iat manual final.doc

7/29/2019 iat manual final.doc

1/62

INTERNAL AUDIT MANUAL

SNIPS UTENSILS MANUFACTURING COMPANY

GROUP 3

CATLI, FELY JANE

PUNZALAN, PRINCESS ANGELA

RAMALES, MA. FIANNE

REYES, VIRGINIA

YAP, AVELINJHEE


2/62


SECTION TABLE OF CONTENTS

10 Introduction

10.1 Organization of the Manual

110.2 Corporate Governance

2Definition and Purpose2Code of Corporate Governance

2Corporate Governance Manual2Role of the Board of Directors for Corporate Governance4

10.3 Overview of the Internal Auditing ActivityDefinition of Internal Audit4Internal Auditing Activity Framework6

10.4 Audit Committee7

10.5 Internal Audit Department8

10.6 Audit StaffingPosition Description and Staffing Level10Staff Knowledge and Skills10

Audit Staff Profession Certification12Continuing Professional Education12

10.7 Internal Audit Professional Organization & Governing BodiesInstitute of Internal Auditors13Institute of Internal Auditors Philippines13Information Systems Audit and Control Association14


3/62

20 Audit Concepts and Standards

20.1 Professional Practices Framework14

20.2 Internal Auditing Code of Ethics

1420.3 Standards for the Professional Practice of Internal Auditing

1520.4 Overview of Internal Control Framework

15Elements of Internal Control15

Control environment16

Risk assessment16

Information and communication16

Approved for implementation by: Effective Date: Property of

INTERNALAUDIT

DIVISION__________________________

Chairman, Audit and Compliance CommitteeSep 24 2010

This Manual may not be photocopied or taken out of the Companys premises without prior written approval



Monitoring and Control activities17

20.5 Control Objective for Information and Related TechnologyFramework19

Principles1920.6 Risks Framework

Risks Consideration in Planning the Audit21

20.7 Audit ObjectiveObtaining audit evidence21


4/62

Sufficiency of audit evidence22

Appropriateness of audit evidence22

Nature

23 Timing24Techniques to obtain audit evidence24

Inspection25

Observation26

Inquiry27

External confirmation28Computation

29

30 Audit Planning

30.1 Introduction30

30.2 Strategic Analysis

31Data Requirements and Sources31

30.3 Risk Assessment and Risk Management SystemRisk Management System34Risk Assessment35

30.4 Performing analytical procedures in planning the audit35

30.5 Setting the Audit Universe

35


INTERNALAUDIT

DIVISION__________________________ Sep 24 2010


5/62

Chairman, Audit and Compliance Committee




Establishing the audit universe35Defining the Risk Criteria35Ranking the Audit Universe36

30.6 Engagement time and cost estimates

3830.7 Audit Staffing and Logistical Plan39

30.8 Approval and Communication of Audit Plan40

40 Audit Process

40.1 Audit Engagement Plan40.2OpeningConference

6140.3ProcessAnalysis

62

40.5. ExitConference62

8440.6.AuditReporting

6240.7. Follow-upandMonitoring

62

50 Audit Documentation and Quality Reviews

50.1 Audit Work Documentation


6/62


INTERNALAUDIT

DIVISION__________________________





Managing working papers 62Standard working papers 63

Documents obtained from Auditee 63Digital format working papers 63Working paper organization and indexing 63Ownership and access to working papers 63

50.2 Quality Assurance ProgramObjectives 64Scope and Approach 64Measuring the Internal Audit Activity performance 64

50 Appendices

1 Code of Corporate Governance2 Corporate Governance Manual3 Sample Audit Committee Charter 4 Sample Internal Audit Department Charter 5 Position Description of Audit Team Members6 Internal Auditing Code of Ethics7 Standards for Professional Practice of Internal Auditing8 Business Risk Model


7/62

9 Pest Analysis10 Five Forces Analysis11 Audit Universe Risk Ranking Worksheet12 Sample Audit Engagement Plan13 Process Analysis Worksheet


INTERNALAUDIT

DIVISION__________________________



INTRODUCTION

10.1 Organization of the Manual

This INTERNAL AUDIT MANUAL was developed using as guide of the

Professional Practice Framework issued by the Institute of Internal Auditors (IIA).

It defines the policies, procedures and standards to be used by the Internal Audit

Department of the company as guidelines in all engagements to be performed.

This would provide the audit team with a tool to consistently provide quality audit

services the board, senior management, and external third parties.

In case there is a deviation to the standards set in this manual, the

judgment of the Chief Audit Executive has to be used with the end in mind of

providing better set of procedures in performing the audit service.

Referenced to specific reference materials for more detailed discussions

and examples about the subject matters or business practices, which are not

within the scope of this manual, can be adopted.


8/62

10.2 Corporate Governance

Definition and Purpose

Corporate Governance refers to the framework of rules, systems and

processes in the corporation that governs the performance by the Board of

Directors and Management of their respective duties and responsibilities to the

stockholders.

It is the policy of the Company to adopt the above definition and setup a

corporate governance system that institutes checks and balances designed to

permit the appropriate scope of authority (power) and limit the abuse of that

authority (accountability). For the corporate governance system to be effective, it

should be based upon strong working relationships among four groups:

management, the board, external auditors, and internal auditors.

The board of directors is typically central to corporate governance. Its

relationship to the other primary participants, typically shareholders and

management, is critical. Additional participants include employees, customers,

suppliers, and creditors.

The corporate governance framework also depends on the legal,

regulatory, institutional and ethical environment of the community.

Code of Corporate Governance

In the year 2002, the Securities and Exchange Commission (SEC) of the

Philippines in its Memorandum Circular No. 2, Series of 2002 promulgated the


9/62

Code of Corporate Governance. The Code specifies:

In accordance with the States policy to actively promote corporate

governance reforms aimed to raise investor confidence, develop capital market

and help achieve high sustained growth for the corporate sector and the

economy, the Commission, in its Resolution No.135, Series of 2002 dated April

4, 2002, approved the promulgation and implementation of this Code, which shall

be applicable to corporations whose securities are registered or listed,

corporations which are grantees of permits/licenses and secondary franchise

from the Commission and public companies. This Code also applies to branches

or subsidiaries of foreign corporations operating in the Philippines whose

securities are registered or listed.

Corporate GovernanceManual

In connection with the SEC Memorandum Circular No.2, Series of 2002,

the Internal Audit Department assisted in the setting up of the Corporate

Governance manual.

The Chief Audit Executive of the company is tasked to coordinate with the

Companys management in the implementation of this Corporate Governance

Manual.

Role of the Board of Directors for corporate Governance

The Companys Board of Directors is the first tier of the levels of elements

of corporate governance. Through oversight, review, and counsel, the Board of

Directors establishes and promotes the business and organization objectives.


10/62

The Board oversees the companys business affairs and integrity, works with

management to determine the companys mission and long-term strategy,

performs the annual CEO evaluation, oversees CEO succession planning,

oversees internal controls over financial reporting, and assesses company risks

and strategies for risk mitigation.

In ensuring that the stakeholders interests are being protected, the board

should adhere to the implementation of the code of corporate governance

promulgated by the SEC of the Philippines and ensure that a corporate

governance manual is used by the company.

10.3. Overview of Internal auditing activity

This section outlines the Internal Auditors responsibilities with respect to the

internal audit function. The internal auditor describes audit planning and

scheduling, and discusses the scope and types of internal audits generally

performed.

Definition of Internal Audit

Internal Auditing is an independent, objective assurance and consulting

activity designed to add value an organizations operations. It helps an

organization accomplish its objectives by bringing a systematic, disciplined

approach to evaluate and improve the effectiveness of risk management, control,

and governance process.

Internal Audit is an independent appraisal function. The Internal Audit

Department examines and evaluates the company's business and administrative


11/62

activities. The independent and objective service provided by the Internal Audit

includes the evaluating and promoting of the accomplishment of the vision and

mission of the company.

The Internal Audit Department assists all levels of management of the

company in the effective discharge of their responsibilities. Internal auditing

furnishes them with analyses, recommendations, counsel and information

concerning the activities and records reviewed. The Office of Internal Audit

reports to the board and to management. In carrying out their duties and

responsibilities, the internal auditing office has full, free, unrestricted access to all

of the Company's activity, records, personnel and property.

Objective

The Internal Audit department is committed to the highest professional

standards for conducting audits in the company. The department will continue to

provide assurance that the manufacturing company operates effectively,

efficiently, provides outstanding requirements of the clients and implements best

practices in carrying its operations and activities.

Goal

In executing the aim of the department, the Internal Audit will focus on the

following goals:

Perform all audits in compliance with International Standards for the

Professional Practice of Internal Auditing (Standards)

Develop annual reporting

Perform audits within the assigned time budgets


12/62

Perform a post audit review

Provide audit sufficient training to satisfy IPPF Continuing

Education Requirements

Adhere to the Code of Ethics of the Institute of Internal

Auditors

Internal Auditing Activity Framework

The Internal Audit Activity of the Company has two major phases, namely

Audit Planning and Audit Process.

In Audit Planning, the audit plan for a year is set, detailing the strategic

analysis and risk assessment, which becomes the basis for prioritizing the audit

engagement to be done. The audit plan comprises the engagements to be

performed; timing, staffing and other logistical aspects are set.

In Audit Process, the activities performed in a specific audit engagement

are presented. It starts with planning the work to be done in that audit

engagement, the actual performance of the audit, reporting on the results of the

audit and follow-up in subsequent period to determine if the recommendations

are implemented.

10.4. Audit Committee

The Audit Committee of the Board shall be responsible for overseeing; the

reliability of financial reporting, the effectiveness of internal controls over financial

reporting, the processes for monitoring compliance with regulatory requirements,

and the processes for monitoring compliance with the organizations code of


13/62

conduct.

The committee shall be responsible for overseeing the effectiveness of the

organizations risk management and control processes. These responsibilities

are intended to provide reasonable assurance that the Company will be able to

achieve its objectives as they relate to the effectiveness and efficiency of

operations; the reliability of financial and operational information; and the

compliance with applicable laws and regulations.

Audit Committee has the authority to appoint Chief Audit Executive. The

Audit Committee appoints a Chief Audit Executive to manage the Audit

department.

Some of the more important roles of the Audit Committee are:

Evaluate whether management is setting the appropriate tone at the top

by communicating the importance of internal control and the management of risk,

and that employees have an understanding of their roles and responsibilities.

Inquire of management about the areas of greatest financial risk and how

management is managing that risk.

Review and approve the internal audit charter and ensure its compatibility

with the audit committee charter.

Review and approve the annual internal audit plan.

Be involved in the hiring of external auditors, and in the evaluation of their

performance.

Be informed as to whether the internal control recommendations, made by

either the internal and external auditors, are implemented by management.


14/62

Be made aware of significant accounting and reporting issues, including recent

professional and regulatory pronouncements, and understand their impact on the

organizations financial statements.

Ensure that the internal auditing activity can independently plan audit

projects and conduct and report the results objectively.

Be involved in the hiring, replacement, reassignment, or termination of the

CAE, and in the evaluation of his/her performance.

Ensure that the internal audit activity has adequate staffing and budget

resources to accomplish the plan.

To document the functional roles of the Audit Committee of the Board, an

audit committee charter has to be drawn up and submitted for approval by the

Board to formalize the authority and responsibility being given to it.

10.5 Internal Audit Department

The internal audit department, headed by the Chief Audit Executive (CAE)

is tasked to perform the internal audit activity for the company. The Chief Audit

Executive prepares an audit plan that identifies the individual audits to be

conducted during the year to be approved or not by the Audit Committee. The

approval or rejection of the audit plan prepared by the CAE is also the

responsibility of the Audit Committee. Its function includes assessment of internal

controls and the recommendation to implement measure to ensure adequate

control.

The major functions that the internal audit department performs are:


15/62

Develop and audit charter, approved by both senior management and the

audit committee, for the internal auditing activity

Develop, along with management, an organization model that can be used

to map major processes/operations for the purpose of identifying the

organizations auditable entities

Develop a risk assessment methodology for the auditable entities

identified in the model of major process/operations

Develop an audit plan based on the risk assessment and request from

management and get it approved by the board

Work with senior management and the audit committee to establish a

reporting relationship that will ensure that the audit recommendations receive

appropriate attention

Establish a quality assurance and improvement program for the internal

auditing activity that provides assurance that the internal auditing activity: 1)

performs in accordance with its charter, 2) adheres to the standard and code of

ethics, 3) operates in an effective and efficient manner, and 4) is perceived by

the board and management as adding value and improving an organization

operation.

10.6 Audit Staffing

The internal audit of the company obtains, develops and retail highly

specialized and qualified staff to ensure that audit engagements are performed

with proficiency and due professional care.


16/62

Position Description and Staffing Level

The companys internal audit department shall maintain the qualification

and level of staff to support the performance of audit engagement as planned. In

this connection, the organization of the internal audit department would consist of

the following team members:

Chief audit Executive

Audit managers

Senior auditors

Junior auditors

IS audit specialist

Staff Knowledge and Skills

In order for the internal audit staff to carry out its work, the different

knowledgeable and competency expected has to be maintained in the audit

department staff membership. In case, there are competencies required for

certain audit engagement, which are found within the staff membership, the

Department is authorized to source such requirements from external

organizations providing such qualifications.

To define the different knowledge and skills requirements of the

department, below is a guideline, based on SPPIA, which may be used.

Each internal auditor should possess certain knowledge skills and other

competencies:

Proficiency in applying internal auditing standards, procedures, and


17/62

techniques is required in performing internal audits. Proficiency means the ability

to apply knowledge to situations likely to be encountered and to deal with them

without extensive resources to technical research and assistance

Proficiency in accounting principles and technique is required of auditors

who work extensively within financial records and reports.

An understanding of management principles is required to

recognize and evaluate the materiality and significance of deviations from good

business practices. An understanding means the ability to apply broad

knowledge to situations likely to encountered, to recognize the significant

deviations, and to be able to carry out the research necessary to arrive at

reasonable solutions.

An appreciation is required of the fundamentals of such subjects as

accounting, economics, commercial law, taxation, finance quantitative methods,

and information technology. An appreciation means the ability to recognize the

existence of problems or potential problems and to determine further research to

be undertaken or the assistance to be obtained.

Internal auditors should be skilled in dealing with people and in

communicating effectively; internal auditors should understand human relations

and maintain satisfactory relationships with engagement clients. Internal auditors

should be skilled in oral and written communications so that they can clearly and

effectively convey such matters as engagement objectives, evaluation, and


18/62

recommendation.

The chief audit executive should establish suitable criteria of education

and experience for filling internal audit positions, giving due consideration to

scope of work and level of responsibility. Reasonable assurance should be

obtained as to each prospective auditor s qualifications and proficiency. The

internal audit staff should collectively possess the knowledge and skills essential

to the practice of the profession within the organization.

Audit Staff Processional Certification

The internal audit department recognizes the different certification programs

available for members of the internal auditing profession. The department places

value on certification garnered by staff members of the department. Such

certifications may include the following:

Certified Public Accountant (CPA)

Certified internal auditor (CIA)

Certified information system auditors (CISA)

Certification in Control Self-Assessment (CCSA)

Continuing Professional Education

To ensure the maintenance of sufficient qualification to service the audit

engagement, the Internal Audit Department provides internal audit staff the

opportunity to advance his/her level of skill and responsibility. The internal Audit

department shall have a training program that will provide the staff with the

means to learn new methods and develop new skills.

Training program has as their main goal the achievement of both


19/62

individual staff goals and objectives of the internal audit activity. To achieve this

training should be a continuing program, not just an occasional seminar. A

continuing program should provide for senior auditors to be assigned for a period

of time to supervisory positions, and for supervisors to be assigned a managers

responsibilities. This promotes staff learning firsthand the skill and responsibilities

required of the position above them.

The continuing professional education objective may be implemented by:

Budgeting an appropriate amount of money to be spent on training seminars and

courses each year and spending the money.

Ask staff members to document their plan to improve their skill and

knowledge each year.

Supporting and promoting opportunities for people who continue to

improve and develop their knowledge and skill.

Maintain catalogs of seminar and extension courses for both in-house and

outside training.

Developing recognition programs with incentives for the staffs who are

working on or who have advanced degrees and professional certification.

10. 7 Internal Audit Professional Organization and Governing Bodies

Institute of Internal Auditors (IIA)

IIA is the primary international professional association, organized on a

worldwide basis, dedicated to the promotion and development of the practice of

internal auditing. The IIA are the recognized authority, chief educator, and


20/62

acknowledged leader in standards, education, certification, and research for the

profession worldwide. For additional information about The Institute, refer to

contacts below.

The Institute of Internal Auditors 247 Maitland Avenue Altamonte

Springs, Florida 32701-4201 USA+1-407-937-1100 Fax +1-407-937-1101

www.theiia.org

Institute of Internal Auditors- Philippines (IIA-P)

The Institute of Internal Auditors Philippines is the primary association of

internal auditors in the Philippines dedicated to develop and promote the practice

of internal auditing, it serves as the principal educator of internal auditors and

provides professional guidance on emerging issues and trends that impacts the

profession.

We, the primary professional association of internal auditors in the Phils.,

are committed to develop and promote the practice of internal auditing,

consistent with recognized professional standards.

In the Philippines, the IIA-P handles the local function of the IIA, it being

the Philippine affiliate. For additional information about IIA-P, refer to contacts

below:

Corporate Address: Unit 1803 & 1807 Cityland Herrera Tower, V.A. Rufino

St. cor. Valero St., Makati City

Contact Numbers: +632 813 2553, +632 812 2754, +632 753-3272, +632

753-3271


21/62

Fax Number: +632 325 0414

Email Address: [email protected]

Website: http://www.iia-p.org

Information System Audit and Control Association (ISACA)

ISACA is an international professional association that deals with IT

Governance. Previously known as the Information Systems Audit and Control

Association, ISACA now goes by its acronym only, to reflect the broad range of

IT governance professionals it serves. ISACA and its affiliated IT Governance

Institute lead the information technology control community and serve its

practitioners by providing the elements needed by IT professionals in an ever-

changing worldwide environment.


22/62

AUDIT CONCEPTS AND STANDARDS

20.1 Professional practice framework

The Companys Internal Audit Staff, especially those members of the IIA

and has Certified Internal Auditor (CIA) certification, adheres to the guidelines set

by the Professional Practice Framework. The IPPF is intended to assist

practitioners and stakeholders throughout the world in being responsive to the

expanding market for high quality internal auditing (International Professional

Practices Framework).

The Professional Practice Framework consists of three types of instruction:

1.) Mandatory Guidance

2.) Practice Advisories, and

3.) Development and Practice Aids.

20.2 Internal Audit code of ethics

The Spoon and Fork Manufacturing Company's Internal Audit department

subscribes to the Code of Ethics of the Institute of Internal Auditors. The Institute

of Internal Auditors (IIA) is the setting - body for the internal audit profession

globally.

The purpose of the Code of Ethics is to promote an ethical culture in the


23/62

profession of internal auditing. The Code of Ethics is necessary and appropriate

for the profession of internal auditing, founded as it is on the trust placed in its

objective assurance about risk management, governance, and control. The Code

of Ethics extends beyond the definition internal auditing to include two essential

elements:

1. Principles that is relevant to the profession and practice of internal auditing

2. Rule of Conduct that describes behavior norms expected of internal

auditors. These rules are an aid to interpreting the Principles into practical

applications and are intended to guide the ethical conduct of internal

auditors.

The four core values or principles considered essential to the effective

practice of internal auditing are Integrity, Objectivity, Confidentiality, and

Competency.

These rules are accompanied by 12 rules conduct describing specific

behaviors expected of internal auditors. The rules serve as practical

applications of their four principles and are intended to guide the ethical

conduct of internal auditors. The purpose in the code is to promote an

ethical culture in the profession of internal auditing.

20.3. Standards for the professional practice of Internal Auditing

To provide assurance that the Spoon and Fork Manufacturing Company's

Internal Audit Department operates at a high professional level, the department

adhered to the Standards for the Professional Practice of Internal Auditing issued


24/62

by the IIA.

These standards are principles - focused, mandatory requirements

consisting of:

Statements of basic requirements for the professional practice of internal

auditing and for evaluating the effectiveness of performance, which are

internationally applicable at organizational and individual levels.

Interpretations, which clarify terms or concepts within the Statements.

The Standards consists of three components:

1. Attribute Standards address attribute of organizations and individuals

performing internal auditing services.

2. Performance Standards described the nature of internal auditing

services and provide quality criteria against which the performance of

these services can be measured, and

3. Implementation Standards provide guidance applicable in specific

types of engagements. These standards may be expanded to ultimately

address industry-specific, regional, or specialty types of audit.

20.4. Internal control framework

The company adopts the Commission on Sponsoring Organization

(COSO) definition of internal control. Internal Control, under COSO definition, is a

process affected by an entity's board of directors, management, and other


25/62

personnel, designed to provide reasonable assurance regarding the achievement

of objectives in the following category: effectiveness and efficiency of operations,

reliability of financial reporting, and compliance with laws and regulations.

Elements of Internal Control

Control Environment

Control environment sets the tone of an organization, influencing the

control consciousness of its people. It is the foundation for all other components

of internal control. Control environment factors include the integrity, ethical

values, and competence of the entity's people; managements philosophy and

operating style; the way management assigns authority and responsibility, and

organizes and develops its people; and the attention and direction provided by

the board of directors.

Risk Assessment

Risk assessment is the identification and analysis of relevant risks

to achievement of the objectives, forming a basis for determining how the risks

should be managed. Certain broad objectives include operational, financial

reporting, and compliance objectives.

Control Activities

Control activities are the policies and procedures that help ensure

management directives are carried out. They help ensure that necessary actions

are taken to address risks to achievement of the entity's objectives. Control

activities occur throughout the organization, at all levels and in all functions.

Information and Communication


26/62

Pertinent information must be identified, captured, and communicated in a

form and time frame that enable people to carry out their responsibilities.

Information is only used when communicated appropriately.

Monitoring

Internal control systems need to be monitored- a process that assess the

quality of the system's performance over time. Monitoring includes regular

management and supervisory activities and other actions personnel take in

performing truer duties.

20.5. Control objective for information and related technology

The Internal Audit Department of the company adopts the control

objectives of information and related technology released by the ISACA as the

basis of its audit work relating to information system and related technology.

Information

Accurate and timely information must be available to those management

representatives that need it at all levels of an organization to run the business

effectively. Not only must be provided "to appropriate personnel so they can carry

out their operating, financial, reporting and compliance responsibilities," but

communication also must take place in a broader sense, dealing with

expectations, responsibilities of individuals and groups, and other important

matters.

The access of information of the company must be monitored especially if

unauthorized person can or maybe able to access confidential information.


27/62

Information Technology

IT controls have not always been the default condition of new systems

hardware or software. The development and implementation of controls typically

lag behind the recognition of vulnerabilities in systems and the threats that exploit

such vulnerabilities. Further, IT controls are not defined in any widely recognized

standard applicable to all systems or to the organizations that use them.

The compliance with applicable regulations and legislation, consistency

without the organization's goals and objectives, and the use of releasable

evidence are use to assess IT and to provide and document its own internal

control framework to meet the organizations objectives.

20.6. Risk framework

Risk in consideration in planning the Audit

The Internal Audit Activity's audit plan shall be designed within the

framework of the Company's risk strategy. In this regard, the risk-based

approach to auditing shall be implemented and adopted by the Internal Audit

Department. Also, the Department shall coordinate its audit approach with the

overall Company's risk management system.

The internal audit activity's audit plan should be designed based on an

assessment of risk and exposures that may affect the organization. Ultimately,

the audit objective is to provide management with information to mitigate the

negative consequences associated with accomplishing the organization's

objectives. The degree or materiality of exposure can be viewed as risk mitigated


28/62

by establishing control activities.

The audit universe can include components from the organization's

strategic plan. The audit universe can be influenced by the results of the risk

management process. When developing audit plans the outcomes of the risk

management process should be considered.

Audit work schedules should be based on, among other factors, an

assessment of risk priority and exposure. Prioritizing is needed to make

decisions for applying relative resources based on the significance of risk and

exposure.

Change& in management direction, objectives, emphasis, and focus

should be reflected in updates to the audit universe and related audit plan.

In conducting audit engagements, methods and techniques for testing and

validating exposures should be reflective of the risk materiality and likelihood of

occurrence.

Management reporting and communication should convey risk

management conclusions and recommendations to reduce exposures. For

management to fully understand the degree of exposure, it is critical that audit

reporting identify the criticality and consequence of the risk activity to achieving

objectives.

The chief audit executive should, at least annually, prepare a statement of

the adequacy of internal controls to mitigate risks. This statement should also

comment on the significance of unmitigated risk and management's acceptance

of such risk.


29/62

20.7. Business Risk model and Risks definition

Business Risk model

Internal Audit Department considers the following risks in the planning the

audit:

-Strategic risks

-Compliance risks

-Reporting risks

-Operational risks

Risks

Risk is the possibility that an event will occur and adversely affect the

achievement of objectives. It is the possibility that the company may not attain its

goal due to the threat.

Audit Evidence

Obtaining of Evidence

The work of internal audit depends largely on documenting the audit

procedures performed. These audit work and conclusions thereto are supported

with audit evidence. The audit engagement team should obtain sufficient

appropriate audit evidence to be able to draw reasonable conclusions on which

to base the audit opinion and other reports thereto.

If unable to obtain sufficient appropriate audit evidence, however, the audit


30/62

engagement team needs to state the reasons for such situation, and the

limitations should be included in the audit report.

Sufficiency of Evidence

Sufficiency is a measure of the quantity of audit evidence. Sufficiency is

related to the extent of our audit work and the corresponding evidence to be

gathered from such work. We judge the required extent of audit procedures by

considering the required volume of audit evidence necessary to achieve the audit

objectives. The use of inspection, observation, inquiry and interview,

confirmation, and computation are sufficient to conduct the audit is a sufficient

means of evidence.

Appropriateness of Audit Evidence

Appropriateness is a measure of the quality of audit evidence, its

relevance to an assertion and its reliability. Appropriateness is related to the

nature and timing of our audit work.

The evidence gather are in its reasonable time to add economic value to

the objective of the organization. The use of manual audit procedure and

computer - assisted audit techniques are used to tests the objectives of Spoon

and Fork Manufacturing Company.

The internal auditors time of testing the operating effectiveness of manual

and computer - assisted audit techniques will be to the time that will cover the

operations.

Nature


31/62

We judge the nature of the required audit procedures by considering the

following generalizations:

Audit evidence obtained from outside the entity is more persuasive than

that obtained from within the entity;

Audit evidence obtained from or created by unrelated third parties is more

persuasive than that obtained from related parties;

Audit evidence obtained from inside the entity is more persuasive when

related controls are effective;

Audit evidence obtained directly through performing an inspection,

observation or computation is more persuasive than that obtained indirectly by

inquiry of others;

Audit evidence in the form of documents and written representations is

more persuasive than oral representations;

Audit evidence obtained from several sources that suggest the same

conclusion is more persuasive: than that obtained from only one source.

Timing

Some of the accounting data and corroborating information are available

only manual form at a certain period in time, or date, or moment in time. We

consider the time during which information exists or is available in determining

the timing audit procedures applicable.

Techniques to obtain audit evidence

We obtain audit evidence by performing an appropriate mix of audit

procedures, including tests of control, analytical procedures and tests of details.


32/62

Such audit work 'involves inspection, observation, inquiry, confirmation, and

computation as the techniques used to obtain evidence for the audit.

Inspection

Inspection involves reading records or documents, either visually or

electronically. Unlike observation, we do not need to be present at the time a

process or procedure is performed to obtain audit evidence. Inspection also

includes examining tangible items such as an item of equipment or inventory. We

often use inspection techniques as part of our follow-up procedures for

observations or enquiries.

Observation

Observation involves looking at the process or procedure performed by

others. We often use observation techniques to obtain an understanding of, and

test controls. In these situations we:

Observe and evaluate the performance of the control.

We observe the operation of the control and compare it to our

understanding of what ought to happen. There is always a danger that when we

observe a control it will be performed correctly just because we are present.

We assess this risk.

Ask what happens when breakdowns in control are found.

An operations control operates by preventing or detecting and correcting a

misstatement of theft.


33/62

Find instances where errors have occurred and review clearance.

To assess the effectiveness of the operations control, we investigate

occasions where the operations control has prevented, detected or corrected

theft in the operations.

Assess adequacy of procedures.

For an operations control to be effective, any misstatement detected must

be corrected. We assess both the operation of the operations controls in

preventing / detecting a misstatement and the subsequent corrective action.

Inquiry

Inquiry technique consists of asking appropriate questions of knowledgeable

persons inside or outside the entity, listening to and considering their responses,

asking follow-up questions, corroborating information, as appropriate.

Inquiry is an important technique both in obtaining knowledge of an entity's

business and in performing tests of control. It is more than simply asking the

entity's staff for information or to confirm that they perform specified activities. It

involves:

External confirmation

An external confirmation is a direct communication from a third party in

response to an inquiry requesting information.

The degree of our professional skepticism is heightened if we obtain

information that leads to questions about the respondent's competence,

knowledge, motivation, ability, or willingness to respond or about the


34/62

respondent's objectivity and freedom from bias. We usually apply alternative

audit procedures when we do not receive responses to positive confirmation

requests.

Computation

Computation involves checking the arithmetical accuracy of source

documents and accounting records or performing independent calculations.

Computer assisted audit techniques (CAATs) can remove much of the

mechanical routine of audit work. They can be used in the performance of tests

of control, analytical procedures and tests of details.

Data interrogation, which refer to performing audit tests to client's data

using CAATs, may allow us to apply audit procedures that would otherwise be

very time consuming, because of the sheer volume of information to investigate

or the complexity of the audit procedures, or a combination of both;


35/62

AUDITING PLANNING

30.1 Introduction

Audit planning shall be done annually to reflect the most current strategies

and direction of the Company. The Audit Plan should be prepared based on an

assessment of risks and exposures that may affect the organization.

There are three main benefits from planning audit. First, it helps the

auditor obtain sufficient appropriate evidence for the circumstances. Second, it

helps keep audit costs at a reasonable level. Third, helps avoid

misunderstandings with the client.

"Auditors should plan the audit work so that the engagement is

performed in an effective manner. It is important to clarify what are meant by the

terms overall audit strategy and audit plan as per ISA 300. The overall audit

strategy describes in general terms how the audit is to be carried out and the

audit plan details the specific procedures to be carried out to implement the

strategy and complete the audit. It is also important for students to understand

the precise meaning of the risk terms: audit risk and inherent risk as both risks

influence how the audit is carried out and the costs involved.

The best way to add value to an organization is to make sure the risk

assessment and the plan developed from the assessment reflect the overall

objectives of the organization. Risk assessments need to include input from

management. To accomplish this, there is a need to study the Company's

strategic plan and then discuss with management where the risks are in

obtaining the objectives.


36/62

The overall objective of an internal audit activity is to provide management

with information to lessen the negative consequences associated with

accomplishing its objectives. Implementing control activities in areas where the

risks are high can mitigate the risks of an organization not accomplishing its

goals.

A risk-based audit plan ensures that audit activities are effectively focused

on those areas where the risks or materiality of exposure is greatest.

30.2 Strategic Analysis

Strategic Analysis is performed to provide initial understanding of the

business risks that can be linked to strategic objectives of the Company. This

would pave way to the identification of the business risks that will be assessed in

the succeeding part of the audit planning activity. In detail, the strategic analysis

is undertaken to:

Gain a high-level understanding of a Company's business, its markets and

external forces;

Understand and identify the Company's strategic objectives that provide

for its business continuity and strategic vision;

Understand how the Company reacts to these challenges;

Provide foundation for the Annual Audit Plan;

Assist in identifying the key business processes that address strategic

risks and will be targeted for audit engagements.


37/62

Data Requirements and Sources

In order for the Internal Audit Team to proceed to analyze strategies of the

Company for audit planning purposes, it has to obtain the following information:

- Company's vision, mission, goals

- Objectives and strategies to achieving the objectives

- Business plans

- Organization charts

- Industry data and literature

Procedures -- Strategic Analysis

The procedures for strategic analysis that are listed below may be

performed concurrently to a certain extent and would normally overlap. In

performing these activities, care should be exercised to determine that no

duplication takes place and that the whole Strategic Analysis process is

undertaken in the most efficient and cost effective manner.

1. Review Background Information

The review of background information will enable the INTERNAL AUDIT

team to understand the detailed operations of the Company and environment in

which it operates. The background information may be obtained through in-house

or external sources. It is recommended that the audit team obtain all relevant

internal and external data relating the operations of the Company.


38/62

Sources of the required information include, among others, the following:

Chief Executive Officer and other senior management; Chairperson of the

Board and/or the Audit Committee and other Directors; Persons external to the

organization who are knowledgeable about the Company, its operations, its

prospects and the industry in general. These may include analysts, customers,

lenders, suppliers, alliance partners, industry professionals, the external audit

partner/manager, other consultants, etc.

2. Identify Business Objectives & Strategies

We have focused on understanding the client, the industry in which it

operates and the client's position in the industry. At this point we integrate this

information with the business objectives and strategies the client management

has chosen for achieving its business objectives. The identification and review of

the client's business objectives and management's strategies/plans to meet

these objectives is primarily achieved through:

Discussions with Directors and senior management;

Review of business and strategic plans prepared by management;

Review of other relevant documentation (e.g., vision, mission and values

statements, minutes of Board/executive committee meetings, special Board

resolution, etc.)

At the conclusion of this step we document the strategic objectives and the


39/62

strategies in place to achieve each objective.

3. Analyze Business Objectives & Strategies

Having identified the client's business objectives and strategies, we

objectively assess their reasonableness in light of our knowledge of the

organization and the industry in which it operates. By combining the background

information with Strategic Analysis tools and models, we perform an objective,

balanced evaluation of the Company's organizational structures, processes and

strategic plans.

After performing the analysis, we document our analysis which will be the

basis in discussing them with senior management of the Company.

4. Confirm the Results of Analysis with Management

The INTERNAL AUDIT team presents the results of its analysis to

management to get agreement and input on our understanding of their corporate

objectives, market strategies, organizational structures and processes, and

general risk areas that may threaten the achievement of objectives. At the end of

this activity, the audit team should have the following already documented:

A summary of the market issues identified;

A list of the general risk areas

5. Periodically Revise/Update Strategic Analysis

The Strategic Analysis performed, together with the related risk

assessments, is regularly reviewed and updated to take account of changing

circumstances, new management strategies and risks. This update takes place

at least annually with a complete re-performance of the Strategic Analysis and


40/62

risk assessment occurring every three to five years, or more frequently as

required.

30.3Risk Assessment and Risk Management System

Risk Management System

It is the responsibility of the Company's Management to institute a risk

management system to ensure that the Company is ready to face the business

challenges. Management need to understand the major risks that the business

faces, if they are to avoid being adversely affected by unexpected or uncontrolled

events.

They need to identify areas of risks, assess the likelihood of an adverse

event arising and consider the potential effect of such an occurrence. Only then

can they decide how to respond to the risk and take steps to minimize its effect.

These activities, when institutionalized represent the risk management system of

the Company.

The risk management system may be considered effective if it achieves at

least the following key objectives:

Risks arising from business strategies and activities are identified and

prioritized. Management and the board have determined the level of risks

acceptable to the organization, including the acceptance of risks designed to

accomplish the organization's strategic plans. Risk mitigation activities are

designed and implemented to reduce, or otherwise manage, risk at levels that

were determined to be acceptable to management and the board. Ongoing


41/62

monitoring activities are conducted to periodically reassess risk and the

effectiveness of controls to manage risk.

It should be stressed that the board and management receive periodic reports

of the results of the risk management process. The corporate governance

processes of the Company should provide periodic communication of risks, risk

strategies, and controls to stakeholders.

Risk Assessment

As part of the annual audit planning to be done by the Internal Audit

Department, considerable time has to be spent on establishing a good

assessment of the risk position of the Company.

The auditors main concern is the risk of material misstatement in

the financial statements due to client business risk. It is important to note that not

all business risks will turn into risks leading to material misstatement in the

financial statements.

In this regard, the Internal Audit Department has to undergo an annual

assessment of the risk management system.

The objectives of the assessment are:

Focuses the internal audit effort on strategic risks identified by

management that have the greatest potential effect on the Company;

Provides a trial to demonstrate whether the Audit Plan is aligned with the

Company's strategic risks;

Provides risk awareness and education of the Management and

stakeholders;


42/62

Assists compliance to corporate governance codes, reports and

legislation;

It provides access, exposure and relationship-building with senior

management in the Company.

Develop foundations that will assist in identifying the key business process

that mitigate strategic risks and should be targeted for individual audit

engagements (Audit Process)

In doing the risk assessment, the following activities have to be done:

1. Establish and Agree Criteria to Assess the Significance of Risks

The INTERNAL AUDIT team assists management to develop criteria to be

used in assessing the significance of risks identified in the Strategic Risk

Assessment process. The significance of the risks identified can be determined

by considering two factors:

The potential IMPACT of the risks;

The LIKELY HOOD that the risks will occur.

30.4 PERFORM PRELIMINARY ANALYTICAL PROCEDURES

Analytical procedures applied at the planning stage can assist the auditor

in gaining an understanding of the clients business and in assessing client

business risk. ISA 520 states, The auditor should apply analytical procedures at

the planning and overall review stages of the audit. ISA 520 Analytical

Procedures states that analytical procedures include the consideration of


43/62

comparisons of the entitys financial information with, for example:

Comparable information for prior periods

Anticipated results of the entity, such as budgets or forecasts, or

expectations of the auditor, such as an estimate for depreciation

Similar industry information, such as comparison of the entitys ratio of

sales to receivables with industry averages or with other entities of comparable

size in the same industry

30.5 Setting the Audit Universe

Defining the Risk Criteria

For each risk unit identified and listed in the risk profile, assign weight to each

risk by using points for each risk criteria defined below:

Control Environment based on preliminary assessment

Prior Audit Findings based on prior audit experience

Management/Interest concern how much concern management put into

it

Comfort with Operations Management based on operating management

experience

Changes to system whether new system or new changes to system

introduced

Asset sensitivity whether related asset accounts are susceptible to


44/62

exposure

Size/Amount relates to revenue, expenses, asset or liability impact

Date last audited whether the area has not been audited for a while

Using a worksheet to summarize the criteria for each risk identified and listed

in the risk profile , assign to each criterion a weight of 1 to 5, 1 being the least

impact or risk and 5, most impact. Get the sum of the points assigned to all the

criteria for each risk item. After getting all the summary points, rank the risks

based on these total points in the order of risk impact i.e. the highest total points

to the lowest total.

Ranking the Audit Universe

An audit universe represents the potential range of all audit activities and

is comprised of a number of auditable entities. These entities generally include a

range of programs, activities, functions, structures and initiatives which

collectively contribute to the achievement of the department's strategic

objectives.

The last step in constructing the risk model is ranking all the

auditable items in the universe. Each auditable area should be evaluated using

risk rating opposite the auditable area identified. The scale to be used is listed

below:

1 = Low risk

2= Medium risk


45/62

3= High risk

4= Extreme risk

Based on the assessment specified for each auditable area, these areas

will have to be listed in the audit plan in the order of importance and assign a

frequency or times the audit area will be performed.

Risk-based Audit Plan

Audit Universe Audit Plan Total

Coverage

10 % 100% 10%

20% 50% Sampled 10%

40% 10% Sampled 4%

30% 5% Sampled 1%

100% 25% of

Universe 4-Year

Cycle


46/62

The sample risk-based audit plan presented above indicates the level of

effort that has to be spent when planning for the audit of the areas included in the

scope of the audit plan. Such is the case when not all or 100% of the auditable

areas could be covered by the audit team or audit resources in a given period. A

prioritization and allocation of the resources could be done by sampling the areas

that need not be covered 100% in one period.

30.6 Engagement Time and Cost Estimates

After compiling a list of major auditable units and subunits, identify a

number for planning purposes that represents the hours that will be allocated for

auditing each auditable unit. The hours estimated for each unit should include

time for the following:

Conducting the preliminary survey

Developing the audit test work program

Performing the fieldwork, and;

Communicating the results of the review to management

As the budget time and costs for the entire audit areas are identified and

summarized, the audit team has to prepare the final audit plans budget. Below is

a benchmark allocation of the total budget for each year.


47/62

Activity Percentage Allocation

Developing the Audit Plan 10-20%

Administration and overall Engagement

Management

10-20%

Reviews contained in the plan and

deliverables

50-80%

Follow up 5-15%

Special projects 0-30%

Attendance at Audit Committee

meetings

5-10%

The following points have to be considered also when preparing the audit budget:

Administration and management of the overall engagement is a significant

task and should not be underestimated. This however can appear significant to

the client and hence can be blended by allocating this amongst the reviews in the

plan.

A separate allocation for special projects during the year may be required.

The advantages of this approach are flexibility and ability to respond quickly

without protracted negotiations and seeking of funding. The disadvantage of this

approach is that the internal audit team could spend a significant amount of time

on PREFERRED type reviews which could undermine the value to the

Company if the reviews are not strategic or addressing significant risks. It is

usually done to avoid allocating money for special projects unless specifically

requested by Management.


48/62

30.7 Audit Staffing and Logistical Plan

Based on the engagement time and cost estimates computed for each

audit engagement planned during the year, the audit team has to determine how

much audit staff quantity and quality could support such requirements as well as

the other overhead costs to be incurred in servicing all the audit engagements.

Using the required hours on the engagement (staff and supervisors time),

compute the number of staff and supervisors that has to be working on the

planned audit engagements for the year.

If it appears that there is not enough staff to work on the engagement and

there is limitation on the total peso budget allocated to staff costs for the

department, the audit team may have to balance the factors by establishing a risk

strategy or selection policy based on the following:

Where the audit team may start to work on audit engagements from

top of the list with the high-risk audits and proceed to the engagements

with less risk as they complete those jobs from the top of the list.

Coordinate with external auditor on the scope of the external audit

work to be covered since the latters work may have some cost

consideration and work duplication impact with the work of the internal

audit team.

Allow the assignment of certain staff to work at the same time on

projects at the top of the list and succeeding jobs following such top

priority audit job.

When the second option is chosen, it may be necessary to develop


49/62

a strategic audit plan of 2-3 years to accommodate overflow of the

estimated hours to be worked on by staff in projects that cannot be

covered in one year.

However, it should be assured by the team that the plan for 12

months be updated each year. The CAE has to finally decide on which

approach will satisfy the objectives of the department and the Company as

a whole.

30.8 Approval and Communication Audit Plan

After completing all the data necessary to formulate the audit plan, a draft

may already be prepared for presentation to the Audit Committee. This enables

the Audit Committee to make an informed decision on whether the annual audit

plan coverage is sufficient to meet their governance obligations.

The draft audit plan should have the following elements or selections:

- Planning process and approach

- Business risk matrix

- Summary of reviews by strategic and significant risk

- Risk rating criteria

- Business Process Matrix

- Scopes of reviews

- Detailed list of risks which will not be addressed within the proposed

plan

- Budget and indicative timing


50/62

Once the audit team is able to formulate the audit plan containing the

above information, it may already present this to the Audit Committee. There is a

negotiation process that may take place on the scope of work to be undertaken.

AUDITING PROCESS

40.1. Audit Engagement Plan

Determine engagement objectives and scope

In executing the aim of the department, the Internal Audit will focus on the


51/62

following goals:

Perform all audits in compliance with International Standards for the

Professional Practice of Internal Auditing (Standards)

Adhere to the Code of Ethics of the Institute of Internal Auditors

To ensure that annual reporting assigned time budgets

Understand the auditee including the auditee objectives

The SNIPS Utensils Manufacturing locates at Muoz, Quezon City has the

goal to expand their company not only locally but international and be the

number one supplier of Utensils in the Philippines

Identify the assess risk

There are a lot of known competitors in the market

The Company is new to Market

There are cheaper Utensils in the market.

The process of establishing branch abroad is not easy.

Identify key control activity

Establish a strategy to override the competitors.

Evaluate adequacy of control design

The controls are adequate but added recommendation will be needed to improve

the operations of the company by department.

Develop a Work Program

An audit program is a detailed plan of tasks to be performed during the

audit in order to assess the quality of management systems and practices in the


52/62

organization. This will provide the auditor with sufficient evidence to support the

audit conclusions. Key aspects of the audit plan include:

1. Understand the objective of the department

2. Determine whether the objective of the department being audited meet

the objectives

3. Know the risks of the department for not attaining the set objectives

4. Know the problem in the department by interviewing, observing and

inspecting the department need for the audit

5. Look for the records of the department

6. Assess the risks given the information gather

7. Identify the control activities to prevent those risks

8. Evaluate the adequacy of the controls given

9. Finalize the process

10. Prepare an Audit report

11. Communicate the Audit report

12. Follow - up and monitor the given recommendations if they are being

implemented by the department being audited

Allocate Resources to the Engagement

The need of the ability of acquiring information about the auditee is

needed in the engagement. The time allotted in auditing one department of the

company is based on the time allotted given by the board in a time that could

improve the operations of the company.


53/62

40.2. Opening Conference

The opening conference should be held to gather information about the

mission, critical processes, and control procedures of the unit. The auditor uses

this information in the risk assessment process to determine an appropriate

objective and scope for the audit. Under some conditions, the objective and

scope may be predetermined. The auditor should prepare an opening conference

e-mail confirming the appointment. The e-mail should briefly state the

announcement of the audit; the date, time, and place of the opening conference;

the purpose of the opening conference; and the desire to resolve any questions

regarding the tentative draft objective and scope.

Audits with a surprise component, such as investigative audits, cash

counts, etc., may not have an opening conference.

The opening conference is an important step in a regular audit. It is an

opportunity to establish the proper tone and to begin building good relationships.

Explain the "who, what, where, when, why, and how" for those who have not

been exposed to the audit process.

40.3. Process Analysis

Process Documentation

1.Marketing Department

a. Objectives of Internal Audit

-Ensure that marketing strategies are being met.

-Determine whether the personnel in marketing department are doing their

job well.


54/62

-Establishing and communicating of overall product or marketing strategy.

b.Internal Audit Procedures

-Evaluate the effectiveness of their marketing strategy like observation

and survey.

-Assessing the rules and regulation of marketing department of the

personnel.

-Evaluate customer research

-Know market condition

-Assessing the marketing plan changes as needed

2.Human Resource Department


-To determine the proper hiring of employees to audit the HR.

-Appraise and develop internal personnel resources.

-To ensure that HR is not hiring incompetent or suspicious applicant that

might commit fraud or destruction to the company.

b. Internal Audit Procedures

-Make a surprise visit to HR department when there is a hiring session.

-Ask a current report to the HR department whenever there is a new hire

employee to the company.

-Attend some of the training meetings and appraise the receptivity on part

of the trainee.

-Evaluate the procedures in terms of efficiency, economy and


55/62

effectiveness.

3. IT Department


-To determine whether the IT department is complying e- commerce

policies and others computer supported systems law.


-Examine the profile of the IT personnel to see his capacity and

effectiveness of the company computer system

4. Production Department


-To evaluate production performance for a specific period of time to

promote understanding of production related cost interdepartmentally and

by upper management.

-To set specific goals that will meet by future objectives.


-Check first the raw materials to be used in the product and must be

supervised by the head supervisor as to what quality they want to be an

output.

5. Warehouse Department


-To determine the accuracy of all the purchases that goes inside the


56/62

warehouse and the security as well.


-There must have a security personnel example security guard to check all

the reports and receipts of all the inventories that comes in and out in the

warehouse. There should have verifiability.

-By attaching cameras and lock in the warehouse.

6. Accounting Department


-Efficient processing of financial data.

-Maintain adequate employee benefit program.

-Effective reporting format.

-Effective responsibility reporting.

-To ensure that the Accounting Department is complying with the rules

and regulations of a company and segregation of duties are implemented.


-Discuss and observe whether they are follow.

-Review frequency of errors.

-Review supporting worksheets and sources of information.

-There must have an often meetings by the board of directors to ensure

that the said department is complying department.

7. Treasury Department


-To ensure the accuracy of daily transaction of the treasury department


57/62


-Receives collections from various sources.

-Process payments of various disbursements and sees to it that funds

are available for these.

-Reports on a daily basis, the cash position of RCAM.

-Acts as comptroller, exercising discretionary authority within certain

clear limits.

8. Delivery department

c. Objectives of Internal Audit

- To assess the profile of the personnel in charge in delivering the product

so that conflict of interest be avoided. To examining the time on

scheduling on when delivering the product.

d. Internal Audit Procedures

-There should have Id requirements for every warehouse personnel who is

in charge for the delivery.

-Check the vendors voucher and the bulletin board to be able to deliver

the product on time.

40.5. Exit Conference

The exit meeting concludes the formal audit process. The final draft

version of the audit report is presented to management. Once the report is


58/62

finalized, it is prepared for distribution to the Audit Committee.

40.6. Audit Reporting

Audit Committee members are provided with the Executive Summary of all

audit reports. A detailed audit report is provided to Audit Committee members

upon request. In addition, the respective Vice-President is provided with an

Executive Summary. Detailed audit reports are distributed to management of the

areas or functions that were audited.

40.7. Follow-up and Monitoring

In some instances, follow-up audits or monitoring may be part of the audit

process. These projects are selected on an individual basis.

DOCUMENT &QUALITY REVIEW

50.1 Audit Work Documentation

Audit working papers are used to document the engagement process.

This documentation is the principal record of the procedures completed,

evidence obtained, conclusions reached, and recommendations formulated by

the internal audit team during the engagement.Working papers are records kept

by the auditor of the procedures applied, and the tests performed, the information

obtained and the pertinent conclusions reached.


59/62

Managing Work Papers

Managing the working papers is important in providing evidence that the

audit was performed appropriately (in relation to standards of auditing and other

legal requirements).

The internal auditors should prepare working papers which are sufficiently

complete and detailed to provide an overall understanding of the audit. The

internal auditor should record in the working papers information on planning the

audit work, the nature, timing and extent of the audit procedures performed, and

the results thereof.

Standard audit working papers

The internal auditor shall use standard working papers in documenting the

audit plan. The auditors need to consider the size and complexity of the audit

engagement when applying the use of standard working papers.

Document obtained from auditee

To improve audit efficiency, the auditor may keep the records obtain

during the audit for three years. In such circumstances, the auditor would need to

be satisfied that those documents have been properly prepared or have not been

tampered with. And the records are not already needed for the company.

Digital format working papers

Audit working papers may be printed or retained electronically. Working

papers in digital format are maintained using the same methodologies and

policies used SNIPS Utensils IT Department. To determine that electronic


60/62

documents have an owner who is conversant with the contents of the document

and that extraneous information is not being retained, the following guidance

applies to electric media.

Working Papers Organization and Indexing

Working paper files should be complete and well - organized. At the end of

an engagement, the files should be cleared out so they contain only the final

versions of the working papers completed during the engagement.

Ownership and Access to Working Papers

We should adopt appropriate procedures for maintaining the confidentiality

and safe custody of the working papers and for retaining them for a period

sufficient to meet the needs of internal audit and in accordance with legal and

professional requirements or record retention.

Audit working papers are the property of the Internal Audit Department.

The CAE considers requests to provide working papers or other documents for

inspection. We provide access to working papers only with the prior approval of

the CAE. In considering a request, the CAE may decide to consult with the Audit

Committee before deciding which working papers may be inspected.

50.2. Quality Assurance Program

The Internal Audit Department shall maintain a quality assurance

program to ensure consistent delivery of quality internal audits. Such quality

assurance program shall be an ongoing program and shall be compliant with the

proposed program by the IIA:


61/62

The chief audit executive should develop and maintain a quality assurance and

improvement program that covers all aspects of the internal audit activity and

continuously monitors is effectiveness. The program should be designed to help

the internal audit activity add value and improve the internal audit activity is in

conformity with the Standards and the Code of Ethics. (Standard 1300)

Objectives

The main objectives of the quality assurance program are to provide

reasonable assurance to management and the board that it performs in

accordance with the IIA Standards and the Code of Ethics perceived by all as

adding value and improving the organizations operation; and operates in an

effective and efficient manner.

Scope and Approach

The quality assurance program shall cover all aspects of the internal audit

activity, continually monitor the internal audit activitys effectiveness, assure

compliance with the Standards and Code of ethics, and include both periodic and

ongoing internal assessments.

Measuring the Internal Audit Activity Performance

Internal assessment should include:

Ongoing reviews of the performance of the internal audit activity. Periodic

reviews performed through self-assessment or by other persons within the

organizations who have knowledge of internal auditing practices and the

Standards.


62/62

External Assessment should be concluded at least once every five years by a

qualified, independent reviewer or review team from outside the organization.

The potential need for more frequent external assessments as well as the

qualifications and independence of the external reviewer or review team,

including ant potential conflict of interest, should be discussed by the CAE with

the board. Such discussions should also consider the size, complexity and

industry of the organization in relation to the experience of the reviewer or

review team.

iat manual final.doc

Documents

Transcript of iat manual final.doc