 1 labels: Employee Controls; Staff Budgets; Hierarchy / Structure; Incentive Schemes; Targets; Standards / Procedures; Performance Appraisals; Job Descriptions; Behavior Controls.]

Figure 2: Internal Control at Various Levels in the Organisation

[Figure: four levels of control (Governance; Performance Based Management Systems; Internal Control Systems; Transaction Based Controls), each shown against "Who" and "When". Who labels: Head of Government, Ministry of Finance, Line Ministry Management, Auditor General; Chief Executive Officer, Senior Managers, External Influence, Prime Minister’s Office, Ministry of Finance; Operational Managers; Line Staff. When labels: Daily; Monthly; Annually; Annual / Tri Annual.]

Governance: Constitution; PFM Act 2001; Reporting Structures; Access to Information; Terms of Reference For Scrutiny of Public Accounts; Auditor General; Internal Audit Service.

Performance Based Management Systems: Budget Cycle; Financial Reporting; Management Information Systems; Performance Measurement; Performance Reviews; Value for Money Studies; Human Resources Policy; Risk Management System.

Internal Control Systems: Policies, plans and procedures; Management and Supervision; IT Environment; Computer Based Controls; Bank Reconciliations, Trial Balance; System Controls for Purchasing, Payments, Payroll, Receipts, Fixed Assets, Stock Management.

Transaction Based Controls: Authorisation of Transactions; Data Entry Controls; Physical Access Controls; Review of Output reports; Compliance with Regulations; Checking Payment Vouchers; Checking Payroll Payments; Checking Cash Receipts; Verification of Fixed Assets; Stores / Inventory Checks; Surprise Visits.

The Role of Management in Internal Control

Management control processes generally fall into two categories:

Imposed Control,

Self Control.

Imposed Control

This is the traditional mechanical approach, consisting of measuring performance against standards and then taking corrective action through predetermined individuals.

The major drawback with this approach is that corrective action tends to take place after the performance has taken place; hence, it is reactive rather than proactive.

Self Control

Self Control evaluates the entire process of management and the functions performed and attempts to improve the process rather than simply correct the specific performance of the concerned manager. Management by objectives is a good example of this.

The following means of control are available to management for their implementation:

Organisational structures,

Policies,

Procedures,

Personnel,

Accounting,

Budgeting, and

Reporting.

Organisational Structure

Factors to consider when examining the organisational structure include:

Structures should be as simple as possible,

There should be clear reporting lines and lines of authority,

There should be proper segregation of duties so that no single person controls all phases of a transaction,10

Management has authority to discharge responsibilities efficiently and effectively,

Individual responsibility should be clearly defined so that it cannot be side stepped nor exceeded,

An individual who assigns or delegates responsibility should have an effective system of follow up,

Individuals are accountable to their superior for the manner in which they have discharged their functions,

Organisation charts and manuals should be prepared as they highlight the chain of authority and the assignment of responsibilities.

10 It is acknowledged that proper segregation of duties may not be possible in some Pacific countries due to limited personnel or the geographic remoteness of some islands. If this is the case the auditor should try to suggest some compensating controls to mitigate the lack of segregation of duties.

Policies

A policy is any stated principle that requires, guides or restricts action. Policies should follow certain principles:

Policies should be clearly stated in writing, in systematically organized handbooks, manuals, and other publications and properly approved in line with government legislation / procedures,

Policies should be clearly communicated to all officials and appropriate employees of the organisation,

Policies should conform to applicable laws and regulations – they should also be consistent with objectives and general policies at higher levels,

Policies should provide a degree of assurance that organisation resources and assets are adequately safeguarded,

Policies should be reviewed periodically and revised when circumstances change.

Procedures

Procedures are methods employed to carry out activities in conformity with prescribed policies. The principles that apply to policies are also applicable to procedures. In addition, procedures should:

Reduce the possibility of fraud and error, as they should be so coordinated that one employee's work is checked by another independent employee performing separate prescribed duties,

Prescribed procedures should not be so detailed as to stifle the use of judgment,

Prescribed procedures should be as simple and as inexpensive as possible,

Procedures should not overlap, duplicate or conflict,

Procedures should be reviewed periodically to ensure they are still applicable,

Procedures should be made freely available to all staff for reference.

Example – Difference between policy and procedures

Accounting policies generally state the necessity to prepare accurate, relevant, reliable accounts, on a cash or accruals basis through adopting Generally Accepted Accounting standards or principles.

The accounting procedures are those tasks which are specifically outlined in the Government Accounting and procedures manuals which should ensure that the policy is achieved, e.g. how to process a payment or how to perform a bank reconciliation.

Personnel

The best form of control over individuals is supervision; therefore high standards of supervision should be established. The following practices help improve control:

Recruitment processes should be open and competitive,

New employees should be screened to ensure honesty and reliability,

Training should be provided in order to keep employees up to date with procedures and provide the opportunity for improvement,

Employees should be informed of their role in the organisation and how it fits into the organisation as a whole,

Employee performance should be periodically reviewed and superior performance rewarded,

Conversely, any deficiencies in performance require an improvement plan to be prepared for individual members of staff.

Accounting

Accounting is the principal means of financial control over the organisation. Accounting standards and practices should be adopted or developed for accounts personnel to implement.

Accurate accounting information is a necessity for management to engage in rational decision making,

Accounting should be based on lines of responsibility,

Financial reports for operating results should parallel the organisational units responsible for carrying out the operations,

Accounting information should be accurately recorded which is achieved through the use of a Chart of Accounts, which should clearly outline the classification structure for financial information.

Most developed governments adopt an Integrated Financial Management Information System (IFMIS) for recording and reporting financial and non-financial information. This comprises a number of systems and sub systems as shown in the diagram below.

Figure 3: Integrated Financial Management Information System

[Figure: Components of a Typical IFMIS. Labels shown: Data Input; Procurement Module; Accounts Payable Module; Cash Management Module; Budget Planning Module; Accounts Receivable Module; HR / Payroll Interface; Tax and Customs Interface; Other Modules; Chart of accounts; General ledger Module. Reporting: Budgetary Reports; Annual Financial Statements; Other Reports.]

Budgeting

A budget is a statement of expected results expressed in numerical terms. As a control, it sets a standard for input of resources and what should be achieved as outputs or outcomes. The budgetary process is usually guided by the Ministry of Finance. Budgetary control is dependent on the level of advancement of budgetary systems, with a traditional budget as the starting point, evolving towards a Medium Term Budget with a performance management framework.

Control in budgets involves:

Those with responsibility of spending a budget should be involved in its preparation,

Those responsible for meeting a budget should be provided with adequate information that compares budgets with actual events clearly identifying variances,

All subsidiary budgets should be reconciled to the overall budget of the organisation,

Budgets should set measurable objectives, otherwise they are meaningless. Managers should know what targets are expected of them,

Budgets help sharpen the organisation’s focus. Objective budgeting standards are difficult to set in a confused combination of sub systems. Budgeting is therefore a form of discipline and coordination.

Reporting

Management makes decisions based on the reports that they receive. Therefore reports should be timely, accurate, meaningful, economic and user friendly.

Reports should be in accordance with assigned responsibility,

The cost of preparing reports should be measured against the benefit derived from them,

Reports should be as simple as possible and consistent with the subject matter, with common classification and terminology used and “jargon” avoided,

Performance reports should show comparisons with predetermined standards on cost, quality and quantity,

When performance reports cannot be prepared using quantitative information they should be designed to highlight exceptions which require management attention,

Reports need to be timely otherwise management will be unable to take necessary action when required,

Report recipients should be polled periodically to determine if they still require the report or if it needs to be modified to better suit the users' needs.

The Role of Internal Audit in Internal Control

Where an internal audit function is employed, its responsibilities are generally defined as to review, appraise and report on:

The soundness, adequacy and application of internal controls,

The extent to which the organisation’s controls secure the achievement of department objectives, promote operational efficiency and safeguard assets and interests,

The extent of compliance with policies, plans and procedures,

The integrity and reliability of financial and other management information used by the organisation.

The internal control process consists of five interrelated components as determined by the Committee of Sponsoring Organisations (COSO)11:

Control environment,

Risk assessment,

Control activities,

Information and communication,

Monitoring,

All five components must be present to ensure that the internal control system is operating effectively.

11 Committee of Sponsoring Organisations – COSO is a voluntary private organisation comprising five professional associations which are The Institute of Internal Auditors, The American Accounting Association, The American Institute of Certified Public Accountants, Financial Executives International and The Institute of Management Accountants. COSO provides guidance on governance, ethics, fraud, risk management and internal controls through developing frameworks based on detailed research and international best practice. COSO is a recognized world leader on internal control frameworks.

Version 2, 7th March, 2012

Figure 4: Elements of the Internal Control System

[Figure: Management Control Systems allow for Internal Controls to work to achieve organisational objectives: effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations. Elements of an Internal Control System shown: Control Environment; Risk Assessment; Control Activities; Information and Communication (Internal & External); Monitoring. Control activities shown: Performance Reviews; Physical Access; Authorizations; Approvals; Verification; Reconciliations; Segregation of duties, each labelled Preventive, Detective, or Preventive & Detective.]

Control Environment

People perform their activities and carry out their control responsibilities in this atmosphere. An effective control environment is an environment where competent people understand:

Their responsibilities,

Limits to their authority,

The right things to do and the right way to do them.

Management is responsible for setting the tone for the organisation.

The control environment is influenced by the extent to which individuals recognize that they will be called to account for internal control failures. The internal audit function will assess the extent to which they feel the control environment is adequate for control activities to operate effectively and hence the extent to which they can place reliance on internal controls when completing audit assignments. They complete this assessment through control environment questionnaires. There is a control environment assessment working paper attached in appendix 4.

Control Activities

Control activities are actions supported by policies and procedures. When performed properly and in a timely manner, they help reduce risks.

There are two main types of control activity:

Preventive controls, and

Detective controls.

Preventive controls attempt to deter or prevent undesirable events from occurring. They are proactive controls that help prevent loss by ensuring:

Separation of duties,

Proper authorization,

Adequate documentation,

Physical control over assets.

Detective controls attempt to detect undesirable acts. They provide evidence that a loss has occurred but do not prevent it from occurring. Examples of detective controls include:

Reviews,

Analyses,

Variance analyses,

Reconciliations,

Physical inventory counts.

Both types of control are important. From a quality perspective, preventive controls are essential because they are proactive; detective controls play a crucial role in providing evidence that preventive controls are working.

Control Activities – Approvals (Preventive)

The following approval controls are considered among the most effective:

Written policies and procedures,

Limits to authority,

Proper supporting and retention of documentation,

Questioning unusual items,

No “Rubber Stamps”

No blank signed forms.

Approvals / Authorizations is a major control activity.

Approvers should review supporting documentation, question unusual items and make sure that all necessary supporting documentation is available to justify a transaction before they sign it. Signing blank forms should be prohibited.

No one should be able to sign on the approver's behalf. If electronic approval is required, the approver must not share the password with another person, and the password should be changed regularly.

Control Activities – Reconciliations (Detective)

This control activity helps to ensure the accuracy and completeness of transactions that have been charged to the department accounts. To ensure proper segregation of duties, the person who approves transactions or handles cash receipts should not be the person who performs the reconciliation.

Examples of reconciliations include:

Reconciling cash book balance with the cash in bank balance per the bank statement,

Reconciling petty cash balances with physical cash held,

Reconciling the receipts register with lodgement slips and bank statements,

Reconciling payroll payments with general ledger balances,

Reconciling inventory levels to stock registers,

Reconciling annual leave records from personnel with annual leave in the payroll department.

A critical element of the reconciliation process is to resolve any differences that are discovered; all differences should be investigated and explained with documentary evidence provided.

Control Activities – Reviews (Detective)

Review of performance provides a basis for detecting problems. Management should compare information about current performance to budgets, forecasts, prior periods or other benchmarks to measure the extent to which department objectives are achieved. Some of the main review activities completed include:

Budget to actual(s) comparison (Variance Analysis),

Current to prior year comparison (Trend Analysis),

Measurement against performance indicators and targets,

Follow up on unexpected results or unusual items.

Control Activities – Asset Security (Preventive and Detective)

Security of physical assets,

Physical safeguards,

Perpetual records maintained,

Periodic counts,

Physical inventories,

Compare counts to perpetual records.

Typically access controls are the best way to safeguard assets, e.g. locked door, keypad systems, card key system, badge system, locked filing cabinets, safes, guards, terminal locks, computer passwords and data encryption.

Periodically, the items should be physically counted by a person who is independent of the purchase, authorization and asset custody functions, and the counts should be compared to balances per the perpetual records. Missing items should be investigated, resolved, and analyzed for possible control deficiencies.

Control Activities – Segregation of Duties (Preventive and Detective)

No one person should:

Initiate a transaction,

Approve the transaction,

Record the transaction,

Reconcile balances,

Handle assets, and

Review the output reports.

Segregation of duties is critical to effective internal control; it reduces the risk of both erroneous and inappropriate actions.

In general, the approval function, the accounting/reconciling function, and the asset custody function should be separated among employees. Segregation of duties is a deterrent to fraud because it then requires collusion with another person to perpetrate a fraudulent act.

Example:

Specific examples of segregation of duties are as follows:

The person who requisitions the purchase of goods or services should not be the person who approves the purchase.

The person who approves the purchase of goods or services should not be the person who reconciles the monthly financial reports.

The person who approves the purchase of goods or services should not be able to obtain custody of checks.

The person who maintains and reconciles the accounting records should not be able to obtain custody of checks.

The person who opens the mail and prepares a listing of checks received should not be the person who makes the deposit.

The person who opens the mail and prepares a listing of checks received should not be the person who maintains the accounts receivable records.

An internal audit performed in accordance with Internal Auditing Standards is designed to provide management with reasonable assurance that its systems of internal control are designed and operating efficiently and effectively in order to help the organisation to achieve its objectives. It is therefore important to consider audit risk and materiality in determining the nature, timing and extent of audit procedures, prior to carrying out the audit procedures and in evaluating the results of those procedures.

By determining the level of risk and materiality, the auditor can obtain a reasonable degree of assurance about the effective design and operation of internal control systems, and the correctness of the documents and records examined. Audit risk is concerned with material weaknesses in the design and operation of systems, and as such the risk analysis can only be carried out in the light of the materiality decision, a decision that ultimately affects the level of audit testing.

Risk Assessment

Definition of Audit Risk

Audit risk is defined as the risk that audit procedures will fail to detect an absent, inappropriately designed or ineffectively implemented internal control or management arrangement, which could result in an unacceptable level of operational risk. (Operational risk is the risk of the organisation failing to meet its objectives).

Given that the result of audit work is expressed in an Internal Audit report, audit risk can therefore also be thought of as the risk that the internal auditor may come to the wrong conclusion in his / her report on the soundness and application of accounting, financial and operational controls of the audited body. In other words, the auditor may erroneously conclude either that the controls are properly designed and applied when in fact they contain material weaknesses or that the controls are not properly designed and applied when in fact they are sufficient to enable the organisation to meet its objectives.

There are three components of audit risk:

1. Inherent risk: The risk of material error occurring in the first place.

2. Control risk: The risk that internal controls fail to prevent or detect material error.

3. Detection risk: The risk that audit procedures fail to detect material error.

Inherent Risk

Inherent risk depends upon the nature of the system, transaction or item audited and whether it is susceptible to error. It indicates the amount of assurance required from audit tests; the higher the risk, the greater the extent of audit tests required in order to increase the likelihood of detecting errors if they exist. Factors to be considered in determining the inherent risk might include the following:

The nature of the operations being performed,

The nature of the operation, for instance, cash, inventories or assets,

The likelihood of staff turnover particularly in finance related positions affecting the accuracy of the financial statements,

The competence of staff in performing procedures,

The presence of morale problems with staff,

Past experience of poor operation of control,

Time pressures on staff,

Unnecessarily high degree of management involvement in day-to-day operations,

Opportunity to manipulate the books of account,

Management motive for manipulating books of account,

Recent allegations of misconduct or fraud against the audited body by third parties or regulatory bodies,

Evidence of significant errors in previous years, and

The complexity of activities in the system.

In order to assess these issues the auditor needs to discuss the relevant topics with staff in the department being audited. A good background to the key issues facing each department will also provide useful intelligence to help the auditor make the assessment.

Control Risk

Control risk depends on the strength of the audited body's governance arrangements and systems of internal controls, and whether there are effective controls operating to reduce the risk of the organisation failing to achieve its objectives.

Factors to be considered in determining the control risk might include the following:

Management's philosophy and operating style,

The entity's organisational structure,

Methods of assigning authority and responsibility,

Management's control methods for monitoring and following up on performance,

Personnel policies and practices,

Influences external to the entity,

Management's control methods over budget formulation and execution,

Management's control methods over compliance with laws and regulations, and

Management's ability to promptly identify and react to changing conditions.

Detection Risk

Detection risk is the risk that the auditor's tests will fail to discover material control weaknesses in accounting, financial and operational systems. There are two components of detection risk:

Sampling risk, and

Non-sampling risk.

Sampling Risk

Sampling risk arises from the fact that only a sample is selected for the audit tests, so that items in a population falling outside the selected sample may or may not contain a material error. In other words, conclusions might be reached which could have been different had the whole population been examined. This comprises two possibilities:

Risk of incorrect acceptance, i.e. favorable conclusions might be reached on the basis of a sample, whereas a 100% examination may have revealed a material error.

Risk of incorrect rejection, i.e. unfavorable conclusions might be reached on the basis of a sample whereas a 100% examination might have revealed no material error.

Though it is impossible to reduce these risks to zero without testing 100% of transactions, it is possible by sampling to reduce this risk to an acceptable level. Usually auditors use sampling theory to reduce the risk of incorrect acceptance to below 5%. Therefore they can have 95% confidence in their conclusions.

Non-sampling Risk

This is the risk that the auditor fails to draw the right conclusion from an item that (s)he has examined. Such a risk often arises from inadequacy of staff-training, failure to exercise due care and diligence, inappropriate audit procedures, inadequate audit supervision, etc. This risk is therefore minimized by proper planning, supervision and review.

This can be dealt with by encouraging staff to undertake formal education and training, providing training courses and encouraging audit managers to provide proper supervision and quality control procedures on the work of their staff.

There are inherent limitations to the levels of satisfaction with controls which can be expressed in any audit. Such limitations include those arising from:

Materiality

The impracticality of examining all items,

The inherent limitations of any accounting and control system,

The possibility of collusion or misrepresentation for fraudulent purposes, and

The fact that most audit evidence is persuasive rather than conclusive.

Auditors recognise that there is a possibility of material weaknesses in the control systems of any organisation, which could lead to losses. Consequently they need to plan their audit with that possibility in mind. This involves a critical examination of the information and explanations provided by management and not assuming that what they have been presented with is necessarily correct.

When examining materiality the auditor should consider the possibility of incurred losses in determining the nature, timing and extent of audit procedures. The auditor can obtain a reasonable degree of confidence regarding the effective design and operation of internal control systems, and the correctness of the documents and records examined when he has completed the planned audit procedures on those systems.

Factors affecting the materiality decision

There are two main factors that have to be considered when determining whether a matter is material; they are:

Value, and

Nature.

Thus it may not always be the value of transactions processed by a system which primarily determines what is material but the nature of the transactions processed by that system. Items may be material individually or in total and certain systems and transactions may be of more interest than others to the management and the public. A brief description of these factors is set out below.

Materiality by Value

Broadly speaking, it might be said that the larger the value of transactions dealt with by a system, the more material is the associated control system. However, materiality has to be judged in relative and not absolute terms. What is material in one instance or context may not be material in another instance or context.

Materiality by Nature

Regardless of the value, some systems are of significance in their own right. For instance, payments of senior officers’ allowances could be immaterial by value, but the controls and transparency of the system for determining and paying allowances are likely to attract a high level of public interest. In addition, materiality by nature may arise in relation to statutory responsibilities or reporting requirements, where a higher degree of accuracy might be expected than the tolerance level derived from normal materiality by value considerations.

Materiality and Sensitivity

No system of internal control, however elaborate, can by itself guarantee the completeness and accuracy of accounting records; nor can it be proof against human error or fraud. Financial records rarely need to be absolutely correct and a small degree of imperfection in the design and operation of internal control systems can be tolerated. This tolerance is known as “materiality” and it underlies financial reporting, the external audit process and the internal audit process.

While it is worth noting that materiality for an internal audit service is necessarily much smaller than for an external audit service, which has a different role, responsibilities and objectives, the concept must still be borne in mind for internal audit.

Internal audit is a management function that aims to assist in the improvement of systems of internal control and is therefore concerned with the detailed operations of the implementing unit. The reason that internal audit must appreciate the concept of materiality is therefore not that transactions of a certain type or value are unimportant, but that internal audit must have an objective way of directing both its limited resources for investigation, and management’s limited resources to implement recommendations. It is therefore crucial that internal audit work is targeted on the basis of two fundamental principles:

Prioritization, and

Materiality.

Within internal audit, the concept of materiality has been largely undefined. As a result, historically internal audit has tended to try to cover all aspects of an implementing unit’s operations, rather than focus on the identification and reduction of key risks. Assessing materiality is essentially a matter of judgment for an experienced auditor to undertake with reference to standards set by the department. When assessing materiality, the auditor should consider it at both the planning and reporting stages.

Planning Stage

The auditor should have a reasonable expectation of detecting material weaknesses and errors in the design and operation of accounting, financial and other management and operating systems, should they exist. Setting an appropriate planning materiality level together with the analysis of audit priorities should satisfy that expectation. Materiality by value is likely to be the main determinant, although materiality by nature may also contribute.

Suggested criteria for determining materiality by nature are:

The type of service provided by the unit or the system being examined,

The involvement of domestic and international lending financial institutions, and international assistance, e.g. technical assistance given by donor agencies,

The newness of the implementing unit or changes in its conditions, and

Media attention given to the area under review.

Some examples of 'key items', which may be examined in this context, are:

Transactions or balances which individually exceed a pre-determined amount, e.g. travel allowances paid in excess of allowed amounts,

Significant transactions which are subject to a high degree of management involvement, e.g. procurement and contractual services,

Transactions or balances not in the ordinary course of business,

Suspicious or unusual items, apparent anomalies, etc and

Significant accounts or items where there is known to be a high probability of material error.

Reporting Stage

At the reporting stage, materiality serves as a benchmark against which to evaluate the errors or misstatements uncovered and assist in the consideration of the need for qualification of the audit report. Throughout the audit and at its conclusion, the auditor is required to evaluate the results of his / her tests. Normally, all errors will be aggregated, and extrapolated if appropriate, to give the best estimate of likely weaknesses and errors in the records examined.

Before reports are submitted to senior management for approval, the following key information should be obtained:

A summary of weaknesses and errors disclosed by the audit in the draft summaries of findings and recommendations,

An extrapolation of those errors, estimating the total error in the population from the results of testing the sample, and

Using judgment, the items which should be reported are selected along with those considered to be sensitive by their nature.

Materiality in relation to items reported

All material items will be included in the audit report to the senior management. Weaknesses that are not material, but are considered significant to the operations of the implementing unit, should be included in the report to the Secretary, including (where possible) estimates of the financial value of any errors found. All errors and weaknesses reported, and the recommendations arising from them, should be prioritized in the audit report.

The assignment plan sets out how the specific audit assignment is performed. It identifies the resources, methods and approaches used. The plan also provides a basis of managerial accountability and performance measurement for the internal audit function. It should be flexible, to allow for changes in light of circumstances and emerging knowledge and information gathered during an audit assignment.

Section 4: Assignment Planning

Internal auditors must develop and document a plan for each engagement including engagement objectives, scope, timing and resource allocations.¹²

Good assignment planning, particularly the scheduling and allocation of time budgets, will help facilitate the communication / reporting process when the assignment is completed.

The level of detail in the assignment plan should be carefully thought out. If too detailed, the plan may become rigid and hence unresponsive to new information emerging during the assignment. Insufficient detail, on the other hand, could lead to an absence of discipline and focus, and the assignment may ‘drift’ as a result.

12 The Institute of Internal Auditors. 2009. Practice Advisory 2200 – 1 Engagement Planning

The table below sets out the contents of a typical assignment plan.

Assignment Plan Contents

Background: The auditor will research the history of the Implementing Unit, system or activity under review. This will include management structures, reporting relationships and any previous reviews performed.

Approach: The audit strategy will be dependent on the audit objectives and strength of internal controls as assessed in the preliminary survey.

Objectives: Assignment objectives should be established which target the risks identified in the annual planning process.

Scope: The scope identifies the boundaries of the assignment, the internal control activities reviewed as well as geographic coverage.

Risk: The internal auditor should perform an initial assessment of the risks relevant to the activity under review, including a review of management’s assessment of risks.

Resources: Determine appropriate, sufficient resources required to meet the assignment objectives including the number and experience of staff required.

Timing: The timing relates to the number of person days required to complete the assignment, taking into consideration the relevant timing of significant events that may affect the assignment.

Programme: The internal auditor should develop an audit programme that includes methodologies used including technology and sampling techniques.

[Figure: Planning Memorandum, comprising Background, Risk, Scope, Objectives, Approach, Resources, Timing and Programmes]

Background

The key activities of this phase are to gain an understanding of the system, activity or business unit under review. They include:

A review of the structure, reporting relationships and significant locations of the activity, system or issue under review,

An examination of the form of the financial records; e.g. the annual accounts prepared, consolidated accounts and monthly statements of expenditure etc, the budget prepared and approved and project accounts if available,

Familiarization with departmental rules, management reports other government rules and legislation that affect the system or activity under review,

A review of the latest published budgets or estimates of the current year, in order to assist in determining which systems are most significant,

Identification of any significant developments since the last audit e.g. major reports on the organisation, organisational restructuring or major systems installations,

Examination of internal procedures manuals concerning the unit’s accounting system and control procedures, firstly to ensure that such documentation exists and secondly to understand how the system is intended to operate,

A review of the matters identified for attention from the previous year's audit report from the external auditor,

Determination of the scope of any work to be carried out by other audit sections, and planning of the supervision and review procedures for such work.

The work completed on each of these activities will assist the auditor when preparing an outline timetable for the audit assignment.

Audit Approach

The internal auditor is concerned with gathering relevant, reliable, and sufficient evidence to support the auditors’ conclusions on the different aspects of their work. It is during this planning stage that the auditor will decide on the most economic and efficient audit approach to obtaining the required evidence.

Various audit approaches are available to the auditor. However, this manual will examine the following approaches when completing audit assignments.

i. Systems Based Approach (SBA): where the auditor seeks to ascertain and evaluate a unit's systems, performance and its systems of internal control. From this evaluation, the auditor can provide feedback to management on the adequacy of controls, and make recommendations for improvement.

ii. Direct Substantive Testing (DST): where the auditor forms an opinion on the area under review by obtaining evidence through testing transaction details. The auditor uses this approach where controls are either absent or so weak that they cannot be relied upon to produce accurate information for management.

Assignment Objectives

The audit objective is the question that the audit seeks to answer. The audit objective forms the basis of the audit and hence should be carefully developed and clearly stated to enable clarity of conclusions at the reporting stage of the audit.

Assignment objectives: Audit objectives may be generic in nature to focus on key internal audit outcomes e.g. are internal controls operating as intended, or they may be very specific and targeted at specific issues on high-risk areas identified by the auditor e.g. that overtime payments were properly calculated.

Assignment procedures are the means to attain the assignment objectives. Assignment objectives and procedures taken together define the scope of the internal auditor's work. Objectives and procedures should address the risks associated with the activity under review.

Example of Assignment objective for Purchases and Payments:

To ensure that payments are correctly paid in respect of bona fide purchases, that all purchases and payments have been properly recorded and authorized.

Audit Scope

The scope should be sufficient to satisfy the objectives of the assignment. It should state the work the auditor intends to do and how it will be completed. The scope of the assignment should include:

Consideration of relevant systems,

Records to be examined,

Timing of the assignment,

Personnel numbers and skills,

Physical properties including those under control of third parties, and

Geographical spread of activities.

If the internal auditor develops reservations about the scope during the assignment these reservations should be discussed with management to determine if the audit should be continued.

Audit Risks

As described in section 3 of this manual, the internal auditor will have to complete an assessment of the risk management framework developed by management and specifically the risks identified for the assignment under review. When doing this the internal auditor will consider:

The reliability of management’s assessment of risk,

Management’s process for monitoring, reporting and resolving risk and control issues,

Risks in related activities to the activity under review.

Administrative Planning of the Audit

Administrative planning is as important as the technical planning of the audit. There must also be a methodical approach to the planning and control of the planning process itself, including the allocation of staff and the budgeting of time for the audit. The following matters are therefore the responsibility of the planning auditor and must be carried out during the planning stage of an audit.

Resource Allocation

In determining the resources necessary to perform the assignment, the following should be considered:

The number of staff available for each audit and the amount of field time they can contribute,

Specific knowledge or skill sets available,

Training required prior to field audit,

External expertise required if not available in house.

This information is also required to determine audit budgets.

Time Budgeting

A realistic time budget for the particular audit should be prepared based on the planning auditor's knowledge and experience. Factors to consider when preparing the time budget:

Knowledge and capabilities of the auditors involved,

Extent of the work involved,

Calculation of the time required for each aspect and each stage of the fieldwork, and

The audit completion date.

Variations between actual and budgeted time should be notified to the head of internal audit as soon as they become known. Any changes are noted on the planning memorandum, and can be used for planning future similar audits.

Staff Planning Meeting

Before commencement of the detailed audit, the head of internal audit should call a meeting of all staff who will be involved in the audit. The purpose of this meeting will be to brief the staff on the details of the audit strategy that has been determined - in particular:

The nature of the audit,

The strengths and weaknesses of the control systems,

The method(s) of sampling to be adopted,

Particular areas to be verified in depth,

The tasks of each member of the team,

The way in which the work will be supervised and controlled,

The time budgets allowed,

The importance of meeting deadlines for completion of the audit.

An example of an audit-planning checklist is attached in appendix 14. The purpose of the checklist is to ensure that all sections of the assignment planning have been completed.

Communication with Management

All those in management who need to know about the audit should be informed. Meetings should be held with management for the activity under examination. A summary of the conclusions reached and actions to be taken based on discussions should be distributed to appropriate individuals and retained as working papers for the audit file.

Topics discussed with concerned managers may include:

Planned assignment objectives and the scope of work,

The timing of the assignment,

The internal auditors assigned to the task,

The process of communicating throughout the audit, including methods, timeframes and individuals who will be responsible,

Any recent changes in management or major systems under review,

Concerns or any requests from management,

Matters of particular interest or concern for the internal auditor,

Description of the internal audit reporting procedures and follow-up process.

Audit Supervision

Supervision is necessary to ensure audit objectives are achieved, quality is assured and audit staff are developed. Supervision is a process that begins with planning and continues throughout the examination, evaluation, communication and follow-up phases of the assignment. It includes:

Ensuring that auditors have requisite knowledge and other competencies to complete the audit,

Providing appropriate instructions during the planning of the assignment and approving the assignment programme,

Ensuring the assignment programme is completed, including the review of auditor working papers, evidence collected and notes written,

Each auditor completing an assignment worksheet clearly demonstrating the activities they have been working on,

Comparing the actual time taken to complete an audit assignment against the original budget allotted,

A financial budget against which the actual cost of completing the audit is reported, clearly explaining variances.

Audit Programme

The product of the planning process will be a series of audit programmes covering the different aspects of the audit to be undertaken. In view of its importance, the methodology of an audit programme is discussed separately and specific guidance is provided in section 6 under fieldwork techniques.

The continuous nature of the planning process

Planning is a continuous process. The matters discussed in this section of the manual may therefore need to be reviewed from time to time as the audit progresses. Thus, the audit strategy and the individual audit programmes may be amended as necessary. Appropriate notes of such amendments or additions are made at the relevant parts in the assignment plan, together with the initials and dates of those authorising such changes.

Audit Planning Memorandum

The outcome of the survey and assignment planning work completed is a summary of the work, termed the audit-planning memorandum. The template for the planning memorandum should be discussed and agreed with the head of internal audit at the latter part of the assignment planning process. An audit planning memorandum template is attached in appendix 5.


Section 5: Audit Documentation

The auditor should prepare and maintain audit working papers as evidence of work completed on audit assignments. The form and content of the working papers should be designed to meet the circumstances of the audit.

Internal auditors must document relevant information to support conclusions and engagement results. Internal auditors prepare working papers. Working papers document the information obtained. The head of internal audit reviews engagement working papers.¹³

Working Papers

The information in the working papers is the primary record of the evidence obtained to support the auditor's conclusions, and the work performed by the auditors. Working papers are the link between fieldwork and the auditor's report, and therefore they should document the following aspects of the audit process:

The planning procedures adopted,

The evidence of obtaining an understanding of the accounting and management systems and conducting an evaluation of the systems of internal control,

A record of the audit procedures actually performed, a summary of all significant matters identified and the conclusions reached,

The review procedures carried out by the audit supervisors,

A summary of major recommendations made to the organisation’s management,

A copy of the final audit report issued,

The follow-up action agreed to be taken.

No statement should be included in any audit report that is not specifically supported by evidence in the audit working papers. A working paper template is attached in appendix 6.

Key Point: Working papers are the material prepared by and for, or obtained and retained by, the auditor in connection with the performance of the audit.

13 The Institute of Internal Auditors. 2009. Practice Advisory 2330 – 1 Documenting Information


Types of working papers

The following are types of audit working papers and should be retained on the audit files in a referenced format:

Draft audit reports,

Organisational structure and legal documents,

Planning memorandum including financial and time budgets,

Quality control checklists,

Audit programmes,

Audit tests performed with conclusions,

System descriptions / flow charts,

Risk assessments completed,

Internal Control Questionnaires (ICQ) and evaluations completed,

Other Questionnaires,

Interview notes,

Letters of confirmation/minutes of meetings,

Query sheets including conclusions,

Documentation obtained from the auditee such as bank statements, internal reports, accounts collected, policies, procedures, budgets etc.,

Correspondence (including e-mail) concerning significant matters,

Recommendations made by the auditor.

Format of working files

Audit working files can be retained in:

Electronic form - for example, specific software such as Team Mate / IDEA, Microsoft Word/Excel.

Hard copy – copies of documents collected as evidence from the client and third parties.

Content of working papers

Each audit working paper should be headed with the following information:

The title of the assignment,

The period covered by the audit,

The subject matter,

The file reference [each file in a particular audit is given a unique reference],

The initials of the member of the audit team who prepared it and the date on which it was prepared,

In the case of a working paper prepared by the client, the date received and the initials of the audit team member who carried out the audit work thereon,

The initials of the audit supervisor who reviewed the working paper.

Standardised working papers


Where possible standardised working papers should be used as:

It improves the efficiency of the preparation and review of working papers,

It facilitates the delegation and review of work,

It helps to maintain quality control, ensures consistency and completeness of audit work,

It is useful for routine documentation such as checklists for disclosure purposes and specimen letters.

However, a certain amount of flexibility is essential and it is important that the auditor should always remember the need to exercise professional judgment. It is never appropriate to follow mechanically a standard approach without understanding why the work is performed.

Working papers which record tests

Conclusions should be documented on audit working papers for all audit tests performed during the audit.

General guidelines

The following are general guidelines for the creation of Working Papers:

Permanent ink should be used,

Descriptions should be given of audit symbols used, for example, ticks and symbols on flowcharts,

All working papers must be prepared neatly and tidily so that they clearly, concisely, and logically show the schedules, results of tests etc.

Confidentiality

As working papers often contain sensitive information, they should:

Always be kept in a secure location by the internal auditor,

Be available only to authorized persons.

Ownership

Working papers are the property of the auditors and therefore the auditee has no claim on the audit files.

Sample Suggested Tick Marks

It is common practice for internal audit staff to use a standard set of tick marks to identify the type of work performed and tests completed. Some of the more common types of tick marks are included below. However, each internal audit function should develop its own complete set of tick marks. If any further tick marks are required, they should be added to the list with a detailed description of their meaning.

1 Vouching of receipts, invoices, bank advice slips, payment vouchers and related documents.

2 © Checking entries in the cashbook with supporting documents and with relevant schedules

3 X Checking postings in the cashbook to the monthly Revenue and Expenditure statement


4 Checking castings and cross-castings (totals) in cashbook, and in other books of accounts, statements and schedules.

5 Check that contra entries agree.

6 B Checking balances and carry-forwards in cashbook, accounts and bank statements.

7 Checking cash balances with bank statement balances and reconciliations.

8 Computations agreed.

9 C Confirmation of bank balances.

10 R Reply received for confirmation.

11 P Physical inspection confirms.

12 T Title deeds or ownership certificates seen.

The chief audit executive establishes working paper policies for the various types of engagements performed. Standardised engagement working papers such as questionnaires and audit programmes may improve the engagement's efficiency and facilitate the delegation of engagement work. Engagement working papers may be categorised as permanent or carry-forward engagement files (Current files) that contain information of continuing importance.¹⁴

Filing Audit Working Papers

Auditing working papers are usually maintained in two separate files:

Permanent file,

Current file.

The Permanent Audit File

Information about the client that is relevant to more than one year is placed in the permanent audit file. This will be referred to from year to year and provides continuity in the planning and carrying out of the audit. Before starting each new audit, however, you should ensure that all relevant details in the permanent audit file are up to date, e.g. a change in organisational structure will mean a change to the permanent audit file.

14 The Institute of Internal Auditors. 2009. Practice Advisory 2330 – 1 Documenting Information


The purposes of the Permanent Audit File are:

To document information of recurring value regarding items appearing in the financial statements,

To document information of a permanent nature regarding the client's business,

To give audit staff new to the audit, information regarding the organisation or process to be reviewed during future audits.

The main contents of the permanent file are:

A brief description of the auditee organisation, organisation charts, lists of senior officials and their job descriptions and specimen signatures,

Systems notes, internal control questionnaires, flow charts (if any), details of compliance tests (if carried out), and the results of control evaluations (e.g. weaknesses or breakdowns in internal controls),

Information about managerial and financial policies,

Ministerial directives, notes of internal rules and procedures, important management reports,

Copies of important contracts and agreements,

Notes of the composition and activities of management committees.

A sample of permanent file contents is attached in appendix 6.

Current Audit Files

Information specific to a particular auditee and period is maintained in a current audit file. The current file should enable any person, especially the head of Internal Audit reviewing the audit, to satisfy themselves that an adequate examination for audit purposes has been made of the auditee's affairs.

The purposes of the Current Audit File are:

To provide a record of work planned including:

Procedures followed,

Tests performed,

Information obtained, and

Conclusions reached.

The main contents of the current file are:

On the planning section:

The audit planning memorandum and audit planning checklists,

On the reporting section:

Notes and memorandum arising from interviews with senior officers,

The draft audit report and notes of interviews thereon with the auditee organisation’s management,

Copy of the final audit report, and

Points for following-up actions and points forwarded for next audit.

On the control section:


Audit progress reports,

Lists of audit queries, showing how each item has been resolved,

Review notes of supervising auditors,

Audit completion checklists.

On the audit working papers section:

Audit work on each individual financial, accounting and operating system.

Section 6: Audit Fieldwork Techniques

The purpose of completing field techniques is to gather evidence to support the audit conclusions reached. There are a number of audit techniques which can be used at various stages of the audit assignment, the use of which will depend on the assignment objectives and approach. The various field techniques available for internal auditors are set out in the table below, where they are also related to the stage of application in the assignment.

Assignment stages: Familiarisation, Evaluation, Analysis, Recording

Field techniques: Read operating manuals; Read rules and regulations; Flowchart system as designed; Interview personnel; Observe operations; Meetings with management; Flowchart system in operation; Walkthrough tests; Interviews; Surveys; Questionnaires; Analytical review; Key control modules; Control tests; Walkthrough tests; Analyze flowcharts; Compilation of survey results; Risk assessments; Internal control assessments; Overall evaluation scheme; Review of questionnaires


There are many ways to ascertain the information required for recording a process and to present the process information collected. The following techniques are discussed in this manual.

1. Interviewing – used for collection of information from management and system users,

2. Flowcharting – diagrammatical presentation of the process as designed and the process actually being followed,

3. Analytical Review – used for completing indicative tests on different sets of data to examine correlations and consistency of information from different sources,

4. Sampling – the examination of less than 100% of the items from a population,

5. Control Tests – the examination of a system control to determine if it is functioning as desired through observation, enquiry, inspection and re-performance techniques,

6. Substantive Tests - to test details of particular transactions in the entire sample selected from the population to ensure they are all recorded, they are recorded at the correct value, in the correct period, and that they actually exist,

7. Audit Programme – to provide direction to auditors completing the audit and ensure that the audit work is performed consistently, efficiently and effectively.

Each of the techniques is discussed in detail in this section.

Understanding the System

Auditing standards require that auditors obtain and document an understanding of the accounting and internal control system to determine their audit approach. If control risk is to be assessed as less than high, the justification for that assessment must be documented. This understanding can be updated year on year and auditors often perform “walk through” tests to ensure that their understanding and documentation of the system is correct.

Walk Through Test

This simply involves taking a transaction through the system from source to destination (often called the cradle to grave approach). Such tests are particularly useful where the auditors are relying on the auditee's documentation of the system. A walk through test is a process whereby the reviewer follows, in practice, the procedures or operations in a system to verify that they have recorded it properly. However, a walk through test serves another important function: to test for errors of omission.

Errors of omission are a common control problem and relate directly to detection of failure of two internal control objectives:

1. Adherence to Management Policies, and

2. Compliance with Laws, Rules, and Regulations.

Use of Walkthrough Tests

After completing the draft flowchart of a process under review, the auditor will confirm the accuracy and completeness of the chart by performing a walk through test. The procedure is essentially to select at random four or five transactions or documents and, using the flowchart and accompanying narrative as a guide, trace their progress through the system.

If omissions of procedures or controls are detected in the sample, this is an indication that some intended procedures are not followed and should be recorded as a finding in working papers.


Further tests should be performed to confirm the extent of the omission as necessary. Walkthrough tests should be recorded in working papers and should include copies of the documents used and references to the transactions assessed.

1. Interviewing

Interviewing is a strong tool for collecting evidence of how a system works based on the knowledge of operating personnel. Interviewing is performed at the preliminary survey stage of any audit assignment, and subsequently followed up by further interviews if more detail is required. It is a means of obtaining “Testimonial Evidence” from the auditee, other members of the organisation who have contact with them and independent third parties.

Interviews allow the auditor to clarify testimony or points made previously by the client, to gain a better understanding of operations and to obtain explanations for unexpected results and unusual events or circumstances. An interview is a secure and personal form of communication.

Key Point: Internal auditors should be skilled in dealing with people and communicating effectively. Furthermore, internal auditors should understand human relations and maintain satisfactory relations with engagement clients whenever possible.

This requires internal auditors to have good interviewing skills.

Interview Considerations

It is a common behavioural characteristic that people do not like to be evaluated; hence the internal auditor faces a difficulty when engaging a client in the interview process. The internal auditor must be aware that the client may resent even the most constructive criticism; consequently, the internal auditor must gain the confidence of the client by demonstrating:

Fairness,

Empathy,

Competence,

Persuasiveness, and

Self-assurance.

The internal auditor must avoid the pitfall of “Over Criticism”, i.e. an internal auditor who finds no major issues after performing an audit may be insecure about the result and so become over-critical about minor issues, resulting in alienation of the auditee. An internal auditor should also comment positively, when possible, on the auditee's activities, e.g. when recommendations made in a previous audit have been implemented.

The interview process involves four steps:

1. Planning the interview,

2. Performing the interview,

3. Documenting the interview, and

4. Closing the interview.


Planning for an Interview

The internal auditor should understand the functions, procedures, terminology and personal characteristics of senior managers at the location of the assignment. The auditor should formulate questions on the area they intend to audit. The questions should generally be a combination of:

Indirect - broad questions which seek clarity and may provide unexpected results.

Direct – questions addressing specific issues and looking for specific answers.

1. The auditor should prepare an agenda for the interview,

2. The agenda should determine the topic of the interview,

3. The agenda should clarify the desired outcome of each topic,

4. The agenda should design a process to reach the outcome - Interview questions.

The auditor should schedule any interview appointment well in advance with a dedicated time and place, preferably the interviewee’s office if possible.

A defined duration for the interview should also be given. Common courtesy should prevail when attending an interview such as punctuality, exchange of pleasantries and a brief description on what the interview will cover.

The key ingredient of planning the interview is determining the questions to ask and how the questions should be framed. The table below lists the various types of questions that could be asked. A combination approach will likely be required, depending on the level of detail required or the stage of the audit that you are at.

Preparing Interview Questions

Type of Question, Description and Examples

Open Question

Description:

• This type of questioning should be used to encourage interviewees to respond in detail about the topic,

• There is not a ‘yes / no’ answer to an open question,

• This type of questioning also encourages the interviewee to give a longer answer, so the auditor should be aware that they might lose some control over the direction of the interview. However, it may also lead to other information of interest,

• Open questions begin with: what, why, how, describe etc.

Examples:

• Tell me about the operation of the stores issues recording register,

• What are the main procedures followed in the payroll to general ledger reconciliation?

• How does the authorization of invoices for payment work?

• Is there anything else you would like to add regarding the payroll coding?

Closed Question

Description:

• This type of question should be used to establish specific pieces of information,

• The answer to a closed question is always ‘yes’ or ‘no’.

Examples:

• Is the bank reconciliation completed every day?

• Is the procedure for checking authorization written down in the procedures manual?

Factual Question

Description:

• This type of question should be used to establish factual information,

Examples:

• How many members of staff are employed in checking capital register entries?

Leading Question

Description:

• This should never be used as it leads an interviewee to a particular answer and is not objective as required by the audit attribute of “Objectivity”

Examples:

• Doesn’t anyone check that all entries in the ledger are correct?

• You deal with all coding enquiries personally don’t you?

Supplementary Question (Can be open or closed)

Description:

• This type of question is used as a follow up to an answer to a previously asked question,

Examples:

• Can you tell me a little more about coding?

Performing an Interview

The interviewer should be:

Tactful,

Objective,

Reasonable, and

Interested.

The auditor must not use an accusatory tone or make statements that are not supported by evidence, nor should (s)he react adversely to hostility shown by the interviewee.

The auditor should follow the agenda but need not follow it rigidly if worthwhile lines of enquiry open up during the interview.

The interviewer should engage in active listening that involves not only listening to what is stated by the interviewee but also observing their body language and asking clarifying questions.

This will involve reflecting on what was said, e.g. “Can I pick up on the point you made on finalization of monthly payroll in your office?”

Encouraging the interviewee to ask questions, e.g. “Is there anything you would like to mention or ask us in relation to the audit?”

Having awareness of the interviewee's feelings, thoughts and experience, e.g. “You have been working in this position for a number of years; do you have any suggestions on how the system can be made more efficient?”


The interviewer should not ask leading questions (questions suggesting an answer) nor should they ask loaded questions (questions with self-incriminating answers). Questions that require an explanatory response are preferable to those that require yes/no answers (open rather than closed questions).

An interviewer should be suspicious of answers that:

Are too smoothly stated (the answer has been rehearsed),

Fit too smoothly with the interviewer's own perceptions,

Consist of generalizations,

Contain unfamiliar technical terminology.

The auditor should take care to differentiate statements of fact from statements of opinion.

Recording the Interview

All interviews should be recorded in working paper format clearly stating the name and position of the interviewee as well as date, time and location of the interview. The notes should include significant matters during the interview such as interruptions and emotional outbursts.

The auditor should review the interview notes for further clarity of information gathered and generally for self-improvement. An interview work paper is attached in appendix 8.

File interview notes in the file on the server, and in the appropriate Internal Audit / Investigations file.

Closing the Interview

When finalising the interview the auditor should:

Wrap up the interview by summarising what has been stated - briefly,

Close immediately if hostility emerges,

Try to schedule any follow up meetings that may be required,

Ask the interviewee if they have any questions,

Remind the interviewee of any documents promised,

Thank the interviewee for their time.

Interview types

There tend to be four different types of interviews:

1. A preliminary interview – performed to promote internal audit, understand the interviewee, gather general information, and serve as the basis of planning,

2. A fact finding interview – performed to gain specific details required for an assignment,

3. A follow-up interview – performed to answer questions that have been raised based on analysis and gauge interviewee acceptance of new ideas / recommendations,

4. An exit interview – performed to ensure the accuracy of conclusions, findings and recommendations prior to reporting them.

It is best to document the system from the beginning of the process. It is much easier if employees begin at the beginning. The interviewer should clearly explain the objectives of the interview before asking any questions. It is important that the interviewer control the interview and not allow the auditee to deviate from the main line of enquiry.

2. Flowcharting

Auditors are required to document business processes for a number of reasons:

To become familiar with processes,

To provide evidence of work completed,

To identify potential areas of weaknesses or system failure, and

To identify areas where improvements can be made in process efficiency.

There are many ways to ascertain the information required for documenting a process and to present the process information collected; however, flowcharting is one of the more widely used techniques.

A flow chart is a diagrammatical representation of a business process that is used by the auditors to document systems under review. Symbols represent the flow of documents and books of account, where they are filed, and the accounting operations performed on them. They highlight controls (or their absence) and provide a clear diagrammatic representation of a system.

There are many different types and forms of flowcharts; however, for the auditor, the most important is the process flowchart.

This manual concentrates on two types of flowcharts:

Simple process flows, and

Cross-functional flowcharts.

Flowcharting is also a useful tool for analyzing processes. It allows you to break any process down into individual events or activities and to display these in shorthand form showing the logical relationships between them. Constructing flowcharts promotes better understanding of processes, and better understanding of processes is a pre-requisite for improvement.

Benefits of Flowcharting

There are many benefits to flowcharting including:

They display the logical "flow" between tasks,

It is visually successful in communicating the sequence of tasks,

The sequential impact of changes can be easily identified in a process,

Redundant operations and other inefficiencies become obvious,

New employees can easily familiarise themselves with business processes,

Internal control weaknesses can be easily identified,

They help the auditor see the “whole picture”.


Limitations in Flowcharts

Initially, flowcharting is a daunting task for those new to the process. However, through time and experience, many of the limitations can be overcome as drafting skills improve and the auditor becomes more familiar with the techniques involved:

Different levels of detail can easily become confused. As flowcharts become more complex, they can resemble “spaghetti”,

There is no obvious mechanism for proceeding from one level to the next,

The essential story of what is done can easily get lost in the detail of how it is done,

Flowcharts are best used in relatively simple process sequences such as system overview diagrams or user procedures.

Key Ingredients to Successful Flowcharting

It is vital that you start by depicting the process the way it really works, not the way you think it should work.

You need to chart the process as it is,

Later you can chart it as it is supposed to work (by regulation), or

As you would like it to work (your ideal picture of the process).

Steps and descriptions:

Start with the big picture. It is best to draw a macro-level flowchart first. After you have depicted this big picture of the process, you can develop other diagrams with increased levels of detail.

Observe the current process. A good way to start the flowcharting process is to walk through the current process, observing it in actual operation.

Record the process steps you observed. Record the steps as they actually occur in the process as it is. Write the steps on index card notes.

Arrange the sequence of steps. Now arrange the cards exactly as you observed the steps.

Draw the flowchart. Depict the process exactly as you observed, recorded, and arranged the sequence of steps, and confirm the accuracy of the chart.

A guide to flowcharting symbols and drawing tips is included in appendices 9 and 10.


Process Flowcharts

Process Flowcharts are a relatively high level, summarised and simplified representation of a system or set of arrangements. They are used to get an understanding of the system and what it is trying to achieve. Process flowcharts can be used to:

Identify decision points,

Identify steps in a process,

Link key processes in a visual way for analysis,

Communicate processes as instructions,

Identify workflow blockages,

Additionally, they can help to identify redundant processes within a system or other issues, which may lead to improvements in efficiency.

Cross-Functional Flowchart

When a flowchart describes a process in which a number of different people, departments, or functional areas are involved, it is sometimes difficult to keep track of who is responsible for each step. A useful additional technique for tracking this, and for analyzing the number of times a process is 'handed over' to different people, is to divide the flowchart into columns.

Head up each column with the name of the person or function involved in the process, and each time they carry out an action, show it in their column. Cross-functional flowcharts are created using the same approach as process flowcharts, with the additional focus on the movement of documents between people or offices.

There is an illustration of a cross functional flowchart in appendix 11 which gives a general overview of a “procure to pay” process. It demonstrates how control of the process passes from the person initiating the purchase, to the purchasing department and then to the supplier.

Interpreting Flowcharts

A flowchart will help you understand your process and uncover ways to improve it only if you use it to analyze what is happening. Interpreting the flowchart will help you to:

Determine who is involved in the process; [are so many people required for this process to operate in a controlled manner],

Form theories about root causes of problems; [are there too many people, are there unnecessary controls, documents, bottlenecks, manual processing, duplication etc],

Identify ways to streamline the process; [remove unnecessary processes, controls, and decision points],

Determine how to implement changes to the process,

Locate cost-added-only steps, [the steps that don’t add value, control]

Provide training on how the process works or should work,

Below is a sequence of steps that will help you through an orderly analysis of your flowchart.

Step 1: Examine each process step for the following conditions that indicate a need to improve the process:

Bottlenecks - These are the points where the process slows down. They can be caused by redundant or unnecessary steps, re-work, lack of human or technological capacity, or other factors.

Weak links - These are steps where problems occur because of inadequate training of process workers, equipment that needs to be repaired or replaced, or insufficient technical documentation.

Poorly defined steps – Poor definition results in different interpretations and performance by the process operators or administrators resulting in variation in process delivery.

Cost adding only steps - Such steps add no value to the output of the process and should be earmarked for elimination.

Step 2: Examine each decision symbol. You may want to collect data on how often there is a (yes or no) answer at decision points marked by a diamond-shaped symbol. If most decisions go one way rather than the other, you may be able to remove this decision point.

Step 3: Examine each rework loop. Processes with numerous checks generate rework and waste. Examine the activities preceding the rework loop and identify those that need to be improved. Look for ways to shorten or eliminate the loop.

Step 4: Examine each activity symbol. Does the step help build key quality characteristics or controls into the production of the service/product? If not, consider eliminating it.

3. Analytical Review

Analytical procedures help the auditor understand a Ministry / Department and any changes that have occurred in the department during a financial year or extended period. Analytical review can assist the auditor in identifying areas where further audit procedures are required due to unexpected results in trends or predictable relationships.

Analytical review basically consists of comparing different sets of data, drawing conclusions from data from different sources, and analyzing expected outcomes. This includes, but is not limited to, the following analytical review techniques.

Analytical review is the systematic analysis and comparison of related figures, trends and ratios in order to identify their mutual consistency or inconsistency for creating evidence. However, it should be noted that the evidence provided by analytical review is indicative, rather than conclusive and it should always be corroborated by evidence from another source.

Analytical Review Techniques

Technique - Description

Comparison - The comparison of figures is perhaps the most frequently used technique. This can be the comparison of figures from different time-periods, budgets against actual, forecast unit costs against actual; or performance targets against outputs within a Ministry.

Ratio Analysis - Ratios can be calculated from financial or non-financial data to establish if the relationship between the figures is as expected or can be benchmarked with similar organisations. The ratios calculated will be dependent on the Ministry under review.

Trend Analysis - This is the examination of the same source figure over a period of time or geographical location to establish the direction of change and its extent. Graphical representation is an effective way of presenting this analysis.

Consistency Review - This is the examination of directly related figures for uniformity and reliability. For example, if two additional school buildings have become operational in the year, consumption of, say, water and electricity should show an increase in line with this. If new vehicles have been purchased a corresponding increase in fuel may be expected.

Proof in Total - This is a predictive, substantive test, which is commonly used by auditors to verify a figure. It may be used where the expected value of a figure can be calculated based on the prior year value or known and verified activity. For example, total revenue from a rental building could be checked by multiplying the rental rate for a unit by the number of units and verified occupancy rates in the building.

Applications of Analytical Review Techniques

Corroboration

It may be used to corroborate the evidence obtained from other tests. If a result is predictable from other evidence gathered, analytical review can be used to corroborate this by performing a calculation. A monthly payroll may be a good example of this. If systems controls have been assessed as adequate it may be possible to calculate an expected outturn figure based on the number of employees and compare this to the figure calculated by the payroll system and posted into the financial ledger. If both figures are similar, this analytical review test can be considered as complementary and corroborative evidence.

Prioritization

This is the identification of higher value or higher risk items and directing assignment resources accordingly. A common practice during an assignment is to compare budget figures with actual and investigate reasons for variances. Significant variances will command more investigative resources to be targeted at those areas.

Significant variances between budget and actual,

Audit Planning

Activities of potential risk can be identified by looking at trends and developing ratios. Some examples could be:

Significant variances between planned and actual activity,

Significant changes in expenditure or income in specific activities year on year,

Unexpected changes in the average pay per employee over time,

Changes in average consumption of goods or services over time, and

Unexpected changes in the costs per service user over time.

A comparison of the costs of similar operations in different Ministries may reveal, for example, that the cost of stores operations or fuel consumption varies significantly between organisations.

Limitations of Analytical Review

The common feature of the application of Analytical Review is that the person performing the test must be able to judge if the outcome of the procedure requires further work or if it provides the outcome that was expected. This is very much a matter of professional judgment.

Analytical Review procedures should be applied with due professional care and the outcome of any procedure must be interpreted carefully given the wide variety of possibilities for using this technique. It should be noted that careful design of the procedure is also very important and that the degree of assurance from analytical review procedures cannot always be measured accurately.

Figures used to develop ratios must have an element of compatibility and a plausible relationship must exist between the figures. For example, comparing the average cost per employee year on year may be a meaningful comparison, but comparing the value of stationery purchased as a percentage of electricity consumed may not, because the two activities are not obviously related.

Evaluation of Results of Analytical Review

After a procedure has been performed and a result obtained, the auditor must decide whether the result met expectations fully, partially or not at all, and determine the implications of the outcome. Due professional care and a degree of caution must be exercised in evaluating and interpreting results. Approaches to evaluation, depending on outcomes, could include:

Reappraisal of the basis, methods and factors used in forming the original expectation of outcome,

Discuss the variance obtained with the management of the activity reviewed, seeking plausible explanations for the result received,

Evaluate the difference in light of knowledge about the activity reviewed,

Undertake further investigation or analysis to corroborate management responses,

The conclusion of the overall Analytical Review procedure will be that either a significant issue has been identified or it has not. In either case, this would be valuable in corroboration with other evidence. As in all cases, the work performed should be recorded clearly in working papers and any conclusions drawn must be clearly supported by evidence.

In particular, the sources, dates and full descriptions of figures used in the procedure must be clearly stated and it may be helpful to obtain copies of original source documentation to support the working papers.

4. Audit Sampling

Auditors do not normally examine all the information available to them, as it would be impractical to do so. They therefore use audit sampling when performing tests, which yields statistically valid conclusions if properly applied.

“Audit sampling involves the application of audit procedures to less than 100% of the items within a class of transactions such that all sampling units have an equal chance of selection”

Why Sample?

Sampling is normally appropriate for areas in which there are a large number of similar transactions and where it is not cost effective to test them all.

Examples where sampling is not appropriate:

The auditor is following up an enquiry as a result of previous information,

Populations are too small for valid conclusions to be drawn and it is quicker to test all transactions rather than spend time constructing a sample,

All the transactions in a particular area are material,

The population is not homogenous, (not all transactions contain similar attributes).

Selecting Items for Testing

When designing audit procedures the auditor should determine appropriate means for selecting items for testing. The means available to the auditor are:

1. Selecting all items, (100% of transactions)

2. Selecting specific items,

3. Sampling,

Selection of 100% of Transactions

Never used when completing tests of controls,

Used when there are a small number of transactions,

Used where all the transactions are large and at high risk,

Used where the availability of Computer Assisted Audit Techniques (CAATs) means that large numbers of transactions can be audited efficiently.

Selection of Specific Items

Judgment may be used to select high value or key items, (Items with a history of error)

All items over a specific value,

Items to test for specific controls.

Audit Sampling Approach

Auditors should use a rational basis for planning, selecting and testing the sample and for evaluating the results so that they have adequate assurance that the sample is representative of the population, and that sampling risk is reduced to an acceptable level. Audit sampling can be completed using the following approaches:

• Statistical, or

• Non statistical sampling.

Statistical Versus Non-Statistical Sampling

Statistical sampling involves the use of mathematical procedures, (probability theory) to draw conclusions about the entire population. Non-statistical techniques rely on the auditors’ judgement.

Auditors still use judgement when using statistical procedures, for example, when setting materiality levels.

Explanation: It is more likely that non-statistical sampling will be used in the tests of controls, as you will be testing for the mere presence of a control activity, whereas statistical sampling would be used in substantive tests to try to quantify the effect of test failure over the entire population.

When designing an audit sample the auditor should consider the objectives of the audit procedure and the attributes of the population from which the sample will be drawn, as statistical sampling should only be used in homogenous populations. They should also consider the sampling and selection methods.

Sampling Methods

There are many different sampling methods available to the auditor. The auditor must select a method that fulfils the audit objectives and matches the information and resources available. The table below lists some common audit sampling methods.

Method: Judgment Sampling

Definition:

• Based on deliberate choice and excludes any random process.

Uses:

• Normal application is for small samples from a population that is well understood and there is a clear method for picking the sample

• It is used to provide illustrative case studies

Method: Random Sampling

Definition:

• Ensures every member of the population has an equal chance of selection.

Uses:

• Produces defensible estimates of the population and sampling error

• Simple sample design and estimation

Method: Systematic Sampling

Definition:

• After randomly selecting a starting point in the population between 1 and n, every nth unit in the population is selected where n equals the population size divided by the sample size

Uses:

• Easier to extract the sample than in simple random

• Ensures that cases are spread across the population

Method: Stratified Sampling

Definition:

• The population is subdivided into homogenous groups for example regions, sign or type of establishment

• The strata can have equal sizes or you may wish to have a higher proportion in certain strata

Uses:

• Ensures units from each main group are included and therefore be more reliably representative

• Should reduce the error due to sampling

Method: Multi Stage Sampling

Definition:

• The sample is drawn in two or more stages (e.g. a selection of offices at the first stage, and a selection of claimants at the second stage)

Uses:

• Usually the most efficient and practical way to complete large audits with extended geographic coverage

The Sampling Process

Steps - Description

1. Determine Objective of Audit Test - This will determine whether you are performing a control test or a substantive test and the type of evidence that you want to collect.

2. Define the Audit Population - The audit population is the total number of items that the auditor would like to expose to specific audit procedures due to certain characteristics. All the items in the population should contain similar characteristics and each should have an equal chance of selection if sample results are to be valid.

3. Choose a Sampling Method - This will depend largely on the size of the population, geographic coverage and range of items in the population, as well as the statistical precision of the results required.

4. Select the Sample - The auditor should select sample items in such a way that the sample is representative of the population using the most appropriate sampling method.

5. Evaluate the Results - When evaluating results the auditor must ensure that the errors identified are in fact errors. The auditor should also attempt to extrapolate the errors found over the entire population if possible.

6. Report the Results - When reporting results the auditor should state the sample size, total number of errors found, the sample selection method and the type of errors found.
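The systematic and stratified selection methods from the sampling methods table, together with the evaluate and report steps of the sampling process, worked through in Python as an added example that is not part of the manual. The claim records, office names, planted errors, proportional allocation across strata and the simple error-rate projection are assumptions made for the illustration.

```python
import random
from collections import defaultdict


def build_constructed_claims():
    """Constructed population: 1,000 travel claims in three offices, 40 with a planted error."""
    rng = random.Random(2012)
    error_ids = set(rng.sample(range(1, 1001), 40))
    claims = []
    for claim_id in range(1, 1001):
        office = "Office A" if claim_id <= 600 else "Office B" if claim_id <= 900 else "Office C"
        claims.append({"id": claim_id, "office": office, "error": claim_id in error_ids})
    return claims


def systematic_sample(population, sample_size, seed=None):
    """Random start between 1 and n, then every nth unit, with n = population size / sample size."""
    if not 0 < sample_size <= len(population):
        raise ValueError("sample size must be between 1 and the population size")
    interval = len(population) // sample_size
    start = random.Random(seed).randint(1, interval)  # 1-based position of the first unit
    # Truncate in case the population size is not an exact multiple of the interval.
    return population[start - 1::interval][:sample_size]


def stratified_sample(population, stratum_of, sample_size, seed=None):
    """Split the population into strata and draw a random sample from each one.

    Allocation is proportional to stratum size (an assumption; the manual also
    allows equal sizes or a higher proportion in chosen strata). Rounding can
    make the total differ slightly from sample_size.
    """
    rng = random.Random(seed)
    strata = defaultdict(list)
    for item in population:
        strata[stratum_of(item)].append(item)
    selected = {}
    for name in sorted(strata):
        items = strata[name]
        quota = round(sample_size * len(items) / len(population))
        quota = min(len(items), max(1, quota))  # every stratum contributes at least one unit
        selected[name] = rng.sample(items, quota)
    return selected


def report_results(sample, population_size, is_error, method):
    """Collect the facts the manual asks a sample report to state, plus a simple projection."""
    if not sample:
        raise ValueError("cannot evaluate an empty sample")
    errors = [item for item in sample if is_error(item)]
    return {
        "method": method,
        "sample_size": len(sample),
        "errors_found": len(errors),
        "error_rate": len(errors) / len(sample),
        # Straight-line extrapolation of the sample error rate over the population.
        "projected_errors": round(len(errors) * population_size / len(sample)),
    }


if __name__ == "__main__":
    claims = build_constructed_claims()

    def has_error(claim):
        return claim["error"]

    picked = systematic_sample(claims, 50, seed=1)
    print(report_results(picked, len(claims), has_error, "systematic"))

    by_office = stratified_sample(claims, lambda c: c["office"], 50, seed=1)
    for office, items in by_office.items():
        print(office, report_results(items, len(items), has_error, "stratified"))
```

Re-running with different seeds shows how far the projected error count can move from the 40 errors actually planted, which is the sampling risk the auditor has to weigh when interpreting the result.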

Sample Size - Key Point:

“Practical limitations will often be the chief determinant of the sample size. A sample size between 50–100 items should ensure that the results are sufficiently reliable for the majority of purposes however there will be occasions when a sample as small as 30 will be sufficient. Samples smaller than this fall into the category of case studies where statistical inferences to the population cannot be made, however they can still form part of a valid defensible methodology” [15]

Selecting your Sample [16]

[Figure: decision tree "How Should I Choose my Sample Method", with the decision points "Is Tight Precision Required" and "Are Sub Groups Required" (answered Yes or No) leading to a selection of Judgment, Random, Systematic, Stratified or Multi Stage sampling, with sample sizes of up to 50, 50 to 100, or 50 to 100 per group.]

Assessing Test Results:

The 2 major points when assessing sample results are:

To ensure what has been termed as an error is in fact an error, and

To determine the effect of the errors which you have found over the population as a whole, this will involve projection / extrapolation of the result.

[15] The National Audit Office (NAO) UK. 2001. A Practical Guide to Sampling.

[16] National Audit Office (NAO) UK. 2000. A Practical Guide to Sampling.

Reporting the Results

When reporting the results of a sample test it is important to cover the following key facts.

The purpose of reporting the results of compliance tests is to provide information on the operational integrity of systems. Results should be communicated as clearly as possible to help understanding.

Reports should state:

The importance of the control that was tested, (i.e. was it a Key Control)

The type of test conducted, (i.e. was it a Compliance Test or a Substantive Test?)

Test results in a standardized way such as the number of items tested and the number of examples showing compliance or omission,

A firm conclusion, on whether the control was in place and operating (‘Yes’ or ‘No’), the type of error found if any and whether or not there were any compensating controls in operation,

The implication of the test result and conclusion for the effective operation of the organisation.

Audit Tests

The session builds on concepts already introduced on:

Control Tests – (Compliance Tests)

Tests of details – (Substantive Tests)

Designing Audit Tests

5. Controls Tests

Control tests are performed when:

An auditor is requested to perform a systems based audit or

The auditor believes it will be feasible to conduct a systems based audit rather than adopting a pure substantive audit approach.

It is important to emphasize that control tests should not be designed unless:

The system design has been documented, evaluated and found to meet the audit control objectives, and

The control operations are listed separately in the audit working papers.

Control Tests should be designed using the following evidence collection techniques:

Enquiry,

Observation,

Inspection and

Re-performance techniques (discussed in the table below)

This is the preferred sequence of test types as the sequence is in the order of their economy in audit time.

Collecting Evidence:

The auditor is seeking evidence of the operation of control procedures, for example, the checking of travel claims, which should be prepared in accordance with the financial rules and regulations and recorded in the proper accounting ledger.

In planning tests of control, evidence is required about the satisfactory operation of the control.

The best evidence that the auditor could obtain is transactions that were in error when they came before the processing clerk, i.e. the errors detected by the clerk whilst conducting the control procedure.

Generally, the only evidence of transaction errors will be:

Transactions rejected by the clerk,

Transactions amended by the clerk, or

Transactions remaining in the population, in error.

The audit evidence available respectively will be:

Formal records or lists of rejected transactions retained by the clerk,

Alterations on prime documents observed during testing, and

Errors discovered by the auditor during substantive testing.

Some tests of control will also provide substantive evidence. For example re-performing an accounting reconciliation provides evidence that the clerk completed the control function satisfactorily. It also substantiates the cash balance and hence is a dual-purpose test.

Key Point: When planning substantive tests, the auditor may use the sample for the control test as part of a representative substantive sample, as long as the evidence from the control test clearly provides substantive evidence.

In addition to this, when recording the programme for control tests, the auditor should clearly specify:

The Population to be examined,

Population size,

Sample size, and

The sample selection method.

The table below provides some examples for evidence collection of control in operation.

Control Objective to be Tested

Suggested Evidence for Control Test

Understand the System

Enquiry: evidence as to whether the clerk knows the procedures and understands them,

Observation: evidence about how the clerk carries out the procedures,

Inspection: check the regulations and circulars (documents), evidence about whether the documents are up to date,

Inspection of the list of authorized signatories to confirm that it is up-to-date,

Re-performance: comparison between the documents and what the auditor has been told,

Test for Completeness - are all travel claims entered into the cash book?

Enquiry: evidence as to whether the clerk knows the procedures and understands them,

Observation: evidence about how the clerk carries out the entries,

Inspection: check the cash book to assess the travelling claim entries,

Re-performance: comparison of the travelling claim documents with the cashbook to check that all claims were entered,

Tests for Occurrence (or fact) - are the recorded travel claims real, i.e. not fictitious?

Enquiry: evidence as to whether the clerk knows the procedures and understands them,

Obtain an understanding of the last time the clerk rejected a claim as evidence that the clerk is checking and rejecting ‘incorrect’ claims,

Observation: evidence about how the clerk carries out the entries,

Inspection: check a sample of travel claims to confirm that the correct claim form has been used, collect evidence that the clerk has rejected unofficial claims,

Inspection: examination of the recorded journeys to confirm that they are likely to be real, bearing in mind the claimant’s job. NB: this is evidence that the auditor believes the journeys appear to be real, but does not provide evidence about whether, on the face of it, the clerk has satisfactorily completed that part of the job,

Re-performance: comparison of the sample of travelling claim documents with the cash book to substantiate that all claims were entered providing evidence that the clerk has completely entered all the claims.

Tests for Measurement - are all claims measured (calculated) in accordance with the appropriate circular?

Enquiry: evidence as to whether the clerk knows the procedures and understands them,

Obtain an understanding of the last time the clerk rejected a claim, evidence that the clerk is checking and rejecting claims which were not calculated in accordance with rules and regulations,

Observation: evidence about how the clerk carries out the entries,

Inspection: check a sample of travel claims to confirm the entry of the clerk’s signature indicating that calculations have been checked. This is evidence that the clerk has signed the forms but not that the clerk has conducted the check,

checking claims and record how many have been amended by the clerk,

Re-performance: comparison of the travelling and subsistence rates in the sample of travelling claim documents with up-to-date circulars to substantiate that the up-to-date rates have been claimed (and no more). This is evidence that the claimants have used up-to-date rates, but not necessarily evidence that the clerk performed the check,

Re-calculate additions and extensions to confirm that these are correct,

This is evidence that the claims are correct, but not necessarily evidence that the clerk actually checked them.

Regularity - have the claims been certified by the responsible officer, i.e. that the travelling expenses were incurred on official business and were necessary for the proper fulfilment of the official’s duties.

Enquiry: evidence as to whether the clerk knows the procedures and understands them,

Obtain an understanding of the last time the clerk rejected a claim, evidence that the clerk is checking and rejecting claims which were not certified by the responsible officer,

Observation: evidence about how the clerk carries out the checks,

Inspection: check a sample of travel claims to confirm the entry of the clerk’s signature indicating that the certifying officer has been checked,

This is evidence that the clerk has signed the forms but not that the clerk has performed the check,

Re-performance: scrutinize the claim details and confirm that these appear to be regular, bearing in mind the claimant’s job.

This is evidence the auditor believes the claims are regular, but not necessarily evidence that the clerk performed the check,

Disclosure - have the claims been entered in the correct column of the cash book and hence, are correctly coded?

Enquiry: evidence as to whether the clerk knows the procedures and understands them,

Observation: evidence about how the clerk enters the cash book,

Inspection: check a sample of travel claims to confirm the entry of the clerk’s signature indicating that the claim was entered into the cashbook.

This is evidence that the clerk has signed the forms but not that the clerk has entered the claim,

Re-performance: for a sample of claim forms, confirm that they were correctly entered,
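The re-performance tests in the table above, run over a small set of travel claims and cash book entries, as an added Python example that is not part of the manual. The claim numbers, rates, signatory codes and cash book layout are constructed for the illustration and do not come from any circular.

```python
from decimal import Decimal

# Constructed rates standing in for the up-to-date circular.
CIRCULAR_RATES = {"per_km": Decimal("0.80"), "per_night": Decimal("120.00")}
# Constructed list of authorised certifying officers.
AUTHORISED_SIGNATORIES = {"OFFICER-01", "OFFICER-02"}

# Constructed sample of travel claim documents.
CLAIMS = [
    {"claim_no": "TC-001", "km": 100, "nights": 1, "claimed": Decimal("200.00"), "certified_by": "OFFICER-01"},
    {"claim_no": "TC-002", "km": 50, "nights": 0, "claimed": Decimal("45.00"), "certified_by": "OFFICER-02"},
    {"claim_no": "TC-003", "km": 0, "nights": 2, "claimed": Decimal("240.00"), "certified_by": None},
    {"claim_no": "TC-004", "km": 30, "nights": 0, "claimed": Decimal("24.00"), "certified_by": "OFFICER-01"},
]

# Constructed cash book entries for the same period.
CASH_BOOK = [
    {"claim_no": "TC-001", "amount": Decimal("200.00"), "column": "travel"},
    {"claim_no": "TC-002", "amount": Decimal("45.00"), "column": "travel"},
    {"claim_no": "TC-003", "amount": Decimal("240.00"), "column": "stationery"},
    {"claim_no": "TC-009", "amount": Decimal("75.00"), "column": "travel"},
]


def expected_amount(claim, rates):
    """Recalculate the claim from its own details and the circular rates."""
    return claim["km"] * rates["per_km"] + claim["nights"] * rates["per_night"]


def reperform_control_tests(claims, cash_book, rates, signatories, expected_column="travel"):
    """Return the claim numbers that fail each control objective on re-performance."""
    entries = {entry["claim_no"]: entry for entry in cash_book}
    claim_nos = {claim["claim_no"] for claim in claims}
    exceptions = {"completeness": [], "occurrence": [], "measurement": [],
                  "regularity": [], "disclosure": []}

    for claim in claims:
        number = claim["claim_no"]
        entry = entries.get(number)
        if entry is None:
            # Completeness: a claim document with no cash book entry.
            exceptions["completeness"].append(number)
        elif entry["column"] != expected_column:
            # Disclosure: entered, but in the wrong column (miscoded).
            exceptions["disclosure"].append(number)
        if claim["claimed"] != expected_amount(claim, rates):
            # Measurement: amount does not agree with the circular rates.
            exceptions["measurement"].append(number)
        if claim["certified_by"] not in signatories:
            # Regularity: not certified by an officer on the authorised list.
            exceptions["regularity"].append(number)

    # Occurrence: a cash book entry with no supporting claim document.
    exceptions["occurrence"] = sorted(n for n in entries if n not in claim_nos)
    return exceptions


if __name__ == "__main__":
    results = reperform_control_tests(CLAIMS, CASH_BOOK, CIRCULAR_RATES, AUTHORISED_SIGNATORIES)
    for objective, failed in results.items():
        print(f"{objective}: {len(failed)} exception(s) {failed}")
```

As the table notes for re-performance, a clean result here is evidence that the claims are correct, not evidence that the clerk actually carried out the check.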

6. Substantive Tests

It may be necessary to design substantive tests to meet specific circumstances. A standard approach to designing such tests might well contain the following stages:

Define and record the objective of the test.

State the error condition(s). This applies when the auditor is aware of what can go wrong. The auditor needs to use his / her imagination to identify all of the possible error conditions in a given situation.

The auditor should assess the degree of RISK of occurrence of the identified errors. If there is a low risk of error, it may be wasteful for the auditor to design tests.

An appropriate balance between tests of control, analytical review and the substantive procedures will ensure the most efficient use of audit resources.

As with a control test programme, a substantive testing programme should specify the:

Population,

Population size,

Sample size, and

The sample selection method.

This information should be recorded as a working paper and filed in the permanent file.

Examples of Substantive Tests

Cash and Bank procedures

Audit Objective Audit Test WP ref

Completeness: All transactions recorded for the related period.

Observe cash collection at a sample of cash offices ensuring all receipts were recorded.

Check calculation of daily totals of cash receipts.

Check daily totals agree to amounts passed to Treasury and/or banked.

Observe opening of post at the central cashier’s office. Ensure post is opened in the presence of at least two people, and that all cash and checks are accurately recorded.

Measurement / valuation: The recorded transactions, assets and liabilities have been correctly and accurately valued or measured.

Reconcile amounts on bank paying in slips to cash and check totals for the relevant period.

Re perform the bank reconciliation for the latest month, and ensure that all reconciling items are bona fide.

Ensure that all bank reconciliations are performed and/or reviewed by appropriate senior accountants not involved in daily cash management.

Security: All assets are secure, custody is clearly stated, and access is properly authorised.

Inspect physical security of cash offices, including locks, alarms, windows and safes.

Ensure that cash is banked on a regular basis, appropriate to the amount of cash taken and security of cash storage systems.

Review the number of days between cash receipt and cash credited in the bank. Investigate delays in banking significant cash balances.

Substantiation: Recorded assets and liabilities are reconciled with independent financial records.

Get written confirmation from the bank on:

All local and foreign currency accounts held,

Full titles and closure of related accounts during the period,

Details of charges or interest charged during the period,

Details of any assets which currently have bank charges,

7. Audit Programme(s)

The audit programme is a crucial part and outcome of the audit process. It should ensure a standard approach to the audit, so that all necessary aspects are addressed and documented during the audit.

Objectives

The objectives of preparing an audit programme are as follows:

To assist in planning the audit, so that efficient and effective procedures are applied in accordance with the audit strategy and the audit plan,

To provide clear instruction to staff as to the nature, extent and timing of audit procedures,

To provide a record of the work done and the conclusions drawn, as a basis for effective quality control and to meet audit evidence requirements.

The audit programme is a proposed detailed response to the priority areas identified in the planning stage of the audit. It entails sufficient detail to enable the translation of the audit strategy decisions into individual audit tests.

Form of the Audit Programme

Consider the following when preparing the audit programme:

It should describe the nature of procedures in sufficient detail to provide adequate instruction to members of the audit team carrying out the work,

It should indicate the extent of testing and the intended timing of the work,

It should show against each procedure the following:

o A cross reference to the related working papers recording the evidence obtained,

o The initials of the member of the audit team carrying out the work,

o The date on which the work was completed,

o Exceptions discovered during audit testing and action taken.

An audit programme should be prepared for each system where significant audit procedures are performed. It should be prepared or updated every year to ensure that it reflects the current threats to systems and processes. The head of internal audit should review and approve each audit programme, ensuring that the nature, extent, and timing of procedures are appropriate to the audit strategy.

Preparing the Audit Programme

When preparing the audit programme the auditor should ensure the following links:

[Figure: audit programme cycle (Plan, Do, Check, Act)]

Authority for the Audit Programme

Plan - Establishing the Audit Programme: Objectives, Responsibilities, Resources, Procedure and Guidance

Do - Implementing the Audit Programme: Scheduling Audits, Evaluating Auditors, Selecting the Audit Teams, Directing Audit Activities, Maintaining Records

Check - Monitoring and Reviewing the Audit Programme: Monitoring and Review, Corrective Action, Identifying Preventive Actions, Identify Areas for Improvement

Act - Improve the Audit Programme

Also shown in the figure: Evaluation of Auditors, Audit Activities

Steps in Audit Programme Preparation

There is a sample audit programme on pay and allowances attached in appendices 12 and 13.

Audit Evidence

The auditor is required to gather evidence to support the conclusions and recommendations arrived at in the audit report. The auditor should obtain sufficient, appropriate audit evidence to be able to draw reasonable conclusions on which to base the audit opinion. Here “sufficient” relates to the quantity of evidence, and “appropriate” relates to the quality, or reliability and relevance, of the evidence collected.

Factors Determining “Sufficient and Appropriate”

The auditor is required to use judgment to decide the quantity and type of evidence required and should consider:

The assessment of risk in the areas under audit,

Materiality of the area under review,

Results of audit procedures,

Source and reliability of evidence available, and

The cost and time needed to obtain the evidence.

Procedures for Obtaining Audit Evidence

Gather audit evidence by performing the following:

Risk assessment procedures,

Controls tests,

Substantive tests, and

Analytical Procedures.

Risk assessment is based on the system under consideration, e.g. the auditor will assess whether management have adequate risk management procedures in place, identify what they perceive to be the main risks in a system and test that controls are adequate to mitigate the risks identified. Completing a risk assessment influences the extent and type of audit evidence required.

Control tests are tests which provide audit evidence that internal control procedures are being applied as prescribed hence reducing the risk of material errors. The auditor will require evidence on the strength of the internal control system including its:

Design – that is the extent of prevention and detection controls in the system, and

Operation – how well the internal controls are actually working.

Substantive tests are tests of transactions and balances which seek to provide audit evidence on the completeness, accuracy and validity of the information contained in the accounting records or in the financial statements. Substantive procedures are based on audit assertions.

The mnemonic “COVER MP” is useful for memorizing the tests to complete:

Completeness – to test that all transactions have been recorded correctly,

Occurrence – to test that the transaction occurred during financial year in question,

Valuation – to verify that the balance is recorded at correct value,

Existence – to check that an asset or liability exists at the time of audit,

Rights and Obligations – to verify that an asset or liability recorded in the accounts actually belongs to the organisation under review,

Measurement – to check transactions are recorded at the correct amount in the correct period,

Presentation and disclosure – to ensure that information is properly recorded according to accounting policies and regulations.

Example: Substantive Tests in an Accounting System

[Figure: a flow from INVOICE, through Coding & Recording, to ACCOUNTS, annotated with the following tests]

EXISTENCE: Did MoF actually receive the goods being charged for?

COMPLETENESS: Have all of the transactions been recorded?

RIGHTS & OBLIGATIONS: Is this the sort of thing that is appropriate for the MoF to buy?

DISCLOSURE: Has the nature of the transaction been accurately captured in the accounts?

MEASUREMENT: Has the transaction been correctly recorded?

Evidence is “Persuasive” not “Conclusive”

Auditors are essentially looking for enough reliable audit evidence. Audit evidence usually indicates what is probable rather than what is definite, that is, audit evidence is usually persuasive rather than conclusive, for the following reasons:

• Auditors do not check every item in the accounting records. This would be too time consuming and not effective in a cost benefit sense. Instead, the auditors complete tests on a sample of items in the population.

• There are limitations in accounting systems and systems of internal control. The auditors are relying on the accounting system and may be relying on internal control. The accounting system may not give the level of detail the auditors require, or it may be operated by poorly trained staff.

• There is always a possibility that management or staff may not tell the truth or collude in fraud.

• The fact that audit evidence indicates what is probable rather than what is certain.

• Auditors will often not be qualified to make judgments themselves on certain audit evidence. They will need to call on expert assistance.

Reliability of Evidence

The following generalisations may help in assessing the reliability of audit evidence:

Audit evidence from external sources, for example, confirmation from a third party, is more reliable than that obtained from the organisation's records.

o E.g. bank statements from independent banks confirming bank balances at a particular point in time are considered better evidence than the cash book of the organisation. Statements from suppliers are also considered better evidence of accounts payable and expenditures incurred.

Audit evidence obtained from the entity’s records is more reliable when the related accounting and internal control system operates effectively.

Evidence obtained directly by auditors is more reliable than that obtained by or from the entity.

Evidence in the form of documents and written representations is more reliable than oral representations.

Original documents are more reliable than photocopies, telexes, or facsimiles.

Consistency of audit evidence from different sources will have a corroborating effect, making the evidence more persuasive. Where such evidence is inconsistent, the auditors must determine what additional procedures are necessary to resolve the inconsistency.

Section 7: Computers in the Audit Process

Computers (or IT) can provide more effective information systems through rapid and reliable information processing. However, computer systems need adequate internal controls in the same vein as traditional manual systems. The way that computers process data creates additional problems: a possible lack of visible evidence and the occurrence of systematic errors.

IT today is provided by a wide range of facilities. It includes all sizes of computers (from hand-held data capture units, through personal computers (PCs) and local networks, to the largest mainframes and ‘supercomputers’), FAX machines, programmable photocopiers and printing machines, telephones and communications networks.

Internal auditors need to be aware of developments in information systems and computer technology for a number of reasons:

1. Increasingly large amounts of public resources are being invested in information systems,

2. Ministries are now placing greater reliance on information systems that must be effective if the Ministries are to achieve their objectives. For example, many governments have migrated to computerised accounting systems due to the volume of transactions being processed and to improve transparency of processed transactions.

3. Key management decisions are based on information provided to managers from computerised information systems. Internal auditors need to be aware of how computer systems operate, provide assurance that the information supplied from those systems is correctly processed and, consequently, that decisions have been made on the most appropriate basis.

4. Internal auditors should have expertise in internal control; however, to perform audits of computer systems, internal auditors require further knowledge and experience. This will include practical knowledge of auditing computer-based systems. There is also a need for auditors to be aware of the computer controls that should be in place in such systems.

5. Some internal auditors should also be able to review the specifications of proposed computer systems before any development work is undertaken, in view of the cost implications of subsequently amending programmes to incorporate control requirements.

Internal Controls in a Computerised Environment

The principles relating to internal control are the same in a computerised environment as in a manual environment. However, there are additional considerations, which should be taken into account by the internal auditor when auditing computer systems.

Internal auditors need to be aware of the main types of internal controls over computer-based systems. These controls can be divided into two main types:

General controls

Application controls.

This manual provides a brief introduction into how computers impact on the way a government Ministry operates, the impact computers have on internal control and how computers can be used to assist with audit activities.

The use of computers in a process or system has a fundamental impact on the way systems operate, the procedures used to operate the systems, the way transactions are processed, the risks incurred and the ways that those risks are managed.

The following distinctions arise between a manual and computerized system and their impact on internal controls:

Transaction trail – transaction trails will usually only be available in electronic format and may have a short life span for the auditor to view them. However, transaction trails in computerised systems often provide more information to auditors, such as the person who performed the transaction, the date and time it was performed and the sequencing of transactions. This information is more difficult to manipulate in a computerised system.

Uniform processing of transactions – there is generally a smaller chance of clerical errors when processing transactions through computer systems, however programming or hardware errors may cause problems in processing transactions.

Segregation of functions – one person may complete more steps in the process than was traditionally the case in manual systems, therefore additional controls may need to be developed to compensate for lack of segregation of duties.

Potential for error or fraud – although transactions should be processed more accurately and efficiently, the lack of personnel involved in a process may make it more vulnerable to fraud.

Potential for increased management supervision – the volume of information contained in a database allows management many analytical tools to supervise operations and to interrogate the information input into the system in an efficient manner.

General Controls

These apply to all computer activities. They include the following:

Information security policy

A written policy document should be available to all employees responsible for information security.

Information Security procedures

There should be clearly defined responsibilities for the protection of individual assets and for carrying out specific security processes.

The information security policy should provide general guidance on the allocation of security roles and responsibilities within the organisation. This should be supplemented, where necessary, with more detailed guidance for specific sites, systems or services, which should clearly define responsibilities for individual assets (both physical and information) and security processes, e.g. business continuity planning. This will also contain information on retention, storage, handling and disposal of records and information.

Information Security Education and Training

Users should receive appropriate training in organisational policies and procedures, including security requirements and other controls, as well as training in the correct use of IT facilities, e.g. log on procedures, use of software packages prior to gaining access to IT services.

Reporting Security Incidents

There should be a mechanism, which allows the timely reporting of security incidents through appropriate management channels.

Virus Control

The basis of protection against viruses is good security awareness and appropriate system access controls. The organisation should establish a formal policy requiring compliance with software licenses and prohibiting the use of unauthorized software. This includes using anti-virus software (including firewall) developed by a reputable supplier.

Business Continuity Planning

Business continuity planning should involve identifying and reducing the risks from deliberate or accidental threats to vital services. Develop plans to enable the performance of business operations at alternative locations following failure of, or damage to, vital services or facilities at the main location of operations.

Application Controls

These relate to specific tasks performed by the system and are categorised as:

Input controls – relate to the rejection, correction and resubmission of data where initially incorrect,

Processing controls – ensure that no unauthorized transactions can be processed,

Output controls – relate to the accuracy of processing and the access of output to authorised individuals only,

Input Controls

Some input controls to a computer application include edit checks e.g.

Error listings – each error should be identified and described with a date and time of detection given, the computer application should produce a report on error listings,

Field checks – this control will test the characters in a field to ensure they are correct, some fields should only allow certain characters e.g. numeric or alphabetic. E.g. A payroll number field should only allow numeric data,

Financial totals – this control will ensure that the sum of individual transactions is the same as the control total sum entered for the entire batch of transactions,

Hash totals – a control total e.g. the total number of employees when completing a payroll run, or the total number of invoices when completing a suppliers payment run,

Limit and range checks – this control will be based on known limits e.g. payroll salary scales for employees of a certain grade can only be paid an amount between the lower and upper limit of their salary scale,

Reasonableness (Relationship) tests – ensures the logical correctness of relationships e.g. a percentage of VAT to be calculated from a supplier invoice or a deduction to be made from salary for income tax or pension deduction which is based on a fixed percentage. The information system should be able to calculate these figures automatically from different tables in the database,

Record count – the total number of records processed during the operation of a programme, this is a good control if the total number of records is a fixed known amount e.g. the total number of employees to be paid in a month,

Sequence checks – determine that records are in a certain order, best example is a payroll number to ensure no gaps in payroll IDs issued, it should also ensure that each transaction is given a unique ID number and that no gaps exist between transaction ID numbers,

Sign checks – appropriate arithmetic sign e.g. some fields should always produce a positive figure such as the total number of hours worked in a month while other fields may produce a negative figure,

Validity checks – checks between two independent sources of data e.g. personnel division payroll ID crosschecked with payroll system ID.
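The edit checks listed above, applied to one payroll batch, as an added example that is not part of the manual. The field names, salary scales, personnel IDs and batch contents are constructed assumptions; the code covers the field, validity, sign, limit, sequence, record count and financial total checks and returns an error listing with a detection time for each entry.

```python
from datetime import datetime, timezone
from decimal import Decimal

# Assumed salary scale per grade: (lower limit, upper limit). Hypothetical values.
SALARY_SCALES = {
    "A1": (Decimal("1500"), Decimal("2500")),
    "B2": (Decimal("2400"), Decimal("4000")),
}

# Assumed extract of payroll IDs held by the personnel division (independent source).
PERSONNEL_IDS = {"1001", "1002", "1003", "1005"}

# Constructed batch: control totals entered by the preparer, then the records.
BATCH_HEADER = {"record_count": 6, "financial_total": Decimal("13000")}
BATCH_RECORDS = [
    {"txn_id": 501, "payroll_id": "1001", "grade": "A1", "hours": 160, "gross": Decimal("2000")},
    {"txn_id": 502, "payroll_id": "1002", "grade": "B2", "hours": 160, "gross": Decimal("4500")},
    {"txn_id": 504, "payroll_id": "10O3", "grade": "A1", "hours": 160, "gross": Decimal("1800")},
    {"txn_id": 505, "payroll_id": "1004", "grade": "A1", "hours": 152, "gross": Decimal("1900")},
    {"txn_id": 506, "payroll_id": "1005", "grade": "B2", "hours": -8, "gross": Decimal("3000")},
]


def check_batch(header, records):
    """Run the edit checks and return the error listing for the batch."""
    errors = []

    def reject(txn_id, check, description):
        # Each entry is identified, described and stamped with its detection time.
        errors.append({
            "detected_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "txn_id": txn_id,
            "check": check,
            "description": description,
        })

    for rec in records:
        txn, pid = rec["txn_id"], rec["payroll_id"]
        # Field check: a payroll number may contain digits only.
        if not (pid.isascii() and pid.isdigit()):
            reject(txn, "field", f"payroll number {pid!r} is not numeric")
        # Validity check: the ID must also exist in the personnel records.
        elif pid not in PERSONNEL_IDS:
            reject(txn, "validity", f"payroll ID {pid} not in personnel records")
        # Sign check: hours worked can never be negative.
        if rec["hours"] < 0:
            reject(txn, "sign", f"hours worked is negative ({rec['hours']})")
        # Limit and range check: gross pay must sit inside the grade's scale.
        scale = SALARY_SCALES.get(rec["grade"])
        if scale is None:
            reject(txn, "limit", f"no salary scale for grade {rec['grade']!r}")
        elif not scale[0] <= rec["gross"] <= scale[1]:
            reject(txn, "limit", f"gross {rec['gross']} outside {scale[0]}-{scale[1]}")

    # Sequence check: IDs must rise by one, so gaps, duplicates and
    # out-of-order records are all reported.
    ids = [rec["txn_id"] for rec in records]
    for prev, cur in zip(ids, ids[1:]):
        if cur != prev + 1:
            reject(cur, "sequence", f"expected transaction ID {prev + 1}")

    # Record count: records received against the count on the batch header.
    if len(records) != header["record_count"]:
        reject(None, "record_count",
               f"header says {header['record_count']}, batch holds {len(records)}")

    # Financial total: sum of the transactions against the control total.
    total = sum((rec["gross"] for rec in records), Decimal("0"))
    if total != header["financial_total"]:
        reject(None, "financial_total",
               f"header says {header['financial_total']}, batch sums to {total}")
    return errors


if __name__ == "__main__":
    for entry in check_batch(BATCH_HEADER, BATCH_RECORDS):
        print(entry["detected_at"], entry["txn_id"], entry["check"], entry["description"])
```

A batch that returns a non-empty listing is rejected as a whole and resubmitted after correction, which is the input control described under Application Controls.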

Processing Controls

Some processing controls include:

Some input controls are also processing controls e.g. limit, reasonableness and sign checks

Other logic tests include posting, the comparison of data before and after posting e.g. normally the person who enters data on a system will not be responsible for posting the permanent record to the system,

Zero balance checks where all negative and positive balances equal zero, the best example of this is journal entries where the debit should always equal the credit otherwise it cannot be posted as a permanent record,

Audit trails should be created through the use of input / output control logs, error listings, transaction logs and transaction listings,

Output Controls

Some of the more important output controls include:

User review of output reports and distribution lists for outputs from the system – output reports should indicate when output is incomplete or whenever something does not seem reasonable,

Exception reports produced regularly and reviewed by management, an exception report can be a report on any area with the parameters determined by management. Exceptions do not conform to the predetermined outputs of a particular process / activity and should be investigated,

Error log reports stating the number and type of errors in a particular period, with thorough review of any errors to determine the cause of the error,

End of job markers should be included to demonstrate the last page of a particular report and act as proof that the entire report has been received,

Checksums ensure the integrity of data by checking if the data has been changed from one month to the next, e.g. standing data in a payroll system should remain reasonably constant. Checksums will help determine if data has been changed, when it happened and who did it.
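A month-to-month checksum comparison of payroll standing data, paired with the transaction log that the manual lists under audit trails, as an added example that is not part of the manual. The record layout, log format and all values are constructed assumptions; the checksum shows which records differ, and the log is what supplies the user and time for each change.

```python
import hashlib
import json

# Constructed standing data at two month-ends (field names are assumptions).
JANUARY = [
    {"payroll_id": "1001", "grade": "A1", "bank_account": "00-111"},
    {"payroll_id": "1002", "grade": "B2", "bank_account": "00-222"},
    {"payroll_id": "1003", "grade": "A1", "bank_account": "00-333"},
    {"payroll_id": "1005", "grade": "B2", "bank_account": "00-555"},
]
FEBRUARY = [
    {"grade": "A1", "bank_account": "00-111", "payroll_id": "1001"},  # same data, new key order
    {"payroll_id": "1002", "grade": "B2", "bank_account": "00-999"},  # bank account changed
    {"payroll_id": "1003", "grade": "B2", "bank_account": "00-333"},  # grade changed
    {"payroll_id": "1004", "grade": "A1", "bank_account": "00-444"},  # new record
]

# Constructed transaction log for the period: who changed what, and when.
CHANGE_LOG = [
    {"payroll_id": "1002", "user": "clerk01", "at": "2012-02-14T09:30:00",
     "field": "bank_account"},
]


def record_checksum(record):
    """SHA-256 over a canonical JSON form, so key order cannot alter the digest."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def snapshot(standing_data, key="payroll_id"):
    """Map each record key to its checksum; this is what the auditor retains."""
    return {rec[key]: record_checksum(rec) for rec in standing_data}


def compare_snapshots(previous, current):
    """Classify record keys as added, removed or changed between two snapshots."""
    both = previous.keys() & current.keys()
    return {
        "added": sorted(current.keys() - previous.keys()),
        "removed": sorted(previous.keys() - current.keys()),
        "changed": sorted(k for k in both if previous[k] != current[k]),
    }


def unexplained_changes(diff, change_log, key="payroll_id"):
    """Differences with no transaction-log entry: the ones to investigate first."""
    logged = {entry[key] for entry in change_log}
    touched = diff["added"] + diff["removed"] + diff["changed"]
    return sorted(k for k in touched if k not in logged)


if __name__ == "__main__":
    diff = compare_snapshots(snapshot(JANUARY), snapshot(FEBRUARY))
    print("differences:", diff)
    print("not in the transaction log:", unexplained_changes(diff, CHANGE_LOG))
```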

Access Controls

Access controls include software controls, physical access controls and logical access controls:

1. Software controls – protect files, programmes, data dictionaries and processing etc. from unauthorized access,

2. Physical Controls – limit physical access to a computer lab and protect against environmental hazards such as floods, fires, typhoons, earthquakes etc.,

3. Logical Access Controls – these controls ensure that only those persons with bona fide purpose and authorization have access to computer databases and other systems. These controls are more important in large databases and when access to external systems is available. Some examples include:

Passwords and ID Numbers

This is an effective access control when properly enforced. Passwords should be held securely and should be sufficiently strong: made up of a combination of letters, numbers and other symbols and more than 8 characters long,

File Attributes

These control access to and the use of files e.g. some individuals have read only access, archive and some fields are hidden from other users,

System access logs

This records all attempts to use the system, the date, time, codes used, mode of access, data involved and mode of intervention are all recorded,

Automatic log-off

Removes the possibility of viewing sensitive data at an inactive data terminal.

Computer Assisted Audit Techniques (CAATs)

Internal auditors can use computers to assist them with their audit work. This may include using a computer to help write audit reports, but also using computer assisted audit techniques to assist with the actual internal audit work process.

The major types of Computer Assisted Audit Techniques are:

Use of audit software, i.e. computer programmes used to examine, perform calculations on and take samples from the contents of a Ministry's computer files,

Use of 'test data' i.e. data used by an internal auditor to test the operation of computer programmes,

At the planning stage of an audit, internal auditors should consider the appropriate use of both CAATs and the traditional manual audit procedures. As part of this process, they should consider the following points:

o It is often not practical to perform manual tests in circumstances where computer programmes perform functions for which no visible evidence is available,

o The relative efficiency of the alternatives which are available, having regard to the extent of testing required, the costs and the ability to combine a number of different audit tests with the use of CAATs,

o The time scale for the internal audit work,

o The availability of the required computer facilities, files and programmes to enable CAATs to be used,

o The technical knowledge that internal auditors will need to be able to use CAATs rather than manual audit techniques.

CAATs are a useful tool if they are properly utilised and managed by the internal audit staff. CAATs are run on specialised audit software packages, which will need to be purchased as determined by the head of internal audit. Two of the most popular audit interrogation software packages are:

IDEA (Interactive Data Extraction and Analysis) software,

ACL (Audit Command Language) software.
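An added sketch (not from the manual, and not IDEA or ACL code) of the three things the manual says audit software does with a Ministry's computer files: examine, perform calculations and take samples. The payroll file layout, the flat 10% deduction rate and all records are constructed assumptions.

```python
import random
from datetime import date
from decimal import Decimal

TAX_RATE = Decimal("0.10")  # assumed flat deduction rate, for illustration only

# Constructed personnel extract: payroll_id -> severance date (None = still employed).
PERSONNEL = {
    "2001": None,
    "2002": date(2012, 1, 31),
    "2003": None,
}

# Constructed payroll payments file.
PAYMENTS = [
    {"ref": "P001", "payroll_id": "2001", "paid_on": date(2012, 2, 28),
     "gross": Decimal("2000.00"), "tax": Decimal("200.00"), "net": Decimal("1800.00")},
    {"ref": "P002", "payroll_id": "2002", "paid_on": date(2012, 1, 31),
     "gross": Decimal("3000.00"), "tax": Decimal("300.00"), "net": Decimal("2700.00")},
    {"ref": "P003", "payroll_id": "2002", "paid_on": date(2012, 2, 28),
     "gross": Decimal("3000.00"), "tax": Decimal("300.00"), "net": Decimal("2700.00")},
    {"ref": "P004", "payroll_id": "2003", "paid_on": date(2012, 2, 28),
     "gross": Decimal("2500.00"), "tax": Decimal("250.00"), "net": Decimal("2350.00")},
    {"ref": "P005", "payroll_id": "2003", "paid_on": date(2012, 1, 31),
     "gross": Decimal("2500.00"), "tax": Decimal("200.00"), "net": Decimal("2300.00")},
]


def paid_after_severance(payments, personnel):
    """Examine: payments dated after the employee's severance date."""
    flagged = []
    for p in payments:
        # IDs missing from the personnel extract are left to a separate validity test.
        left = personnel.get(p["payroll_id"])
        if left is not None and p["paid_on"] > left:
            flagged.append(p["ref"])
    return flagged


def recalculation_exceptions(payments, rate=TAX_RATE):
    """Calculate: recompute tax and net pay, and report rows that disagree."""
    exceptions = []
    for p in payments:
        expected_tax = (p["gross"] * rate).quantize(Decimal("0.01"))
        if p["tax"] != expected_tax:
            exceptions.append((p["ref"], "tax", expected_tax))
        expected_net = p["gross"] - p["tax"]
        if p["net"] != expected_net:
            exceptions.append((p["ref"], "net", expected_net))
    return exceptions


def draw_sample(payments, size, seed):
    """Sample: seeded random selection, so a reviewer can re-perform the draw."""
    rng = random.Random(seed)
    chosen = rng.sample(range(len(payments)), min(size, len(payments)))
    return [payments[i]["ref"] for i in sorted(chosen)]


if __name__ == "__main__":
    print("paid after severance:", paid_after_severance(PAYMENTS, PERSONNEL))
    print("recalculation exceptions:", recalculation_exceptions(PAYMENTS))
    print("sample for manual testing:", draw_sample(PAYMENTS, 2, seed=2012))
```

Recording the seed in the working papers lets the head of internal audit re-perform the sample selection when reviewing the file.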

Section 8: Internal Audit and Fraud

An internal auditor should have sufficient knowledge to identify fraud indicators. The internal auditor, however, is not expected to have the expertise of someone whose primary responsibility is detecting and investigating fraud [17]. Nevertheless, they should be on their guard for unusual or suspicious situations.

What is Fraud?

Fraud is a range of irregularities and illegal acts characterised by intentional deception or misrepresentation, and usually occurs for the following reasons:

Opportunity,

Motive,

Rationalization.

Opportunity

An opportunity arises due to a control failing unexpectedly, or the conditions are created to ensure the control fails,

Poor design or lack of key internal controls in a particular system,

Persons in positions of authority override existing internal controls because subordinates or weak internal controls allow them to circumvent the rules.

Motive

Pressure – people may succumb to pressure when committing fraud e.g. external pressure from criminal gangs or domestic pressure of mounting debts and financial obligations,

Greed – people may just suffer from greed and want to satisfy their desires through committing frauds,

Power – People may commit the illegal act just to prove they can do it without getting caught, they are effectively showing a position of power.

Rationalization

Most people consider themselves to be inherently good, therefore they may try to deny an act of fraud or justify it to themselves by stating if senior managers are breaking the rules then it must be all right for others to do so as well,

Some people may be asked to comply with rules that do not make sense to them, e.g. they contradict aspects of their culture, and therefore they ignore them,

Some people feel that stealing is justified due to their own personal hardships, financial difficulties, costly addictions etc.

17 Institute of Internal Audit Practice Advisories

Fraud Prevention

The main deterrents to fraud are described in the COSO framework and include areas already covered in this manual: a strong control environment, risk management processes, control activities, information and communication, and monitoring. Internal audit has a responsibility to assess the internal control systems and determine their adequacy in preventing fraud or acting as a deterrent to it.

Fraud Detection – Internal Audit’s Responsibilities

Internal auditors have an obligation to exercise due professional care when exercising their duties. This includes performing an audit taking into account the possibility that fraud could occur, which specifically involves:

Considering fraud risks – is it likely given the initial control assessment of the department,

Have knowledge of fraud indicators – characteristics of fraud, fraud schemes and scenarios,

Be alert to the opportunities that could allow fraud – control weakness, poor management and should look for the presence of more than one indicator,

Evaluate the indicators and decide whether an investigation is necessary,

Notify the appropriate authorities of their analysis.

Key Point: It is not the responsibility of internal audit to investigate fraud. That should be passed on to an authority, which has detecting and investigating fraud as its primary responsibility.

Examples of Factors Permitting Fraud [18]

Weak Internal controls such as:

Failure to employ appropriate segregation of duties between those responsible for assets and those responsible for purchasing them and maintaining their records,

Permitting unlimited access to assets increasing the risk of theft,

Failure to maintain adequate records and documentation thus no accountability,

The ability to process transactions without proper authorization,

Failure to complete regular reconciliations between existing assets and records,

Large quantities of cash in use unnecessarily,

Poor monitoring / supervision of staff which allows collusion among staff,

Poorly trained workforce particularly those responsible for operating internal controls,

Poor design and control and maintenance of computer applications and IT security,

18 The examples cited are some of the more common fraud factors or indicators in the USAID Office of the Inspector General, Office of Investigations, Fraud Indicator Handbook.

Examples of Common Forms of Fraud

Stealing merchandise, tools and other equipment,

Removing small amounts of cash funds from daily cash receipts,

Failing to record receipts and pocketing the cash,

Overloading expense accounts and targeting advances to personal use,

Lapping customer accounts, i.e. pocketing the first receipt from a customer and off setting the second receipt against the first invoice, the third receipt against the second invoice and so on,

Pocketing payments from the public and issuing fake receipts,

Failure to make daily bank deposits and altering dates on deposit slips,

Ghost employees or paying increased rates or hours to employees for kickbacks,

Carrying employees on the payroll beyond their severance date,

Falsifying additions to payroll through uncontrolled access to the payroll database or through collusion with the payroll database administrator,

Failing to return unclaimed wages,

Increasing the amounts in petty cash vouchers,

Paying false invoices either self prepared or in collusion with suppliers,

Increasing the amount in supplier invoices,

Charging personal expenditure to the Department,

Falsifying inventory records,

Raising cancelled checks to match with fictitious entries in the accounts,

Inserting fictitious ledger sheets in inventory registers,

Deliberately confusing totals in control accounts,

Selling waste and scrap and pocketing the proceeds,

Selling door keys and combinations to safes and vaults,

Obtaining blank cheques and forging the signature,

Permitting special prices to certain suppliers for kickbacks.

Section 9: Audit Reporting

The audit report is the major means of communicating the findings, conclusions, and recommendations of an audit. Much of the work of the internal audit function is judged on the quality of the final audit report, including its analysis and findings, and particularly on the conclusions drawn and the recommendations made.

Recommendations will be judged on:

1. Suggestions for improving internal controls and operational performance, and

2. Identification of better practice and lessons learnt during the audit assignment.

The Reporting Process

Debrief the Auditee

Issue Draft Report and Request Management Response

Review Management Response

Discuss Draft Report with Auditee

Prepare Draft Report

Finalise and Issue the Audit report

Effective Reporting

Reports/communications should include:

The assignment objective(s),

The scope of the assignment,

The results /observations of the audit assignment,

Conclusions of the audit work performed,

Recommendations for improving controls and processes, and

An action plan going forward.

Content of Audit Reports

Content of reports may vary by assignment but at a minimum they should include the purpose, the scope and the results of an assignment.

Final communications may include both:

• Background information – identifies the organisational units and activities reviewed, may also include commentary on previous reports and the status of prior recommendations.

• Summaries – if included (which they should be in a long report), summaries should give a balanced representation of the assignment communication contents and what was expected to be achieved.

Purpose statements – this is the audit objective, why was the assignment performed and what did it expect to achieve.

Scope Statement – identifies the activities to be reviewed clearly identifying the boundaries of the assignment and will include information such as the audit procedures and methodology adopted, along with the time period and geographical area of the assignment.

Results – This includes observations (findings), conclusions (opinions), recommendations and action plans.

Observations

Observations should be objective statements of fact, which need to be accurate and evidence based to support the auditor's conclusions. They should compare what should be with what is actually happening. Observations should be based on the following attributes:

Criteria – The standards, measures or expectations used in making an evaluation – what should be?

Condition – The factual evidence the internal audit found during the examination – what is happening?

Cause – The reason for the difference between the expected and actual conditions - why does the difference exist?

Effect – The risk encountered because the condition does not meet the criteria. In determining the degree of risk the internal auditor should consider the effect that their observations and recommendations would have on the operations and financial statements of the organisation.

Conclusions

Conclusions are the internal auditor's attempt to put the observations and recommendations into perspective based on their overall implications. Conclusions should cover, but are not limited to:

Whether operating or programme objectives and goals conform to those of the organization,

Whether the organisation's programme goals and objectives are being met,

Whether the activity under review is functioning as intended.

Conclusions should be:

Clear and succinctly expressed,

Evidence based – factual evidence compiled in working papers and other documents,

Meaningful – say something that would not have been said if the audit had not been completed,

Useful – lead to positive outcomes from the auditee.

In addition to this, the auditor should:

Spend time when planning the audit thinking about what the possible conclusions may be,

Quantify conclusions where possible, monetary impact will attract attention,

Analyse cause and effect relationships,

Make comparisons with performance indicators,

Link report to other relevant reports completed on the issue in hand.

Recommendations

Internal audit recommendations are based on audit observations and conclusions. They call for action to correct existing conditions or improve operations, including:

Suggesting approaches to correct or enhance performance as a guide for management in enhancing results,

General or specific plans depending on the circumstances, while in some situations it may only be appropriate to advise further investigation or study,

Weighting recommendations in terms of importance, which is determined by the overall impact they will have if implemented.

Incorporate Management's Views

In order to give a proper perspective and present fairly the existing conditions, it may be necessary to report the accomplishments of management since the previous audit/review.

Management views on the audit conclusions or recommendations should also be included in the final report. To enable this to happen, a timetable must be agreed at the start of the process which factors in adequate time for management response.

The internal auditor should always try to reach agreement with management on the audit conclusions and recommendations prior to issuing the final report; a good audit report will never include differences on points of fact though it may include differences in interpretation.

If the auditor cannot reach agreement with management about the audit results then both positions and reasons for the disagreement should be clearly stated.

The auditee’s views may be attached as an appendix to the report or they may be included in the body of the main report; however, it is preferable to include the client’s views at the end of the report as an appendix.

Reporting Confidentiality

Certain information may not be appropriate for disclosure to all report recipients because it is:

Privileged,

Proprietary, or

Related to improper or illegal acts.

Such information may, however, be disclosed in a separate report to senior management. All audit reports must be signed by the head of internal audit prior to being issued; if distributed electronically, a signed version must be maintained on the audit file.

Sample Assignment Reporting Template

The assignment report should include the following sections in all cases:

Cover and Title Page

Executive Summary

Introduction / Background

Scope and Objectives

Observations

Conclusions

Recommendations

Appendices

Quality of Communications

Communications should be:

Accurate – free from error and faithful to the underlying facts,

Objective – unbiased observations, conclusions and recommendations expressed without partisanship, prejudice, personal interests, and undue influence of others,

Clear – easily understood and logical,

Concise – to the point, avoiding unnecessary elaboration, superfluous detail and wordiness,

Constructive – helpful to management, and lead to improvements where needed,

Complete – include all significant relevant information to support conclusions and recommendations,

Timely – enable prompt effective action and facilitate consideration by those who will act on recommendations. As part of the planning process a deadline for completion of the work and reporting should always be stated.

Audit Follow up

The benefits of internal audit report recommendations are reduced, and risks remain, if recommendations are not implemented within the agreed timeframe. The following must be considered by the internal audit function:

A rigorous process of follow-up of audit report recommendations,

A follow up audit should be determined by the risks posed to the organisation,

If internal audit is not satisfied with progress there should be a process to escalate its concerns to senior management so Management fully understands the risks involved,

The internal auditor will also follow up the implementation of agreed recommendations of the external auditor, Committees and other review bodies.

Section 10: Performance Assessment and Quality Assurance

A performance assessment and quality assurance function is of the utmost importance to ensure a consistent standard / quality is produced on a regular basis. The key questions that should be considered in assessing the quality control system's effectiveness are:

1. Are we doing the right jobs?

2. Are we doing the jobs right?

3. Are we getting results?

4. Are we achieving consistent quality?

In order for the internal audit function to answer the above questions the ACEO, IAID and other Internal Audit Managers use the following to manage the function and report against:

Key Performance Indicators (KPIs) – these provide a benchmark against which internal audit and investigations functions can measure their performance. The IAID KPIs are in the Budget Paper.

Management Information System – collects data to report against the KPIs. This data is collected through a structured filing system that orders paper and electronic files and data.

Performance reporting mechanism – in Ministries this is the regular budget monitoring procedure within each Ministry and similarly within Public Bodies. It enables the key stakeholders to receive a performance report on the internal audit function,

A Quality Assurance Function – this new function has been developed to enable the Government to demonstrate a commitment to quality, consistency and continuous improvement in the work performed by the internal audit function, including during external assessments and the PEFA assessment. This includes:

Professional Supervision of the work of internal auditors

Performing internal assessments,

External assessments, and

Report on the annual activities of the internal audit function.

Key Performance Indicators

Key performance indicators tend to be those items that are of the utmost importance to the successful implementation of the internal audit activities; there is a direct link with the strategic objectives established in the internal audit strategic plan.

Key performance indicators address the following areas:

The quality of the audit work performed including client satisfaction,

Timeliness and cost of delivering the audits,

The satisfaction of the internal audit staff, and

The contribution of the internal audit functions to the operations of the organisation.

A sample of internal audit KPIs is attached in appendix 18. Most of the data required to answer this information should be available within the internal audit service; however, other data will have to be collected in order to assess performance. This data is crucial for the external assessment and to enable internal audit to demonstrate to the GoS the value of its operations.

Management Information System

Performance data is collected and collated for reporting against the KPIs each quarter during the budget review. A management information system for an internal audit unit will record information on:

1. Planned internal audits

2. Internal Auditor positions required to complete the work.

3. Internal Auditors available in the positions required to complete the work.

4. Hours internal auditors have available to complete the planned work.

5. Hours and internal auditors assigned to each planned internal audit or to the investigation function

6. Actual hours spent on the internal audit or investigation per internal audit or investigation activity, e.g. planning, review, fieldwork, reporting.

A management information system includes a spreadsheet that is used to allocate the hours available per year per position assigned to high priority internal audits and investigations. To enable the audit manager to deliver the plan, it is supplemented by actual data on activities undertaken and time spent on them per internal auditor against the planned internal audits and the investigations function. A management report is drawn from this data to provide information on the actual work completed against the annual internal audit plan.

An Audit Manager would use information from such a report weekly and monthly, and it would form the basis for the annual report on the internal audit function.

In addition, the ACEO IAID and Audit Managers collect information on client satisfaction with the internal audit and investigations function across government. CEOs are generally very satisfied with the work of internal audit. This information has been collected through interviews. As internal audit assignments flow from the implementation of the Strategic Plan, data on satisfaction will be collected through the completion of short surveys at the end of an audit assignment, with significant issues identified by clients examined in detail.

The surveys will consider issues such as:

The auditors' understanding of the area(s) under review,

The quality of the analytical work performed by the auditors,

The usefulness and practicality of the recommendations made,

The efficiency in performing the audit including releasing the final report,

Assignment with management and acceptance of their suggestions,

Overall value of the work performed during the audit.

An example of a client survey questionnaire is included in appendix 19.

Internal Audit Annual Performance Report

To assist the main stakeholders in reviewing the performance of internal audit, the Chair of the Internal Audit Forum, currently the ACEO, IAID at the Ministry of Finance, prepares an annual performance report, which reports on the achievements against the strategic plan, annual internal audit plans of all units across government, and a summary of performance against the key performance indicators of the internal audit function.

The content of the report agreed with the key stakeholders [19] includes:

Comment on the activities performed and any deviations from the approved plans,

Progress on implementation of the strategic plan for the internal audit function,

Comment on some of the main audit observations made as a result of the activities completed,

The highlights and challenges faced by internal audit during the period,

The contribution of internal audit towards improving financial management and internal control,

The working relationship with other similar review bodies,

Any issues, which need attention e.g. internal audit budget, staffing issues, audit areas etc.

[19] Key stakeholders are the CEO, Ministry of Finance, Controller and Chief Auditor, ADB, AusAID, NZAID, Chairs of the Public Bodies Audit Committees and the SIA.

Implementing KPI’s

Quality Assurance and Improvement Program

The Quality Assurance and Improvement Program (QAIP) is designed to enable the Government to demonstrate that the work performed by the Internal Audit function complies with recognised standards and practices. The following International Standards for the Professional Practice of Internal Auditing (Standards) are relevant to the development of a QAIP:

1300: Quality Assurance and Improvement Program.

1310: Requirements of the Quality Assurance and Improvement Program.

1311: Internal Assessments.

1312: External Assessments.

1320: Reporting on the Quality Assurance and Improvement Program.

1321: Use of “Conforms with the International Standards for the Professional Practice of Internal Auditing.”

The QAIP helps ensure that internal audit work is performed consistently across Government in all assignments undertaken.

“The chief audit executive should develop and maintain a quality assurance and improvement project that covers all aspects of the internal audit activity and continuously monitor its effectiveness… each part of the programme should be designed to help the internal audit activity add value to and improve the organisation's operations…” [20]

The above standards require the head of internal audit to provide assurance to the various stakeholders that the internal audit function is:

Performing its functions in accordance with the charter, internal audit standards and the code of ethics,

Operating in an efficient and effective manner, and

Adding value to and improving business processes and operations.

Key Elements of the Quality Assurance Programme (QAIP)

The purpose of the Government of Samoa’s QAIP for internal audit is to achieve an optimum level of professional competence. An ongoing review of the internal audit activities helps achieve this. The following internal audit activities are part of the QAIP:

All internal auditors to use the internal audit manual and the templates and processes contained in the Practice Guide,

The internal audit function to be actively managed including budget preparation and financial administration,

The evaluation of audit risks and strategic planning of the internal audit function,

The overall scheduling arrangements for audit assignments and time tracking of assignments,

The management, acquisition and maintenance of audit tools and technology development,

The management of staff including staff development, staff evaluation, staff rotation and recruitment policies,

Evaluation of the internal audit quality assurance activities,

Assess the follow-up procedures for recommendations and action plans resulting from internal audit assignments and other assessments performed,

Ensure the internal audit function is keeping up to date with the most recent standards and practices in internal audit.

[20] Institute of Internal Auditors. Standard 1300 Quality Assurance and Improvement programme

Internal Assessments

It is the responsibility of the head of internal audit to ensure that there are adequate ongoing internal assessments in the work performed by the internal audit activity. These are usually included in the routine activities performed and include:

Assignment supervision by a qualified member of staff,

Procedures (contained in the internal audit manual) are followed in the performance of assignments,

Feedback from customers and other stakeholders,

Selective peer reviews of working papers of staff not involved in a particular assignment,

Management of project budgets, timekeeping systems, audit plan completion and cost recoveries,

Analyses of performance metrics as outlined in the key performance indicators.

Examples of internal assessment checklists are included in appendices 14, 15, 16 and 17. See also the Quality Assurance Manual.

External Assessments

According to internal audit standards, an independent external assessment should be completed on the internal audit activities at least every 5 years. Such reviews occur to ensure that the internal audit function is operating to a desired standard. The most recent review was conducted by Mr. Conleth Heron FCMA in 2010 and the next is scheduled for 2015.

Source: International Professional Practices Framework – Practice Guide “Quality Assurance and Improvement Program”

Quality Assurance (QA) Manual

A Quality Assurance Manual – this new QA function has been developed to enable the Government to demonstrate a commitment to quality, consistency and continuous improvement in the work performed by the internal audit function, including during external assessments and the PEFA assessment. The quality assurance (QA) manual documents the procedures to be followed during:

Internal assessments,

External assessments, and

Reporting on the annual activities of the internal audit function.

This manual records the procedures that ensure internal audit managers can demonstrate that all internal audit units across government are:

1. doing the jobs right,

2. getting results,

3. achieving consistent quality.

The Quality Assurance Manual is based on the 6th Edition provided by the Institute of Internal Auditors. The contents of the QA Manual are:

1. Evolving Internal Audit Landscape

2. External Quality Assessment: A Business Focused Quality Assessment

3. Self-Assessment with Independent Evaluation

4. Internal Quality Assessment.

5. Overview of Tools for Quality Assessment.

It is to be adapted by the Internal Audit Forum for use in the Government of Samoa.

An introductory section is to be added to the manual to provide clear direction on how and by whom the procedures will be applied to ensure the professional supervision of the work of internal auditors.

The QA Manual includes examples of successful practices, sample templates, tools and guides.

Application of the QA Manual

No internal auditor can work alone. Where individual internal auditors have been assigned to Ministries or Public Bodies, the professionalism of their work is assured through supervision by a colleague. This supervision takes the form of reviewing and signing off working papers to confirm that the internal auditor has applied the general principles of internal auditing in the Internal Audit Manual and the detailed procedures, programmes and working papers contained in the Practice Guide.

The supervisory role is one of a coach and mentor. The aim of the role is to slowly and surely raise the quality of the planning of internal audits, the field work, and the reports. It will involve two professional internal auditors learning together how best to apply the professional principles and practices in sometimes challenging environments.

The system of professional supervision is NOT a performance appraisal system. That is the role of the direct line supervisor within each Ministry or Public Body.

The professional supervisor does not address matters of content within the Ministry or Public Body. Rather the professional supervisor addresses how best the internal auditor can apply the principles in the Internal Audit Manual and the procedures in the Practice Guide in undertaking internal audits.

Glossary:

Term – Description

Analytical Review – the study and investigation of significant ratios, trends and other statistics to form conclusions about the likelihood of weaknesses and errors in financial systems

Audit Risk – the risk that audit procedures will fail to detect an absent, inappropriately designed or ineffectively implemented internal control or management arrangement, which could result in an unacceptable level of business risk

Business Risk – the risk of the organisation failing to meet its objectives

Control – a procedure designed to ensure that transactions or other information processed through a system are done so in a complete, orderly, accurate and timely manner, and in accordance with the organization’s rules and regulations

Control Risk – the level of business risk not being prevented or detected by the internal control environment as a whole

Detection Risk – the level of business risk not being detected by audit procedures

Fraud – illegal acts characterized by deceit, concealment or violation of trust

Inherent Risk – the level of business risk associated with the organisation as a whole, or the individual system being examined

Internal Control – a policy or procedure designed to minimize the risk of deliberate or accidental errors or omissions in the processing of financial, operating or accounting systems

Internal Control Environment – the whole system of policies and procedures established in order to provide reasonable assurance that the organisation’s objectives are being achieved

Interval Sampling – selection of a sample by extracting every nth item from the population

Materiality – the degree of relevance or significance of an absent, inappropriately designed or ineffective control or management arrangement, in relation to the business risk of the organisation

Materiality by Nature – the degree of relevance towards business risk of an individual system or set of transactions arising from the characteristics of that system and its sensitivity towards public opinion

Materiality by Value – the degree of relevance towards business risk of an individual system or set of transactions arising from its monetary value

Non-sampling Risk – the risk that the auditor draws an incorrect conclusion from an item or items that (s)he has examined

Preliminary Systems Evaluation – an initial evaluation of an audited body’s control environment conducted to establish whether proper accounting records are maintained to provide sufficient, relevant and reliable audit evidence to support a systems based audit approach

Process – a procedure designed to pass transactions or other information through a system

Random Sampling – selection of items from a sample such that all items have an equal chance of being selected, with all bias removed

Sampling Risk – the risk that sampling techniques will lead the auditor to an incorrect conclusion, compared to the conclusion reached if the whole population were tested

Substantive Tests – an evaluation of an individual transaction, asset or liability in comparison to its recorded or expected value or state

Substantive Error – a physical difference between the transaction or property being examined, and what the auditor expects to find

Systems – the procedures and operations by means of which an organization’s transactions and events are affected and recorded

Systems Based Auditing – evaluation of the design and operation of an organization’s systems of internal control

Test of Controls – the evaluation of the design and operation of an identified internal control

Tests of Control Error – a failure to operate a control in the manner intended by management, record evidence of the operation of that control, or failure to comply with rules and policies which exercise control

Value for Money – the economy, efficiency and effectiveness of an organization’s operations

Walk Through Test – the process of confirming an auditor’s understanding of a system and its related controls by following one transaction through the entire system, from start to finish

Appendices:

Appendix 1: Strategic Plan - Internal Audit Resource Allocation

Budget (Currency) | Year 1 | Year 2 | Year 3 | Year 4

Staff Costs

Travel & Accommodation

External Service Provider

Total Costs

Human resources (Days) | Year 1 | Year 2 | Year 3 | Year 4

Available days:

In-house staff

External service provider(s)

Total available days

Less days applied to non audit activities [21]

Total available internal audit days

[21] Non audit work days include holidays, training days, and management activities such as preparing and reviewing strategic and annual plans, meeting with stakeholders etc.

Appendix 2: Strategic Audit Plan - Audit Coverage

Internal Audit unit: Ministry of Finance

Time Budget (Days [22]) | Year of audit: 2010 | 2011 | 2012 | 2013 | 2014

Annual review of fundamental systems

Cash and bank

Payroll and expenses

Purchases and payments

Revenue and receipts

Stores and properties

Procurement and contracts

Other systems and work directed by Accounting Officers

Cyclic work

Review of Governance arrangements

Review of budgetary system

Review of performance management systems

Other VFM work

Contingency [23]

Total days

[22] Total number of audit days will be entered for each activity under each year

[23] The internal audit function should always allow for contingency days to allow flexibility to pick up assignments requested by management at short notice or to allow for audit slippage

Appendix 3: Audit Resources Allocated to Audit Activities

SI | Audit Area [24] | Selection Criteria [25] | Location(s) [26] | No of Days | Date of Assignment

1

2

3

4

5

6

7

8

9

10

[24] Audit area has been identified during the strategic planning

[25] This is directly linked to the audit area and is based on risk analysis, stakeholders' wishes etc.

[26] Where the audit will be performed: in a single ministry or multiple ministries, in the central office or in the field offices, islands

Appendix 4: Control Environment Assessment

Key Issues | Last Year G/A/P [27] | Changes since Last year | This year G/A/P | Audit action required | WP Ref

Good leadership and values offered by senior managers and decision makers

Clarity and effectiveness of management structure

The quality of key staff

Satisfactory financial rules and regulations which are enforced

Evidence that internal controls are operating effectively

Quality and morale of staff operating internal controls

Effective budgetary monitoring control

Overall arrangements for preventing and detecting fraud

IT policies and procedures in place and implemented

Number of outstanding audit queries from external audit

How do we rate the overall control environment?

[27] G = Good, A = Average, P = Poor

Appendix 5: Audit Planning Memorandum Template

Audit Planning Memorandum (to be completed by the Auditor in Charge)

Name of audited unit: _______________________ Budget year _______________________

Date and nature of last audit (if applicable): ________________________________________

Name of HIA: ________________________________________________

Name of auditor in charge: _________________________________________________

Ref. No. | A Results of Preliminary Review | Ref. to working papers

1 Names and designation of staff assigned for the preliminary review of systems and procedures:

(1)

(2)

(3)

(4)

2 Matters arising from visit to the audited unit (Give date(s) and details)

3 Points arising from a review of the previous audit planning memorandum (if any)

4 Major weaknesses in the accounting, financial and operating system and their audit implications

5 Major weaknesses in systems of internal control and their audit implications

6 Major weaknesses noted during previous audits, dates of management letters issued, actions taken by management, and implications for the current audit:

7 Visit(s) (with dates) to audited unit to discuss identified weaknesses, and points of clarification obtained from the audited unit's management

8 Major matters to be pointed out in any management letter to be issued at this stage

9 Names and designations of additional staff to be assigned or withdrawn as a result of the preliminary review

(1)

(2)

(3)

(4)

10 Specific matters to be investigated

11 Systems to be audited (list in ‘Overall Audit Planning Control Form’)

(a)

(b)

(c)

(d)

12 Detailed transactions for which direct substantive testing should be applied (Give, in each case, the amount above which this procedure should be adopted)

13 Estimates of population and sample sizes (list in ‘Overall Audit Planning Control Form’)

Types of Estimates

Recommended

Transactions

Population

Sample size

14 Acceptable error rates

15 Steps to be taken if actual errors found to be above acceptable rates

16 Systems / Transactions to be examined in depth

17 Any additional or special work to be performed

18 Date of staff planning meeting, and any special instructions given

19 Types of Audit programmes required (e.g. cash, purchases, payrolls, etc.)

20 Changes (if any) required to the Specimen Audit programmes in the Manual:

Audit programme Changes Required

21 Estimated time for the audit:

22 Date for commencement of audit:

23 Target date for completion of the audit:

24 Audit work completed to date (check with working papers)

25 Has all the audit documentation been properly maintained?

26 Does the work done to date and the time taken so far appear to be satisfactory as regards:

(a) nature and extent of audit tests done?

(b) resolution of audit queries?

(c) conclusions drawn to date

27 Any significant matters arising from the interim review which need to be reported in a summary of findings and recommendations:

28 Changes (if any) required to the preliminary audit strategy

29 Changes (if any) required to the approved audit programmes

30 Any other matters to ensure satisfactory completion of audit by target date

The interim review has been completed in accordance with IAS policies and procedures and the matters arising have been incorporated in the audit plan.

________________________________

AIC signature Date:

_________________________________

Head of Internal Audit signature Date:

Appendix 6: Sample Working Paper

WP Ref

WORKING PAPER FOR [insert details]

AUDIT OF: YEAR END

PREPARED BY: DATE:

REVIEWED BY: DATE:

Purpose:

Tests:

Test Results:

Test Conclusion:

Recommendations

Appendix 7: Sample Permanent File Checklist

A Organisation Profile

A1 Organisation Vision / Mission

A2 Strategic Plans

A3 Annual Business Plans

A4 Organisational Structure

A5 List of Senior Officials

B Internal Policy Documents

B1 Financial Regulations – Accounting Policies, Budget Policy,

B2 Procedure Notes – Budget Preparation, Accounting Manuals etc

B3 Staff Codes of Conduct

B4 Ethical / Governance Codes

B5 Relevant Laws and Regulations

C Internal Committees

C1 Composition and Regulations of Management Committees

C2 Minutes of Meetings

C3 Composition and Regulations of audit Committees

C4 Minutes of Meetings

D Published Reports

D1 Annual Financial Statements

D2 Annual Budget

D3 Performance Statements Prepared

D4 Other Relevant Reports e.g. report on internal controls

E Permanent Audit Information

E1 Finalized Audit Reports

E2 Notes on Governance Arrangements

E3 Notes on Budget and Performance Management Systems

E4 Accounting System Notes / Flow Charts

E5 IT / IS Notes

F Other Permanent Information

F1 Copies of Long Term Contracts

F2 Location of Central and Main Regional Headquarters

Appendix 8: Sample Interviewing Questions

Agenda Item (action to be taken at meeting is in italics)

Record of Meeting (to be written up during the meeting)

1. Introductions

Record the names and job titles of all those present at the meeting. Introduce the members of the audit team to the operational staff.

2. Overview of the Assignment

Outline and explain the nature and subject of the assignment to management. Explain the reasons for the assignment being included in the audit Plan.

3. Assignment Scope and Objectives

Outline the provisional scope and objectives of the assignment to the management

Discuss the internal Control matters of particular interest or concern

Identify any possible amendments to the scope of the assignment

4. Duration, Resources and Methods

Outline in broad terms the duration of the assignment, who will be involved from the audit side and what procedures will be used

Identify the working arrangements between the audit team and management

5. Issues to be Raised by the Audit Team

Identify any recent changes in management or major system changes / developments

Raise any other issues discussed and record them. Some examples from recent practice include requests for documents, arrangement of further meetings and arrangements for access to certain government offices and sites

6. Questions and Issues From Management

Ask management for their views on the assignment and ask them to identify the operational and control issues in the area of the assignment

Identify any operational concerns or any requests from management

Reassure Management that their views will be taken into account

7. Responses to Management Issues

Make responses as appropriate to management issues raised. Record responses in the minute of the meeting

Issues, Findings and Conclusions (To be completed by interviewer after the interview)

........................................................................................................................................



Appendix 9: Flowchart Shapes

Symbol Title and Explanation

Document – the documents worked on by persons in the system. Operations, checks and controls performed on documents.

Start / End – starting or ending point of the process

Decision – A decision or a branching point, lines representing different decisions emerge from different points of the diamond

Operation / Process – a task carried out by a person in the system.

Document flow – flow of information through the system

Input / Output – represents material or information entering or leaving the system for example a customer order request or a product

Control Operation – a control operation carried out by a person in the system. A control can either prevent or detect errors, omissions or mistakes.

Check Operation – a check operation carried out by a person in the system. A check operation is a confirmatory task conducted by a person during the document flow.

Connector – links to another chart / worksheet

Secure Storage – this is usually a file. In some schemes, the nature of the file is noted within the symbol. D is by date, whilst N denotes numeric and A indicates Alphabetical.


Appendix 10: Stages in Drawing a Flow Chart

There are no hard and fast rules for constructing flowcharts, but there are guidelines that are useful to bear in mind.

Here are six steps that can be used as a guide for completing flowcharts:

1. describe the process to be charted e.g. payroll payments,

2. start with a 'trigger' event e.g. monthly payments due,

3. note each successive action concisely and clearly,

4. go with the main flow (put extra detail in other charts),

5. make cross references to supporting information,

6. follow the process through to a useful conclusion (end at a 'target' point) e.g. reconciliation of monthly payroll payments.

Drawing tips:

Decide what activities are to be shown and the purpose of drawing the flowchart,

Obtain the information needed to draw the flowchart,

A flowchart proceeds from top to bottom and from left to right,

Use arrow heads to show the direction of flow and improve clarity,

A flowchart may be any size but keep dimensions and be as neat and tidy as possible,

The flowchart should be identified with a title, the date and name of the author,

Try and fit flowcharts on as few pages as possible.

Narrative Drawing Tip

Only one flow line is used in a terminal symbol

When starting your flowchart the flow line leaves the symbol

When completing your flowchart, the flow line must enter the terminal symbol

Only one flow line should come out from a process symbol

Only one flow line should enter a decision symbol, but 2 or 3 may leave it depending on the options, the most common decisions however will be Yes / No decisions


Appendix 11: Example of a Cross Functional Flowchart for Procure to Pay


Description of the Controls [C] in the system

The vendor,

Procurement:

C1 – Review of purchase requisition which will include:

The item,

The quantity,

The account coding.

C2 & C3 – Purchase Order (PO) requisitions reviewed on a monthly basis to detect any unauthorized requisitions as well as any excessive order quantities.

Buyer – Purchase Order Processing:

C4 – Creation of a purchase order from the purchase requisition.

C5 & C6 – All purchase orders reviewed monthly to detect any unauthorised POs and any excessive quantities ordered.

Receiving:

C7 – Physical count of all items received and matched to the purchase order. A member in the accounting department reviews inventory general ledger account to ensure that the goods received have not been invoiced by the supplier.

C8 – The buyer from the purchasing department reviews all unmatched purchase order reports on a monthly basis.

Accounts Payable:

C9 & C14 – Invoice received, date stamped as received, matched to the PO, invoice entered on to accounts payable application by different individual.

C10, C12 & C13 – Accounts payable application generates requests for payments based on standing credit data held in the application on the vendor. A check run is prepared by the accounts payable clerk and approved by a supervising officer.

C11 – At the month end, the accounts payable manager reconciles the accounts payment systems sub total with the total held on the general ledger control account.


Appendix 12: Example Audit Programme (Payroll – Control Tests)

Key Control Objective | Expected Control Standard or Activity | Designed into system (Y/N) | Operating (Y/N) | WP Ref

1. Payments are made only to valid employees

New starts confirmed prior to payroll processing, with written confirmation on personnel file.

Preparation, recording and payment functions are adequately segregated.

A unique ID number assigned to each employee, thereby confirming that the payroll contains only valid employees.

Personnel records of authorized employees periodically compared to the payroll. Salaries paid based on the Monthly Payroll Worksheet / Timesheet.

Payroll leavers are processed only on receipt of an appropriately authorized notification.

Pay staff have access to up to date lists of authorized signatories and specimen signatures.

Changes to employee bank details processed, only on receipt of written notification from employees.

Payroll staff and offices confirm that leavers have been removed from the payroll on time.

Independent staff check all new start and leaver output to authorized source documents.

Payroll exception reports produced regularly. Reports followed up independently of those involved in processing input.


Cash pays only issued on production of valid identification and a signature of recipient.

Unclaimed wages recorded and written back as soon as possible.

2. All data input to the payroll system is correct and properly authorized

Where relevant, computer terminal access for both ‘read’ and ‘write’ facilities (including authorization and update functions) is restricted to appropriate staff.

Passwords restricting computer access are regularly changed.

Pay staff have access to up to date lists of authorized signatories and specimen signatures.

All payroll input is entered to the system only on receipt of properly authorized documents.

Accurate overall control totals calculated prior to payroll processing and are reconciled to output control totals.

Payroll authorised prior to release of funds by a senior officer.

3. Permanent payroll standing data is complete and accurate

Offices periodically confirm the accuracy of the permanent standing data held by payroll.

Exception reports, which identify excessive working hours or payments beyond defined limits produced, independently reviewed by management, and followed up as required.

4. Payroll data is adequately protected and is securely stored

Computer files are regularly backed up

Back up files held in a separate location.

In the event of system failure, written procedures exist to re-create the payroll.

Re-creation procedures tested regularly.

5. Payments are correctly calculated in accordance with approved pay scales

Complaints by employees promptly investigated and resolved.

Periodic checks made that all payroll forms and details are properly maintained, and all authorized data correctly entered to the payroll system.

Management should confirm by checking periodically that pay scales and rates of allowances authorized and incorporated in orders and manuals.

All leave requests properly authorized.

Supervisors notified when excess leave is taken.

6. Payroll costs are correctly recorded in the financial accounting system

Periodic reconciliation carried out between bank, payroll system and the general ledger.

A sample review of payments performed periodically to identify incomplete or inaccurate postings.

A test check of a sample of postings is conducted for coding accuracy and invalid postings are reviewed and corrected.

Arithmetic checks are in evidence for all payroll input, including deductions.


Checks that codes have been allocated correctly are conducted.

Exception reports identify invalid codes.

Payroll suspense accounts are cleared and reconciled every month.

7. Payroll payments are correctly calculated in accordance with contracts of employment, pay scales, hours worked and other authorized allowances

Standing data checked periodically by payroll staff and evidenced.

All staff are encouraged to question any salary, allowance, or rate of pay that appears to be inconsistent with an employee’s status or with Government pay fixation scales.

Wages and overtime processed only on receipt of a signed and authorized timesheet.


Appendix 13: Example Audit Programme (Payroll – Substantive Tests)

Test No | Audit Objective and Audit Procedure | Result Satisfactory Y/N | Initials | Date | WP Ref

Completeness: All payments relevant to the period of review have been recorded

1 Compare and reconcile the number of payments made in consecutive periods. Investigate discrepancies.

2 Check a sample of payroll payments have been paid once and only once.

Occurrence: All recorded payments, and transactions to which they relate, actually occurred and were relevant to the period of review

3 Reconcile payroll output totals to general ledger input totals. Investigate any discrepancies.

4 Reconcile payroll output totals to payroll figures recorded on the bank statement.

5 Check a sample of payroll payments to the staffing establishment lists held by personnel. Ensure payments are for the correct amount and have been made to the correct employees.

Measurement: The recorded payments have been properly calculated.

6 For a sample of starters and leavers, check there is adequate authorization from the personnel department. Check payments start and finish on the correct dates.

7 Check amendments to standing data to source records, e.g. changes in salary rates, staff salary levels, expense rates.

8 Check a sample of standing data on the pay roll system to source documents.

9 Where cash payments are used, check a sample of payments to amounts recorded on the payroll system.

10 Interrogate the system to produce lists of payments for further investigation, including:

gross pay greater than a given percentage of basic pay,

gross pay greater than a given limit,

net pay more than 20% above the previous period,

salary above the grade maximum,

overtime greater than a given limit,

allowances greater than a given limit,

cash payments greater than a limit.

11 Review the budget reports for the organization and check that the staff costs charged to the budget relate only to bona fide employees. Check that total staff budget costs are within the approved expenditure vote.

Regularity - All payments are in accordance with relevant legislation and other specific requirements.

12 Review a sample of deductions from payroll (e.g. income tax, pension payments) and check these have been calculated in accordance with existing legislation.

13 Check that monthly / annual totals transferred to the tax authorities agree to the tax authority’s records.

14 Check any other payroll deductions to appropriate source records.

Disclosure - all payments have been properly classified and allocated to the appropriate expenditure votes.

15 Check that a sample of payroll transactions have been coded correctly on the general ledger.
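The interrogation in test 10 above, written out as an added Python example (not part of the manual). Field names, rule codes and every limit except the 20% net-pay rise are assumptions, "salary" is taken to mean basic pay, and the payroll lines are constructed.

```python
"""Payroll exception listing for substantive test 10 (added example)."""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Limits:
    # Assumed values: the manual only says "a given limit" / "given percentage".
    gross_pct_of_basic: Decimal = Decimal("150")
    gross_pay: Decimal = Decimal("5000")
    overtime: Decimal = Decimal("800")
    allowances: Decimal = Decimal("600")
    cash_payment: Decimal = Decimal("1000")
    # Stated in test 10: net pay more than 20% above the previous period.
    net_rise_pct: Decimal = Decimal("20")


@dataclass(frozen=True)
class PayLine:
    employee_id: str
    basic_pay: Decimal
    gross_pay: Decimal
    net_pay: Decimal
    overtime: Decimal
    allowances: Decimal
    grade_max: Decimal   # maximum basic salary for the employee's grade
    paid_in_cash: bool


def exceptions_for(line, prev_net, limits=Limits()):
    """Return the rule codes one payroll line hits, in the order test 10 lists them."""
    hits = []
    # Cross-multiply instead of dividing so a zero basic pay cannot raise.
    if line.gross_pay * 100 > line.basic_pay * limits.gross_pct_of_basic:
        hits.append("GROSS_PCT_OF_BASIC")
    if line.gross_pay > limits.gross_pay:
        hits.append("GROSS_LIMIT")
    # "More than 20%" is strict: a rise of exactly 20% is not listed.
    # Lines with no prior-period figure (new starters) are skipped for this rule.
    if prev_net is not None and line.net_pay * 100 > prev_net * (100 + limits.net_rise_pct):
        hits.append("NET_RISE")
    if line.basic_pay > line.grade_max:
        hits.append("ABOVE_GRADE_MAX")
    if line.overtime > limits.overtime:
        hits.append("OVERTIME_LIMIT")
    if line.allowances > limits.allowances:
        hits.append("ALLOWANCE_LIMIT")
    if line.paid_in_cash and line.net_pay > limits.cash_payment:
        hits.append("CASH_LIMIT")
    return hits


def exception_report(current, previous_net, limits=Limits()):
    """Map employee_id -> rule codes for every line needing further investigation."""
    report = {}
    for line in current:
        hits = exceptions_for(line, previous_net.get(line.employee_id), limits)
        if hits:
            report[line.employee_id] = hits
    return report


def _line(emp, basic, gross, net, overtime, allowances, grade_max, cash=False):
    d = Decimal
    return PayLine(emp, d(basic), d(gross), d(net), d(overtime),
                   d(allowances), d(grade_max), cash)


# Constructed sample data: net pay per employee in the previous period.
PREVIOUS_NET = {
    "E001": Decimal("2000"), "E002": Decimal("1500"),
    "E003": Decimal("3000"), "E004": Decimal("900"),
}

# Constructed sample data: current-period payroll lines.
CURRENT_PERIOD = [
    _line("E001", "2400", "2600", "2050", "100", "100", "2500"),
    _line("E002", "1800", "3000", "1900", "900", "300", "2000"),
    _line("E003", "4200", "5200", "3600", "0", "1000", "4000"),   # net rise exactly 20%
    _line("E004", "1000", "1300", "1100", "200", "100", "1200", cash=True),
    _line("E005", "1500", "1600", "1300", "50", "50", "2000"),    # no prior period
]

if __name__ == "__main__":
    for emp, rules in exception_report(CURRENT_PERIOD, PREVIOUS_NET).items():
        print(emp, ", ".join(rules))
```

Each listed line still has to be traced to source documents; the listing only selects which payments to investigate.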


Appendix 14: Example Quality Control – Assignment Planning Checklist

Ref. No. | Planning Checklist Question | Yes | No | NA | Initial | Date

Familiarisation

1 Have you visited the organization and acquired a familiarity by interviewing management and senior employees, studying important documents concerning the entity and its activities, etc.?

2 Have you prepared systems notes (Flowcharted) on the main features and procedures of the accounting system?

3 Have you prepared systems notes of the checks and balances inherent in the system of internal control?

4 Have you reviewed and updated the existing systems notes, if any?

5 Are there any weaknesses in the accounting systems and systems of internal control, which are evident from the systems notes?

6 Have you noted all such weaknesses in the Audit Planning Memorandum?

INTERNAL CONTROL EVALUATIONS

7 Have you evaluated the organization's accounting, financial and operating internal control systems, and procedures?

8 Are you satisfied that the evaluations have been properly reviewed and that the audit implications of any weaknesses are fully covered?

9 Have you yourself evaluated the audit implications of any negative answers?

ACTIONS FOR FOLLOW UP (PREVIOUS AUDITS)

10 Have you reviewed prior-year reports for:

a) points to which special attention should be paid?

b) improvements to be made to the contents and style of the audit report.

11 Have you reviewed prior-year working papers for:

a) points noted (if any) for attention at the next audit.

b) the necessity types of schedules, analyses etc. previously prepared.

c) audit work previously found to be inadequate or excessive.

d) action taken by the audited body to rectify matters previously reported upon.

e) changes in circumstances since the previous audit?

STAFF ASSIGNMENT

12 Are you satisfied with the number and quality of the staff assigned to this audit?

TIME BUDGETING

13 Have you prepared a time budget based on the particular complexities of the audit and the experience and competence of the staff assigned?

14 Did you prepare a time budget on a systematic analysis of the time estimated for each stage of the audit procedure to be undertaken?

15 Is the total audit time within the specified budget for the particular audit category?

16 Has the time budget been approved by the Head of Division?

PLANNING MEETING

17 Have you held a planning meeting with the staff assigned to the audit and discussed with them aspects of the audit and the work to be undertaken?

18 Have you reviewed with the staff assigned to the audit, the following:

a) systems notes to draw their attention to particular systems and control weaknesses and the audit implications thereof.

b) prior-year audit report, if any, to draw their attention to particular items or matters?

c) prior-year working papers (if any) to draw their attention to unnecessary or excessive audit work previously done and to points noted previously for attention at the next audit?

d) the time budgeted for the audit and the target date for completion of all audit procedures.

e) other relevant matters noted in the APM?

19 Do the scope, extent and timing of the audit tests take account of the audit implications of control weaknesses disclosed by the systems notes?

20 Has a staff briefing been completed prior to commencing the fieldwork?

AUDIT PROGRAMMES

21 Have audit programmes been tailored for the audit area to take account of the strengths and weaknesses of the accounting and systems of internal control?

22 Do the scope, extent and timing of the audit tests take account of the audit implications of control weaknesses disclosed by the systems notes?

AUDIT PLANNING MEMORANDUM

23 Have you prepared and completed the main sections of the APM as per prescribed procedures?

24 Have you noted the names and designations of all staff assigned to the audit?

26 Have you recorded the approved time budget?

27 Have you recorded the date of the staff planning meeting, the principal matters discussed, points arising at the meeting and any actions yet to be taken?


Appendix 15: Example Quality Control - Planning Review Checklist

Ref. No. | Planning Review Checklist Question | Yes | No | NA | Initials | Date

1 Are all “Yes” answers in the audit-planning checklist (Appendix 14) justified?

2 Are you satisfied with the justifications given for any 'No' answers in the Audit Planning Checklist?

3 Have you reviewed the number and quality of the staff assigned to the audit and made adjustments where necessary?

4 Are you satisfied that the audit programmes fit the audited body's particular circumstances and that the scope and extent of the proposed tests adequately cover all implications arising from evaluation of the accounting system and the systems of internal control?

5 Have you reviewed and approved the estimated time budget required for the audit?

6 Have you discussed with the audited body's management all weaknesses identified from the systems notes, and are you satisfied that the identified weaknesses do exist?

7 Have you issued a letter to the audited body setting out all material accounting or control weaknesses found?

8 Are you satisfied that the audit-planning memorandum clearly records all the major weaknesses identified, and the principal matters addressed in determining the audit strategy?

9 Have you reviewed the audit strategy to satisfy yourself with the appropriateness of the proposed audit approach?

11 Have you conducted an interim review after the audit commenced? In addition, have you devised a revised audit strategy in the light of such review?

12 Have you ensured the independence of internal audit staff on this assignment?


Appendix 16: Example Quality Control - Audit Fieldwork Checklist

Ref. No. | Fieldwork Checklist Question | Yes | No | NA | Initials | Date

1 The audit is carried out in accordance with auditing standards, policies and manuals, guidelines and documented practices.

2 The auditors have a sound understanding of the techniques and procedures such as inspection, observation, enquiry, interviewing etc to collect audit evidence.

3 All phases of the audit have been carried out as planned and approved.

4 Valid explanations are given and documented explaining why parts of the audit plan have not been completed.

5 Appropriate approval exists for significant deviations from the audit plan.

6 Staff resources used for audit are largely in line with those planned in terms of time, grade and expenses entailed.

7 Justification is available for material deviations from budgeted resources.

8 Appropriate audit techniques and audit procedures were used to fulfil each audit objective in order to provide for effective audit evidence.

9 There is evidence of the use of Computer Assisted Audit Techniques where appropriate.

10 There is evidence of appropriate testing of internal control systems.

11 Appropriate analytical procedures were used including an assessment of the reliability of the supporting data.

12 Appropriate sampling methods were used when performing the audit where 100% coverage was not possible.


13 All tests of transactions were clearly related to audit objectives outlined in the audit programmes.

14 Evidence of full investigation was made of all queries raised during the audit.

15 There are adequate working papers in the audit file, properly cross referenced in respect of:

Evaluation of internal controls,

Audit programmes completed,

Tests of control,

Analytical review,

Substantive tests,

Systems documentation, and

Audit of computer based applications.

16 Working papers have been properly cross referenced using the Internal audit function referencing system.


Appendix 17: Example Quality Control - Audit Reporting Checklist

Ref. No. | Reporting Checklist Question | Yes | No | NA | Initials | Date

1 Reporting is in accordance with auditing policies, standards and manuals.

2 The form and content of reports are in accordance with established procedures e.g. title, signature and date, objectives and scope, addressee, legal basis, timeliness etc.

3 Terminology used in reports can be easily understood by the person to whom the report is presented and technical terms are fully explained.

4 All audit findings have been evaluated in terms of materiality, errors and other irregularities.

5 All errors, deficiencies and unusual matters have been properly identified, documented and satisfactorily resolved, or brought to the attention of appropriate staff member (auditee).

6 The final audit report covers all areas representing the objectives of the audit or explanations are provided for omissions.

7 Observations and conclusions in reports are supported and well documented to ensure completeness, accuracy and validity of working papers.

8 All evaluations and conclusions are soundly based and supported by competent relevant and reasonable audit evidence.

9 Only sufficiently material audit findings are included in the main audit report.

10 The report is timely, comprehensive, performed by suitably qualified staff and appropriately documented.

11 Receipt of relevant and timely replies of the audit to the internal audit function is ensured.

12 Replies to audit queries have been carefully studied with contested findings duly evaluated.


13 Materially relevant comments by the auditee have been incorporated in the audit report.

14 All significant fraud or other irregularities have been notified to the appropriate authorities.

15 Material items requiring subsequent follow up have been duly identified, recorded and taken into account.

16 Action plans to address audit recommendations have been agreed with the auditee.

Appendix 18: Example Key Performance Indicators [28]

Performance Indicator | Target | Actual | Percentage Variation

Performance against plan

Number of audits completed.

Number of audits delivered by due date.

Cost of audit plan.

Stakeholders

Stakeholders assessment of overall contribution of internal audit

Auditee assessment of overall contribution from client satisfaction survey results

Number of requests for ad hoc advice or assistance from management

Staff

Staff satisfaction

Training days per staff member

% staff turnover

Overall Contribution

Identification of key issues brought to attention of stakeholders

Recommendations made that led to performance, process improvements

Clients assessments of benefits resulting from internal audit activities

28 KPIs will vary according to the strategic objectives of the internal audit function; however, the examples given provide a good platform from which to develop the KPI for an internal audit function.


Appendix 19: Example Client Satisfaction Survey

Rating Scale:

Performance: 1 Strongly Disagree, 2 Disagree, 3 Agree, 4 Strongly Agree

Question Performance

The timing of the audit was appropriate. 1 2 3 4

My staff and I were informed in advance of the audit and given adequate time to prepare. 1 2 3 4

My staff and I were given the opportunity to provide input, including any concerns and our perspectives to the planning process. 1 2 3 4

The audit focused on issues that were important. 1 2 3 4

I was kept informed throughout the audit process. 1 2 3 4

The internal auditor was knowledgeable on the subject matter under review. 1 2 3 4

The internal auditor was professional and objective in the audit approach. 1 2 3 4

I was given the opportunity to provide input on the audit findings and the conclusions reached by the auditor and on the recommendations made to address them. 1 2 3 4

The conclusions reached were adequately supported by relevant facts and thorough analysis. 1 2 3 4

The audit was completed on a timely basis. 1 2 3 4

The audit report was balanced and constructive. 1 2 3 4

Recommendations were useful, realistic and cost effective. 1 2 3 4

Overall I was satisfied with the audit. 1 2 3 4

Please tell us which aspects of the audit you were most happy / unhappy with:


Appendix 20: Model Charter of Internal Audit

<Insert name of Ministry / Public Body>

Government of Samoa

Model Charter of Internal Audit


<add the role of the relevant Ministry / Public Body>

<For example:

ROLE OF THE MINISTRY OF FINANCE

The role of the Ministry of Finance is to promote accountability and transparency in service delivery to the community through establishment and implementation of sound financial management systems, standards, policies and procedures.>

PURPOSE OF INTERNAL AUDIT AND INVESTIGATIONS

The internal audit and investigations function provides the CEO with assurance that the systems, standards, policies and procedures in place are operating as intended and providing value to the community.

INDEPENDENCE

Internal auditors and investigators are independent of the management and staff of the Ministry / Public Body. They report directly to the Audit Committee, where one is operating, or to the CEO. This permits internal auditors to render the impartial and unbiased judgments essential to the proper conduct of audit assignments. To provide for the independence of the internal auditing and investigations function, its personnel report to the Chief Audit Executive (CAE), who reports administratively to the chief executive officer and functionally to the board and audit committee in a manner outlined in the section on Accountability. The CAE will include as part of the annual internal audit and investigations report to the audit committee a regular report on internal audit resources and the continuing professional development of personnel.

AUTHORITY AND CONFIDENTIALITY

In exercising professional independence, internal auditors and investigators also have a professional duty to keep confidential all information obtained in the exercise of their duties. The internal auditors and investigators are formally delegated by the CEO with the authority to:

Have unrestricted access to all functions, records, property, and personnel.

Have full and free access to the audit committee.

Allocate resources, set frequencies, select subjects, determine the scope of work, and apply the techniques required to accomplish audit objectives.

Obtain the necessary assistance of personnel in Ministries and Public Bodies of the Government where they perform audits and investigations, as well as other specialized services from within or outside the Government.

They work in accordance with professional standards, and their work is subject to professional supervision and independent quality assurance review. They work in accordance with the Government’s Code of Conduct and the Internal Auditors Professional Code of Ethics.

The CAE and staff of the internal auditing function of the <insert Ministry / Public Body name> are not authorized to:

Perform any operational duties for any entity of the Government of Samoa.

Initiate or approve accounting transactions external to the internal auditing function.

Direct the activities of any Government employee not employed by the internal auditing and investigations’ function, except to the extent such employees have been appropriately assigned to auditing and investigation teams or to otherwise assist the internal auditors.

SCOPE OF INTERNAL AUDIT ACTIVITY

The scope of work of the internal auditing function is to determine whether the Government of Samoa’s network of risk management, control, and governance processes, as designed and represented by management, is adequate and functioning in a manner to ensure:

Risks are appropriately identified and managed.

Interaction with the various governance groups occurs as needed.

Significant financial, managerial, and operating information is accurate, reliable, and timely.

Employees’ actions are in compliance with policies, standards, procedures, and applicable laws and regulations.

Resources are acquired economically, used efficiently, and adequately protected.

Programs, plans, and objectives are achieved.

Quality and continuous improvement are fostered in the control processes in Ministries and Public Bodies.

Significant legislative or regulatory issues impacting the Ministries, Public Bodies and associated entities are recognized and addressed properly.

Opportunities for improving management control, profitability, and the image of the Ministries, Public Bodies and associated entities may be identified during audits. They will be communicated to the appropriate level of management.

ACCOUNTABILITY

Each chief audit executive (CAE), in the discharge of his/her duties, shall be accountable to management and the audit committee to:

Provide annually an assessment on the adequacy and effectiveness of the Ministry’s / Public Body’s processes for controlling its activities and managing its risks in the areas set forth under the mission and scope of work.

Report significant issues related to the processes for controlling the activities of the Ministry / Public Body, including potential improvements to those processes, and provide information concerning such issues through resolution.

Provide information periodically on the status and results of the annual audit plan and the sufficiency of internal audit and investigations’ resources.

Coordinate with and provide oversight of other control and monitoring functions (risk management, compliance, security, legal, ethics, environmental, external audit).


ROLE AND RESPONSIBILITY

The internal audit function in the <insert name of Ministry / Public Body> provides the CEO with assurance on the financial systems, standards, policies and procedures applied across Government. It does this through work agreed in an annual audit plan, which includes systems audits, compliance audits, spot checks, investigations arising from irregularity reports and other significant events, and pre-audits as agreed with the CEO.

The CAE and staff of the internal auditing and investigations functions have responsibility to: <delete what does not apply, or for which the current internal audit staff do not have the competency to complete professionally>

Develop a flexible annual audit plan using appropriate risk-based methodology, including any risks or control concerns identified by management, and submit that plan to the audit committee for review and approval.

Implement the annual audit plan, as approved, including, and as appropriate, any special tasks or projects requested by management and the audit committee.

Maintain a professional audit staff with sufficient knowledge, skills, experience, and professional certifications to meet the requirements of this Charter.

Establish a quality assurance program by which the CAE assures the operation of internal auditing and investigations’ activities.

Perform consulting services, beyond internal auditing assurance services, to assist management in meeting its objectives. Examples may include facilitation, process design, training, and advisory services.

Evaluate and assess significant merging/consolidating functions and new or changing services, processes, operations, and control processes coincident with their development, implementation, and/or expansion.

Undertake investigations arising from matters raised in the irregularity reports of CEOs.

Issue periodic reports to the audit committee and management summarizing results of audit and investigations’ activities.

Keep the audit committee informed of emerging trends and successful practices in internal auditing and investigations.

Provide a list of significant measurement goals and results to the audit committee.

Assist in the investigation of significant suspected fraudulent activities within the organization and notify management and the audit committee of the results.

Consider the scope of work of the external auditors and regulators, as appropriate, for the purpose of providing optimal audit coverage to the Government at a reasonable overall cost.

STANDARDS OF AUDIT PRACTICE

The internal auditing function will meet or exceed the International Standards for the Professional Practice of Internal Auditing of The Institute of Internal Auditors.

RELATIONSHIP WITH THE CONTROLLER AND CHIEF AUDITOR

The <insert title of CAE> will meet and consult with the Controller and Chief Auditor in preparing the strategic plan and annual work plan. She will provide the Controller and Chief Auditor with access to internal audit and investigation files and working papers to enable the external auditor to determine the work he needs to complete to fulfil his function. The ACEO, IAID is authorized to work with the Controller and Chief Auditor to fulfill the role, function and responsibility of internal audit in the <insert name of Ministry / Public Body>.


PLANNING

This charter is prepared to achieve the objectives of the Strategic Plan of Internal Audit and Investigations for the Government of Samoa for the period 2012-2016. It will be reviewed after the final Annual Audit Plan for 2012 has been submitted.

REPORTING

The <insert title of Internal Auditor> will report on administrative matters to the CEO. <Insert reporting timetable agreed with Audit Committee / CEO>. The <insert title of Internal Auditor> will present an annual report of the Internal Audit Forum to the CEO on the internal audit function across government. S/He will also report annually on the use of internal audit resources, the continuing professional development of staff and the achievement of audits against the annual internal audit plan.

ADMINISTRATIVE ARRANGEMENTS

The draft Internal Audit Manual has been prepared and is being distributed to all internal auditors across government for their comment. Once that consultation process is complete, the draft manual will be distributed to all internal auditors across Government. Once agreed, the Manual will be applied in the internal audit of <insert name of Ministry / Public Body>.

<ADD KPIs from BUDGET>

The next external review of the internal audit function is due in 2016.

REVIEW OF THE CHARTER

This charter will be reviewed after approval of the Annual Audit Plan or by 31st May in each year, whichever is the sooner.

_________________________________          ____________________________
Chief Audit Executive                      Chief Executive Officer

_________________________________          Date: ……………………………
Audit Committee Chair


References

The Institute of Internal Auditors www.theiia.org

The internal audit standards

The internal audit code of ethics

The internal audit practice advisories

The internal audit professional practices framework

The institute of internal audit journals

Public Sector Audit Agencies

The International Organisation of Supreme Audit Institutions www.intosai.org

The Asian Organisation of Supreme Audit Institutions www.asosai.org

The Australian National Audit Office www.anao.gov.au

The UK National Audit Office www.nao.gov.uk

Audit New Zealand www.auditnz.gov.nz

The Audit Commission www.audit-commission.gov.uk

The United States Government Accountability Office www.gao.gov

Standard Setting Bodies

The International Federation of Accountants www.ifac.org

The Information System Audit and Control Association www.isaca.org

The International Standards for Supreme Audit Institutions www.issai.org

The Committee of Sponsoring Organisations www.coso.org