COMPTROLLER OF ACCOUNTS

Ministry of Finance

Government of the Republic of Trinidad and Tobago

Internal Audit Manual

Prepared by the Financial Management Branch,

Treasury Division, Ministry of Finance

TABLE OF CONTENTS

Introduction

1. The Internal Audit Environment

1.1 Legislative Framework – Specific to the Government of the Republic of Trinidad and Tobago
1.1.1 Constitution of the Republic of Trinidad and Tobago
1.1.2 Exchequer and Audit Act, Chapter 69:01
1.1.3 Financial Regulations to the Exchequer and Audit Act
1.1.4 The Financial Instructions 1965
1.1.5 Ministry of Finance and Comptroller of Accounts Circulars
1.1.6 Manual of the Terms and Conditions of Employment
1.1.7 Chief Personnel Officer Circulars
1.1.8 Commissions and Relevant Acts
1.1.9 Civil Service Act Chapter 23:01
1.1.10 Civil Service Regulations
1.1.11 Civil Service (External Affairs) Regulations
1.1.12 Public Service Commission Regulation, 1966

1.2 The Changing Environment of Internal Auditing
1.2.1 Compliance vs. Risk Management
1.2.2 Manual Environment vs. Information Technology Environment
1.2.3 Independence – Location vs. Mental Attitude
1.2.4 Post Auditing vs. Ongoing Audits

1.3 International Standards
1.3.1 International Best Practice
1.3.2 The Code of Ethics
1.3.2.1 Code of Ethics – Principles
1.3.2.2 Rules of Conduct
1.3.3 International Auditing Standards

1.4 The Committee of Sponsoring Organizations
1.4.1 Control Environment
1.4.2 Risk Assessment
1.4.3 Control Activities
1.4.4 Information and Communication
1.4.5 Monitoring

1.5 Criteria of Control Committee

1.6 COBIT – Control Objectives for Information and Related Technology
1.6.1 What is COBIT
1.6.2 Benefits of implementing CobiT
1.6.3 COBIT Structure – Process Oriented
1.6.3.1 How does CobiT Work?
1.6.3.2 Control Based
1.6.3.3 Use of COBIT by the Internal Auditors

1.7 Reporting Relationships
1.7.1 The Parliament of Trinidad and Tobago
1.7.2 Minister of Finance
1.7.3 The Accounting Officer
1.7.4 The Treasury Division
1.7.5 Auditor General’s Department
1.7.6 The Public Accounts Committee and the Public Accounts Enterprises

Chapter 2 Treasury Statement on Corporate Governance

2.1 The Governance Structure of the Public Service – Legal Environment

Chapter 3 Management of the Internal Audit Unit

3.1 The Corporate Planning Process
3.1.1 Government’s overall Objectives & Policies
3.1.2 The Ministry’s Corporate Plan & Operational Plan
3.1.3 The Internal Audit Unit Corporate Plan
3.1.3.1 Internal Audit Vision and Mission Statement
3.1.3.2 Ministry’s Priority Policies, Key Outcomes and Strategic Objectives
3.1.3.3 Strategies
3.1.3.4 Key Output
3.1.4 The Internal Audit Unit Operational Plan
3.1.5 The Annual Audit Plan

3.2 Risk Assessment
3.2.1 Risk Assessment and Professional Judgement
3.2.2 Information Sources
3.2.3 Setting Priorities

3.3 Human Resource Management
3.3.1 Training

Chapter 4 Performance of Audit Work

4.1 Planning the Audit Assignment
4.1.1 Background Information
4.1.2 Conducting Risk Assessment
4.1.3 Establishing audit Objectives and Scope
4.1.4 Ensure Subject Is Auditable
4.1.5 Determining the necessary resources to perform the audit
4.1.6 Communicate with the Relevant Stakeholder of the Audit
4.1.7 Preliminary Survey
4.1.8 Development the Audit Programme
4.1.9 Define recipients of audit results

4.2 Audit Evidence
4.2.1 Nature of Evidence
4.2.2 Attributes of Evidence

4.3 Documentation and Working Papers
4.3.1 Working Papers
4.3.2 Purpose of the Working Papers
4.3.3 Documentation
4.3.4 Supervisory Review
4.3.5 Control and Retention of Working Papers
4.3.6 Permanent Files

4.4 Reporting
4.4.1 Purpose of Report
4.4.2 Elements of a Good Report
4.4.3 Format of the Report

4.5 Interviews
4.5.1 Identifying Availability of Evidence
4.5.2 Exit Interview

4.6 Follow-up
4.6.1 Timing of the follow-up

Chapter 5 Value for Money Auditing

5.1 Background
5.2 Economy, Efficiency and Effectiveness
5.3 Approaches to VFM Auditing
5.3.1 Procedures or Process-Oriented Approach
5.3.2 Results-oriented Approach
5.4 The Audit Process
5.4.1 The Planning Process
5.4.2 The Examination Phase
5.4.3 The Reporting Phase
5.4.4 The Follow-up Phase
5.5 Generic Questions for scope the audit

Chapter 6 Information Technology Audit

6.1 Background
6.2 Computer-assisted audit Techniques (CAATS)
6.2.1 Concept
6.2.2 Planning
6.3 The Environment in which CAATS operate
6.3.1 Understanding of the System
6.3.2 Characteristics of the Data
6.3.3 Audit Objectives
6.3.4 Audit Scope
6.4 Data Access
6.5 Application of CAATS
6.6 Follow up Investigations
6.7 Working Papers
6.8 Reporting

Chapter 7 Role of Audit Committee

Glossary

Appendices

INTRODUCTION

(i) Purpose

This Internal Audit manual is designed to provide comprehensive guidance for the development and operations of internal auditing in the Public Service. It is intended to be used as a source of reference and guidance for Internal Auditors in the daily performance of their duties.

Users of this manual are assumed to possess a basic knowledge and understanding of management framework with practical guidance, tools and information for managing the Internal Audit activity and for planning, coordinating and reporting to Management / the Accounting Officer.

Against this background, this document aims to provide a standard set of guidelines regarding Internal Auditing in the Public Service.

Internal Auditors must keep pace with current trends in their profession if they are to remain effective in assisting management in the proper discharge of their duties.

The Comptroller of Accounts believes that this manual will set the tone and will create the necessary impetus for a sustainable and effective Internal Auditing mechanism in Government.

(ii) Definition of Internal Auditing

The Institute of Internal Auditors (IIA) (the world-wide professional organization for Internal Auditing) defines internal audit as:-

‘Internal Auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.’

In order to assist Accounting Officers in achieving their objectives in an intelligent manner, Internal Auditors must be aware of the environment in which they operate and the rules which govern their work activities.

(iii) The Objective of Internal Auditing

The overall objective of Internal Auditing is to assist the Accounting Officer in the effective discharge of his/her responsibilities by furnishing objective analyses, appraisals, recommendations and pertinent comments on the activities reviewed.

The Internal Auditor must therefore be involved in any phase of activity in which he can be of service to the Accounting Officer.

Activities include:-

- appraising the soundness and application of accounting, financial and operating controls;
- ascertaining the reliability of accounting and other data developed within the organization;
- ascertaining the extent of compliance with established policies and procedures;
- appraising the quality of performance in carrying out assigned responsibilities.

NB: Please note that this Auditing Manual is a work in progress. Inclusions will be inserted as the various sections are developed, reviewed and verified.

CHAPTER 1

INTERNAL AUDIT ENVIRONMENT

The Internal Audit Environment is shown on the flowchart at figure 1, page 2. The various components are as follows:-

- Legislative Framework – specific to the Government of Trinidad and Tobago;
- Legislative Framework – International Best Practice;
- The Treasury;
- The Accounting Officer;
- Minister of Finance;
- The Auditor General’s Department;
- The Parliament.

The ensuing sections give details of these areas.

Figure 1 – The Internal Audit Environment

[Flowchart not reproduced. Panels: Internal Audit Section; The Treasury; The Accounting Officer; Minister of Finance; Parliament; Auditor General’s Department; Legislative Framework Specific to GORTT; Legislative Framework – International Best Practice (IIA, COSO, COBIT, COCO, IAS); Accounting Environment; Objectives; The Changing Environment of Internal Audit (current environment: compliance, independence of location, post auditing, manual; new environment: risk management, independence of mind, during the audit, IT environment).]

1.1 THE LEGISLATIVE FRAMEWORK – SPECIFIC TO THE GOVERNMENT OF THE REPUBLIC OF TRINIDAD AND TOBAGO

Internal Auditors in the operation and execution of their duties are governed by legal provisions. These provisions are as follows:-

1.1.1 The Constitution of the Republic of Trinidad and Tobago Ch 1:01

Chapter 8 of the Constitution of the Republic of Trinidad and Tobago deals with Finance and outlines the following requirements:-

- The establishment of the Consolidated Fund
- The authorization of expenditure from the Consolidated Fund
- The responsibility of the Minister of Finance
- The establishment of the Office and the functions of the Auditor General
- The requirements for the appointment of the Auditor General and the setting up of the Public Accounts Committee.

Chapter 8, Section 113 (1) of the Constitution of the Republic of Trinidad and Tobago states:-

(1) “The Minister responsible for Finance shall cause to be prepared and laid before the House of Representatives before or not later than thirty days after the commencement of each financial year estimates of revenues and expenditure of Trinidad and Tobago for that year.”

Chapter 8, Section 116 (1-2) of the Constitution of the Republic of Trinidad and Tobago states:-

(1) “There shall be an Auditor General for Trinidad and Tobago, whose office shall be a public office.”

and

(2) “The public accounts of Trinidad and Tobago and of all officers, courts and authorities of Trinidad and Tobago shall be audited and reported on annually by the Auditor General, and for that purpose the Auditor General or any person authorized by him in that behalf shall have access to all books, records, returns and other documents relating to those accounts.”

In order to assist the Minister of Finance in complying with these provisions, Accounting Officers are charged with the responsibility for preparing and submitting the estimates of revenue and expenditure to the Minister of Finance and the Appropriation Accounts to the Auditor General. Accounting Officers have the responsibility of ensuring that proper systems of accounting as prescribed by the Treasury are established and maintained within their respective Ministry/Department.

The Auditor General is empowered by the Constitution to carry out audits of the accounts, balance sheets and other financial statements of all enterprises that are owned or controlled by or on behalf of the State. She shall submit reports annually to the Speaker, the President of the Senate and the Minister of Finance. The Auditor General is also responsible for monitoring the systems and records used in the preparation of these accounts to ascertain whether they are functioning properly and are in compliance with the relevant laws and guidance.

Internal Auditors in Central Government are charged with the responsibility of assisting Accounting Officers in the effective discharge of their duties as defined in the Exchequer and Audit Act, Chapter 69:01. Internal Auditors must examine the records of their Ministries/Departments in order to ascertain the extent of compliance with established policies and procedures as established by the Treasury and must ensure that expenditure incurred and revenue earned conform to the Estimates of Expenditure/Revenue approved by Parliament. They must also ensure that expenditure incurred under the various votes is made in accordance with Budgeted Allocations and that expenditure does not exceed releases granted.

1.1.2 The Exchequer and Audit Act, Chapter 69:01

In the daily performance of their duties, Officers are guided by and operate under the rules as enshrined in the Exchequer and Audit Act, Chap. 69:01.

This Act provides for:-

- the control and management of the public finances in the Republic of Trinidad and Tobago;
- the duties and powers of the Auditor General;
- the collection of, issue and payment of public moneys;
- the audit of the Public Accounts and the protection and recovery of public property;
- the control of the powers of statutory bodies and for matters connected therewith.

The Act also interprets the title of the Accounting Officer in Part I Section 2 which states inter alia:-

“an accounting officer means any person appointed by the Treasury and charged with the duty of accounting for any service in respect of which moneys have been appropriated by the Constitution or by Parliament, or any person to whom issues are made from the Exchequer Account.”

Internal Auditors are a valuable resource for Accounting Officers and as such must be aware of the role of the Accounting Officer.

1.1.3 The Financial Regulations to the Exchequer and Audit Act, Chapter 69:01

In addition to the Exchequer and Audit Act which states and interprets the law, Internal Auditors are also guided by the Financial Regulations in their daily operations. These Regulations provide more detailed guidance and make provision for an independent Internal Audit Unit.

Part II Section 13 (4) of the Regulations states:-

“Each Accounting Unit shall have a check staff and an independent internal audit unit”

Part II Sections 4 (1) and (3) of the Exchequer and Audit Act make provision for the control and management of the accounts.

Part I Section 8 of the Regulations also states:

“It is the duty of an accounting officer to –

(a) ensure that the proper system of accounting as prescribed by the Treasury is established and maintained.”

Guided by the Financial Regulations in their role and responsibilities, Internal Auditors will be able to give assurance to Accounting Officers that records are accurate, systems of internal controls are performing effectively, and there is compliance with systems laid down by the Treasury.

1.1.4 The Financial Instructions 1965

The Financial Instructions 1965 were issued by the Treasury under Section 4 of the Exchequer and Audit Ordinance 1959. These Instructions give details on accounting procedures to be adopted by the various Ministries/Departments so as to promote reliance on the accuracy of records and to ensure that systems are functioning as intended.

1.1.5 Ministry of Finance and Comptroller of Accounts Circulars

Circulars are issued from time to time by the Minister of Finance and the Comptroller of Accounts.

- Circulars from the Minister of Finance are issued when new accounting systems/procedures are being introduced.
- Circulars from the Comptroller of Accounts are issued for clarification/updating of existing systems and procedures.

1.1.6 Manual of the Terms & Conditions of Employment

The terms and conditions of employment for officers employed in the Public Service have been compiled in a manual by the Chief Personnel Officer (CPO). Unlike the Financial Regulations, which deal with accounting matters within the Public Service and the treatment of such, the Manual of the Terms and Conditions of Employment addresses the administration of rules, regulations and circular instructions relating to the terms of employment of Officers in the Public Service.

Section I of the manual embodies those rulings, guidelines, interpretations and classifications that are most frequently sought from the CPO in respect of areas such as:

- hours of work,
- treatment of work in excess of normal working hours,
- different types of leave, traveling and subsistence allowance,
- transfers between Trinidad and Tobago,
- uniform and
- employment on contract.

Each area dealt with in the Manual is referenced to the relevant regulations from the Civil Service, Public Service, CPO and Ministry of Finance Circulars.

Sections II and III of the manual contain circulars/circular memoranda mentioned in Section I. The manual must be read in conjunction with the relevant provisions of the Civil Service Regulation, Public Service Regulation or the Traveling Allowances Regulations as may be appropriate.

This manual is one of the tools used by the Internal Auditor in interpreting and clarifying issues on the terms and conditions of employment of officers employed in the Public Service.

1.1.7 Chief Personnel Officer Circulars

The Chief Personnel Officer issues circulars from time to time for the variation of officers’ terms and conditions of employment in relation to the terms and conditions, salaries and allowances for all officers employed in the Civil Service as well as clarification of existing circulars when necessary.

1.1.8 Commissions and Relevant Acts

Various Commissions established under the Constitution of the Republic of Trinidad and Tobago are as follows:-

1. Public Service Commission
2. Police Service Commission
3. Teaching Service Commission
4. Judicial and Legal Service Commission
5. Statutory Authorities Commissions

The specific Acts and Regulations governing the relevant service under each of these Commissions are as follows:-

- Public Service Commission:
  - Civil Service Act Chapter 35:50 – Civil Service
  - Fire Service Act Chapter 23:01 – Fire Service
  - Prison Service Act Chapter 13:02 – Prison Service
- Police Service Commission:
  - Police Service Act Chapter 15:01 – Police Service
- Teaching Service Commission:
  - Education Act Chapter 39:01 – Teaching Service
- Judicial and Legal Service Commission:
  - Judicial & Legal Service Act Chapter 6:01 – Judicial and Legal Service
- Statutory Authorities Commission:
  - Statutory Authorities Act Chapter 34:01 – Statutory Bodies

1.1.9 Civil Service Act Chapter 23:01

The Civil Service Act, Chapter 23:01 makes provision for the establishment and classification of:

- the Civil Service,
- a Personnel Department,
- procedures for negotiations and consultation between the Government and members of the Civil Service,
- the settlement of disputes,
- other matters concerning the relationship between the Government and the Civil Service.

The Act outlines the terms and conditions of employment of officers employed in the Civil Service.

1.1.10 Civil Service Regulations

The Civil Service Regulations, guided by the Civil Service Act, Chapter 23:01, define the various positions within the Civil Service and the details of the entitlements of these positions. The Regulations also treat with various areas such as probation periods, secondment, remuneration, increments, allowances, payment of pensions and gratuities and other matters relating to officers.

An amendment to the Regulations in 1996 made provision for the Code of Conduct.

It is recommended that copies of the Regulations and Code of Conduct should be given to every officer on their first appointment by the Public Service Commission by which he was appointed together with his letter of appointment.

The Code of Conduct in the Civil Service Regulation deals with the conduct of an officer while the Public Service Commission Regulations define the method for dealing with an officer’s discipline and the relevant disciplinary action to be taken.

1.1.11 Civil Service (External Affairs) Regulations

The Civil Service (External Affairs) Regulations, established under the Civil Service Act, provide detailed requirements for Foreign Service Officers at the various Missions and the entitlements to those Officers. Areas addressed under the Regulations are as follows:

- Entry into the Foreign Service;
- Postings to and from the Missions;
- Allowances and other benefits;
- Housing accommodations;
- Leave and leave passage; and
- Conduct of officers assigned to the Missions.

1.1.12 Public Service Commission Regulations, 1966

The Public Service Commission Regulations define the following:

The “Public Service” includes the Civil Service, the Fire Service, the Prison Service, and for the purposes of Section 53 of the Education Act, shall be deemed to include the Teaching Service.

An “officer” means a person employed in that part of the Public Service established respectively as the Civil Service, the Fire Service, the Prison Service, or any other service in the Public Service who is subject to the jurisdiction of the Commission and, for the purposes of Section 53 of the Education Act, shall be deemed to include all persons employed in the Teaching Service.

A “Public Office” includes the Civil Service, the Fire Service, the Prison Service, and for the purposes of Section 53 of the Education Act, shall be deemed to include the Teaching Service.

The Public Service Commission Regulations address the following areas within the Public Service:

1. Appointments
2. Promotions
3. Transfers
4. Staff reports
5. Resignations
6. Retirement
7. Termination of appointments

The Civil Service Regulations also deal with the recruitment of officers as well as the terms and conditions of these officers. The Public Service Regulations provide all officers, and in particular the Internal Auditor, with the necessary guidance and knowledge in interpreting matters listed above.

The Civil Service Act, Chapter 23:01 amended in 1966 provides for a Code of Conduct which addresses the general conduct of a Civil Servant whereas the methods for dealing with Public Officers’ discipline and disciplinary actions are covered by the Public Service Commission Regulations.

The Internal Auditor in the conduct of the audit must be knowledgeable of the following laws in relation to the various bodies:

1. The Civil Service Act, Chapter 23:01
2. The Fire Service Act, Chapter 23:01
3. The Prison Service Act, Chapter 13:02
4. The Police Service Act, Chapter 15:01
5. The Education Act, Chapter 39:01
6. The Statutory Authorities Act, Chapter 34:01

The various Acts, Regulations, Instructions and Circulars are some of the main tools used by Internal Auditors. The Internal Auditor must be knowledgeable of all aspects in order to interpret and apply them to accounting transactions, verify compliance with the relevant laws and provide advice and recommendations to his Accounting Officer.

The Internal Auditor, in assessing and reviewing the existing internal controls, provides Accounting Officers with an independent assessment of the Department’s internal controls and risk management framework and policies. This promotes reliability of information provided and used in the decision-making process.

Summary to this Section – The legislative framework – specific to Government of the Republic of Trinidad and Tobago provides guidance and assists the internal auditors in their daily function and is MANDATORY as tools to be used in all Internal Audit and Accounting Units in the Public Service.

1.2 THE CHANGING ENVIRONMENT OF INTERNAL AUDITING

The increasing demand for good governance and transparency by the citizenry in the use of taxpayers’ dollars has impacted the way in which organizations conducted their businesses in the past. In order to facilitate this demand for good governance and transparency and in keeping with Government’s mission and vision, the Public Service business processes, communication techniques, and delivery services are continuously being upgraded and transformed.

In this changing environment where the pace of Legislative Reform tends to lag behind, the Internal Auditor is met with challenges in carrying out his responsibilities. In order to cope with these challenges, the Internal Auditor must adopt relevant Standards and Tools from internationally recognized Auditing and Accounting bodies in the conduct of their audits.

In the past the focus of Internal Audit activities within the Public Service was in the areas of compliance, independence, post-auditing and auditing in a manual environment. This traditional approach has continued in audit activities in the current environment. Internal Auditors must now enhance their approach in order to fulfill their audit responsibilities in this continuously evolving environment.

1.2.1 Compliance vs. Risk Management

Presently Internal Auditors are primarily concerned with checking accounting transactions (historical) for compliance with financial laws. Checks are transaction based with a financial focus in accordance with the relevant authorities and adherence to prescribed policies, procedures and systems.

While compliance with relevant authorities, policies and procedures continues to be important, the way in which compliance is currently being carried out must now change to compliance with a risk focus. The Internal Auditor must be able to assess whether the existing controls are adequate and relevant in addressing existing and potential risks which can prevent/delay the organization achieving its objective.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO), an internationally recognized body, gives guidance on monitoring internal control systems. COSO recognizes that risk changes over time and as such internal control systems need to be reassessed for relevance and must address new risks as they emerge.

Ongoing assessment is recommended through the monitoring and evaluation of the organization’s internal control system and should be able to ascertain whether:

- management needs to reconsider the design of the existing controls when risk changes and
- the controls which were designed to reduce risk to an acceptable level continue to operate effectively.

With ongoing assessments and the efficient and effective management of risks through strong internal controls, the organization is able to have:

- more efficient, reliable and cost effective delivery of services to its customers;
- more reliable decisions;
- innovation;
- minimal waste and fraud;
- better value for money through the efficient use of resources;
- improved project and programme management – better outputs and outcomes.

Once risks are mitigated, the organization’s performance will improve and the likelihood of its strategic and current objectives being achieved will increase.

1.2.2 Manual Environment vs. Information Technology Environment

Internal Auditors have traditionally operated in a paper based environment within the Public

Service. Checks for completeness, accuracy and verification of accounting transactions are

carried out against the relevant hard copy documents. A manual system provides an audit trail

which allows the Auditor to trace a transaction from its source to its completion. While manual

processing has its advantages it often operates at a slower pace and is prone to a higher degree

of errors.

Government, in improving its business processes with the aim of promoting the efficiency and

timeliness of its service delivery to its customers is engaged in ongoing development and

implementation of Information Technology (IT) related systems within the Public Service.

Internal Auditors must now be able to identify and assess the controls in this computerized

environment. Auditing software is now available for use by Internal Auditors in the form of

Computer Assisted Auditing Techniques (CAAT). With CAAT tools, an auditor can review,

test and analyze an entire population of data. Areas of testing include testing for compliance with standards, identifying control issues and verifying balances.

With the continuous development in new IT systems and the upgrading of existing ones,

business processes are constantly evolving with IT driven processes. Several accounting and

reporting processes within the Public Service are undergoing changes due to the incorporation of IT applications, either partially or wholly, into these processes.

With the introduction and varying complexity of computerized systems, there exists a

corresponding loss of audit trail. The Internal Auditor must now tailor his audit activities in

order to give assurance on the integrity, accuracy, validity, timeliness and completeness of

outputs derived from such systems. He must assess, for adequacy and relevance, the controls which will mitigate any risk that may prevent or delay the organization in meeting its objectives.

Some areas of risk in an IT environment that the Internal Auditors must consider in relation to

internal controls are:

- Data input

- Controls that are no longer relevant

- Hardware failure

- Threats/viruses

- System failure

- Fraud – human factor

- Resource management – efficient use of

COBiT, Control Objectives for Information and related Technology, is a framework which

addresses IT governance and gives guidance to management, IT professionals and auditors

on strategy and tactics that can best contribute to the achievement of the organization's objectives.

COBiT offers a methodology of recognized and accepted standards and controls that can assist IT professionals in implementing, reviewing, administering and monitoring the various IT processes of the organization. It is a tool that can be used to assist them in linking Information Technology and control practices, and it addresses the needs of IT governance and the integrity of information and information systems.

COBiT can be used by the Internal Auditor to:

- establish and review control baselines and standards

- facilitate and create performance metrics for risk assessments

- develop audit plan

- facilitate the audit

- manage residual risk

- issue control advisory and recommendations to IT groups.

While there is currently no legislation on auditing in an IT environment in the Public Service,

the Treasury advises that the principles with respect to COBiT be incorporated into the design

of their audit work programme. In this regard, the Internal Auditor must consult with the

Treasury Division for guidance on these matters.

1.2.3 Independence - Location vs. Mental Attitude

It is usual for Internal Audit Units within Ministries/Departments to be set up separately from

the Accounting Units for which most of its audit activities are carried out. This was seen to

promote the independence of the Internal Auditor. While independence is encouraged by

separate location, the need for independence must shift to one where it is more a state of mind.

In an era of new accountability and control there is a need for greater transparency and

accountability in the use of public funds.

The Internal Auditor, in meeting his responsibilities, must conduct the audit in line with the organization's objectives for transparency and accountability. This will require the Internal Auditor to develop a sound working relationship with management and relevant staff at all levels. The internal auditor's knowledge and understanding of the organization will assist in building effective relationships and in evaluating and improving the effectiveness of risk management, internal controls and governance processes. Also, an effective and well run audit team will be sought out for services, information and guidance.

The Internal Auditor must analyze the strengths and weaknesses of the organization's internal controls, considering its governance, organizational culture, and related threats and opportunities for improvement which can affect whether the organization is able to achieve its goals.

Internal Auditors may be called upon to advise on controls necessary in the development of

new systems for the organization and may also be involved in the auditing of those systems for

efficiency and effectiveness of the controls in place. In order to maintain independence in these

circumstances, Audit Committees within the Organizations can be set up to review the Audit

Report of the Internal Auditor.

Independence and objectivity continue to be required of the Internal Auditor in the

performance of his duties. He must have an unbiased mental attitude in the performance of his

engagements in such a manner that the quality and integrity of his work is not compromised in

any way.

1.2.4 Post-Auditing vs. Ongoing Audits

The work viewed by the Internal Auditor has been primarily historical in nature. Upon

completion of the transaction process, the Internal Auditor verifies the various accounting

transactions for compliance, accuracy and completeness. Errors and irregularities are often

discovered at this stage. With the emphasis on good governance and transparency this

continued approach to auditing will not mitigate impending risks. Risk-based auditing allows

the Internal Auditor to continuously assess new and emerging risk and to review existing policies and procedures in order to strengthen them where necessary. Reports from ongoing audits

may recommend new controls, where needed, in order to safeguard and use the resources of the

organization in an efficient manner, add value to and improve its operations.

1.3 INTERNATIONAL STANDARDS

Internal Auditing is conducted in a wide range of organizations diverse in their legal and

cultural environment. The complexity, size, structure and purpose are unique to each

organization. While differences may affect the practice of Internal Auditing in any given environment, the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing (Standards) are essential in providing guidelines with respect to the conduct of the audit.

The purpose of the Standards is to:

- Delineate basic principles that represent the practice of internal auditing;

- Provide a framework for performing and promoting a broad range of value-added internal auditing;

- Establish the basis for the evaluation of internal audit performance;

- Foster improved organizational processes and operations.

1.3.1 International Best Practice

The Institute of Internal Auditors (IIA) - Internal Auditing Standards

The Institute of Internal Auditors (IIA) is an international organization of internal auditing

professionals which sets guidance for Internal Auditors. Developed under the IIA is the

International Professional Practices Framework (IPPF) and its scope has been narrowed to

include only authoritative guidance which is categorized under the following two areas:

1. Mandatory:

i. The Definition of Internal Auditing (defined in the Introduction on page iii);

ii. The International Standards for the Professional Practice of Internal Auditing; and

iii. The Code of Ethics.

2. Strongly Recommended:

i. Position Papers;

ii. Practice Advisories; and

iii. Practice Guides.

The Standards addressed under the International Professional Practices Framework are as

follows:

- Attribute Standards

- Performance Standards

- Practice Advisories to the Standards

- Assumption of Non-Audit Duties

- Assurance

- Board and Senior Management Reporting

- Chief Audit Executive Responsibilities

- Compliance with Standards

- Consulting

- Disclosures

- Engagement Communication

- Engagement Performance

- Engagement Planning and Scope

- Engagement Work papers

- Governance

- Independence & Objectivity

- Internal Control

- Outsourcing or Co-sourcing

- Proficiency and Due care

- Quality Assurance and improvement Program

- Resource Management

- Risk-based Planning

- Risk management and Assessment

1.3.2 The Code of Ethics

The Code of Ethics of the Institute of Internal Auditors (IIA) comprises principles relevant to the profession and practice of internal auditing, and the Rules of Conduct that describe behavior expected of internal auditors. The Code of Ethics applies to both individuals and entities that

provide internal audit services. The purpose of the Code of Ethics is to promote an ethical

culture in the global profession of internal auditing.

Although it is not mandatory for Internal Auditors within the Public Service and State enterprises to be members of the IIA, registered members in the Public Service are governed by the Code of Ethics, which includes Principles that are relevant to the profession and practice of internal auditing and the Rules of Conduct which are intended to guide the ethical conduct of internal auditors.

Founded on the trust placed in its objective assurance with respect to Governance, Risk

Management and Control, the Code of Ethics is appropriate and necessary in the Internal

Auditing profession.

1.3.2.1 Code of Ethics – Principles

Internal auditors are expected to apply and uphold the following principles:

i. Integrity

The integrity of internal auditors establishes trust and thus provides the basis

for reliance on their judgment.

ii. Objectivity

Internal auditors exhibit the highest level of professional objectivity in

gathering, evaluating, and communicating information about the activity or

process being examined. Internal auditors make a balanced assessment of

all the relevant circumstances and are not unduly influenced by their own

interests or by others in forming judgments.

iii. Confidentiality

Internal auditors respect the value and ownership of information they

receive and do not disclose information without appropriate authority

unless there is a legal or professional obligation to do so.

iv. Competency

Internal auditors apply the knowledge, skills, and experience needed in the

performance of internal audit services.

1.3.2.2 Rules of Conduct

i. Integrity

In demonstrating integrity, Internal auditors shall:

- Perform their work with honesty, diligence, and responsibility;

- Observe the law and make disclosures expected by the law and the profession;

- Not knowingly be a party to any illegal activity, or engage in acts that are discreditable to the profession of internal auditing or to the organization;

- Respect and contribute to the legitimate and ethical objectives of the organization.

ii. Objectivity

Internal auditors shall:

- Not participate in any activity or relationship that may impair or be presumed to impair their unbiased assessment. This participation includes those activities or relationships that may be in conflict with the interests of the organization;

- Not accept anything that may impair or be presumed to impair their professional judgment;

- Disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under review.

iii. Confidentiality

Internal auditors shall:

- Be prudent in the use and protection of information acquired in the course of their duties;

- Not use information for any personal gain or in any manner that would be contrary to the law or detrimental to the legitimate and ethical objectives of the organization.

iv. Competency

Internal auditors shall:

- Engage only in those services for which they have the necessary knowledge, skills, and experience;

- Perform internal audit services in accordance with the International Standards for the Professional Practice of Internal Auditing;

- Continually improve their proficiency and the effectiveness and quality of their services.

Refer to Appendix 1.3.2A for the full list of the Code of Ethics.

1.3.3 International Auditing Standards

For more specific guidance, users of this manual should refer to Appendix 1.3.3A for the full

list of the relevant Standards. Where an appropriate standard was not developed to address an

area within the public sector environment, the Treasury Division will advise on the controls

to be used.

Refer to appendix 1.3.3A for relevant standards.

1.4 THE COMMITTEE OF SPONSORING ORGANIZATIONS (COSO) – TREADWAY COMMISSION

In 1992, five U.S. accounting and finance professional groups, in an alliance known as the

Committee of Sponsoring Organizations of the Treadway Commission (COSO) introduced the

Internal Control – Integrated Framework (the COSO Framework), a comprehensive report on

internal controls.

The motivation for the COSO report was the concern about the lack of uniform internal control

standards in organizations. The COSO framework is meant for managers and auditors to use in

developing and evaluating internal control systems.

Included within the COSO framework are five interrelated and equally important components

of internal control (Figure 1). The components are:

- control environment;

- risk assessment;

- control activities;

- information and communication; and

- monitoring.

These are detailed in the ensuing sub-sections.

Figure 1: The COSO Internal Control Integrated Framework

1.4.1 Control Environment

An organization's control objective is its "tone at the top". This is the attitude of management towards internal controls. Is the organization control conscious, or is it relatively indifferent to internal controls? The components of the control environment are as follows:

1. Integrity and Ethical Values - sound integrity and ethical values, particularly of top

management, are developed and understood and set the standard of conduct for

financial reporting.

2. Management - management understands and exercises oversight responsibility related

to financial reporting and related internal control.

3. Management's Philosophy and Operating Style - Management's philosophy and operating style support achieving effective internal control over financial reporting.

4. Organizational Structure - the Company's organizational structure supports effective internal control over financial reporting.

5. Financial Reporting Competencies - the Company retains individuals competent in

financial reporting and related oversight roles.

6. Authority and Responsibility - Management and employees are assigned appropriate

levels of authority and responsibility to facilitate effective internal control over

financial reporting.

7. Human Resources - Human resource policies and practices are designed and

implemented to facilitate effective internal control over financial reporting.

1.4.2 Risk assessment

The COSO report recognizes risk assessment as an important component of internal control. The enterprise's risk framework will provide the organization with guidance in developing plans to identify, measure, evaluate, and respond to risk. In assessing risk, internal auditors should consider the different types of risk as follows:

- Financial Reporting Risks - the Company identifies and analyzes risks to the achievement of financial reporting objectives as a basis for determining how the risks should be managed.

- Fraud Risk - the potential for material misstatement due to fraud is explicitly considered in assessing risks to the achievement of financial reporting objectives.

1.4.3 Control activities

Control Activities are specific internal control procedures and policies. Examples are

authorizations, approvals, passwords, and segregation of duties. These are the heart of

internal controls. The activities are as follows:

1. Integration with Risk Assessment - Actions are taken to address risks to the

achievement of financial reporting objectives.

2. Selection and Development of Control Activities - Control activities are selected and

developed considering their cost and potential effectiveness in mitigating risks to the

achievement of financial reporting objectives.

3. Policies and Procedures - Policies related to reliable financial reporting are

established and communicated throughout the company, with corresponding

procedures resulting in management directives being carried out.

4. Information Technology - Information technology controls, where applicable, are

designed and implemented to support the achievement of financial reporting

objectives.

1.4.4 Information and Communication

Information and communication refers to the need for the organization to ensure that it

obtains and communicates the information needed to carry out management strategies and

objectives. The information may be internal or external to the organization. That is,

management must communicate internal control policies and procedures across the

organization, and to related parties outside the organization.

Types of information/communication are as follows:

1. Financial Reporting Information - Pertinent information is identified, captured, used at

all levels of the company, and distributed in a form and within a timeframe that

supports the achievement of financial reporting objectives.

2. Internal Control Information - Information needed to facilitate the functioning of other

control components is identified, captured, used and distributed in a form and within a

timeframe that enables personnel to carry out their internal control responsibilities.

3. Internal Communication - Communications enable and support understanding and

execution of internal control objectives, processes and individual responsibilities at all

levels of the organization.

4. External Communication - Matters affecting the achievement of financial reporting

objectives are communicated to outside parties.

1.4.5 Monitoring

COSO calls for continuous monitoring of an internal control system. This may be

accomplished by regular audits and evaluation, as well as by constant attention to

internal controls. Monitoring consists of:

1. Ongoing Monitoring and Separate Evaluations - Ongoing monitoring and/or separate

evaluations enable management to determine whether the other components of internal

control over financial reporting continue to function over time.

2. Reporting Deficiencies - Internal control deficiencies are identified and communicated

in a timely manner to those parties responsible for taking corrective action, and to

management and the Board as appropriate.

Four of the components of the COSO framework relate to the design and operation of the

system of internal control. These are:

- control environment;

- risk assessment;

- control activities;

- information and communication.

The fifth component, monitoring, is designed to ensure that internal control continues to

operate effectively.

The framework is designed to assist businesses and other organizations in assessing and

enhancing their internal control systems. It provides a set of 20 basic principles drawn

directly from the five components mentioned above.

The following is a diagrammatic representation by COSO of a monitoring design and

implementation progression of an internal control system:-

This framework has since been incorporated into policies, rules and regulations, and has been

used by thousands of organisations to better control their activities in moving towards

achievement of their established objectives.

1.5 CRITERIA OF CONTROL COMMITTEE (COCO)

The Canadian Criteria of Control Committee (CoCo) was an initiative of the Canadian Institute

of Chartered Accountants to strengthen control and governance. According to CoCo the

essence of control in any organization is a combination of the organization's purpose, commitment, capability, and monitoring and learning.

In CoCo, control entails all the elements of an organization which, taken together, support people in the achievement of the organization's objectives.

The elements include:

- resources

- systems

- processes

- culture

- structure and

- tasks

SUMMARY:

While it is management's responsibility to ensure that the organisation has a strong system of

internal controls, the Internal Auditor plays an important role in evaluating the effectiveness of

the internal control system and contributes to its ongoing effectiveness by significantly

monitoring internal controls in the organisation. Internal Auditors as well as the management

team can use the above framework as part of the process of improving the effectiveness and

efficiency of their internal control systems.

In order to have assurance that the controls are adequate, the Internal Auditor in the Public

Service can incorporate the above principles into their work programme. In so doing, they must

do the following:

i. Understand the organization's risks and prioritize in accordance with its objectives. This process can influence management decisions regarding the type, timing and extent of monitoring in relation to its internal controls.

ii. Identify the controls which will address the existing and potential risk. With the prioritization of risks, key controls can be identified within the organization's internal control system. With key controls identified, monitoring resources of the organization can be allocated where they can provide the most value.

iii. Identify information which will indicate persuasively whether the controls selected are operating effectively. This information is used by evaluators of the internal control system in order to support a conclusion on whether or not the system is operating effectively.

iv. Develop and implement cost effective procedures in order to evaluate persuasive information supporting the conclusion that the internal control system is operating effectively. Ongoing assessment of the monitoring procedures and/or evaluating and analyzing information supporting conclusions on the effectiveness of the internal controls can manage or mitigate identified risks.

1.6 COBIT – CONTROL OBJECTIVES FOR INFORMATION AND RELATED TECHNOLOGY

1.6.1 What is COBIT

With the increasing reliance on Information Technology in business processes within

organizations, Managers need assurance that the information used satisfies business objectives.

Information must have and conform to characteristics which include Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, and Reliability. This is critical in influencing decisions made by managers and is useful for the organization's business processes with the aim of achieving its objectives.

As a result of this increasing reliance on IT, standards governing the IT processes adopted by managers became necessary. The institute of IT Governance, established under the

Information Systems Audit and Control Association (ISACA) created the Control Objectives

for Information and Related Technology (CobiT).

CobiT, a tool primarily designed for use by Auditors, has evolved into a management resource due to the increasing need for IT governance in addressing current and future risks. It provides management with a foundation upon which IT related decisions and investments can be based and assists them in understanding their IT systems. It also assists managers in deciding on the level of security and controls necessary to protect the organization's assets through the development of an IT governance model. It includes internal and external stakeholders who provide IT services and who have a control/risk responsibility.

The CobiT framework is based on the principle that the enterprise needs information for

decision making and therefore –

- requires information to achieve its objectives,

- needs information to invest in its IT resources and

- needs information to manage and control its IT resources.

This is best illustrated in the following diagram

1.6.2 Benefits of implementing CobiT

The benefits of using CobiT as a governance framework over IT include:

- Better alignment, based on a business focus

- A view, understandable to management, of what IT does

- Clear ownership and responsibilities, based on process orientation

- General acceptability with third parties and regulators

- Shared understanding amongst all stakeholders, based on a common language

The use of COBIT as a tool must not be interpreted as any of the following and is therefore

not:

- Audit Software

- An IT audit plan

- An IT Internal Audit work program

- An IT Audit testing plan

- Guide on how to Audit IT

The CobiT framework helps identify risks and the controls which have an impact on the organization. It is divided into four distinct groups or domains which address these risks and controls. Within each of these groups, guidelines are provided to analyze and understand internal controls in the organization's IT resources. It provides its users with a set of generally accepted measures, indicators, processes and best practices to assist them in analyzing and evaluating IT governance. With the use of CobiT, Auditors are able to identify and assess IT controls within the company's IT environment and to provide advice to management on these matters. It also assists them in corroborating their audit findings and in substantiating their opinions.

[Diagram: the CobiT principle. Business Requirements drive the investments in IT Resources that are used by IT Processes to deliver Enterprise Information, which responds to Business Requirements.]

1.6.3 COBIT Structure - Process Oriented

CobiT defines IT activities in a generic process model within the following four domains:

- Plan and Organize - provides direction to solution delivery and service delivery.

- Acquire and Implement - provides the solutions and passes them to be turned into services.

- Deliver and Support - receives the solutions and makes them usable for end users.

- Monitor and Evaluate - monitors.

This model guides managers in tailoring the process model necessary for the organization. This

enables responsibilities and accountability to be defined. To govern IT effectively, it is

important to appreciate the activities and risks within IT that need to be managed.

The following diagram represents the four interrelated Domains of COBIT

(a) Plan and Organize

The Plan and Organize domain covers the use of Information & Technology and how best it can be used in a company to help achieve the company's goals and objectives. It also highlights the organizational and infrastructural form IT is to take in order to achieve the optimal results and to generate the most benefits from the use of IT. This domain also covers the organization's strategy and tactics. The realization of the strategic vision needs to be planned, communicated and managed for different perspectives. A proper organizational as well as technological infrastructure should be put in place.

The Plan and Organize domain typically addresses the following management questions:

- Are IT and the business strategy aligned?

- Is the enterprise achieving optimum use of its resources?

- Does everyone in the organisation understand the IT objectives?

- Are IT risks understood and are they being managed?

- Is the quality of IT systems appropriate for business needs?

[Diagram: the four interrelated domains of COBIT: Plan and Organise, Acquire and Implement, Deliver and Support, Monitor and Evaluate.]

(b) Acquire and Implement

The Acquire and Implement domain covers identifying IT requirements, acquiring the technology, and implementing it within the company's current business processes. This domain

also addresses the development of a maintenance plan that a company should adopt in order to

prolong the life of an IT system and its components. Changes in and maintenance of existing

systems are covered by this domain to ensure that the solutions continue to meet business

objectives.

The Acquire and Implement domain addresses the following management questions:

- Are new projects likely to deliver solutions that meet business needs?

- Are new projects likely to be delivered on time and within budget?

- Will the new systems work properly when implemented?

- Will changes be made without upsetting current business operations?

(c) Deliver and Support

The Deliver and Support domain focuses on the delivery aspects of the information

technology. It covers areas such as the execution of the applications within the IT system and

its results as well as the support processes that enable the effective and efficient execution of

these IT systems. These support processes include service delivery, management of security

and continuity, service support for users, training, and management of data and operational

facilities.

The Deliver and Support domain addresses the following management questions:

- Are IT services being delivered in line with business priorities?

- Are IT costs optimised?

- Is the workforce able to use the IT systems productively and safely?

- Are adequate controls for confidentiality, integrity and availability of information in place for information security?

(d) Monitor and Evaluate

The Monitor and Evaluate domain addresses a company's strategy in assessing the needs of the

company and whether or not the current system still meets the objectives for which it was

designed and the controls necessary to comply with regulatory requirements and governance. It

covers the independent assessment by auditors of the effectiveness of the IT System in its

ability to meet business objectives.

The Monitor and Evaluate domain addresses the following management questions:

- Is IT performance measured to detect problems before it is too late?

- Does management ensure that internal controls are effective and efficient?

- Can IT performance be linked back to business goals?

- Are adequate controls for confidentiality, integrity and availability of information in place for information security?

1.6.3.1 How does CobiT Work?

Contained under the four groups or domains of the CobiT framework are 34 high level control

objectives. Each of these high level control objectives contains several detailed control

objectives. Each of the 34 IT processes can be broken down into the following steps:

- Process Description

- Control Objectives

- Management Guidelines

- Maturity Model

1.6.3.2 Control Based

Control is defined as the policies, procedures, practices and organizational structures designed

to provide reasonable assurance that business objectives will be achieved and undesired events

will be prevented or detected and corrected.

IT control objectives provide a complete set of high-level requirements to be considered by

management for effective control of each IT process.

1.6.3.3 Use of COBIT by the Internal Auditors

COBIT can be used by the Internal Auditor in the following ways:

- Assisting in the development of the audit plan.

- Facilitating and creating performance metrics for Risk Assessments for managers.

- Facilitating the audit.

- Managing Residual Risk in the organisation.

- Issuing effective controls advisory in order to reduce risk and making recommendations to the IT Department for improved efficiency.

While CobiT targets control issues, it is not a replacement for the COSO internal control

framework (which focuses on internal controls in a manual environment) but addresses the

internal controls in today's Information Technology environment.

The Treasury Division advises that the principles with regard to the processes of CobiT can be

found in the CobiT 4.1 booklet which will be accessed through the Treasury Division. In this

regard, the Internal Auditor can consult with the Treasury Division for guidance.

SUMMARY:-

CobiT is an internationally accepted controls-based framework for IT governance that was first

released by ISACA in 1996. The framework provides guidance to an organisation on how to

use IT resources (i.e. applications, information, infrastructure and people) to manage IT

domains, processes and activities to respond to business requirements (i.e. compliance,

effectiveness, efficiency, confidentiality, integrity, availability and reliability). Well-governed

IT practices can assist businesses in complying with laws, regulations and contractual

arrangements.


1.7 REPORTING RELATIONSHIPS

1.7.1 The Parliament of Trinidad and Tobago

Chapter 4, Section 39 of the Constitution of the Republic of Trinidad and Tobago makes

provision for the establishment of the Parliament and states ‘There shall be a Parliament of

Trinidad and Tobago which shall consist of the President, the Senate and the House of

Representatives’.

The Minister of Finance reports to Parliament on the Public Accounts of the Republic of

Trinidad and Tobago. The Minister in pursuance of his statutory obligation also lays and

presents in the House of Representatives, the Budget Speech and the Appropriation Bill.

The Budget Speech is presented and the Appropriation Bill is debated and passed in the House

of Representatives. The Bill is then brought before the Senate where it is also debated and

passed after which it is forwarded to the President of the Republic of Trinidad and Tobago for

his assent. It then becomes the Appropriation Act for the particular year.

1.7.2 The Minister of Finance

(a) Control and Management of Public Finance

The Minister of Finance under Chapter 8, Section 113 (1) and (2) of the Constitution of the

Republic of Trinidad and Tobago and the provisions of the Exchequer and Audit Act Chapter

69:01 is responsible for the management of the Consolidated Fund and the supervision, control

and direction of all matters in relation to the financial affairs of the state which are not by law

assigned to any other Minister.

(b) Authorization of Expenditure from the Consolidated Fund

Chapter 8, Section 113 (1) and (2) of the Constitution states:

(1) “The Minister responsible for finance causes to be prepared and laid before the

House of Representatives before or not later than thirty days after the

commencement of each financial year, estimates of the revenues and

expenditure of Trinidad and Tobago for that year.”

(2) “The heads of expenditure contained in the estimates, other than expenditure

charged upon the Consolidated Fund by this Constitution or any Act, shall be

included in a Bill, to be known as an Appropriation Bill, providing for the

issue from the Consolidated Fund of the sums necessary to meet that

expenditure and the appropriation of those sums for the purposes specified

therein.”

After the Appropriation Act has been passed by Parliament (see 1.7.1 above) a General

Warrant is issued by the Minister of Finance to the Comptroller of Accounts authorizing him to

make withdrawals from the Consolidated Fund within the limits approved under the Act and in

accordance with Treasury directives.


Further, if within any financial year it is found that the sum appropriated may be insufficient,

or that there is need to expend on an item for which no appropriation was made, or that

money may have been over-expended on an appropriated item, a supplementary estimate,

showing the sum required or spent shall be laid before the House of Representatives and the

heads of any such expenditure shall be included in a Supplementary Appropriation Bill.

If the Appropriation Act in respect of any financial year does not come into operation by the

beginning of that financial year, the Minister of Finance may authorize the withdrawal of

moneys from the Consolidated Fund to meet the expenditure necessary to carry on the

services of the Government, until the expiration of thirty (30) days from the beginning of that

financial year or the coming into operation of the Act, whichever is the earlier.

Parliament may also provide for the establishment of a Contingencies Fund, and for

authorizing the Minister of Finance to make advances from that Fund, if he is satisfied that

there has arisen an urgent and unforeseen need for expenditure for which no other provision

exists.

1.7.3 The Accounting Officer

An Accounting Officer is defined in Section 2 Part 1 of the Exchequer and Audit Act Chapter

69:01 as:

‘any person appointed by the Treasury and charged with the duty of

accounting for any service in respect of which moneys have been

appropriated by the Constitution or by Parliament, or any person to whom

issues are made from the Exchequer Account.’

The duties and responsibilities of the Accounting Officer are as follows:

An accounting officer shall be appointed by a letter addressed personally to him by the

Treasury setting out in detail his duties and responsibilities.

An accounting officer shall be responsible for ensuring –

a) that the financial business of the State for which he is responsible is properly

conducted; and

b) that public funds entrusted to his care are properly safe-guarded and are applied

only to the purposes intended by Parliament.

All accounting officers are personally and pecuniarily responsible for –

c) the due performance of the financial duties of their departments;

d) the proper collection and custody of all public moneys receivable by them; and

e) for any accounts rendered by them or under their authority.

It is the duty of an accounting officer to –

a) ensure that the proper system of accounting as prescribed by the

Treasury is established and maintained.

To assist Accounting Officers in the efficient execution of their duties, the Internal Auditor is

provided as a management aid and reports directly to them. Prevention and detection of fraud

is management’s responsibility and the Internal Auditor must be alert to risks and exposures

that could allow for fraud.


The Internal Auditor’s responsibility is therefore to the Accounting Officer. The scope of work

undertaken by the Internal Auditor is determined by his Accounting Officer to whom he is

responsible. The Audit Work programme of the Internal Auditor must be approved by the

Accounting Officer; consequently, the Accounting Officer can limit or expand the extent of the

Audit Work programme.

The Accounting Officer shall be answerable to the Public Accounts Committee and is required

to attend Public Accounts Committee (PAC) meetings on any matter relating to the formal

regularity and propriety of accounts of all the expenditure out of the votes for which he is

responsible.

The Accounting Officer reports to the Minister of Finance on any irregularity connected with

the public accounts that may have been discovered.

1.7.4 The Treasury Division

In accordance with Section (2) Part I of the Exchequer and Audit Act Chapter 69:01:

“Treasury means the Minister, and includes such officer or officers in the Ministry of Finance

as may be deputed by the Minister to exercise powers and to perform duties under this act.”

The Minister of Finance is responsible for the control and management of the financial affairs

of the State. One of the core agencies through which this is accomplished is the Treasury

Division.

The Comptroller of Accounts is the Head of the Treasury Division as deputed by the Minister

of Finance and is charged with the responsibility of superintending the expenditure of public

moneys and ensuring that proper arrangements for accounting to the House of Representatives

are made.

Responsibilities

The core responsibilities of the Treasury Division are as follows:

to provide financial management and accounting services to Ministries and

Departments;

to produce the consolidated accounts of the Republic of Trinidad and Tobago;

to administer superannuation and/or terminal benefits to retired public

officers/beneficiaries;

to ensure that the appropriation accounts of the Republic of Trinidad and

Tobago are laid in Parliament on a timely basis.

To facilitate these operations the Treasury Division is divided into three broad functional areas

as follows:-

i. Financial Management;

ii. Treasury Management; and

iii. Pensions Management.


In the execution of its responsibilities for the management of the financial affairs of the State,

the Treasury Division develops, implements and monitors financial management and

accounting systems throughout the Public Service. In addition, the Division is also responsible

for ensuring that the internal audit operates effectively. The Comptroller of Accounts is the

Head of the Treasury Division as deputed by the Minister of Finance and is charged with the

responsibility of superintending the expenditure of public moneys so as to ensure that proper

arrangements for accounting to the House of Representatives are made.

1.7.5 The Auditor General’s Department

The Auditor General is appointed by the President after consultation with the Prime Minister

and The Leader of the Opposition. The office of the Auditor General is a public office, its staff

are public officers appointed in accordance with section 117 of the Constitution of the

Republic of Trinidad and Tobago. As stated in the Constitution the Auditor General, in the

exercise of his/her functions shall not be subject to the direction or control of any other person

or authority. This independence is necessary for an unbiased opinion on the accounts

examined.

The Auditor General reports annually to the Speaker, the President of the Senate and the

Minister of Finance on the Public Accounts of the Republic of Trinidad and Tobago.

In accordance with Section 25 (1) of the Exchequer and Audit Act, the Auditor General is

required to audit the accounts of Ministries, Departments and other Government Agencies to

ensure that expenditure was carried out in accordance with the Appropriation Act. The

Appropriation Accounts together with the Auditor General’s Report must be submitted to the

Speaker of the House of Representatives, the President of the Senate and the Minister of

Finance by April 30th.

On receipt of such reports, the Speaker and the President of the Senate

are obliged to lay such reports before the respective houses of Parliament at the first sitting

after receipt thereof. It is then referred to the Public Accounts Committee for examination.

The Internal Auditors have an independent appraisal function within the

Ministries/Departments and are answerable to their Accounting Officer while the Auditor

General has a statutory responsibility to express an independent opinion to Parliament on the

financial statements and stewardship of Ministries and Departments whose budgets have been

funded by the Annual Appropriation Act of Parliament.

The Auditor General has the authority to appraise the effectiveness of the internal audit

function and may report her findings to Parliament.

The relationship between the Auditor General’s Department and the Internal Audit Unit is one

where the Auditor General examines the work of the Internal Auditor by reviewing their

quarterly and annual work programme to ensure adequate audit coverage of the

Ministries/Departments and public entities, and also assists in minimizing the duplication of

efforts.

Co-operation between the Internal Audit Unit of each Ministry/Department and the Auditor

General’s Office may take place in the following ways:

Shared knowledge of planned audit coverage to minimize the incidence of

overlapping.


Joint reporting by both Auditor General and Internal Auditors at the developmental

stage where changes from manual to computer-based systems are involved.

Exchange of audit reports and management letters.

Common understanding of audit techniques, methods, and terminology.

In addition to auditing Ministries, Statutory Authorities and State Enterprises the Auditor

General is also responsible for approving the Grant of Credits on the Exchequer Account.

1.7.6 The Public Accounts Committee and the Public Accounts Enterprises

Committee

The Constitution of the Republic of Trinidad and Tobago establishes the Public

Accounts Committee (PAC) and the Public Accounts Enterprises Committee

(PAEC).

The PAC is charged with the responsibility of examining the appropriation accounts of moneys

granted by Parliament to meet the public expenditure of Trinidad and Tobago. This Committee

therefore examines the audited accounts of Government Ministries and Departments, paying

close attention to the comments made by the Auditor General which relate to financial

management.

In the performance of its work, the PAC calls to account many Permanent Secretaries and

Heads of Government Departments and has been instrumental in the establishment of a more

responsive attitude on the part of Administrative Heads of Government Ministries/Departments

to the advice and requirements of the Auditor General’s Department.

The PAEC was established as a result of the growth of the public sector. Since the early 1970s

there has been an increase in the number of Statutory Corporations and State Enterprises

covering a wide range of industrial and other economic activities. Consequently, it was

considered that since parliamentary control was too remote and not continuous, a mechanism

should be created for Parliament to keep an effective watch over public sector projects in

which millions of taxpayers’ dollars had been invested.

The PAEC examines the reports and accounts of the public undertakings and determines

whether the affairs of these institutions are being managed in accordance with sound business

principles and prudent commercial practices.

The work of both the PAC and PAEC is facilitated by the assistance of personnel from the

Offices of the Comptroller of Accounts as well as the Auditor General whose audited reports of

Government Ministries and Departments and public sector enterprises form the basis of the

scrutiny exercised by these Committees.


CHAPTER 2

The Governance Structure of the Public Service-Legal Environment

Corporate Governance refers to the process by which organizations are directed, controlled and

held to account, and is underpinned by the principles of openness, integrity and accountability.

Governance is concerned with structures and processes for decision-making, accountability,

control and behavior at the top of organizations.

The Public Service plays a major role in society, and effective governance in the Public Service

can encourage the efficient use of resources, strengthen accountability for the stewardship of

those resources, improve management and service delivery, and thereby contribute to improving

people’s lives. Effective governance helps to build confidence in public service entities which is

necessary if public service entities are to be effective in meeting their objectives.

The proper conduct of public service business requires a framework which must include

effective systems of control and accountability, and above all responsible attitudes on the part of

those handling public money.

The Governance Structure in the Public Service is outlined below.


[Figure: THE GOVERNANCE STRUCTURE OF THE PUBLIC SERVICE (organisation chart; prepared by: MM, Monday, July 04, 2011). Labels shown in the chart: PARLIAMENT (Legislative); CABINET (Executive); AUDITOR GENERAL (Report on Public Accounts); MINISTER OF FINANCE; LINE MINISTER; Budgetary Releases and Accounting Officers Letters; CPO (Terms & Conditions of Employment; Civil Service Act No. 29 of 1965); SERVICE COMMISSIONS (Recruitment, Appointment and Disciplinary Control; Constitution Sections 120, 122, 124, 110); CTB (Procurement and Disposals; Act No. 22 of 1961); LEGAL ENVIRONMENT (Constitution; Exchequer and Audit Act and the Financial Regulations; Civil Service Regulations; Judicial Review); INDEPENDENT BODIES; TREASURY DIVISION (Financial and Accounting Advice); ACCOUNTING OFFICER.]

2.1 The purpose of this chapter is to provide an overview of the Governance Structure in

the Public Service.

Governance Structure of The Public Service - Legal Environment

An important part of the framework of Public Service governance is the legislative framework within which the laws of Trinidad and Tobago, rules, regulations and policies are made and adhered to. This legal framework gives the public service a certain amount of predictability in that citizens have a common understanding of what measures can be applied to government policy.

The Legislative Framework that governs the Public Service comprises the following:

i) The Constitution of the Republic of Trinidad and Tobago;
ii) Exchequer and Audit Act Chapter 69:01;
iii) Financial Regulations to the Exchequer and Audit Act;
iv) The Financial Instructions 1965;
v) Ministry of Finance and Comptroller of Accounts Circulars;
vi) Manual of the Terms and Conditions of Employment;
vii) Chief Personnel Officer Circulars;
viii) Commissions and Relevant Acts;
ix) Civil Service Act Chapter 23:01;
x) Civil Service Regulations;
xi) Civil Service (External Affairs) Regulations;
xii) Public Service Commission Regulation, 1966.

As the legislative framework is provided for in the Constitution, other issues like accountability follow closely. Accountability deals with the criteria used:

- to assess performance - productivity, i.e. financial, economic etc.;
- to hold public officials responsible for their actions;
- to assess the system of control that determines how money is spent and for what purpose.

It also deals with the process by which private persons seek redress for actions and decisions of government, public officials and institutions.

With responsibility comes accountability and accountability laws are enshrined in the Constitution of the Republic of Trinidad and Tobago in the Exchequer and Audit Act, Chapter 69:01. Outlined in the Act is the mandate given to the Office of the Auditor General to audit “the public accounts…of all officers, courts and authorities of Trinidad and Tobago.” It also gives “the Auditor General or any person authorized by him…access to all books, records, returns and other documents relating to those accounts.”

The Integrity Commission and the Office of the Ombudsman also call public officials to account for their actions. For example the Integrity in Public Life Act (Amendment 2010) seeks “to make provisions for the prevention of corruption of persons in public life by providing for public disclosure”. The Act also seeks to regulate the conduct of persons exercising public functions and to preserve and promote the integrity of public officials and institutions. The Office of the Ombudsman assists members of the public who feel aggrieved by the actions of entities in the public service.

The availability of information on government, public officials and institutions also contributes to another facet of governance in the Public Service. Public sector companies such as state enterprises are required by law to provide published public reports on their operations. Even if the reports are not published the public has the right to access such information.

The Freedom of Information Act of 1999 “give members of the public a general right (with exceptions) of access to official documents of public authorities and for matters related hitherto”. The Act is the legal mechanism for the prevention of corruption. It has been argued that the Act helps to reduce corruption among public officials.

The national Chapter of Transparency International monitors activities in the public service. It is a non-governmental organization registered under the Companies Act of 1999 and controlled by a board of directors. Its objective is to reduce corruption and foster good governance by raising awareness, stimulating action and contributing to the reform of systems, institutions and laws.

The Treasury is empowered by the Exchequer and Audit Act 20 of 1959, Chapter 69:01 to oversee and monitor the operations of all Government entities such as Ministries, Departments, Agencies etc. Part II 4. (1)-(3) of this Act states the powers of the Treasury as follows:

(1) “All persons concerned in the collection, receipt, custody and payment or issue of public moneys, stores, stamps, securities or other state property shall obey all such instructions as they may from time to time receive from the Treasury in respect of public moneys, stores, stamps, securities or other state property, or accounting for the same.”

(2) “The Permanent Secretary to the Minister, or any officer in the Treasury authorised by him, shall be entitled to inspect all offices and to have such access to all official books, documents and other records as may be necessary for the exercise of the powers and duties of the Treasury under this Act.”

(3) “The Treasury shall so superintend the expenditure of public moneys as to ensure that proper arrangements for accounting to the House for such expenditure are made.”

2. Parliament (Legislative Arm of Government)

Parliament which is the Legislative arm of Government provides authority for the acquisition and use of financial resources and is responsible for overseeing administration. It is basically responsible for sanctioning the overall public sector financial plan or budget and authorizing the executive to make expenditures (within limit), invest, borrow and administer programs in accordance with any laws that may affect them.

Because it provides financial authority and powers, Parliament has the right and responsibility to hold government and its entities accountable for the management of the financial affairs, the use of resources entrusted to them and the result achieved. In effect, accountability is the obligation to answer for a responsibility that has been conferred. It presumes the existence of at least two parties: one who allocates responsibility and one who accepts it with the undertaking to report upon the manner in which it has been discharged. Therefore, Parliament plays an important role in the overall framework of governance in the public sector.

Parliament needs to exercise control over the expenditure of public monies made available to the Ministers by way of budgets. It usually reviews the annual reports of public service entities, evaluates the standard of their work and makes recommendations, based on the facts contained in the various audit reports by the external auditor and the Minister in question. In the interest of transparency, such hearings need to be public hearings.


3. Cabinet (Executive Arm of Government)

The Constitution provides for a Cabinet under the general direction and control of the Government, collectively responsible to Parliament. The Cabinet has effective control of the nation’s affairs and is headed by the Prime Minister, who is appointed by the President, and such numbers of other Ministers as he may decide to have, of whom one shall be the Attorney General, chosen from among the members of the House of Representatives and the Senators appointed by the President acting in accordance with the advice of the Prime Minister.

The functions of the Cabinet include initiating and deciding on policy, the supreme control of the Government and the Coordination of Government departments.

4. Role and Function of the Minister of Finance

The Minister of Finance is responsible for the management of the Consolidated Fund and the

supervision, control and direction of all matters in relation to the financial affairs of the state

which are not by law assigned to any other Minister. The Minister of Finance issues the

General Warrant to the Comptroller of Accounts authorizing him to make withdrawals from

the Consolidated Fund within the limits approved by the Appropriation Act for the relevant

financial period.

The Minister of Finance also has the power to authorize the withdrawal of moneys from the

Consolidated Fund to meet necessary expenditure to carry on government services if the

Appropriation Act is not operational at the beginning of any financial year. The Minister of

Finance is also authorized by Parliament to withdraw moneys from the Contingency Fund in

cases of urgent and unforeseen need for expenditure. The Accounting Officer is appointed by

the Minister of Finance.

5. Role and Function of Line Ministers

The President acting on the advice of the Prime Minister appoints Cabinet Ministers and may

assign to the Prime Minister or any other Minister responsibility for any business of the

Government including the administration of any Department of Government. A Minister

assigned responsibility for any Department of government exercises general direction and

control over that Department and is answerable to Parliament for that Department’s

activities.

Ministers assist in:

1) the management of financial affairs and resources of the Ministry.

2) developing a budget or financial plan for the Ministry within the overall approved level of expenditure for approval by Cabinet.

They are also responsible for overseeing and monitoring the implementation of the approved budget or financial plan.

6. The Service Commissions

The Accounting Officer is dependent on the Service Commissions for recruitment and

appointment of staff and the disciplinary control of staff.

Four Service Commissions are established under the Constitution of the Republic of Trinidad

and Tobago. These are:

The Public Service Commission (sec.120);


The Teaching Service Commission (sec.122);

The Police Service Commission (sec.124) and

The Judicial and Legal Service Commission (sec.110).

The objective of establishing non-political bodies was for the sole purpose of maintaining

neutral services operating on the basis of merit, free from patronage, discrimination,

nepotism and injustice.

Functions of the Service Commissions

The Service Commissions are vested with the power to appoint persons to hold or to act

in public offices in the relevant services, including the power to make appointments on

promotion and transfer and to confirm appointments and to remove and exercise

disciplinary control over persons holding or acting in offices governed by the respective

Service Commissions. The Service Commissions also act as appellate bodies for officers

who feel aggrieved by any decision of Permanent Secretaries/Accounting Officers or

Heads of Departments or the Commissions themselves.

Responsibilities of the Service Commissions

As the administrative head of the Service Commissions Department, the Director of

Personnel Administration is responsible for the efficient conduct and work of the entire

Department and as such is responsible for:

i) the recruitment of the best possible candidates including government

scholars, for appointment to entry level offices within the various classes of

offices in the Services in keeping with the requirements for such offices and

the principles, procedures and policies laid down by the respective Service

Commissions by regulations or otherwise;

ii) ensuring that the human resource needs at the higher levels of the service

falling under the constitutional responsibility of the various Service

Commissions and the legitimate career goals and expectations of officers are

satisfied; and monitoring the management activities attendant thereto;

iii) assisting the Commissions in fostering a positive discipline among employees

of the public service and ensuring where there are breaches of the code of

conduct that the appropriate procedures are applied; and

iv) provision of support staff for the Examination Board and ensuring that the

Examination Board is properly staffed at all times.

7. The Personnel Department

The Accounting Officer relies on the Personnel Department to provide terms and

conditions of employment for staff attached to his Ministry/Department.

The Personnel Department, headed by the Chief Personnel Officer was established by the

Civil Service Act, No. 29 of 1965 which came into force on August 27, 1966. The duties

and responsibilities of the Department as set out at Section 14(1) of the Act are:


(a) to maintain the classification of the Civil Service and to keep under review the

remuneration payable to civil servants;

(b) to administer the general regulations respecting the Civil Service;

(c) to provide for and establish procedures for consultation and negotiation between the

Personnel Department and an appropriate recognized association/s in respect of:

(i) the classification of offices;

(ii) any grievances;

(iii) remuneration; and

(iv) the terms and conditions of employment.

The Personnel Department is also empowered to perform the same functions for:

the Teaching Service, the Police Service, the Fire Service and the Prison Service.

The clients of the Personnel Department include public officers, officers of Statutory

Authorities and workers as defined by the IRA, who are in the employ of the Government

or the Municipal Corporations.

As a central Human Resource Management Agency, the Personnel Department is involved

in the following:

Formulating policy in areas of Human Resource Management which are not within the

purview of the Service Commission.

Formulating specific public sector policies in areas such as Occupational Safety and

Health, and the development of guidelines for the Public Service on the treatment of

persons afflicted with HIV/AIDS and other life threatening diseases.

Reviewing the legal and regulatory framework for aspects of Human Resource

Management in the Public Service.

Providing advisory and consultative services in the sphere of Human Resource

Management to line agencies.

Facilitating the implementation of specific strategic Human Resource management

initiatives in the Public Service; and

Monitoring and auditing the practice of human resource management in line agencies.

The terms and conditions of employment of persons employed on contract are, by decision

of Cabinet, determined by the Personnel Department.

8. The Central Tenders Board (CTB)

The Central Tenders Board aids the Accounting Officer in the procurement of supplies and

services for his Ministry/Department.

The Central Tenders Board was established by Act No. 22 of 1961 to ensure that the proper

procedures are followed to obtain the most suitable supplies and services from available

sources. The CTB is the main authority-

1. to act for, in the name and on behalf of the Government and the Statutory Bodies to

which the Ordinance applies, in inviting, considering and accepting or rejecting offers for

the supply of articles or for the undertaking of works or any services in connection

therewith, necessary for carrying out the functions of the Government or any of the

Statutory Bodies;


2. to dispose of surplus or any unserviceable articles belonging to the Government or

any of the Statutory Bodies;

3. to perform other functions and duties as the President may by order prescribe from

time to time; and

4. to appoint consultants in connection with any project.

Other bodies such as NIPDEC and all state enterprises have their own procurement Boards.

9. The Treasury Division

The Treasury Division, Ministry of Finance is headed by the Comptroller of Accounts who

is the Chief Accounting Officer of the Public Service and charged with the responsibility

of:

1. superintending the expenditure of public moneys and ensuring that proper

arrangements are in place for accounting to the House of Representatives.

2. providing financial management and accounting services to Ministries and

Departments.

3. producing the Consolidated Accounts of the Republic of Trinidad and Tobago.

4. administering superannuation and/or terminal benefits to retired public

officers/beneficiaries.

5. ensuring that the Appropriation Accounts of the Republic of Trinidad and

Tobago are laid in Parliament on a timely basis.

The Treasury Division is also responsible for submitting recommendations to CTB for the

disposal of unserviceable articles in the Public Service. The Accounting Officer of the

Ministry/Department submits a memorandum to the Comptroller of Accounts, the Head of

the Treasury Division, requesting to dispose of the items and stating the location of the

items. The Treasury Officer would review the relevant documents and would appoint a

Special Board of Survey to inspect the items.

The Board would make recommendations based on the findings such as sell by auction,

repair, transfer and destroy, or other. The Chairman of the Board of Survey would then

forward the documentation to the Comptroller of Accounts who would review the

documents and forward to the Director of Contracts, Central Tenders Board. If the

recommendations made are acceptable to the Director of Contracts the Central Tenders

Board then contacts the Ministry/Department on the final decision. If the

recommendations are not acceptable, the CTB contacts the Treasury Division for further recommendations.

10. The Auditor General

The Auditor General is appointed by the President after consultation with the Prime

Minister and the Leader of the Opposition. As stated in the Constitution the Auditor

General, in the exercise of his/her functions shall not be subject to the direction or control

of any other person or authority. This is necessary in order to have an unbiased opinion on

the accounts examined.

In accordance with Section 25 (1) of the Exchequer and Audit Act, the Auditor General is

required to audit the accounts of Ministries, Departments and other Government Agencies

to ensure expenditure was made in accordance with the Appropriation Act. The Auditor

General reports annually to the Speaker, the President of the Senate and the Minister of

Finance on the Public Accounts. The Auditor General also has the authority to appraise the

effectiveness of the internal audit function in Ministries/Departments and may report the

findings to Parliament. The Accounting Officer has to approach the Auditor General for the

approval of Grant of Credits on the Exchequer Account.

11. Role and Function of the Accounting Officer

The Accounting Officer in the Public Service is usually the Permanent Secretary/Head of

Department of a Ministry/Department.

The Exchequer and Audit Act Chapter 69:01, Part I section 2 describes an Accounting

Officer as follows: “any person appointed by the Treasury and charged with the duty of

accounting for any service in respect of which moneys have been appropriated by the

Constitution or by Parliament, or any person to whom issues are made from the

Exchequer Account;”

An Accounting Officer is responsible for:

(a) ensuring that the financial business of the state for which he is responsible is

properly conducted;

(b) ensuring that public funds entrusted to his care are properly safe-guarded and

are applied only to the purposes intended by Parliament;

(c) the due performance of the financial duties of his department;

(d) the proper collection and custody of all public moneys receivable by him; and

(e) any accounts rendered by him or under his authority.

The duties of an Accounting Officer are detailed in the Financial Regulations to the

Exchequer and Audit Act at Part I Section 8 (a)-(l).

The Accounting Officer is usually responsible for the planning, directing and controlling

of day-to-day operations and for preparing reports that provide an account of his

administration. His responsibilities include directing operations with due regard to

economy and efficiency, maintaining an adequate system of internal control, ensuring

compliance with applicable authorities, selecting and applying appropriate accounting

policies, safeguarding assets, measuring the effectiveness of programs and reporting on

his performance to Parliament.

The Accounting Officer is at the core of the Governance Structure. He is firstly accountable to

the Minister appointed to his Ministry/Department and then to Parliament for the operational

aspects of his Ministry/Department. He may be called to give evidence before the Public

Accounts Committee on the basis of reports by the Auditor General. It is therefore up to the

Accounting Officer to perform his duties within the scope of law. The Accounting Officer is

responsible for the day-to-day running of the office and as head of the department the buck

ultimately stops with him. The relationship between the Minister and the Accounting Officer is

a political/administrative one. The Accounting Officer is responsible for advising the Minister,

implementing the government’s agenda and managing his Department.

The Accounting Officer interacts with numerous Ministries/Departments in the Public Service

in order to fulfill his roles and responsibilities. Some of the major ones as outlined above are:

1. The Service Commissions for recruitment of staff;

2. The Personnel Department for guidelines re remuneration to staff;

3. The Central Tenders Board for Procurement and Disposal of Assets;

4. The Treasury Division for financial and accounting advice;

5. The Auditor General.

CHAPTER 3

MANAGEMENT OF THE INTERNAL AUDIT UNIT

The corporate planning process is outlined in this Chapter, showing Government’s

overall objective and how each Ministry and their respective

Departments/Divisions/Units strategize to meet that objective. Additionally, the

relationship between the corporate plan, the operational plan, and the annual audit plan is

highlighted.

This Chapter also looks at preliminary risk assessment as a part of the planning process

and provides guidelines for the management of human resources within the Internal Audit

Unit.

3.1 THE CORPORATE PLANNING PROCESS

The Internal Audit Unit within a Ministry or Department is required to prepare:

a Corporate Plan

an Operational Plan

an Annual Audit Plan.

In order to do this the Internal Audit Unit needs to be fully aware of its function, how its

operations impact on the areas it serves and how it is integrated into the Ministry’s

strategic policies.

In Government, the planning process is carried out at three levels –

Cabinet

the Ministries

Departments/Divisions/Units.

In order to understand the process, the link between the government’s overall

objective(s), the respective Ministry’s strategic policies and its Departments’, Divisions’

and Units’ strategic objectives are discussed.

3.1.1 Government’s overall Objective & Policies

The Government of Trinidad and Tobago has an overall objective and to achieve this,

several strategic policies are developed. Each Ministry has a major role in the process and

as a result will establish policies, in collaboration with Cabinet, that complement the

overall objective of Government and the Ministry’s portfolio.

The government, in an effort to ensure that adequate attention is given to priority policies,

requires each Ministry to develop three-year Corporate Plans. These plans should

directly relate to the achievement of sector and overall policy outcomes. The corporate

plan is to be updated and rolled forward each year.

3.1.2 The Ministry’s Corporate Plan & Operational Plan

The Ministry’s Corporate (Strategic) Plan is the translation of national development

policies into medium and long term goals and objectives, the adoption of strategies to

achieve these goals, along with the allocation of necessary resources and the

establishment of performance criteria to facilitate monitoring and evaluation.

The Operational Plan provides the details for carrying out the responsibilities and

objectives of the Corporate Plan. This represents the first year of the three-year corporate

plan.

Each Ministry must include all the Heads of Departments, Divisions and Units in the

corporate planning process. The Departments’, Divisions’ or Units’ Corporate and

Operational Plans are “pull downs” of the Ministry’s. For purposes of this section, the

corporate planning process will be looked at in greater detail at the Internal Audit Unit

level.

The Ministry of Finance (Comptroller of Accounts) will be used as an illustration.

The elements of the Ministry’s Corporate & Operational Plan are the same as its

Departments’, Divisions’ and Units’ and the link between both are:

The Ministry’s priority policies and their desired outcomes; and

Its strategic objectives and related outputs.

3.1.3 The Internal Audit Unit Corporate Plan

The Corporate Plan of the Internal Audit Unit is at a micro-level and should have a direct

link to its Ministry’s or Department’s Corporate Plan. The Internal Audit Unit’s

Corporate Plan is of a strategic nature and presents a broad description of what the

Internal Audit Unit hopes to achieve within the three year period. This Corporate Plan

should also be updated and rolled forward.

The Internal Audit Unit Corporate Plan should have the following headings. (They are

the same headings as the Ministry’s Corporate Plan):

The Name of the Unit e.g. Internal Audit Unit

The Vision of the Unit

The Mission of the Unit

The Ministry’s Outcome Indicator (Desired Outcome) to which the Internal Audit

Unit will contribute.

The Priority Policy/ies to which the Internal Audit Unit will contribute.

The Strategic Objective/s to which the Internal Audit Unit will contribute.

The Strategy/ies that the Internal Audit Unit will employ to realise the strategic

objectives.

The Key Output/s of the Internal Audit Unit specific to the strategies that it will

employ.

The Performance Indicators/Targets

These headings are discussed below:

3.1.3.1 Internal Audit Vision and Mission

Vision Statement

The vision statement should give direction to the Internal Audit Unit and be an

expression of how the Unit would like to be perceived.

Mission Statement

The mission statement should outline the purpose for which the Internal Audit Unit

exists. It should also embrace the audit responsibilities relating to the scope of audits

carried out within the Ministry or Department.

Note – Appendix 3.1.3.1.A contains an example of a generic vision statement and

mission statement. Individual units may modify these documents to meet their

particular needs. The Head of the Internal Audit Unit should ensure that the

Permanent Secretary signs off on these statements.

3.1.3.2 Ministry’s Priority Policies, Key Outcome Indicators, And Strategic Objectives

The Internal Audit Unit must identify which of the Ministry’s key outcome indicator(s),

priority policy(ies) and strategic objective(s) it relates to.

In the instance of the Internal Audit Unit of the Ministry of Finance, it can contribute to

the Ministry achieving “cost effective public services”.

Of the five priority policies, the Internal Audit Unit may identify two that it could

adequately contribute to, namely “Improving the overall efficiency of the Ministry of

Finance” and “Increase operational efficiency and reduce waste in the public sector”.

The strategic objectives that the Internal Audit Unit might have a direct impact on are: -

To build an excellent Public Service through harnessing creativity and effective

management of our resources and;

To improve the financial management of public sector investment projects.

Safeguarding Government’s Assets.

3.1.3.3 Strategies

For each strategic objective the Internal Audit Unit will be required to outline the

strategies to be adopted. The strategies should indicate how the Internal Audit Unit would

meet the strategic objective(s).

Some examples are as follows:

Monitor systems and procedures to ensure effectiveness, efficiency and

compliance with regulations.

Provision of timely analyses, appraisals, recommendations and commentaries of

the audit activities to management.

3.1.3.4 Key Output

Once the strategies to achieve the strategic objectives have been identified, the Internal

Audit Unit can determine the key outputs they must deliver. Outputs are the things or

conditions that occur as a result of the Internal Audit Unit employing the strategies.

Some examples are:

Effective Internal Audit Unit

Improved Scope and Performance of Audits

Improved compliance to laws, regulations, policies, standards and instructions.

Effective and efficient systems and procedures.

3.1.4 The Internal Audit Unit Operational Plan

The Internal Audit Unit Operational Plan is the detailed plan of the first year of the Unit’s

Corporate Plan. It highlights the key outputs of the Corporate Plan, the major tasks and

costs associated with these outputs for the twelve-month period.

The format of the Operational Plan includes the following headings:

The Name of the Unit e.g. Internal Audit Unit

The Vision of the Unit

The Mission of the Unit

The Ministry’s Outcome Indicator

The Strategic Objectives

The Key Outputs of the Internal Audit Unit

The Performance Indicators

The Targets

The Major Tasks

Major Tasks

These are the activities that will be carried out to achieve the key outputs specified. Some

examples are:

Prepare an annual audit plan.

Perform value for money, compliance, operational and special audits.

Prepare audit reports and conduct follow-up.

Conduct in-house training.

Conduct cash surveys where necessary.

Conduct Site Inspections.

3.1.5 The Annual Audit Plan

The Annual Audit Plan of the Internal Audit Unit is directly linked to its Operational

Plan. It incorporates some of the major tasks that are to be undertaken by the Unit within

the twelve-month period of the operational plan.

The plan should include, but not be limited to, the activities to be audited, when they will

be audited and the estimated time required. Other factors to be taken into account when

developing the Annual Audit Plan are the scope of the audit planned and the risk

assessment process.

The main steps to develop an Annual Audit Plan are:

Establish goals for the unit.

Identify potential audit areas. This involves selecting the audits that will be

attempted during the course of the year.

Estimate audit time requirement for each potential audit. This involves

calculating audit time available and estimating the audit time requirement for

projected audit work.

Decide priorities and allocate resources. This involves deciding which areas or which

audits will be given most emphasis, and therefore where the resources will be first

allocated.

The allocation of priorities takes into consideration the following factors:

a. Areas of high risk / areas undergoing change

b. Management concerns

c. Significance of the area/impact of the area

d. Likelihood of success

The main components of the Annual Audit Plan are as follows:

List of proposed audits.

Priorities allocated to each of the audits selected. Audits can be ranked using a

scale of 1-5. It is important that the annual audit plan has a key that identifies the

ranking.

Frequency in which the audit will be conducted.

The last date that area was reported.

Budgeted audit days – this gives an estimate of the audit resources in days

required. Actual days to complete the audit can be inserted into the Annual Audit

Plan. This can be used for comparative purposes and assist in future planning.

An indication of the quarter in which the audit will commence.

Personnel expected to be assigned - this highlights the personnel resources

Estimated start and completion dates for each audit selected.

The Annual Audit Plan should be approved and signed off by the Permanent

Secretary.

3.2 RISK ASSESSMENT

The risk assessment process provides a structured means of evaluating information and

applying professional judgment as to the most important areas for audit examination.

A detailed risk assessment is undertaken during the planning phase of the engagement to

confirm that the lines of enquiry and the initial objectives have indeed focused on the

most important risks associated with the program or activity being audited.

The Head of the Internal Audit Unit should conduct a preliminary risk assessment prior to

deciding which audits to include in the Annual Audit Plan and the amount of resources to

apply to each audit area.

The process should be conducted annually to assist in the development of the operational

plan. The risk assessment process is crucial to the development of the operational plan.

The risk assessment process should include:

Identification of auditable activities

Identification of relevant risk factors

Assessment of their relative significance

An assessment of the inherent risk in each potential audit area;

An evaluation of internal controls, to judge the control risk; and

A measure of the materiality: both in terms of the overall amount of resources

involved in the area of audit and the likely resources at risk (through loss, waste

or inefficient use of resources).

3.2.1 Risk Assessment and Professional Judgment

The Head of the Internal Audit Unit may decide to weigh the risk factors to signify their

relative significance. This weighing reflects his/her professional judgment about the

relative impact a factor may have on selecting an activity for audit.

The risk assessment then is a process for assessing and integrating professional judgment

about probable adverse conditions. The assessment process should provide a means of

organizing and integrating professional judgment for selecting the audit assignments for

the year.

3.2.2 Information Sources

Information to assist in the assessment can be gathered from the following sources:

Analyses of financial and operating data

Interviews and discussions with various levels of management

Discussions with the external auditors

Prior year audit files of internal audit and management letters from the external

audit.

Review of applicable laws, regulations and manuals

Review of preliminary survey findings if any

News media

3.2.3 Setting Priorities

The risk assessment process should assist the Internal Auditor to assign priority ratings to

the assignments selected. The Internal Auditor should generally assign higher audit

priorities to activities with higher risks.

Because the environment is always changing, audit priorities that are determined through

the risk assessment process should be reviewed and updated throughout the year as

necessary.

There should be a periodic assessment of the effect of any major changes in the audit

areas selected or related risk factors, which have occurred since the operational plan was

prepared. This assessment will assist the Internal Auditor in making appropriate

adjustments to the Annual Audit Plan.

The Internal Auditor, with the assistance of other members of the Internal Audit Unit,

should be able to make these assessments based on the knowledge and experience already

existing within the unit.

3.3 HUMAN RESOURCE MANAGEMENT

The organisational status of the Internal Audit Unit and the support accorded to it by

Permanent Secretaries, Heads of Departments and Agencies determine the range and

value of the services that Senior Managers will obtain from the Internal Audit Function.

One factor that will affect the perceived value of the Internal Audit Unit is its level of

professionalism and this requires professional staff. The staff must possess a broad

knowledge of audit methods and techniques in order to satisfy the extended reach of

modern internal auditing. The Internal Auditor must therefore consider certain attributes

of professional knowledge, ability, and qualities of character when making personnel

selections.

Each Internal Audit Unit should have an established programme for selecting and

developing the Human Resources of the Unit. The programme should provide for:

Developing written job descriptions for each level of the internal audit staff.

Selecting qualified and competent individuals.

Training and providing continuing educational opportunities for each internal

auditor.

Appraising each internal auditor’s performance at least annually.

Providing counsel to internal auditors on their performance and professional

development.

3.3.1 Training

Training is a means of self-protection and stabilization for the organisation. The loss of

highly qualified personnel can severely affect the audit services provided. Appropriate

training programs can provide assurance that backup personnel are immediately available

or will be within a reasonable period of time.

The head of the Internal Audit should coordinate, and keep under review, the training

requirements of internal auditors. He/she should be responsible for preparing training

profiles that identify the training requirements for different grades of Internal Audit, and

should maintain personal training records for each individual.

The type of training provided will vary, depending on the level of experience of the

internal auditor. Most of the training for the new internal auditor will be on-the-job. This

should be designed to give them experience in the various phases of an audit project and

must be documented in order to ensure that all pertinent matters have been covered. On-

the-job training should be supplemented by giving the auditors the opportunity to attend

seminars given by the relevant auditing institute.

The training program for senior internal auditors should include an opportunity to act in a

supervisory capacity for a period of time. This should go beyond merely sitting in during

vacation periods. The assignment should last long enough to expose him/her to a number

of audit projects and administrative situations.

The individual Internal Audit Units should incorporate into their annual plans, a specific

time allocation for training and development for each auditor at all levels in the

organisation.

If there is a Training Unit in the Ministry/Department that has overall responsibility for

the training of officers, the head of the Internal Audit Unit should liaise with the training

officer to ensure that the training needs of the Unit are met.

See “Guide to Systems Survey” at Appendix

CHAPTER 4

PERFORMANCE OF AUDIT WORK

This Chapter deals specifically with the execution of the audit assignment. It details the

various stages of the audit assignment and includes the standards for working papers and

reports. Planning, in this context is specific to the management of an audit.

4.1 PLANNING THE AUDIT ASSIGNMENT

Planning is the preparatory work that the internal auditor performs prior to conducting the

detailed fieldwork. The planning must be documented and should involve:

Obtaining background information about the activities to be audited

Conducting risk assessment

Establishing audit objectives and scope of work.

Ensuring the subject is auditable.

Determining the resources necessary to perform the audit.

Communicating with all persons who need to be aware of the audit.

(Have a planning meeting with the client.)

Performing a preliminary survey to become familiar with the activities

and controls to be audited, to identify areas of audit emphasis.

Developing the audit program.

Determining how, when, and to whom audit results will be communicated.

4.1.1 Background Information

A review of the background information should be done to determine the impact of the

audit and also to obtain an understanding of the business of the entity.

This understanding can be obtained through the review of key documents, studies and

interviews with management and other personnel.

Some examples of documentation to be reviewed and collected include:

The relevant legislation, regulations and important public statements regarding the

entity/area to be audited.

The corporate plans, budgets and other planning documents;

A list of the main products and services produced and/or regulatory

functions provided;

Any studies, reports or evaluations done on the entity/area;

Financial and performance reports (past years as well as the

current year’s reports to determine trends and conduct other analytical

assessment);

Minutes of senior management committees and/or Board meetings;

Organisational structure, with the major managerial positions, and what the

different parts of the organization are responsible for;

Background material on major assets (such as buildings, vehicles, public utilities,

etc.), substantial expenditures (such as major capital projects) and revenues (areas

of revenue collection);

Past audit reports

Any other material that helps to gain an understanding of the business including

the main resources consumed, the revenues generated, the activities, outputs and

outcomes of the entity that are being considered for inclusion in the audit.

4.1.2 Conducting Risk Assessment

After gaining an understanding of the organization’s operation, the internal auditor

should conduct a risk assessment to determine the audit risk in the execution of his/her

assignment.

Audit risk, which is the risk of arriving at an incorrect conclusion, based on the audit

findings, is broken down into three categories:

Inherent risk -

which is the susceptibility to error or loss unrelated to any internal control system.

Control risk-

which is the risk of error or loss not prevented or detected on a timely basis by the

internal control structure.

Detection risk-

which is the risk of major error or loss going undetected despite controls and audit

effort.

As it relates to inherent risk, the audit should focus on those areas of materiality and

significance. First, the auditor needs to ask what could go wrong and what would be the

likely consequences. If the likelihood of the occurrence is low and the materiality or

significance of the consequence is low, the auditor need not be concerned. Where the

likelihood is high and the significance is high the auditor must be assured that either the

internal controls are strong enough to detect and prevent such occurrences or the audit

coverage is sufficient to detect such occurrences with a high level of assurance.

In relation to control risk, the internal auditor should determine how the controls are

applied, assess their adequacy and identify significant control gaps. He/she should expect

to see stronger controls where the risks are highest and limited controls where the risks

are low.

For example, there should be strong controls in place to ensure contracts involving large

expenditure are well managed: for the selection of the contractor, for drawing up the

contract and for the control of performance under the contract. On the other hand, there

should be minimal effort applied to controlling small items of inventory where the risk of

loss, damage or theft is low.

When dealing with detection risk (which is dependent on the selected audit methodology,

audit scope and extent of substantive testing) the auditor should bear in mind that there is

a trade off between this risk and the cost of audit. Thus the risk assessment process is

particularly important in determining the extent to which the audit will examine the

systems, procedures, practices and transactions that govern matters at the lower end of

the objective and control hierarchy.

The nature, timing, audit scope and extent of the substantive audit procedures should be

determined based on the level of audit risk and assessment of the organization’s inherent

and control risks.

4.1.3 Establishing Audit Objectives and Scope

Defining the audit objectives and scope should be based on the particular audit

assignment and background information gathered.

Audit objectives are broad statements developed by internal auditors that

define the intended audit accomplishments, i.e. what do we hope to achieve?

Audit scope is the activities covered by the internal auditor on the assignment.

The audit objectives along with the audit procedures, which are instructions to carry out

the audit work, help the auditor to establish the scope of the work.

In setting the audit objectives and the scope of work to be covered the conclusions drawn

from the risk assessment completed at the beginning of the year should be reviewed as

the audit objectives established and the procedures developed should address the risk(s)

that appear to be associated with the particular area.

The scope of the audit should be determined by the magnitude of identified audit risk.

Examples of Audit Objectives

To ascertain whether accounting for payroll is adequate and proper, including

bank account reconciliations.

To determine whether payroll preparation procedures are effective in preventing

the processing of unauthorized transactions.

To determine whether the entity is acquiring, protecting and using its resources

economically and efficiently.

4.1.4 Ensure subject is auditable

Before going any further, some thought should be given to the auditability of the subject.

There is no point in proceeding further if the auditor already knows there is no evidence

to audit or that access will be denied, such as in the case of confidential cabinet

documents. Government sometimes imposes secrecy rules for national security. Lack of

evidence may in itself be an audit finding.

4.1.5 Determining the necessary resources to perform the audit

The resources required for each assignment should be estimated. Initially the budgeted

time and personnel to be assigned to the assignment would have been determined during

the preparation of the operational plan at the beginning of the financial year; however this

plan can be amended if required.

In estimating resources the following areas need to be addressed:

The complexity of the audit assignment needs to be considered.

Consideration of the knowledge, skills and disciplines available within the Unit.

This will assist in properly selecting persons for the assignment.

The training and the professional development needs of the unit should also be

considered as the assignment can serve as on-the-job training for the unit.

The preparation of the Time Sheets.

4.1.6 Communicate with the Relevant Stakeholders of the Audit

The planning process should be formalized. A part of the planning process requires the

auditor-in-charge to interact with all who need to know about the audit.

The communication process should be a two-way process. The first task in this process is

the identification of individuals with whom to communicate, and then discussing the

audit with these individuals.

A preparatory meeting should be scheduled with the individuals identified.

This will enhance the two-way process.

Topics to be discussed can include:

Planned audit objectives and scope of work

The timing of the audit. Stating intended start and completion dates, and reporting

time.

Introducing the internal auditors assigned to the assignment.

Producing a list of documents/files and other information that will be needed

during the course of the audit.

Communication process throughout the course of the audit.

Arrangement of interviews for the survey phase to obtain an understanding of the

systems in place.

Feedback from management, that is, any concerns or questions that management

may have.

Outlining the reporting, exit interviewing and follow-up processes.

This phase should be documented as minutes and filed in the working paper file.

NOTE: Surprise cash inspections may take a different format, at the discretion of the

Internal Auditor

4.1.7 Preliminary Survey

The primary steps in conducting the survey are:

Initial study - The internal auditor is able to review prior working papers and

audit findings, study organizational charts, review auditee facilities and gain some

familiarity with the audit area.

Documenting – The internal auditor can prepare useful reminder lists,

questionnaires for interviews and discussions to be conducted. All work done in

the survey phase must be documented. At this point the internal auditor can call

on the auditee for the initial preparatory meeting.

Meeting - During the meeting, the internal auditor explains to the auditee the

purpose of the audit and the approach that will be taken. The auditor will use this

meeting to explore the objectives, goals, and standards of the operation and its

inherent risks.

During the discussions with unit heads and supervisors, the auditor would seek to

gain an insight into the style of management exercised.

Gathering Information - The internal auditor would seek to gather information

about systems and processes by discussing activities with employees and

obtaining copies of instructions, procedures and other key documents.

He/she may have to document the current procedures by way of interviewing the

employees. This will also assist in planning the rest of the survey.

Observing – Throughout this survey phase, the internal auditor can identify the

purpose of the activity, observe the work flow, the rhythm of activity, and observe

how knowledgeably people seem to be functioning and whether employees seem

to be comfortable with what they are doing. This can highlight how well the

activities are being managed and people are being trained; also identify risks and

related controls.

Flowcharting – This can help and assist with detailed analysis of the operation

being audited.

Reporting – A professional survey often yields information on controls and risks

that may warrant written presentation of the survey findings. This may prompt

action to correct any inadequacies highlighted prior to the audit.

4.1.8 Developing the Audit Programme

The objective of writing the audit programme is to put together in one place the

programme that needs to be completed in order to accomplish the audit objectives.

The audit programme lists directions for the examination and evaluation of the

information needed to meet audit objectives within the scope of the audit assignment.

The audit programme is the link between the preliminary survey and the fieldwork, and

therefore should be prepared prior to the start of the audit work.

The Audit Programme should be designed to:

Document the internal auditor’s procedures for collecting, analyzing, interpreting,

and documenting evidence and other information.

State the objectives of the audit assignment.

Set forth the scope and degree of testing required to achieve the audit objectives.

State the nature and extent of the testing required.

Be evidence of the audit work performed and completed.

The Audit programme should also include:

The period of review

Working paper references

The initials of the internal auditor who has completed the work

The date of completion

4.1.9 Define recipients of audit results

The Internal Auditor is responsible for determining how, when and to whom audit results

will be communicated.

The results of the audit should be transmitted to individuals responsible for taking action

on audit findings and recommendations. The audit report can be transmitted in total to

involved individuals, or those parts of the report applicable to specific individuals can be

sent to them for information and/or action.

Ultimately it is the responsibility of accounting officers to ensure action has been taken

on findings and recommendations. Therefore a copy of the report should be sent to them.

4.2 AUDIT EVIDENCE

The internal auditor should collect, analyse, interpret and document information to

support audit results.

The efficiency and effectiveness of the audit work depends on the manner in which

evidence is collected.

The internal auditor should have a sound understanding of:

The nature of evidence

What constitutes appropriate quality and quantity of evidence

Most appropriate methods of collecting evidence

4.2.1 Nature of Evidence

Audit evidence is the information internal auditors obtain through observing conditions,

interviewing people, and examining records. Audit evidence should provide a factual

basis for audit opinions, conclusions, and recommendations.

Audit evidence can be categorized as:

Physical

Testimonial

Documentary

Analytical

Physical Evidence

This evidence is obtained by observing people, property and events. This evidence can

take the form of photographs, charts, maps, graphs, or other pictorial representations.

Graphic evidence is persuasive. All observations should, if possible, be supported by

documented examples.

Testimonial Evidence

This evidence takes the form of letters or statements in response to inquiries or

interviews. These forms of evidence standing alone are not conclusive; they should be

supported by documentation if possible. Auditee statements can be important leads not

always obtainable by independent audit testing.

Documentary Evidence

This is the most common form of audit evidence and it may be either external or internal.

External evidence includes:

Letters received by the auditee

Memoranda received by the auditee

Supplier’s invoices

Leases

Contracts

Third party confirmation

Internal evidence (originates within the Auditee organization) includes:

Accounting records

Copies of outgoing correspondence

Work plans

Organization charts

Corporate plans

Budgets

Internal policies and procedures

Analytical Review

This type of evidence stems from analysis and verification.

The sources of such evidence are computations; comparisons with prescribed standards,

past operations, similar operations and laws or regulations; and reasoning.

There are many uses for evidence derived from analysis.

These can include:

Checking that data from different sources are consistent.

Conducting reconciliations.

Calculating averages to compare performance.

Ensuring interest payments are properly calculated.

Confirming payroll and other expenditures are accurate. Also ensure that they

comply with regulations, agreements and other controls for payments.

4.2.2 Attributes of Evidence

All evidence should stand the tests of sufficiency, relevance, reliability, and objectivity.

Sufficient

Evidence is sufficient if it is so factual, adequate, and convincing that it would lead a

reasonable (prudent) person to the same conclusions as the auditor. This, however, would

be a matter of judgment; but the judgment should be objective. Therefore, when samples

are used, the samples should be the result of objective, acceptable sampling methods. The

samples selected should provide reasonable assurance that they are representative of the

population from which they were selected.

Relevant

The relevance of audit evidence refers to the relationship of the information to its use and

applicability. The facts and opinions used to prove or disprove a finding must have a

logical, sensible relationship to that finding.

Evidence must support audit statements directly. Evidence used to support audit

conclusions should be timely, as the relevance of audit findings generally diminishes over

time.

Reliable

Reliable evidence is competent evidence. It should be the best evidence that is reasonably

obtainable. For example:

An original document is more reliable than a copy.

Direct evidence is superior to hearsay evidence.

A corroborated oral statement is more reliable than a statement

standing alone.

Objective

Evidence should be objective and free from bias. The auditor should guard against

assuming that the initial findings or assumptions are the only interpretation of the

situation. Whenever there are contradictions in the evidence collected, the auditor should

not reject certain evidence but rather seek an explanation as to why the evidence is not

consistent. Evidence should be evaluated objectively.

4.3 DOCUMENTATION AND WORKING PAPERS

The auditor’s documentation in the form of audit files is referred to as working papers.

The audit files should be complete in themselves. The auditor must prepare papers that

are accurate, clear, organized, and professional.

There are generally two files maintained by the internal audit unit.

These are:

Current File – Working paper file

Permanent file

4.3.1 Working Papers

Working papers document the audit. They record the information obtained and the

analyses made during the audit process. Working papers are prepared from the time the

internal auditor first launches the assignment until he/she reviews corrective action and

closes the audit assignment.

Working papers document the following steps in the audit process:

The plans for the audit, including the audit programme.

The examination and the evaluation of the adequacy and effectiveness of the

systems of internal control.

The audit procedures followed, the information obtained, and the conclusions

reached.

The supervisory reviews

The audit reports.

The follow-up of corrective action

See template and completed worksheets at Appendices 4.3.1A and 4.3.1B

4.3.2 Purpose of the working paper file

The working paper file serves the following purposes:

To provide support for audit reports. Well-structured working papers make it

easier for the auditor to transfer the material written during the audit to the

reports.

To record information obtained through the questioning of people, the review of

instructions and directives, the analysis of systems and processes and the

examination of transactions.

To identify and document audit findings.

To offer a basis for supervisory review. Reviews of documented work are more

productive than conversations between audit supervisor and auditor. The

supervisor’s review, also documented in the working papers, is a means of control

over the audit.

To provide a means by which external auditors can evaluate the internal audit

work and then use it in their own assessment of the organization’s system of

internal control.

Assist in planning subsequent audit assignments.

4.3.3 Documentation

Working papers should follow a reasonably consistent form and arrangement, not only on

the assignment level but also throughout the audit unit.

The Internal Auditor must:

Establish and maintain a suitable filing system

Maintain the standards for the formulation of the working paper files

Working papers may include the following information:

Planning documents and audit programs

Internal Control questionnaires (ICQs), flowcharts, checklists, and the results of

control evaluations

Notes of interviews

Organization charts, policy and procedure statements, and job descriptions

Copies of important contracts and agreements

Letters of confirmation and representation

Tests and analyses of transactions.

Results of analytical review procedures.

Relevant audit correspondence.

Audit reports and management responses.

The working papers should be arranged in a manner that makes them parallel with the

audit program. That is, each distinct subject should be included in a separate segment of

the papers. This will ensure ready reference during and after the audit.

In general, internal auditors should ensure that working papers are neat, uniform,

understandable, relevant, complete, simple and logically arranged.

Each working paper sheet should generally contain:

A Heading. The heading should identify the organization’s name, the function

being audited and the period of the audit. For example:

Ministry of XXXXX

Bank Reconciliation Statements

For the period April 1999- July 1999

The date of preparation and the auditor’s initials. The date should indicate

when the work was complete. The auditors’ initials should appear on each

worksheet.

The reference for the working papers. Working papers should be referenced.

The reference for each audit area is listed on the index. Working papers should be

kept in logical groupings. It is discouraging for the auditor and the reviewer of the

file to see a mass of working papers unnumbered and uncontrolled.

Tick marks and other symbols. These should be uniform throughout

the audit. They should be small and neatly placed and explained in

footnotes.

Sources of data. Sources should be clearly identified.

Cross-referencing. An independent reviewer should be able to retrace the

auditor’s steps - from basic audit schedules to summaries and comments - without

needing to ask for additional information.

Therefore working papers should be properly cross-referenced to other related working

papers and to the audit program.

Each working paper file must begin with an index and the file jacket must be properly

labeled with the name of the organization, period of audit, volume number for the file (if

more than one volume) and the type of audit.

4.3.4 Supervisory Review

Supervision is a continuous process beginning with planning and ending with the

conclusion of the assignment. The best control over the work on which audit opinions are

based is supervisory review of all audit work. The Head of the Internal Audit Unit is

responsible for providing appropriate audit supervision.

Such reviews should be evidenced on each sheet by the name or initials of the

supervisor/Head Internal Auditor and the date of the review. Review questions should be

written and included with the working papers. The working papers should not be

considered complete until the questions have been answered to the supervisor’s

satisfaction.

In reviewing working papers the Internal Auditor/supervisor should be concerned that:

The planning of the audit assignment was properly executed before the fieldwork

began.

The audit programme was followed and specific instructions to auditors were

followed.

The working papers were accurate and reliable, that is, that they reflect adequate

work performed, and that they demonstrably support the audit findings.

Conclusions reached were reasonable, logical and valid.

There were no planned steps that have been omitted.

The standards on the compiling of working papers and other professional

standards have been adhered to.

Reviews with auditees were carried out and adequately recorded and that disputes

were resolved.

The Internal Auditor or the supervisor should review working papers as soon as possible

after they are completed. This will minimize disruption to the workflow and problems

will be resolved before reports are finalized and auditors reassigned.

4.3.5 Control and Retention of Working Papers

Control

The Head of the Internal Audit Unit must take direct interest in the control of auditor’s

working papers.

Working papers are confidential and are the property of the Internal Audit Unit, and

should be kept under their control. Internal auditors should know exactly where the

papers and the audit files are at all times during the audit.

Audit files should not be made available to people who have no authority to have or use

them. However, this does not mean that internal auditors may not show their work to

auditees under certain circumstances. Also, access to working papers and reports may be

allowed to external auditors and to persons within the organization other than the persons

being audited. This must however be with the permission/approval of the Head of the

Internal Audit Unit. Where persons outside the organization seek access to the working

papers, the chief internal auditor must obtain approval from senior management and/or

legal counsel.

Retention

Working papers should be retained within the internal audit unit, seven (7) years after the

completion of the audit assignment.

However, where fraud and irregularities have been investigated and are awaiting legal

decision, the circumstances may demand retention beyond the seven-year period.

4.3.6 Permanent Files

This file includes information that will be of continuing importance to the audit activity.

The file should be flexible and useful. The file should be reviewed and updated as

necessary during the planning phase of the assignment. It should not be cluttered with

material that will not help the current audit or planning of future audits. When reviewed

the contents page should be initialed by the internal auditor to signify review.

The permanent file may include the following information:

Prior audit reports and responses

External audit reports

Post audit reviews

Copies of relevant government legislation, regulations, guidelines and other rules

affecting the operation.

Functions and objectives of the entity

Vision and Mission statements

Corporate plans

Operational plans of the entity

Organization charts

Lists of key personnel

Building layout and/or location of operation

Chart of Accounts

Flow-Charts of the accounting system and other systems within the organization

Summary of accounting principles used by the organization

Contracts and Leases

Important correspondence specifically related to the audit project

Basic directives or instructions applicable to specific activities

4.4 REPORTING

Reports are the internal auditors’ opportunity to get management’s undivided attention.

When management gives them an audience, internal auditors must never forget that they

are selling.

They must be consciously persuasive – by the techniques of motivation and by the style

they use and must highlight what is management-oriented. They must downplay or omit

what is immaterial and point skillfully to the need for taking action, describe the action,

and explain the penalties for avoiding action.

4.4.1 Purpose of the Report

The purpose of the Internal Audit report is to:

Inform- The report must tell management what is happening, by making them

aware of the results of the audit and also alerting them to recommendations made.

Persuade - Information presented to management must be of direct significance

to the organization or the area in which they are accountable. In the report, the

auditor must explain his findings pointing to the cause of the findings and the

effect of the findings on the section being audited and the organization.

Get results - The auditor should provide direction to management for decision

making by offering recommendations for improvement. Management must be

convinced of the benefits of implementing the recommendations so they will see

the need to take action. The benefit of taking action must exceed the cost of

implementation. The recommended action must be a constructive and practical

means of achieving the needed change.

4.4.2 Elements of a Good Report

The final stage of the audit process is the audit report. The effort made in carrying out the

fieldwork and the analysis of the results will be lost if the information is not properly

communicated in the audit report. There are certain qualities that make up a good report:

1. Accurate

It should be complete, factual and objective without incorrect grammar and spelling.

2. Clear

Reports should put into the mind of the reader exactly what is in the mind of the writer.

Technical jargon that is unfamiliar to the reader should be avoided.

3. Concise

Brief statements and condensed key ideas say more than long explanations that detail all

components of a thought.

4. Appropriate

Reports should relate to the reader’s interest. They should have the proper emphasis and

present relevant and valid information.

5. Timely

The value of audit reports is directly related to the speed with which the information is

acted upon. The final, formal report is not designed to be a historical document but

should answer management’s need for current information. The effect is therefore lost if

it is not timely.

4.4.3 Format of the Report

There are varying formats that can be used in writing the audit report.

Regardless of the outline used, the auditor must ensure that he is satisfying the needs of

the reader. The final report must always contain the following:

Table of Contents

Introduction

- Scope of the Audit

Conclusion and Recommendations

Findings

(a) Condition – The factual evidence as to what was found.

(b) Criteria – Standards, measures, or expectations used in making an

evaluation and/or verification.

(c) Cause – The reason for a difference between the criteria and the condition.

It should point to the underlying reason.

(d) Effect – The result of the condition or the potential results.

Management Response

Sometimes, it is a good idea to include an executive summary. Whenever possible it is

desirable to estimate achievable savings if recommendations are acted upon.

Interim Reports:

These are reports prepared before the completion of an assignment that may take a longer

time than budgeted and the report is a means by which management can be updated on

the status of the work. Interim reports can also be reports based on work done before the

assignment starts.

Report Distribution

Reporting arrangements, including the format and distribution of Internal Audit Reports

should be agreed with management. The Head of Internal Audit should ensure that

reports are sent to managers who have a direct responsibility for the unit or function

being audited and who have the authority to take action on the Internal Audit

recommendations. Internal Audit Reports are confidential documents and their

distribution should be restricted to those managers who need to know and the Permanent

Secretary or the Head of the Division.

Appendix 4.4.3A contains varying formats of internal audit reports.

The Head of the Internal Audit Unit should use his initiative in deciding on a format for

his report based on an analysis of the target audience.

4.5 INTERVIEWS

The internal auditor needs to possess strong interviewing skills. In many cases, success in

obtaining the breadth and depth of evidence required for the audit is highly dependent on

information collected through interviews.

Interviewing may be used for:

a) Identifying availability of evidence

b) Briefing management on the results of the audit

4.5.1 Identifying Availability of Evidence

It is almost impossible for the internal auditor to find and examine all possible

information about an operation. Also, the internal auditor does not have the time to seek

out all information.

Interviewing is the best means of determining:

Sources of information describing the operations (objectives, organization,

resources, activities, systems and procedures, outputs, outcomes);

Where to obtain the information; and

How to go about collecting the information.

Exploratory interviews must be supplemented with direct investigation by the internal

auditor such as file reviews, analysis of data and checking corroborating sources within,

or external to, the organization.

There are different ways of conducting the interview. In some situations, the internal

auditor must adhere strictly to predefined questions; other times, the interviewer has to

explore an area of questioning without any prepared set of questions (the unstructured

interview); but in most cases, the interview consists of a mix of prepared questions and

responsive questions.

The output of the interview is the information collected. Therefore, the auditor must be

able to produce sound, representative and accurate notes of the interview. It is difficult to

conduct an interview and at the same time take sufficient notes to be able to write up

extensive and accurate interview notes later. If there are two or more auditors present,

they can agree who leads the discussions and who is responsible for producing the audit

notes afterwards.

4.5.2 Exit Interview

The Internal Auditor should normally meet with management to discuss the audit

findings at the completion of fieldwork for each Internal Audit assignment and the formal

written report should be presented to management as soon as possible thereafter.

Before issuing the final report, the Internal Auditor should normally discuss the contents

with the appropriate level of management and may submit a draft report to them, for

confirmation of factual accuracy.

4.6 FOLLOW-UP

The role of the auditor is not fulfilled unless, as a result of the audit, any deficiencies

identified have been corrected or at least addressed. The auditor needs to follow up on all

recommendations and major findings and conclusions to determine whether management

is properly addressing them.

It is management’s responsibility to ensure that proper consideration is given to internal

audit reports. The internal auditor should ensure that appropriate arrangements are made

to determine whether action has been taken on internal audit recommendations or that

management has understood and assumed the risk of not taking action.

The manager responsible for the audited area should produce an action plan to address

the deficiencies and the internal auditor should review the status of management actions

against the plan.

Internal audit reports should remain open until the internal auditors consider the replies

satisfactory, that is, that action has been or will be taken to resolve the defects.

4.6.1 Timing of the Follow-up

The auditors should not be satisfied solely with the statement or description of corrective

action from the auditee. It may be necessary to return to the audit site or schedule interim

examinations within a given period to satisfy themselves that effective action has been

taken.

There is no simple rule as to when follow up should be conducted. The timing of the

follow up will depend, to a large extent, on the nature of the actions required to correct

deficiencies.

The timing of the follow up will depend on:

The seriousness of the deficiencies

Realistic timing of proposed action plans

Progress reports provided by management

How follow up can best fit into the Internal Audit Unit’s schedule

of audit work.

Very serious deficiencies that can be corrected quickly should be followed up within a

short timeframe while the follow up of minor deficiencies may sometimes be postponed

until the next audit of the area.

The Internal Audit Unit should have a formal method of closing reports that have been

satisfactorily responded to. This could take the form of a memorandum or audit responses

to management comments in the final report.

Chapter 5

VALUE-FOR-MONEY AUDITING

5.1 BACKGROUND

Value-for-money (VFM) auditing is a concept that was pioneered by the Swedish

National Audit Office and the Office of the Auditor General of Canada in the late 70’s

and early 80’s. It adds an operational dimension to the traditional compliance and

financial attest audits that had been known as regulatory auditing in the public sector.

While value-for-money auditing started in the Supreme Audit Institutions, it has spread

throughout the internal audit community, strengthening the traditional operational audit

practices of internal auditors.

5.2 ECONOMY, EFFICIENCY AND EFFECTIVENESS

Value-for-money auditing is concerned with assessing whether Government Departments

and agencies are managed with due regard to economy, efficiency and effectiveness.

These are known as the three E’s in VFM auditing.

When a Ministry or Department exhibits “due regard”, it considers the factors of

economy and efficiency in a manner that is reasonable and appropriate in the

circumstances. Economy refers to the terms and conditions under which an organization

acquires financial, human, physical and information resources.

Economy means getting the right amount of the right resource, at the right level of

quality, at the right time, in the right place, at the best price. Lack of economy in

acquiring resources could result in products or services costing more than they should, or

products or services of inappropriate quality, quantity or timeliness.

Indicators of potential economy issues or matters of significance include:

Financial resources such as overspent budgets, year end spending sprees, lapsed

funds, duplication of payments or overpayments;

Human resources issues such as high staff turnover, large number of grievances,

unclear or lack of job descriptions, duplication and overlaps of duties, high

absenteeism, too much overtime, excessive use of consultants;

Physical resource issues such as underused or unused equipment, excessive

maintenance costs, shortages and stock outs, inadequate or excess space, absence

of documented procedures and poor procurement processes;

Information technology issues such as a lack of IT strategy, proliferation of

equipment types, incompatibility of systems, high down time and maintenance

costs; inappropriate reports and poor security.

Efficiency refers to the relationship between the quantity and quality of the goods or

services produced and the resources used to produce them. An efficient operation

produces the maximum quantity and quality of output for any given resource inputs, or it

uses minimum inputs for a given quantity and quality of output.

Indicators of potential efficiency issues or matters of significance include backlog, idle

capacity, overtime, complaints about service, lack of production targets, deadlines

and production standards, lack of performance measures and measurement procedures

and inadequate use of performance information to improve efficiency.

Effectiveness involves assessing the extent to which program objectives or intended

consequences are achieved. Where negative effects occur, effectiveness must be judged

on the balance of positive and negative consequences. Effectiveness measurement

includes assessing the procedure for measuring effectiveness and determining whether

the procedures are sufficient, reliable and that information is correctly reported.

Economy is obtaining the appropriate quality and quantity of goods and services

at the appropriate time and at the best prices.

Efficiency is achieving the best possible productive use of goods,

people and money.

Effectiveness is the extent to which programmes are actually

accomplishing what they were intended to do.

VFM auditing is directed at examining the following matters:

financial management and accounting for public money;

safeguarding and control over public property;

assessment, collection and allocation of revenues;

compliance with authority;

waste and extravagance;

due regard to economy;

due regard to efficiency; and

whether or not there are appropriate procedures in place for measuring and

reporting program effectiveness.

5.3 APPROACHES TO VFM AUDITING

The keys to the success of a VFM audit are clearly defined objectives, scope, methods of

evaluation and a participatory approach to the audit.

The focus of a VFM audit will depend on the objectives of the particular audit. An audit

could be focused on any one of the above matters or on a combination of them.

There is no single right way to focus an audit. It takes considerable judgment to target the

best issues. It very much depends on the objectives set for the audit. This is done in the

planning phase of a VFM audit.

Basically there are two ways to focus an audit:

A Procedures Or Process-Oriented Approach or

A Results-Oriented Approach.

Over the last two decades VFM auditing has moved away from process type auditing and

become more results oriented. In some cases a combination of the two may be the most

appropriate way to complete the audit.

5.3.1 Procedures or Process-Oriented Approach

A procedures or process-oriented approach starts by examining the relevant activities of

an organization, programme or function and the related management practices to identify

possible strengths and weaknesses, particularly those that have an impact on VFM issues.

Criteria are developed and used to assess the activities or procedures.

These criteria are derived from policies, directives, manuals etc. or accepted management

practices in other similar situations.

In each case the audit objective in the broadest sense, is to assess the extent to which

activities, systems and procedures that should be implemented are in fact, in place. The

auditor must determine if the systems and procedures are well designed or properly

functioning. Where the auditor identifies significant deficiencies, he must examine the

outputs or results of weaknesses with a view to identify causes and effects.

5.3.2 Results-Oriented Approach

A results-oriented approach to VFM auditing proceeds in the opposite direction. It starts

with examining programme outputs or program delivery. The auditor attempts to identify

problems in the outputs or programme delivery and the underlying reasons for the

problem. When negatives are observed the auditor looks for root causes.

In doing so the auditor may revert to examining systems and procedures to determine

why weaknesses persist. Once the weakness is identified, the auditor can report his

finding and recommend corrective action. Benefits from corrective actions must clearly

outweigh the cost of the corrective action.

If no problem is apparent, the auditor can write a positive observation but most seldom do

as a positive observation may be seen as a blanket blessing on a small sample. Nevertheless,

when auditors are confident that appropriate results are being achieved, they should

state so. Auditing is not just finding negatives. Positives should be reported too.

5.4 THE AUDIT PROCESS

The procedures/process approach and the results-oriented approach are complementary.

Usually auditors employ a combination of the two.

Both approaches employ similar phases or stages, which are:

the planning phase;

the examining and evaluating information phase;

the reporting phase; and

the follow-up phase.

5.4.1 The Planning Phase

After the area for audit has been chosen, decisions need to be made about:

what and how much to audit;

what audit approaches, methodology and technology to employ to assess

performance; and

what staff skills, disciplines and experience to assign to the audit.

The planning phase takes quite a lot of time as it allows the audit team to communicate

its understanding of the entity, its operations, outputs and results. It also allows the auditor

to gain an understanding of the problems in the entity. The process is usually divided into

two stages:

1. The Overview Stage

During this phase the auditor will:

Gather background information on the audit area.

Understand the organization's business, objectives, mission, etc.

Interview senior management.

Scope the audit based on

- auditor's knowledge of the area's relative materiality

- the operational risk presented

Form questions to be answered in the next phase.

The auditor will prepare an overview report that contains a brief description of the audit

entity, sources of overview information, lines of audit enquiry to be explored during the

examination stage and reasons for selecting the lines of enquiry or excluding them.

2. Lines of Inquiry

Usually the Internal Audit Unit does not have the resources or does not need to examine

all aspects of a programme. Therefore, the auditor has to decide what aspects of the

management framework and activities of the programme(s) should be examined. This is

known as the lines of inquiry.

Criteria for each line of enquiry will be developed and audit risks will be assessed to

develop the audit strategy. The overview report should also identify the audit objectives

for the audit, an audit plan, the key assignments and tasks, the human resources needed

and a time budget and schedule. Potential savings should also be identified.

3. The Survey Stage

The survey stage of the planning phase follows up on previous audit recommendations,

confirms the specified audit criteria, conducts a preliminary assessment, identifies matters

of significance and finalizes the audit scope and plan. During the survey stage the auditor

should refine the focus and procedures to satisfy the audit objectives.

He should determine if:

the financial information developed for the activity is appropriate for senior

management;

the financial information can be related to program results information to

provide management with the information it needs for operating the program

and decision making;

the financial management controls play an appropriate role in regular

monitoring of operations, efficiency, compliance and accountability;

the financial management information adequately supports performance

measurement, analysis and feedback to make managers aware of progress

toward intended results;

regular assessments are made of quality and levels of service;

the financial management systems assist managers in planning, controlling

and accounting for the use of resources;

there are financial controls in place to ensure that expenditures are made for

purposes intended that are not wasteful or extravagant and do not exceed the

levels approved in the budget;

the Ministry or Department has an accurate listing of all assets;

there are appropriate controls over cash, receivables, inventories and other

assets;

financial managers have been given authority and responsibility

commensurate with sound financial management practices; and

financial resources and authorities have been assigned to managers

commensurate with expected results and financial accountability

relationships are clearly defined.

5.4.2 The Examination Phase

The examination phase implements the audit plan developed in the planning phase. The

auditor pursues the lines of enquiry, documenting findings as he/she proceeds. The record

of findings forms the basis of the audit report and management letters. Following the

lines of enquiry and using the criteria developed in the planning phase, the auditor

compares actual conditions to the theoretical criteria and explores weaknesses and

deficiencies revealed by the comparison process. He/she gathers supportive evidence and

documents the evidence to assist in arriving at conclusions and recommendations.

The Internal Auditor should review the audit evidence gathered and ensure that the audit

working papers are complete and that the findings are relevant and significant enough to

report to a Permanent Secretary or Head of Department. He/she should also estimate what

savings are achievable if management implements the auditor's recommendations.

The major techniques for gathering and selecting evidence are analysis, interviews,

replications, physical observation, documentation, confirmation and systems testing.

Evidence can be acquired by:

inspecting documentation such as correspondence, memoranda, minutes, reports

etc.;

analysis of comparisons of figures, operating results, trends, ratios, etc.;

interviews, surveys and inquiries;

replication by walking through or repeating operational steps;

physical observation and inspection. Taking photos provides valuable evidence;

confirmation from independent third parties;

conducting systems tests, usually on a sampling basis;

statistical sampling.

5.4.3 The Reporting Phase

The Reporting Phase is the drafting of the audit report and the management letter. The

audit report should contain the scope of the examination; observations of matters of

significance; recommendations; and potential savings achievable.

This report should be cleared by the auditee and amendments made if the auditee can

demonstrate that the audit report is flawed. The final version of the report can include

management's responses.

Conclusions and Recommendations

Judgment, communication skills and experience are the key attributes of a good VFM

auditor to enable him/her to report conclusions and recommendations. Conclusions are

drawn from assessments of the audit findings and their possible causes and effects.

The conclusion may be negative or positive. Wherever justified, positive observations

should be made to provide a fair and balanced report. For negative observations the

auditor drafts recommendations to guide management into corrective action.

When drawing up recommendations the auditor should consider:

circumstances that help or hinder the organisation in meeting criteria;

alternative courses for remedial action;

effects and savings that may arise if the recommendations are adopted; and

the feasibility and cost of adopting the recommendations.

Before the conclusions and recommendations are finalized, they should be reviewed with

the appropriate level of management and responses should be obtained in writing.

5.4.4 The Follow-up Phase

The Follow-up Phase is done after management has had sufficient time to respond to the

auditor's recommendations. Actual achievable savings are noted along with observations

where the management has not responded appropriately to the auditor's

recommendations.

5.5 GENERIC QUESTIONS FOR SCOPING THE AUDIT

Management Direction

To what extent is there harmony between the governing body and management

with respect to the strategic directions and priorities they see for the

organisation/program?

To what extent does staff know what is expected of them and how this

supports the overall mission of the organisation?

To what extent does staff have the authority and tools needed to make decisions

and take action in accordance with their responsibilities?

To what extent does staff understand the limits of their authority and that matters

that transcend these limits are referred to the appropriate person?

To what extent are programs, operational and work plans in place, linked, and

focused on the issues most pertinent to the decision-making and accountability

interests of those responsible?

Do the organization's planning and communication practices foster the above?

Relevance

What is the nature and extent of the problems, conditions, demands and needs to

which the program is directed?

To what extent have these problems, conditions, demands and needs changed over

time?

To what extent does the program continue to make sense given prevailing

government policy and corporate and community philosophies?

Appropriateness

To what extent is each of the program's major activities necessary to the

accomplishment of the stated objectives?

To what extent are the program products and services designed and delivered in a

manner that best responds to the nature and extent of the problems, conditions,

demands and needs?

To what extent are the program products and services consistent with prevailing

standards of practice, ethics etc.?

To what extent is the overall level and distribution of effort represented by the

program's products and services sufficient in relation to stated objectives and

identified needs? Do the level and distribution of effort exceed legitimate

requirements?

Achievement of Intended Results

To what extent do the program's achievements in key result areas meet

expectations in terms of:

- the problems, conditions, demands and needs concerned;

- established performance targets;

- past organizational performance;

- the performance of comparable organizations or programs.

To what extent is the program meeting its own prescribed standards of

performance?

Are the program's objectives sufficiently challenging?

Acceptance

What is the nature of the expectations of various stakeholders (e.g. taxpayers) and

the basis for their expectations?

To what extent have stakeholders indicated acceptance of or satisfaction with the

program/services and what is their level of acceptance or satisfaction?

Secondary Impacts

What are the significant unintended effects of the program (both positive and

negative) on the clients, other key stakeholders, related organizations and

programs and/or the community at large?

Do any of the secondary impacts significantly impede or work at cross purposes

to the organization's stated objectives?

In what way do the secondary impacts call into question the value attached to the

primary program objectives?

Responsiveness

To what extent does the program have networks, mechanisms, and processes in

place to identify and assess possible consequences of relevant trends and events in

its environment?

To what extent has the program demonstrated responsiveness, or a lack thereof,

in relation to trends and events?

To what extent does the program's responsiveness compare favourably with

similar institutions in relation to the same trends and events?

Financial Results

How do cost and revenue ratios compare to those of similar organizations?

To what extent is the program's overall financial position viable?

Does the program have a history of conducting its operations within approved

budgets and funding levels?

Are the books of account, records, and financial management control and

information systems in accordance with sound financial policies and procedures?

Working Environment

To what extent does the program have the number, type, and mix of staff needed

to deliver the program/services?

Do staff job descriptions appropriately reflect work responsibilities?

To what extent does staff have the ability and opportunity to provide services to

clients in a way that is valued by clients?

Does the staff have adequate facilities and equipment to complete their tasks?

Is the organization providing a safe environment for employees and clients?

Are staff members performing to stated and agreed expectations, and are they

receiving appropriate recognition for their efforts?

Is the program making adequate investments in relation to job and career

satisfaction they derive, and the program's management practices?

Does the program have an appropriate human resources management plan for

enabling the recruitment, retention, development and replenishment of well-

qualified people?

Protection of Assets

To what extent has the organisation identified its key assets and assessed their risk

of loss and/or impairment?

To what extent does the organisation have strategies in place that adequately

respond to the nature and level of risk assessed?

To what extent do these strategies and their performance compare to industry

practice and standards, as well as comply with external requirements (for

example, legal, regulatory, accreditation, and so on)?

Monitoring and Reporting

To what extent do Cabinet, management, and key users receive complete,

credible, and fair performance information that satisfies their decision-making and

accountability requirements?

Are the right things being reported at the right time and in the appropriate level of

detail and aggregation to achieve accountability?

Are the monitoring and reporting systems and processes cost-effective?

CHAPTER 6

INFORMATION TECHNOLOGY AUDIT

6.1 BACKGROUND

The Financial Regulations to the Exchequer and Audit Act and the Financial Instructions

1965 have designated the management of all Ministries and Departments as stewards of

the Government's assets and resources. As such, there is an implicit requirement for them

to ensure that a proper system of internal controls is in place.

A key element in determining whether management is fulfilling that mandate is to get the

information necessary to assess performance. In order to achieve this, information

technology is being employed in the various Government Ministries and Departments.

Heads of Ministries and Departments are therefore required to provide assurance that the

type of information that is processed is accurate, timely, useful and relevant.

There is an increasing dependence on information systems to carry out the ministries' and

departments' operations and to process, maintain and report essential information.

Consequently, information systems are becoming the lifeblood of the public sector. No

longer are computer systems merely recording business transactions but are also

contributing to the achievements of the various objectives and goals of the ministries and

departments.

An information system is not just a computer. It can be complex and have many

components that are integrated to make a business solution. Assurances about an

information system can be obtained only if all the components are evaluated and secured.

The proverbial weakest link is the total strength of the chain. Therefore the reliability of

computerized data and of the systems that process, maintain and report these data should

be a major concern for all including auditors.

The internal audit functions are required to undertake regular monitoring and review of

key controls and procedures, and because of the reliance that may be placed on

information technology, it is an area that should be audited.

Information Technology (IT) Audit (a subset of the audit process) is the process of

collecting and evaluating evidence to determine whether a computer system (information

system) safeguards assets, maintains data integrity, achieves organisational goals

effectively and consumes resources efficiently.

In order to reduce the risk of loss due to errors, fraud, other illegal acts and disasters or

incidents, an internal auditor may be required to evaluate the reliability of computer-

generated data supporting the financial system or evaluate the adequacy of controls in an

information system.

The purpose of IT audit is to review and provide feedback, assurances and

recommendations to management about the effectiveness, efficiency, availability,

confidentiality and integrity of the system.

The major elements of the IT Audit can be broadly classified as follows:

Physical and environmental review – This includes physical security, power

supply, air conditioning, humidity and other environmental factors.

System administration review – This includes security review of the operating

systems, database management systems, all administration procedures and

compliance.

Application software review – The business application could be payroll (e.g.

Government Payments System GPS), Integrated Financial Management

Information Systems (e.g. IFMIS), Integrated Human Resource Information

System (e.g. IHRiS) among others. Review of such application software includes

access control and authorizations, validations, error and exception handling,

business process flows within the application software and complementary

manual controls and procedures.

Additionally, a review of the system development life cycle (SDLC) for information

systems being developed and implemented should also be conducted.

Network security review – Review of internal and external connections to the

system, perimeter security, firewall review, router access control lists, port

scanning and intrusion detection are some typical areas of coverage.

Business continuity review – This includes existence and maintenance of fault

tolerant and redundant hardware, backup procedures and storage, and

documented and tested disaster recovery/business continuity plan.

Data integrity review – The purpose of this is scrutiny of live data to verify

adequacy of controls and impact of weaknesses, as noticed from any of the above

reviews. Such substantive testing can be done using generalized audit software

(e.g. computer assisted audit techniques, CAATs).

6.2 COMPUTER-ASSISTED AUDIT TECHNIQUES (CAATS)

6.2.1 Concept

Computer Assisted Audit Techniques are powerful and important tools for the auditor in

performing audits. With the use of CAATs, the auditor can inspect records and perform

tests on the records almost instantaneously, which would consume extensive audit effort

if performed manually. They include many types of tools and techniques such as

generalized audit software, utility software, test data, application software, tracing and

mapping and audit expert systems.

CAATs may be used in performing various audit procedures including: -

Test of detail transactions and balances;

Analytical review procedures;

Compliance test of general and application controls;

Penetration testing.

6.2.2 Planning

When planning the audit, the auditor should consider an appropriate combination of

manual techniques and CAATs. In determining whether to use CAATs, the factors to be

considered include: -

Computer knowledge, expertise, and experience of the auditor;

Availability of suitable CAATs and Information Systems (IS) facilities;

Efficiency and effectiveness of using CAATs over manual techniques;

Time constraints;

Integrity of the information systems and IT environment;

Level of audit risk.

The major steps to be undertaken by the auditor in preparing for the application of the

selected CAATs are: -

Set the audit objectives. Identify what is to be examined and tested;

Determine the accessibility and availability of the organization's IS facilities,

programs/system and data;

Define the procedures to be undertaken e.g. statistical sampling, recalculation,

confirmation etc;

Define output requirements;

Determine resource requirements i.e. personnel, CAATs, processing environment

(e.g. organization's IS facilities or audit IS facilities);

Obtain access to the organization's IS facilities, programs/system and data, including

file definitions. Understand the operating system and characteristics of the data;

Document CAATs to be used, including objectives, high level flowcharts and run

instructions;

Arrange for the software to access the operating data files or for the required data

to be downloaded;

Apply the CAAT data analysis and tests; and

Follow up on anomalies and particular transactions to determine explanations for

the results obtained.

6.3 THE ENVIRONMENT IN WHICH CAATS OPERATE

6.3.1 Understanding of the System

The auditor should obtain a clear understanding of the systems to be examined.

This understanding should include:

Processing procedures and practices;

Internal controls (both existing and desirable and what tests are needed to

determine whether the existing controls are operating properly);

Control weaknesses (observed and to be tested);

Security and other environmental considerations (such as back-up procedures,

roles and responsibilities, operating breakdowns, access controls, etc.);

Other issues relating to the particular application.

6.3.2 Characteristics of the Data

The auditor should examine documentation about the systems and/or develop means of

determining the characteristics of the systems.

These should include:

Flow charts of the process;

The internal controls in place;

Characteristics of the files / records / fields in the data;

Processing logic built into the software; and

Any anomalies, such as changes to the database, data gaps, coding problems or

changes in definitions.

6.3.3 Audit Objectives

Although the use of CAATs normally involves some degree of exploration, the auditor

should initially define what is to be achieved through the use of the CAATs.

Audit objectives should be defined. Examples of these could be:

Correlate vouchers with purchase order amounts and total contract amounts to

provide assurances that the expenditures have been properly authorized.

Verify the accuracy of financial reports by analysis of transactions and thus

provide assurances on the reliability of the financial statements.

Compare expenditures against budget and confirm that no expenditures are in

excess of budget or out of wrong budget categories.

Check for any duplicate purchase orders or receipts without purchase orders.

Compare overtime hours with normal working hours over a period of time to

identify any overtime abuse.

On a sample basis, confirm no misuse of funds or excessive expenditures.

Determine whether internal controls, such as data entry controls, are operating

effectively.
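
The following is an added example, not part of the manual, showing how the first four objectives above could be expressed as CAAT tests over three extracts: purchase orders, vouchers and budget. The file layouts, column names and all data are constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from decimal import Decimal

# Constructed sample extracts (not real records). Column names are assumptions.
PURCHASE_ORDERS_CSV = """po_no,supplier,category,po_amount
PO-100,ACME LTD,STATIONERY,5000.00
PO-101,BETA INC,MAINTENANCE,12000.00
PO-102,GAMMA LLC,TRAVEL,3000.00
PO-102,GAMMA LLC,TRAVEL,3000.00
"""

VOUCHERS_CSV = """voucher_no,po_no,category,amount
V-1,PO-100,STATIONERY,3000.00
V-2,PO-100,STATIONERY,2500.00
V-3,PO-101,MAINTENANCE,11000.00
V-4,,TRAVEL,800.00
V-5,PO-999,TRAVEL,450.00
V-6,PO-102,MAINTENANCE,2000.00
"""

BUDGET_CSV = """category,approved
STATIONERY,6000.00
MAINTENANCE,12500.00
TRAVEL,5000.00
"""


def load(text):
    """Parse a CSV extract into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def index_purchase_orders(rows):
    """Return ({po_no: first row seen}, [po_no values that occur more than once])."""
    by_no, duplicates = {}, []
    for row in rows:
        if row["po_no"] in by_no:
            if row["po_no"] not in duplicates:
                duplicates.append(row["po_no"])
        else:
            by_no[row["po_no"]] = row
    return by_no, duplicates


def correlate(vouchers, pos_by_no):
    """Match each voucher to its purchase order and collect the exceptions."""
    spent = defaultdict(Decimal)
    no_po, wrong_category = [], []
    for v in vouchers:
        po = pos_by_no.get(v["po_no"])
        if po is None:
            # Payment with a blank or unknown purchase order number.
            no_po.append(v["voucher_no"])
            continue
        spent[v["po_no"]] += Decimal(v["amount"])
        if v["category"] != po["category"]:
            # Charged to a different budget category than the order.
            wrong_category.append(v["voucher_no"])
    # Purchase orders whose vouchers add up to more than the authorized amount.
    overspent = {
        no: total - Decimal(pos_by_no[no]["po_amount"])
        for no, total in spent.items()
        if total > Decimal(pos_by_no[no]["po_amount"])
    }
    return {"no_po": no_po, "wrong_category": wrong_category, "overspent": overspent}


def over_budget(vouchers, budget_rows):
    """Return {category: excess} where vouchers charged exceed the approved budget."""
    approved = {b["category"]: Decimal(b["approved"]) for b in budget_rows}
    spent = defaultdict(Decimal)
    for v in vouchers:
        spent[v["category"]] += Decimal(v["amount"])
    return {
        c: total - approved.get(c, Decimal("0"))
        for c, total in spent.items()
        if total > approved.get(c, Decimal("0"))
    }


def run_checks():
    """Run every test over the constructed extracts and return the exceptions."""
    pos_by_no, duplicate_pos = index_purchase_orders(load(PURCHASE_ORDERS_CSV))
    vouchers = load(VOUCHERS_CSV)
    result = correlate(vouchers, pos_by_no)
    result["duplicate_pos"] = duplicate_pos
    result["over_budget"] = over_budget(vouchers, load(BUDGET_CSV))
    return result


if __name__ == "__main__":
    for check, hits in run_checks().items():
        print(check, hits)
```

Each exception list is a starting point for follow-up, not a finding in itself; the items still need explanations from source documents.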

6.3.4 Audit Scope

The auditor has to decide also what audit coverage to provide. The auditor may decide to

examine the total database, or restrict examination to particular areas of the organization

or particular functions. Further, the auditor has to decide what period, or periods to

examine.

The auditor may decide to examine just the current year, or go back three or four years. If

the auditor wishes to determine if there is some pattern of expenditure/income, the total

data within the period selected can be looked at as a whole. Alternatively, the auditor

may want to take discrete periods and compare them with other periods.

6.4 DATA ACCESS

The auditor may require assistance in obtaining access to the data. Data files such as

detailed transaction files are often only retained for a short period. Consequently, the

auditor should make arrangements for the retention of the data covering the appropriate

time frame. Access to the organization's IS facilities, programs/system and data should be

arranged for well in advance of the needed time period in order to minimize the effect on

the organization's production environment. The auditor must be satisfied that the data

examined is a true, accurate and complete set of data utilized in the management of the

organisation under audit.

The CAATs may be applied to the live production data (on-line) or alternatively, a copy

of the required data is made on which the CAATs can be applied off-line. When the

CAAT is operated on-line, there must be assurances that the CAAT has full access to all

data and is not subject to any access controls.

The auditor should assess the effect that changes to the on-line programs may have on the

use of the CAATs. In doing so, the auditor should consider the effect of these changes on

the integrity and usefulness of the CAATs, as well as the integrity of the

programs/systems and data used by the auditor.

6.5 APPLICATION OF CAATS

Before the auditor can perform tests on the data, he/she needs to have input file

definitions, used to describe the record layout of the data file, in order to tell the software

how to read the data in the file.

The first concern is to establish the validity of the data, either on-line or downloaded. The

auditor should conduct various tests to determine the number of records, totals, etc. and

wherever possible compare these with reports produced by the programs/systems.

The auditor should also ensure that the electronic files examined are for the period under

examination and in line with the understanding of the data being examined. For example,

a test should be performed to see if any transactions in the data file fall outside of the

period under examination.

The auditor should perform tests to confirm that particular controls are working. For

example if the system is meant to have data entry controls such as not accepting a record

unless there is a $ value in a particular field, the auditor can test to see if any records exist

with “0” or blank in the field which is meant to have a “$ value”.

Data analysis includes:

Listing transactions in chronological order or, in increasing or decreasing order of

magnitude for particular fields;

Grouping transactions according to various criteria, such as those with the same

date, the same supplier/recipient/whatever, or combination of characteristics, such

as same supplier with same date or same value of payment;

Searching for fields with values greater than some figure (for example, all

employees with a particular classification level that have received payments

greater than the usual payment for the period);

Calculating aggregate figures for a particular period;

Conducting various calculations on the data, such as average payment for the

acquisition of a particular product; or

Conducting follow up analysis on particular sets of transactions selected on the

basis of an initial cut.

The use of the CAATs should be controlled by the auditor to provide reasonable

assurance that the audit objectives and detailed specifications of the CAATs have been

met.
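
The sequence described in this section, as an added example that is not part of the manual: an input file definition is used to read a fixed-width extract, the data is reconciled to the system's own report, and the period, data entry and grouping tests are run. The record layout, field names and all records are constructed assumptions.

```python
from collections import defaultdict
from datetime import date, datetime
from decimal import Decimal

# Input file definition (record layout): field -> (start offset, length).
# Hypothetical layout for a fixed-width payments extract.
LAYOUT = {
    "voucher_no": (0, 6),
    "pay_date": (6, 8),    # YYYYMMDD
    "supplier": (14, 10),
    "amount": (24, 10),    # right-aligned; blank when no value was keyed
}
RECORD_LENGTH = 34


def _line(voucher_no, pay_date, supplier, amount):
    """Format one constructed record to the layout above."""
    return f"{voucher_no:<6}{pay_date:<8}{supplier:<10}{amount:>10}"


# Constructed sample extract (not real data).
SAMPLE_EXTRACT = "\n".join([
    _line("V00001", "20240105", "ACME LTD", "1500.00"),
    _line("V00002", "20240117", "BETA INC", "250.50"),
    _line("V00003", "20240117", "BETA INC", "250.50"),
    _line("V00004", "20240212", "DELTA CO", ""),
    _line("V00005", "20240220", "ACME LTD", "0.00"),
    _line("V00006", "20231229", "GAMMA LLC", "980.00"),
    _line("V00007", "20240305", "GAMMA LLC", "4200.00"),
])


def parse_extract(text):
    """Read fixed-width records using LAYOUT; a blank amount becomes None."""
    records = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        padded = raw.ljust(RECORD_LENGTH)  # tolerate trimmed trailing blanks
        rec = {name: padded[start:start + length].strip()
               for name, (start, length) in LAYOUT.items()}
        rec["pay_date"] = datetime.strptime(rec["pay_date"], "%Y%m%d").date()
        rec["amount"] = Decimal(rec["amount"]) if rec["amount"] else None
        records.append(rec)
    return records


def reconcile(records, reported_count, reported_total):
    """Compare record count and control total with the system's own report."""
    count = len(records)
    total = sum((r["amount"] for r in records if r["amount"] is not None),
                Decimal("0"))
    return {
        "count": count,
        "total": total,
        "count_matches": count == reported_count,
        "total_matches": total == reported_total,
    }


def out_of_period(records, start, end):
    """Vouchers dated outside the period under examination."""
    return [r["voucher_no"] for r in records
            if not start <= r["pay_date"] <= end]


def missing_value(records):
    """Records accepted with a blank or zero amount (data entry control test)."""
    return [r["voucher_no"] for r in records if not r["amount"]]


def same_supplier_date_amount(records):
    """Group by supplier, date and amount; return groups of two or more vouchers."""
    groups = defaultdict(list)
    for r in records:
        if r["amount"]:
            key = (r["supplier"], r["pay_date"], r["amount"])
            groups[key].append(r["voucher_no"])
    return [vouchers for vouchers in groups.values() if len(vouchers) > 1]


if __name__ == "__main__":
    recs = parse_extract(SAMPLE_EXTRACT)
    print(reconcile(recs, 7, Decimal("7181.00")))
    print(out_of_period(recs, date(2024, 1, 1), date(2024, 3, 31)))
    print(missing_value(recs))
    print(same_supplier_date_amount(recs))
```

A count or total that does not agree with the system report means the extract is incomplete or altered, and the remaining tests should not be relied on until the difference is explained.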

6.6 FOLLOW UP INVESTIGATION

The auditor has to decide which items identified by the tests should be followed up for

detailed examination. In some cases, a sample can be taken for follow up. The

explanation for all material items should be determined if possible. On the other hand,

when the auditor discovers an underlying explanation on the examination of an initial few

items within a group of items, further audit may not be needed on that group of items.

Explanations for the items discovered may be a systemic problem / pattern or an

individual error/anomaly. Explanations may be discovered very easily and quickly or

may consume extensive audit effort. The auditor needs to apply judgment on how many

items should be investigated in detail and how much audit effort should be applied.

6.7 WORKING PAPERS

The step-by-step CAATs process should be sufficiently documented to provide adequate

audit evidence. The audit work paper should contain sufficient documentation to describe

the CAATs application, including the details set out below:

Planning of the audit

CAATs objective

CAATs to be used

Controls to be exercised

Staffing and timing

Execution of the audit

CAATs preparation and testing procedures and control

Details of the tests performed by the CAATs

Details of inputs (e.g. data used, file layouts), processing (e.g. CAATs high level

flowcharts, logic) and outputs (e.g. log files, reports)

Audit Evidence

Output produced

Description of the audit work performed on the output

Audit findings

Audit conclusions

Audit recommendations

6.8 REPORTING

The objectives, scope and methodology section of the report should contain a clear

description of the CAATs used. This description should not be too detailed but should

provide a good review for the reader. The description of the CAATs used should also be

included in the body of the report where the specific finding relating to the use of the

CAATs is discussed. If the description of the CAATs used is applicable to several

findings, or is too detailed, it should be discussed briefly in the objectives, scope and

methodology section of the report and a more detailed description be placed in an

appendix to the report.

See Appendix 6.8.A for Recommended uses of CAATs.

CHAPTER 7

ROLE OF AUDIT COMMITTEE

The Institute of Chartered Accountants of Trinidad and Tobago (ICATT) sought to

provide guidance with respect to the role that Audit Committees play in organizations.

Appendix 7 provides the material compiled and distributed by ICATT at a seminar on

Audit Committees. This material should provide sufficient knowledge on the importance

of having an Audit Committee as part of an organization.

GLOSSARY

Accountability: Relates to the structure of: conferred responsibilities; the authority

delegated to carry out those responsibilities; and reporting on the discharge of those

responsibilities. Proper accountability is required to hold individuals accountable for

performance, in achieving intended results and avoiding loss, waste or ineffectiveness.

Action plan: In response to an audit report, the responsible manager(s) should produce

an action plan. This should address all recommendations and major findings and

conclusions; and provide proposed corrective action for each deficiency, with the

individual responsible for the action and a schedule for implementation. The action plan

and progress reports against the plan should be tabled with the Audit Committee. The

auditor should review these reports during any audit follow up work.

Application System: An integrated set of computer programs designed to serve a

particular function that has specific input, processing and output activities (e.g. general

ledger, manufacturing resource planning, human resource management).

Area of Significance: Large or important cost or non-cost (e.g.: backlog, idle capacity,

overtime and complaints about service) item or event in its own particular context. To be

distinguished from material, which relates to its size or importance relative to the

organization as a whole.

Audit Charter: The charter of the internal audit activity is a formal written document

that defines the activity’s purpose, authority and responsibility. The charter should (a)

establish the internal audit activity’s position within the organization; (b) authorise access

to records, personnel and physical properties relevant to the performance of engagements;

and (c) define the scope of the internal audit activities. (IIA Standards)

Audit Evidence: The information obtained by internal auditors to arrive at and support

their findings and recommendations.

Audit Expert System: Expert or decision support systems that can be used to assist the

auditor in the decision-making process by automating the knowledge of experts in the

field. The technique includes automated risk analysis, system software and control

objectives software packages.

Audit objectives: Broad statements developed by internal auditors that define intended

audit accomplishments. (IIA Standards)

Audit Procedures: Tasks the internal auditor undertakes for collecting, analyzing,

interpreting, and documenting information during an audit. (IIA Standards)

Audit Plan: A high level description of the audit work to be performed in a certain

period of time (ordinarily a year). It includes the areas to be audited, the type of work

planned, the high level objective and scope of the work and other topics like budget,

resource allocation, schedule dates, types of report and its intended audience and other

general aspects of the work.

Audit Programme: A document, which lists the audit procedures to be followed during

an audit. The audit programme also states the objectives of the audit. (IIA Standards)

Audit Scope: Areas examined, or to be examined, during the audit – locations, functions

and activities, aspects of performance, systems and procedures, audit methods and tests.

Cause: The reason for the difference between the expected and the actual conditions. -

Why the differences exist. (IIA Standards)

Cause and Effect Analysis: A process of identifying, or judging, the underlying cause of

an observation and the possible, or actual, effect of the weakness observed.

Compensating Controls: Management control framework (also referred to as

Management Framework): Additional procedures designed to reduce the risk of errors or

irregularities. Controls that compensate for the increased risk where adequate resources

may not exist to eliminate or prevent errors from occurring.

Compliance: The ability to reasonably ensure conformity and adherence to organisation

policies, plans, procedures, laws, regulations, and contracts. (IIA Standards)

Compliance Testing: Testing designed to establish that the controls established by

management are operating as intended and are effective.

Conclusion (Opinions): The internal auditor’s evaluations of the effects of the findings

on the activities reviewed. Conclusions usually put the findings in perspective based upon

their overall implications. (IIA Standards)

Condition: The factual evidence, which the internal auditor found in the course of the

examination. - What does exist (IIA Standards)

Control: Any action taken by management to enhance the likelihood that established

objectives and goals will be achieved. Management plans, organizes and directs the

performance of sufficient actions to provide reasonable assurance that objectives and

goals will be achieved. Thus, control is the result of proper planning, organizing and

directing by management. (IIA Standards)

Control Environment: The attitude and actions of the board and management regarding

the significance of control within the organization. The control environment provides the

discipline and structure for the achievement of the primary objectives of the system of

internal control.

The control environment includes the following elements: (IIA Standards)

Management’s philosophy and operating style

Assignment of authority and responsibility

Control Objective: The objectives of controls, derived from the management objectives

of the system, used by the auditor as criteria against which to appraise the adequacy of

internal controls.

Control Risk: Risk of error or loss not prevented or detected by the internal control

structure.

Corporate Plan: A three-year strategic plan to be produced by every

Ministry/Department/Agency, and sub-organizations, within the GOJ.

Criteria: The standards, measures, or expectations used in making an evaluation and/or

verification. - What should exist (IIA Standards)

Detection Risk: A risk of major error or loss going undetected despite controls and audit

effort. Also referred to as “audit risk”.

Effect (in auditing): The result or impact of a weakness (finding) not being corrected or

addressed. (In government programmes): The result, outcome or impact of a government

programme, or the result of government activities in pursuing programme objectives. There

can be both intended and unintended effects and both positive and negative effects.

Efficiency: The relationship between goods or services produced (outputs) and the set of

resources used to produce them (inputs). Efficiency is measured in terms of outputs

divided by inputs. Efficiency can be increased by producing more outputs for a given

amount of inputs or by producing the same amount of outputs while reducing the amount

of inputs.

Entity: In this Manual, the “entity” refers to the organisation subject to audit. Other

expressions could be “audit entity” or “auditee”.

Findings: Any observation, or deduction, that the auditor determines worthy of reporting

– derived by judgment, comparison of situation against a criterion or standard,

assessment of significance, consideration of risk, assessment of good management

practice.

General Audit Software: A computer program or series of programs designed to

perform certain automated functions. The functions include reading computer files,

selecting data, manipulating data, sorting data, summarizing data, performing

calculations, selecting samples and printing reports or letters in a format specified by the

auditor. This technique includes software acquired or written for audit purposes and

software embedded in production systems.

High-level flow chart (also called first-level or top-down flow chart):

A graphical representation of how a process works, showing the sequence of those major

steps within the process. It also includes the intermediate outputs of each step (the

product or service produced) and the sub-steps involved. Such a flow chart offers a basic

picture of the process, illustrates a “bird’s eye view” of the process and identifies the

changes taking place within the process.

Indicators of Risk: Situations, or results of enquiry, that suggest the existence of a risk.

Inherent Risk: Susceptibility to error or loss unrelated to the internal control system.

Internal Audit: An independent appraisal within a department, which operates as a

service to management by measuring and evaluating the effectiveness of the internal

control system.

Internal controls: Policies and procedures established by management to provide, as far

as practical, reasonable assurance that the entity’s objectives are being met.

Internal Control Questionnaire: A list of questions, related to control objectives, used

by internal auditors to assist in the evaluation of the internal control system.

Internal Control System: The whole network of systems established in an organisation

to ensure that its objectives are achieved in the most efficient and economic manner.

Level of Service: The speed with which a customer is served is referred to as the “level

of service”.

Management Framework: Also referred to as the Management Control Framework, it

consists of Planning; Organizing; Controlling; Directing (or Leading); and

Communicating (or Reporting and Evaluating). It should also include the Management of

Resources - human, financial, information and materiel resources.

Materiality: An expression of relative significance or importance of a particular matter

in the context of the organisation as a whole.

Outcomes: What happens as a result of the outputs produced or activities performed.

Other similar terms include “impacts” and “results”. For example, if the government

provides loans to companies (“outputs” of the programme), the “outcome” is what

happens to the companies, or their environment: do their sales increase more rapidly than

might have occurred without the loan; did any go bankrupt, despite the loan; or other

outcomes such as increased employment.

Penetration Testing: An auditor may perform penetration testing to determine if he/she

can break into an organization’s security defense system (e.g. hacking into a computer

system). By performing penetration testing the auditor is able to identify possible

weaknesses within the various systems or programs and consequently report to

management so that corrective action can be taken. The aim of this exercise is to prevent hackers or

unauthorized persons from compromising the systems and exploiting, for example,

proprietary information.

Preliminary Survey: An initial review of an audit area: to gain an understanding of the

business; to identify the major resources, activities, outputs and outcomes; to determine

the internal controls; and to identify the major risks. The preliminary survey is conducted

through an examination of key documents and by interviewing one or more managers of

the area to be examined. (See also Survey.)

Recommendations: Actions the internal auditor believes necessary to correct existing

conditions or improve conditions. (IIA Standards)

Responsive questions: (May not be the appropriate term.) Questions generated in

response to answers to previous questions; and therefore not normally questions

developed prior to the interview.

Review: The examination by an auditor, programme evaluator, consultant or

management team, to assess the performance of an area of the entity. It is not normally as

structured as an audit, does not demand the use of standards or criteria, and places more

emphasis on fast reporting than on the extensiveness of evidence and level of assurance.

Risk: The probability of an occurrence that prevents or hinders an entity achieving its

objectives or meeting its legal requirements. (See also: inherent risk, control risk and

detection risk.)

Risk Assessment: A process of identifying risks, estimating both the likelihood and

potential magnitude of the impact of the risk and evaluating the controls that reduce the

occurrence of risks.

Scope: The extent or range of an audit or the internal audit function.

Significant Audit Findings: Those conditions, which, in the judgment of the Head of

Internal Audit, could adversely affect the organisation. (Based on IIA Standards)

Substantive Testing: Testing of transactions and other data to enable a conclusion to be

reached on the completeness, accuracy and validity of data tested and on the effect of

weaknesses in internal controls.

Survey (also referred to as an Audit Survey): A review of an audit area: to gain an

understanding of the business; to examine the major resources, activities, outputs and

outcomes; to determine the key areas of potential significance; to assess the internal

controls; and to identify the major risks. The components of the survey are: an

examination of key documents; interviews (generally unstructured) of the managers in

the area to be examined; and an analysis of controls, risks and areas of significance. (See

also Preliminary Survey).

Test Data: Simulated transactions that can be used to test processing logic, computations

and controls actually programmed in computer applications. Individual programs or an

entire system can be tested.

Tracing & Mapping (Application): Specialized tools that can be used to analyse the

flow of data through the processing logic of the application software and document the

logic, paths, control conditions and processing sequences.

Utility Software: Specialized system software used to perform particular computerized

functions and routines that are frequently required during normal processing e.g. sorting,

back-up and erasing of data.
