internal_audit_manual__v41__27_nov_2012330491372937837


  • 8/12/2019 Internal_Audit_Manual__v41__27_Nov_2012330491372937837

    1/57

    INTERNAL AUDIT

    Version 4.1 27 November 2012

    Not to be copied or reproduced without the permission of the Director Internal Audit, Curtin

    University.

    AUDIT MANUAL


    Table of Contents

    FOREWORD
    1.0 General Policies & Standards
    1.1 Audit Charter
    1.2 Auditing Standards
    1.2.1 IIA Professional Practices Framework
    1.2.2 Other External Standards
    1.2.3 General Standards - Summary
    1.2.3.1 Qualifications of Audit Staff
    1.2.3.2 Reasonable Professional Care
    1.2.3.3 Independence
    1.2.3.4 Confidentiality
    1.2.3.5 Evidence
    1.2.3.6 Adequate Documentation
    1.2.4 Operating Standards - Summary
    1.2.4.1 Planning
    1.2.4.2 Supervision
    1.2.4.3 Statutory and Regulatory Requirements
    1.2.4.4 Internal Controls
    1.2.4.5 Reporting
    1.2.5 Audit Management Responsibilities
    1.2.5.1 Organising
    1.2.5.2 Directing
    1.2.5.3 Controlling
    1.3 Audit and Compliance Committee Charter
    2.0 Personnel & Administration
    2.1 General Procedures
    2.1.1 Commencement of an Audit
    2.1.2 Conduct of an Audit
    2.2 Personnel
    2.2.1 The Auditor
    2.2.2 Internal Audit Area - Organisation Structure
    2.3 Administration
    2.3.1 Audit Procedures
    2.3.2 Area Expenditure
    2.3.3 Management Reporting
    2.3.4 Hardcopy Audit Documentation
    2.3.5 Electronic Working Papers
    2.4 Time Usage Analysis
    2.4.1 Timesheets
    3.0 Audit Planning
    3.1 Planning
    3.1.1 Summary of Planning Process
    3.2 Strategic Audit Plan
    3.2.1 Introduction
    3.2.2 Purpose
    3.2.3 Developing a Strategic Audit Plan
    3.2.4 Identification of Auditable Areas
    3.2.5 Risk Ranking
    3.3 Annual Audit Work Plan
    3.3.1 Introduction
    3.3.2 Considerations for Planning
    3.3.3 Planned Audits Spreadsheet
    3.4 Field Audit Plan
    3.4.1 General
    4.0 Audit Methodology
    4.1 The Audit Cycle Summary
    4.1.1.1 Introduction
    4.1.1.2 Planning and Administration
    4.1.1.3 Review and Evaluation
    4.1.1.4 Verification
    4.1.1.5 Reporting
    4.1.1.6 Follow-up
    4.2 Audit Programs
    4.2.1 Introduction
    4.2.2 Structure
    4.2.2.1 Audit Objectives and Scope
    4.2.2.2 Controls and Risks Sections
    4.2.2.3 Standard General Section
    4.2.2.4 Conduct of Audit Testing
    4.2.2.5 Communication with Auditee
    4.3 Working Papers - General
    4.3.1 Rationale
    4.3.2 Structure
    4.4 Audit Reports
    4.4.1 Philosophy
    4.4.2 Audit Report Structure
    4.4.3 The Reporting Process
    4.5 Working Paper Review
    4.5.1 Introduction
    4.5.2 Procedures
    4.6 Flowchart Documentation
    4.6.1 Introduction
    4.7 Audit Sampling
    4.7.1 General
    4.7.2 Testing Template
    5.0 Major Project Development Audits
    5.1 Audit Objectives
    5.1.1 General
    5.1.2 Audit Objectives
    5.2 Audit Approach
    5.2.1 General
    5.2.2 Audit Scope
    5.2.3 Audit Deliverables
    5.3 Major Project Development Audit Working Papers
    5.3.1 General
    5.4 System Documentation
    5.4.1 Introduction
    5.4.2 System Description
    5.4.3 Identification of Risks and Controls
    6.0 Audit Evaluation and Performance
    6.1 Audit Client Questionnaire Form
    6.1.1 General
    6.2 Performance Reviews - KRIs and KPIs
    6.2.1 General
    7.0 Miscellaneous
    7.1 LAN Permanent File Naming Standards - Effective 1 May 2003 to 30 June 2012 (now replaced by CCH TeamMate)
    7.1.1 General
    7.2 Important LAN Directories/Files
    7.2.1 Subdirectories
    8.0 Other Special Audit Work
    8.1 Audit Certificates
    8.1.1 General
    8.1.2 Preferred External Service Providers
    8.2 Special Investigations
    8.2.1 Introduction
    9.0 Forms and Templates List
    9.1 Introduction
    9.2 Time Recording
    9.2.1 Timesheet
    9.3 Section 1 - Planning and Evaluation
    9.3.1 Email Notification of Audit Commencement (example)
    9.3.2 Audit Checklist (two pages)
    9.3.3 Field Audit Plan (two pages)
    9.3.4 Audit Engagement Letter (usually four to five pages)
    9.3.5 Internal Audit Request IAR (one page)
    9.3.6 List of CAATs (one page)
    9.3.7 PANA (one page)
    9.3.8 Reference File System Description (up to three pages)
    9.3.9 Audit Budgeted Hours Estimate Sheet (one page)
    9.4 Section 2 - Reporting
    9.4.1 Draft Audit Report Covering Memo (one page)
    9.4.2 Audit Observations (variable no. of pages)
    9.4.3 Main Audit Report (variable no. of pages)
    9.4.4 Audit Client Questionnaire (one page)
    9.4.5 Hardcopy Cover Sheet for Official Records File (one page)
    9.5 Section 3 - Verification
    9.5.1 General
    9.6 Other
    9.6.1 Major Project Development Checklist (available on request)
    9.6.2 Major Project Development Report (available on request)

    NOTE: the official Internal Audit Manual is found on J drive at

    J:\ODVC\PQ\AUDIT\OPERATIONAL MANAGEMENT\Procedures\Internal Audit Manual\2011 Onwards

    FOREWORD

    The purpose of this manual is to provide Curtin University Audit staff with a source of reference for general

    audit procedures and routine, in accordance with the Audit Charter (refer Section 1.1).

    Any instruction contained herein which is inconsistent with Curtin University's internal policies and

    procedures is void to the extent of that inconsistency.


    1.0 General Policies & Standards

    1.1 Audit Charter

    The Internal Audit Charter establishes the purpose, authority and responsibilities conferred by the Council

    of Curtin University (the University) on the Internal Audit area, with respect to the carrying out of internal

    auditing duties.

    The Internal Audit Charter may be found on the Curtin University Internal Audit website (http://internalaudit.curtin.edu.au/charter.cfm).

    1.2 Auditing Standards

    1.2.1 IIA Professional Practices Framework

    To assist auditors in achieving an acceptable level of performance, The Institute of Internal Auditors (IIA), an international body, has issued the International Professional Practices Framework (IPPF), which is intended to be used throughout the world in the conduct of internal audit assignments. Refer to the IIA website (http://www.theiia.org/index.cfm?doc_id=1625) for further information.

    The IPPF provides internal audit professionals worldwide with authoritative guidance which is both

    mandatory and strongly recommended in nature.

    The three mandatory elements of the IPPF are:

    • Definition of Internal Auditing
    • Code of Ethics
    • International Standards for the Professional Practice of Internal Auditing (Standards)

    Conformance with the principles set forth in mandatory guidance is required and essential for the professional practice of internal auditing.

    The Internal Audit Charter contains a definition of internal auditing that is in alignment with the

    IPPF i.e.

    The basic objective of Internal Audit is to provide independent, objective assurance and consulting services designed to add value and improve the University's operations.

    Section 9.2 of the Internal Audit Charter states that the Director Internal Audit will ensure:

    • compliance with professional standards, as laid down by the Institute of Internal Auditors (IIA) i.e. the International Standards for the Professional Practice of Internal Auditing; and
    • compliance with the IIA Code of Ethics


    1.2.2 Other External Standards

    In specific areas of specialisation, such as audits of financial records and audits related to computer-based systems and functions, other authoritative bodies have issued audit statements and guidelines.

    In particular, the Australian accounting bodies have issued statements on auditing standards and

    practices, having regard to generally accepted principles applying in both the public and private

    sector, for audits of financial statements. The Information Systems Audit and Control Association

    (ISACA), another international body, has developed standards for Information Technology auditing.

    Section 9.2 of the Internal Audit Charter states that the Director Internal Audit will ensure where

    applicable, that regard is had for auditing standards and practice statements issued jointly by CPA

    Australia and the Institute of Chartered Accountants in Australia, and standards issued by ISACA.

    1.2.3 General Standards - Summary

    General auditing standards in operation for Internal Audit at Curtin University are in alignment with

    the above referred external standards:

    1.2.3.1 Qualifications of Audit Staff

    Audits must be performed by or under the supervision of a person or persons having the

    managerial, technical and perceptive skills possessed by an experienced and competent internal

    auditor. Requirements for staff performing audits are:

    General:

    • Knowledge of auditing theory and practice and the education, ability and experience to apply such knowledge to a variety of auditing assignments.
    • Knowledge and understanding of the operations of the organisation acquired through education and experience.
    • Knowledge of management principles and practices.

    Specific:

    • A level of experience and appropriate qualifications to perform as a competent internal auditor.
    • For audits of financial statements, appropriate qualifications providing a detailed understanding of accounting standards concepts, principles and practices.
    • For audits of computer-based systems and environments, appropriate qualifications providing a detailed understanding of computing concepts, principles and practices.


    1.2.3.2 Reasonable Professional Care

    Auditors must take reasonable professional care in specifying evidence required, in gathering and

    evaluating the evidence and in reporting findings.

    The standard requires professional performance of a quality appropriate to the complexities of

    particular audit assignments. It imposes upon auditors the need to be alert for situations, control

    weaknesses and transactions which could be indicative of fraud, improper or unlawful expenditure,

    unauthorised operations, waste and inefficiency.

    In determining which audit tests and procedures are to be applied to achieve reasonable

    professional care, the following matters are relevant:

    • Requirements to meet audit objectives.
    • Relative materiality of matters to be investigated.
    • Prior knowledge of the effectiveness of the systems of internal control.
    • Estimate of costs of implementing internal audit plans in relation to likely benefits to be derived.

    1.2.3.3 Independence

    Independence is essential to the effectiveness of Internal Auditing. This independence is obtained

    primarily through organisation status and objectivity.

    The organisational status of the Internal Auditing function, and the support accorded to it by

    management, are the major determinants of its effectiveness. The Director Internal Audit,

    therefore, is responsible to the Audit and Compliance Committee whose authority is sufficient to

    ensure both a comprehensive range of audit coverage, and the adequate consideration of, and

    effective action on, the audit findings and recommendations.

    Whilst the auditor may recommend standards of control for systems or review procedures before

    they are implemented, the design, installation and operation of systems or drafting of procedures

    for systems are not an Audit function. Performing such activities is presumed to impair audit

    objectivity and could be seen to be displacing the role of management.

    1.2.3.4 Confidentiality

    Information acquired by an auditor in the course of audit duties must not be used for purposes

    outside the scope of assessment and formation of an opinion and in reporting according to audit

    responsibilities.

    It is essential that the auditor maintain confidentiality regarding audit matters and information

    arising from audit tasks.


    1.2.3.5 Evidence

    Auditors must obtain all evidence necessary for the effective completion of the audit.

    The decision on how much evidence is enough and what type to seek requires the exercise of the

    auditor's judgement based on experience, education, reasoning and intuition. A thorough

    knowledge of the concepts underlying audit evidence will help the auditor to improve the audit

    quality and efficiency.

    Evidence needed to support the auditor's findings may be:

    • Physical evidence obtained by observation and enquiry;
    • Testimonial evidence from interview and statements from involved persons;
    • Documentary evidence consisting of legislation, reports, minutes, memoranda, etc., contracts, extracts from accounting records, formal charts and specifications of documentation flows, systems design, operations and organisation structure; and
    • Analytical evidence secured by analysis of information collected by the auditor.

    Regardless of the type, the evidence involved should meet basic tests of sufficiency, competence and relevance. The audit working papers should reflect the details of the evidence upon which the auditor has relied or include copies of papers containing the evidence.

    1.2.3.6 Adequate Documentation

    Auditors must provide adequate documentation of the audit, including the base and extent of

    planning, the work performed and the results and findings of the audit.

    Adequate documentation of audit planning, methods, procedures, findings and results is necessary

    in order to maintain an acceptable level of auditing service by providing:

    • The Director Internal Audit with an adequate basis and sufficient evidential material to support any opinions expressed in the Audit Reports;
    • Evidence of the achievement of the required standard of audit performance;
    • An effective link between successive audits; and
    • A basis for quality assurance reviews.

    Specifically, the following documentation is relevant and should be retained on file:

    • Planning procedures;
    • Information provided by the client or other parties that is significant to the findings or the recommendations;
    • Principal procedures and findings to the extent that these are not documented in the final report;
    • Evidence of review of work papers by the Director Internal Audit; and
    • Client correspondence and reporting, including the final report (NOTE: only the first draft and final copy of the report need to be kept on file).

    Documentation that is not referred to in the working papers or report findings is not to be retained

    on file.

    1.2.4 Operating Standards - Summary

    The operating auditing standards applied by Internal Audit at Curtin University align with the external standards referred to above:

    1.2.4.1 Planning

    An audit plan must be prepared and revised as necessary in the course of an audit to cover all

    material areas under examination.

    This standard requires sufficient advance planning to provide a basis for effective audits. This is the

    first step towards effective and efficient utilisation of staff time.

    The audit planner is expected to be thoroughly familiar with the operations of the organisation and

    be concerned broadly with medium to long-term horizons to ensure systematic and adequate

    coverage of activities over time.

    1.2.4.2 Supervision

    Where work is assigned to members of an audit team, each member must have sufficient

    proficiency and training to carry out assigned tasks. Their work must be carefully supervised and

    reviewed.

    The most effective way to control quality and to expedite the efficient and effective progress on an

    assignment is by supervision from the beginning of preparatory work to the completion of the

    report in draft form.

    In particular, the Director Internal Audit is required to oversee and assess the audit work program

    and audit budget throughout the course of each audit. In addition, it is the Director Internal Audit's

    responsibility to approve any change to the audit budget or deviation from the audit work program

    on each audit.

    1.2.4.3 Statutory and Regulatory Requirements

    One specific aspect to be covered is a review of compliance with statutory and regulatory

    requirements, organisation plans and policies, directives and procedures.


    This standard places an onus on the auditor to advise management of any instances where the

    organisation has not complied with pertinent laws and regulations. In reviewing compliance, the

    auditor should examine enabling legislation and general regulations as appropriate.

    1.2.4.4 Internal Controls

    The system of internal control is conceptual in nature. It is the integrated collection of control

    mechanisms used to achieve desired results.

    A control is any mechanism or practice used to enhance the probability that required results will be

    achieved.

    Internal auditors must systematically evaluate the nature of the organisation's operations and systems of internal control to assess the extent to which they may be relied upon to:

    - Ensure the integrity of management data;
    - Ensure that the organisation's assets are safeguarded;
    - Ensure compliance with policies, plans, procedures, standards, laws and regulations; and
    - Promote effectiveness, efficiency and economy in organisational practices.

    Internal controls comprise the plan of organisation and the methods and measures adopted to safeguard assets, comply with laws and regulations, check the accuracy and reliability of management data, promote operational efficiency and encourage adherence to prescribed managerial policies. These controls embrace the policies, procedures and practices established by management as well as the plan of organisation and other measures intended to promote and facilitate their implementation.

    Internal control is the whole system of control, financial or otherwise, established by management

    in order to carry on the business of the organisation in an orderly manner.

    The characteristics of a sound system of internal control include:

    - A plan of organisation providing segregation of responsibilities and duties appropriate for safeguarding the organisation's resources, and accountability for the economical and efficient utilisation of such resources;
    - A system of authorisation and recording procedures adequate to provide control over resources;
    - Sound, formal practices to be followed in the performance of duties and functions of each of the organisational units;
    - Procedures to ensure the selection of personnel of a quality commensurate with their responsibility; and
    - Checks and balances to ensure desired results are achieved.

    Types of control include:

    - Management;
    - Organisation;
    - Accounting; and
    - Physical controls.

    A complete review of internal controls as a specific requirement would often be prohibitive in terms of available resources. An examination of all controls would not be efficient (and would not always add value) because not all are significant; in fact, the importance of controls is directly linked to the assessment of business risk within an auditable area under review. The auditor should exercise professional judgement and should concentrate on controls which are important within the full scope of the system under review, i.e. key controls.

    1.2.4.5 Reporting

    Each audit report should:

    - Be clear, concise and complete;
    - Explain clearly, where applicable, the scope, objectives and limitations of the audit;
    - Include an audit opinion;
    - Present findings, conclusions and recommendations in order of importance (based on risks assessed) and in an objective and dispassionate manner;
    - Include only factual information and findings and conclusions adequately supported by evidence;
    - Reflect the balance between critical comments and recognition of management and initiated improvements;
    - Identify and explain issues or questions needing further study and consideration by the auditor or others;
    - Highlight any departure from policies, plans, procedures, standards, laws and regulations; and
    - Recognise the views of management which should be considered for presentation in the final audit report.

    1.2.5 Audit Management Responsibilities

    The responsibilities of the Director Internal Audit include the following:


    1.2.5.1 Organising

    The Director Internal Audit should define and put into effect organisational arrangements appropriate to provide the quality and level of auditing services required at reasonable cost.

    Organising involves the establishment of the organisational structure and includes the division of

    work into manageable units and the specification of the span of management. It involves the use of

    such tools as organisation charts, position descriptions, flowcharts, procedures, records and reports

    to establish the flow of information and the responsibilities and authorities of individuals for

    performing activities, establishing information trails, and setting standards of performance.

    1.2.5.2 Directing

    The Director Internal Audit should provide directives and written policies and procedures to guide Audit staff.

    Directing involves undertaking certain activities to provide additional assurance that plans are

    carried out and that systems operate as intended. These activities include issuing instructions to

    staff.

    The form and content of written policies and procedures should be appropriate to the size and

    structure of the Audit unit and the complexity of its work.

    1.2.5.3 Controlling

    The Director Internal Audit should establish and maintain a system of supervision and control (including a quality assurance program) to evaluate the operations of the Audit unit and provide reasonable assurance that required results will be met in an efficient and economical manner.

    1.3 Audit and Compliance Committee Charter

    The Audit and Compliance Committee Charter provides details of that Committee's membership, purpose

    and responsibilities.

    The Audit and Compliance Committee Charter may be found on the Curtin University Internal Audit website here:

    http://internalaudit.curtin.edu.au/committee.cfm

    2.0 Personnel & Administration

    2.1 General Procedures

    2.1.1 Commencement of an Audit

    Audits are to be commenced and conducted only at times when, at the auditor's discretion, they

    will cause the least inconvenience and disruption to the normal activities of the

    Faculty/School/Department/Area.

    All audits should be preceded by an initial email notification of the audit's commencement and one

    or more entry interviews where the scope and objectives of the audit are discussed. The auditor

    should also consider meeting with the prime auditee of the auditable area prior to issuing the email

    notification, if there is any possibility that problems may be experienced in obtaining management

    support for the audit to be undertaken.

    The auditor should later formulate a letter of engagement which confirms with the auditee the

    matters discussed at the entry interview. Where the auditor is concerned that the auditee may be

    lax in providing information required to commence the audit, an Internal Audit Request (IAR) form

    may be used (see Section 9 Forms and Templates List).

    2.1.2 Conduct of an Audit

    When in the field, auditors are to arrange a suitable position in the office in which to conduct their

    work.

    Due care of University property and records is to be exercised and the confidentiality of records and

    security of value items is to be maintained by the auditors. Auditor working documentation and

    materials, and University records, are not to be carried loosely but in folders or brief cases.

    2.2 Personnel

    2.2.1 The Auditor

    The auditor's role involves the critical reporting of deficiencies in the University's system of control

    and management of business risk. This can sometimes upset or cause dissatisfaction amongst

    management and staff.

    People in authority have the added responsibility of setting an example to others. Other University

    staff members expect auditors not only to know the correct procedures but to exhibit a certain level

    of behaviour, particularly if the auditor is in a position to be reporting on where work doesn't meet

    an acceptable standard.

    The following points may act as a guide to the level of behaviour that is expected of new Audit staff:

    - Approach - Auditors, like their auditees, are all members of the same institution and shouldn't set themselves apart or appear to be aloof. Audit is a management tool in the overall organisation of the University and its function is to assist rather than to hinder. Audit officers are to be friendly and fair in their approach but, at times, need to be firm in exercising their authority - particularly if other staff members are reluctant to give positive assistance.
    - Work Knowledge - The whole basis of the auditor's work centres around determining weaknesses in control and management of risk. In order to be appointed to Internal Audit, officers must display a certain level of experience and competence. It is the auditor's responsibility to ensure that he/she refers, as often as is necessary, to the University's policies and procedures, individual Faculty/School/Department/Area procedures manuals, user guides and any statutes/regulations which may be applicable.

    2.2.2 Internal Audit Area - Organisation Structure

    The Internal Audit Area is structured as follows:

    2.2.3 Security of Documentation

    It is most important that University records and property in the care of auditors be adequately

    secure at all times whether in the office or in transit.

    Auditors shall ensure that:

    - Audit files, when the auditor is in the field, are suitably housed overnight and not left on desks;
    - Personal computer equipment and backup thumb drives/CDs are not left unsecured while the auditor is away from his/her desk;
    - Any University documents, files, reports or papers of any nature are not taken outside the building unless in a suitable envelope, parcel or briefcase.

    Audit staff who are required to take PC equipment, working papers or reports to their home prior to commencement of (or during) an audit must ensure that this property is not left in motor vehicles overnight.

    2.3 Administration

    2.3.1 Audit Procedures

    The Internal Audit area may maintain various Acts and Statutory Regulations, as required. However,

    much of this information is now readily available on the web.

    The Internal Audit area will maintain the following internal documentation:

    - Audit Manual (which is stored electronically on the Internal Audit Area J drive and published on the Internal Audit website). This manual determines the standard expected of auditors in discharging their audit responsibilities.

      This document is stored on the LAN in: J:\ODVC\PQ\AUDIT\OPERATIONAL MANAGEMENT\Procedures\Internal Audit Manual\2011 Onwards

    - CCH TeamMate System User Guide for Curtin Auditors (which is stored electronically on the Internal Audit Area J drive and published on the Internal Audit website). This guide describes how the Internal Audit Area's audit methodology is to be utilised through the use of the CCH TeamMate electronic working papers system; see further information below.

      This document is stored on the LAN in: J:\ODVC\PQ\AUDIT\OPERATIONAL MANAGEMENT\Procedures\CCHTeam Mate Manual

    - Other technical auditor information (which is stored electronically on the LAN in the appropriate directory e.g. running CAATs).

      CAAT software is held on the LAN in: J:\ODVC\PQ\AUDIT\INFORMATION AND COMMUNICATION TECHNOLOGY\Compliance\CAATS

    Amendments to the above documentation are to be authorised by the Director Internal Audit.

    2.3.2 Area Expenditure

    All drawings made to recoup expenses paid during the course of an Audit, for interstate travel or

    external training, are to be compiled personally by the auditor for authorisation by the Director

    Internal Audit (or relevant support administrative staff). Copies of all supporting documentation,

    including receipts, vouchers etc are to be filed in the relevant administration area of the Office

    within which the Internal Audit Area operates.


    2.3.3 Management Reporting

    Each quarter, the Director Internal Audit is to submit a report to the Director's administrative

    supervisor (i.e. the Vice-Chancellor) outlining activities carried out by the area for the previous

    quarter.

    The information contained within this report will also form the basis for the Internal Audit quarterly

    update paper presented to Audit and Compliance Committee (The Director Internal Audit is

    required to attend Audit and Compliance Committee meetings, as required, to discuss activities

    performed by the Area for the previous quarterly period).

    2.3.4 Hardcopy Audit Documentation

    The final audit report for each audit conducted is to be retained in two official records files. One file

    (for the audit itself) is stored in the Internal Audit compactus; the other file is kept in the cupboard

    space in the office of the Director Internal Audit.

    Retention time for this documentation is in accordance with University recordkeeping procedures.

    2.3.5 Electronic Working Papers

    The Internal Audit Area has moved to full use of the CCH TeamMate electronic working papers

    module (EWP). In this system, all programs, working papers, supporting appendices etc are stored

    electronically.

    2.4 Time Usage Analysis

    2.4.1 Timesheets

    As a means of providing information for analysis of time usage, it is required that each auditor

    maintain records of time spent on activities during the day (see Timesheet in Section 9 Forms and

    Templates List). The Time Recording Sheet (a computerised spreadsheet) is to be completed each

    day and handed to the Director Internal Audit midway during each month and within one working

    day after the end of each month.

    Auditors are required to record time spent on each individual activity by key

    task/category/milestone as specified in Part A of the Field Audit Plan.

    The minimum unit of time to be recorded is 0.25 hours (15 minutes) in a 7.5 hour working day.

    In calculating administration (non-productive time), the auditor should first determine hours spent

    on each assigned project and other tasks during a working day; the remaining hours should then be

    allocated as administration to make up 7.5 hours in total.

    The timesheet is to be updated each day and figures accumulated on a calendar month basis, with

    final actuals being carried forward from the previous calendar month. Any necessary totalling of

    figures is performed automatically by the spreadsheet software.


    The Director Internal Audit is to ensure that, on a monthly basis, totals are transferred from the

    computerised timesheets to the Audit Progress spreadsheet (which reports annual budgeted time

    against actual hours for scheduled audits).


    3.0 Audit Planning

    3.1 Planning

    3.1.1 Summary of Planning Process

    The Director Internal Audit should establish plans to discharge assigned responsibilities as laid down

    in the Charter. Such planning involves a systematic approach to the setting of objectives and goals,

    the selection of an appropriate strategy and planning approach from various alternatives, and

    enables measurement of the achievement of the unit's objectives.

    The total audit planning process involves the establishment of:

    - A Strategic Audit Plan which is the identification and documentation of auditable areas within an Audit Universe, and the prioritisation of these areas for review based on a predetermined risk assessment methodology over a period greater than one financial year;
    - An Annual Audit Work Plan which sets out the planning of individual audit assignments over one financial year; and
    - A Field Audit Plan which determines the scope and parameters for each individual audit.

    3.2 Strategic Audit Plan

    3.2.1 Introduction

    It is Internal Audit policy that a five year Strategic Audit Plan shall be maintained, in alignment with

    the University's five year strategic plan.

    The plan will be designed so that all major auditable areas of the University are considered and risk

    ranked before audit resources are assigned to selected tasks.

    The plan will be developed by the Director Internal Audit, or an auditor delegated the task (with

    ultimate approval by Director Internal Audit), on at least a yearly basis.

    3.2.2 Purpose

    The Strategic Audit Plan serves the following purposes:

    - As an Identification of Auditable Tasks. A strategic plan highlights the key activities in the organisation to be reviewed. It can thus provide assurance that no significant auditable area has been overlooked. A well-constructed and dynamic strategic plan provides tangible evidence of management commitment to audit coverage as part of the organisation's overall system of internal control.
    - Justification of Resources. A strategic plan, when accepted, can support Audit management's requests for establishing staff levels and in determining associated budgets.
    - Management Participation. Management overview of the strategic plan will ensure that Audit's assessment of relative priorities accords with that of management.
    - Accountability. A plan allows the comparison of work completed to work scheduled and is an important link in the accountability chain.
    - Direction and Control. A well-structured, long-range strategic plan, with regular reports to Executive Management, is an indicator of a well-organised and administered Audit unit.
    - Liaison. Communication of long-term plans can facilitate working arrangements with all other review activities, including external audit.

    3.2.3 Developing a Strategic Audit Plan

    A Strategic Audit Plan is established by:

    - Identification;
    - Risk ranking; and
    - Prioritisation of auditable areas (within the Audit Universe).

    While the Audit Charter defines the responsibilities of the Audit function in broad terms, Audit management should possess sound knowledge of the organisation's activities in order to document the auditable areas.

    3.2.4 Identification of Auditable Areas

    The Audit Universe of auditable areas must consider all major University operations, systems and

    computer environments. To this end, Audit management must seek relevant information from a

    variety of different sources e.g.

    - Executive management
    - Line management
    - Organisational strategic and operational plans
    - User Guides, Procedures Manuals, and other departmental documentation
    - Audit staff
    - Previous audit results
    - The University's Risk Map (covering strategic, operational and project risks)

    The Audit Universe is held on the LAN in: J:\ODVC\PQ\AUDIT\OPERATIONAL MANAGEMENT\Planning\20xx Operational Plan\0 Audit General Documents, where 20xx indicates the year of the current plan.

    Each year, the current year's Audit Universe should be used as a starting point for the new plan i.e.

    copy and rename last year's Universe before performing any updates.

    3.2.5 Risk Ranking

    Having identified the total set of audit tasks within the Audit Universe, it is now necessary to

    individually rank and prioritise these tasks so as to ensure that Audit resources are allocated to

    where they are most needed.

    This is done by employing a suitable risk assessment methodology e.g. aligning the Audit Universe

    with the University's Risk Map, or using a range of weighted risk assessment factors such as

    Criticality, External Factors, and Management Competence. In either case, the expected outcome is

    a sorted and prioritised list of audits ready for input into the Annual Audit Plan.

    NOTE: The Strategic Audit Plan reflects the risk profile of the organisation at one specific point in

    time. It needs to be dynamic, as during the year:

    - New auditable areas may be identified;
    - Existing auditable areas may disappear; and
    - New risks may be identified or existing risks may change in terms of their probability and/or impact.

    3.3 Annual Audit Work Plan

    3.3.1 Introduction

    Prior to the commencement of each new financial year, the Strategic Audit Plan will be updated and

    an Annual Audit Work Plan developed. This plan indicates audit coverage within the constraints of

    available resources for a period of one financial year.

    The plan will be developed by the Director Internal Audit, or an auditor delegated the task (with

    ultimate approval by Director Internal Audit), after due consideration by the external auditors and

    Executive Management.


    The final Annual Work Plan for the area is submitted to the Audit and Compliance Committee for

    review and approval, prior to the commencement of the new financial year.

    3.3.2 Considerations for Planning

    Not all of the auditable areas identified and risk ranked in the Audit Universe will be covered in the

    Annual Audit Work Plan.

    The availability, skills and knowledge of available internal audit resources, the ability to outsource or

    co-source audits, and the scope and objectives of each audit are factors affecting the selection of

    any one audit in the final operational plan.

    With regards to scope and objectives, typical examples are:

    - Preliminary Review - no audit testing required.
    - New Audit - audit program development and audit testing required.
    - Existing Audit - audit program update and audit testing required.

    A 7.5 hour working day will be used in determining duration of audit assignments.

    Consideration will have to be given to administration (non-productive) time each working day.

    Administration caters for personal breaks, phone calls, Christmas lunches etc.

    In assigning audits to staff, the Director Internal Audit shall:

    - reserve a proportion of time to meet ad hoc management requests or undertake special investigations, and be involved in major University projects if required;
    - make appropriate allocations of time for two or more auditors to work on the same audit;
    - ensure auditors are adequately rotated on audits to minimise reliance on key persons and increase skills and knowledge across the team; and
    - determine availability of working hours for each employee ONLY after first calculating total non-worked time e.g. annual leave, long service leave, personal leave, training, study leave/exams and non-productive administration time.

    In addition, the Director Internal Audit will strive to ensure that agreement is reached with

    management on the timing of selected audits (where feasible) and their scope and objectives, prior

    to the Annual Audit Plan being approved by the Audit and Compliance Committee. A special form

    has been developed to facilitate this i.e. the Audit Budgeted Hours Estimate Sheet (see Section 9

    Forms and Templates List).


    Part B of the Field Audit Plan document should also be updated with relevant information upon

    completion of the audit and handed to the Director Internal Audit for final sign-off.

    The Field Audit Plan and accompanying documents enable Audit management to ensure that work

    performed meets accepted standards and audit objectives, and is carried out in the most economical and effective manner.


    4.0 Audit Methodology

    4.1 The Audit Cycle Summary

    4.1.1.1 Introduction

    The process of performing an audit has several stages. These are collectively referred to as the Audit

    Cycle. This covers all aspects of an audit from the initial plan to final resolution of all matters raised:

    - Planning and Administration;
    - Review and Evaluation;
    - Verification;
    - Reporting; and
    - Follow-up.

    A short explanation of each phase appears below. Note that these stages do not necessarily run contiguously but may overlap.

    4.1.1.2 Planning and Administration

    A pre-requisite for an efficient and professional audit is an adequate plan. The amount of work

    involved in planning may vary considerably, depending upon whether or not the audit has been

    performed before. An integral part of this planning is the entry interview (where the scope and

    objectives of the audit are discussed), and the engagement letter (where the outcome of the entry

    interview, and other audit planning related matters, are confirmed with the auditee).

    4.1.1.3 Review and Evaluation

    In this phase, the system or operation is reviewed and documented, risks and associated controls

    are identified, and a preliminary evaluation of the adequacy of these controls performed. From

    here, an audit program is developed or an existing audit program modified.

    4.1.1.4 Verification

    During this phase, the audit program is followed and assessments made based upon the results of

    further investigation and testing.

    4.1.1.5 Reporting

    At the end of the Verification phase, findings are documented, together with appropriate audit

    recommendations, in report form for later discussion with the Auditee during the exit interview.

    A draft copy of the report is sent to the auditee (management) to gain final clearance on matters

    raised (via written management comments).


    Upon receipt of management comments, the comments are included within the body of the report

    and an audit opinion determined and inserted in the Conclusion section, prior to publication.

    The final report is issued, and two to three days later, an Audit Client Questionnaire Form (see

    Section 9 Forms and Templates List) is issued requesting feedback from the Auditee on the Auditor's performance.

    4.1.1.6 Follow-up

    On a six monthly basis, a follow-up report is issued by the Director Internal Audit on all outstanding

    matters reported during prior audits. The status of action taken on each item is noted, and items

    are carried forward until all action is complete.

    The issues reported as being outstanding at the end of the follow-up process are reported to Audit

    and Compliance Committee (this occurs twice a year, at the May and November meetings).

    4.2 Audit Programs

    4.2.1 Introduction

    It is Internal Audit policy that, before detailed audit testing is undertaken, an Audit Program should

    be prepared (see Section 9 Forms and Templates List). The audit program is in fact the end point

    of the Review and Evaluation phase.

    Programs may cover more than one auditable area (if these areas are clearly inter-related) but must

    be structured so that different auditable areas can be covered separately. In circumstances where a number of auditable areas are covered in one program, the program must make provision for a

    summary assessment covering all included areas.

    Note that there are occasions where standard audit programs may be employed e.g. for Business

    Unit audits.

    The audit program is reassessed and updated during each subsequent performance of the audit.

    The program is thus a working document used as a guide to the auditor and subject to amendment

    as appropriate.

    4.2.2 Structure

    The audit program is made up of several sections.

    4.2.2.1 Audit Objectives and ScopeThis is always the first section of the audit program. It has the following components:

    Audit Objectives- the primary (and perhaps secondary) objective for the program as a whole.Any summary assessment of the audit will be based on the achievement of this objective.


    Audit Scope - the scope of activities to be included or excluded.

    4.2.2.2 Controls and Risks Sections

    A separate section of the audit program is established for each major control area identified for the

    auditable area under review.

    Each control section must have one or more summary control objectives and a list of audit tests to

    be performed in association with these objectives. In classical systems-based audit theory, these

    tests should be identified with both substantive and compliance testing; i.e. to test both that the

    system operates as described and that it operates correctly.

    Each audit test, for it to exist, must be associated with key controls linked to one or more extreme,

    high or medium risks covering the auditable area (NOTE: low risk items are not to be tested).

    Risks will be identified and assessed using the University's approved Risk Matrix or other relevant information. This involves consideration of:

    Likelihood of Risk;

    Consequence of Risk; and

    Risk Rating (based on a combination of likelihood and consequence).

    Upon completion of the audit testing in any one control section, the auditor will be able to

    conclude, based on the results of the testing performed, whether management is achieving/has

    achieved the stated control objectives.

    4.2.2.3 Standard General Section

    Each audit program will have a standard section, at the beginning, titled "General". This section

    requires the auditor to do the following:

    List the recommendations to major findings from the previous audit in the working papers (and the most recent management response to each recommendation) and verbally verify, with the

    auditee, that the matters have been addressed or are being addressed. Where a particular issue

    will, for whatever reason, not be covered during the current audit, sufficient audit testing must be performed in this step to verify management's response; and

    Review all related external audit management letter issues raised in the current and previous financial year (whether cleared or outstanding), then verbally verify, with the auditee, that the

    matters have been addressed or are being addressed. Where a particular issue will, for

    whatever reason, not be covered during the current audit, sufficient audit testing must be

    performed in this step to verify management's response.


    4.2.2.4 Conduct of Audit Testing

    It is Internal Audit policy that the audit program will be followed exactly, except as determined by

    the Director Internal Audit or Senior Auditor supervising the audit (where applicable). The Director

    Internal Audit must approve any deviation from the program, where limited time is a factor.

    Prior to the audit work being undertaken, the Director Internal Audit will approve the audit

    program, including any specified changes or exclusions to the program steps.

    4.2.2.5 Communication with Auditee

    During the course of audit work, the auditor will communicate matters of significance with the

    auditee to minimise the possibility of "surprises" at the end of the audit.

    This may be done informally (e.g. emails, discussions) or via formal meetings.

    4.3 Working Papers - General

    4.3.1 Rationale

    The auditor prepares working papers for a number of different purposes:

    To identify and document deficiency findings, and accumulate evidence needed for determining the existence and the extent of the deficient conditions.

    To help perform the audit in an orderly fashion coinciding with the audit program; to document what has been done; to indicate what is still to be done and give reasons for what will be left

    undone.

    To provide support for the audit report. Well-structured working papers make it easy to transfer the material written during the audit to the pages of the final audit report. The auditor can

    develop discipline that moves both the working paper documentation and the audit report on

    the same assembly line, minimising any rephrasing and restructuring and ensuring that the

    points raised in the report are covered by the working papers. An experienced auditor has the

    structure of the final report in mind throughout the entire audit project. It helps keep the work

    relevant and pointed in the right direction.

    As a line of defence when conclusions and recommendations are challenged. Criticism, expressed or implied, is rarely taken kindly. It leads to challenges from the one criticised and

    such challenges must be rebutted with facts and proof. The working papers, properly developed

    and referenced and readily accessible, lend support to the auditor and give a feeling of security.

    As the basis for supervisory or peer review of the audit progress and accomplishment. Review of the audit project should be current and continual. The working papers, as evidence of work

    done and to be done, are much better indices of accomplishment than unsupported oral

    assertions (which may easily become general, distorted or superficial) and can materially


    benefit the audit. A review of work progress is seriously diminished in value if it is based only on

    conversation with the auditor.

    As a basis for appraising the auditor's technical ability, skills and working habits. Audit proficiency is clearly mirrored in the documentation of work and support for conclusions.

    As background and reference data for subsequent reviews. Audit projects may be repeated or followed up. High quality working papers make the repeat audit much easier and more

    economical. The subsequent review may therefore build on the earlier one.

    4.3.2 Structure

    It is Internal Audit policy that current working papers on each program will be completed and

    presented in three sections (one set for each performance of the audit). See Section 9 Forms and

    Templates List:

    PLANNING AND ADMINISTRATION - comprises Initial Email notification of audit commencement, Field Audit Plan, Audit Checklist, Engagement Letter, List of CAATs, (new)

    Points for Attention at Next Audit (PANA), a Reference File (including a system description),

    Audit Budgeted Hours Estimate Sheet and other correspondence:

    o The Initial Email notification of audit commencement briefly informs Executive and Senior Management of the audit's commencement and the audit objective.

    o The Field Audit Plan facilitates the planning process at the individual field audit level. The first page of this form (Part A) is completed before the field work commences, and the

    final page (Part B) is completed upon completion of the audit.

    o The Audit Checklist is a detailed guideline of activities to be performed by the auditor during the course of an audit. It serves as a reminder of the tasks to be performed and

    their order of completion.

    o The Engagement Letter summarises the scope and objectives of, approach to, and an estimate of time for completing, a particular audit.

    o The List of CAATs identifies the proposed computer assisted audit techniques (e.g. sample data extracts, exception reports) that will be required to support the specified

    audit tests, and who will be responsible for running them.

    o The PANA is completed during the course of the audit and outlines any points that need to be highlighted at the next audit. It provides a mechanism whereby appropriate

    follow-up action can be initiated and, for this reason, the form should be referred to before the

    next audit of the auditable area for which it was completed. Examples of points which

    may be listed for attention at next audit include selected items which could not be

    located for checking at the time of audit and any other matter which could not be


    properly dealt with at the time of audit and requires or merits attention at the next audit,

    including program steps not performed.

    o The Audit Budgeted Hours Estimate Sheet provides information obtained on the scope and objectives of the audit, during the audit planning cycle undertaken in the previous year.

    o The Reference File contains static or permanent information in relation to the auditable area e.g. a system description, design committee minutes, executive submissions, user

    guide sections, flowcharts, sample forms, sample reports etc.

    EVALUATION AND VERIFICATION - comprises the development of a set of audit tests to be performed on identified key controls that are linked to one or more extreme, high or medium

    risks, and the collection of sufficient and appropriate evidence in order to assess whether these

    controls are operating adequately and effectively:

    Test Workpapers are prepared while the Audit Program is being executed. The contents of this

    section will vary greatly from one audit to another; however, in general terms it should record

    the full detailed results of the audit:

    o The actual test or work performed must be described in narrative/tabular form, with appropriate references (where necessary) to supporting documentation in the

    Appendices e.g. copies of actual forms, documents or report pages used to support

    findings. In addition, large tables of tests performed should also be documented and

    inserted here to avoid excessive detail in the main narrative.

    o Each test completed should have, incorporated within it, statements of any conclusions reached (and the validity of these statements should be self-evident from the

    documented findings).

    o Upon completion of an audit section, the overall conclusion for the section should be determined and documented immediately after the last program step on the worksheet.

    This overall conclusion should be documented as a separate paragraph with its own heading

    "CONCLUSION" and should indicate whether the control objectives for the section have

    been attained.

    o Each audit program step documented may have one or more unique reference numbers created which link to identified Audit Issues (this is usually performed at the completion

    of the audit when all of the issues identified during the course of the work can be

    considered).

    o Where audit testing involves drawing conclusions based on samples, then an appropriate approved sampling methodology will be employed.

    o All audit documentation produced must be signed off by the auditor when it is complete, before being reviewed and signed off by the Director Internal Audit (or a delegate).


    AUDIT REPORTING - comprises Audit Issues identified, Audit Reports and associated memoranda:

    o During the course of the audit, Audit Issues may be identified which may eventually find their way into the draft audit report (as either major issues or minor issues).

    o Prior to the final report being compiled, the Auditor may develop a set of Audit Observations which will contain information on observations made during the course of the

    audit work, and associated evidence to support observations. These observations may not

    necessarily be raised as report findings, but are for discussion with auditees to ensure they

    are kept informed of matters arising from the audit that have potential to be reported (and

    to eliminate any erroneous or incorrect findings at an early stage). The observations may be

    progressively accumulated during the audit, but must be discussed with management

    before the final working papers are submitted to the Director for review. As there may be

    many changes arising from these matters being brought to the attention of management, it is not necessary (or even feasible) to align each matter raised in the Audit Observations

    sheet with those in the final draft report and working papers.

    o At the end of the audit, the Audit Report Grade and Conclusion will be determined; at this point, the Audit Report is ready to be issued to the Executive Manager and his/her

    direct reports by the auditor through the Director Internal Audit (see section 4.4 below

    for more detail).

    o Other memos and any extra correspondence received/raised during the course of the audit, or after final audit report issue, may also be included here.

    4.4 Audit Reports

    4.4.1 Philosophy

    At the conclusion of every audit project, a formal report to management will be issued (see Section

    9 Forms and Templates List).

    The purpose of such a report is to give University management the auditor's assessment of the

    reviewed area. This assessment will include major issues and action to be taken by management to

    correct any problems, as well as recommendations for improvement on low risk items. Note that a

    major issue is defined as one whose inherent risk has been classified as either Extreme, High or

    Medium.

    It is Internal Audit policy to report in detail only deficiencies. This does not preclude a

    complimentary assessment, but such an assessment would be part of a more general statement

    rather than treated in detail.

    More importantly, the readers of the report must be left in no doubt as to the agreed or required

    action.

    4.4.2 Audit Report Structure


    The standard report structure is in three main sections:

    Audit Report Grade is displayed on the front page of the report by placing a tick graphic against the relevant audit grade row. Each of the four audit grades:

    o Satisfactory (Green)

    o Some Improvement Required (Amber)

    o Major Improvement Required (Blue)

    o Unsatisfactory (Red)

    is described in detail on the cover page of the Audit Report template.

    There are no hard and fast rules for determining the Audit Report Grade; however the risk

    rating of the audit findings reported will naturally help determine the final outcome e.g. the

    presence of one to two very high risks may be sufficient to grade an audit as Major

    Improvement Required.

    Immediately before the issue of the final report, the main auditees at Executive level are to be

    informed of the proposed grade of the audit report via email. This is done by the Director

    Internal Audit.

    If the Audit Report Grade is to be Unsatisfactory, then immediately before report issue to

    Executive Management, an unsigned draft copy is to be provided to the Vice-Chancellor for

    his/her perusal. Usually, the Vice-Chancellor is permitted one week to review the draft report

    and provide any comments back to the Director, prior to issuing the final report. It will also be

    necessary to raise the audit report grade with the relevant Executive Manager first.

    Executive Summary provides a summary of the audit performed and includes standard sections describing the audit objective and scope (which should align with the audit objective and scope

    detailed in the Engagement Letter), any positive observations noted during the audit, a list of

    issues raised and the final audit conclusion (which provides the high level justification for the

    audit grade reported on the first page of the audit report).

    Major Audit Issues should each be inserted in a separate table, with the following information:

    o Major Issue No. - a unique number identifying the issue (in the heading).

    o Description - a concise description of the issue.

    o Cause(s) - details the cause or causes of the issue.

    o Consequence(s) - details the consequence to the University should the underlying risk not be minimised, treated or eliminated. This links to the Risk Consequence rating below.

    o Risk Likelihood, Risk Consequence and Risk Rating - provide a quantitative assessment of the risk arising from the reported finding. These are explained further in the appendix at


    the back of the audit report (which is a standard appendix contained in each major audit

    report issued).

    o Audit File Ref. - one or more references to issue nos. raised during the audit (in the CCH TeamMate system).

    o Audit Recommendations - Internal Audit's recommendations to address the findings raised.

    o Management Action Plans - management's response to Internal Audit's recommendations.

    o Clearance Date - management's indication, in association with their formal response, as to when the matter will be cleared.

    Minor Audit Issues are identified as Low risk and should each be inserted as separate rows in a section titled MINOR ISSUES at the back of the report but before the standard appendix,

    with the following information:

    o No. - a unique number identifying the issue (commencing from no. 1 onwards).

    o Minor Issue Description - a concise description of the minor issue.

    o Audit File Ref. - one or more references to findings located in the working papers.

    o Recommendations - Internal Audit's recommendations to address the findings raised.

    Note that while these minor matters are discussed at exit interview with the auditee, no

    formal management comments are sought.

    4.4.3 The Reporting Process

    Main Audit Report

    All audit reports must be printed in colour and sent to the Audit and Compliance Committee

    members by post. One copy of the report must also be produced for the Director Internal Audit

    and one other for the hardcopy working paper file.

    All other copies of audit reports should be converted to PDF form and emailed (in secure form

    i.e. password required on OPEN) to the officers on the Distribution List of the report (which

    includes as a standard, the Office of the Auditor General and the Curtin University Corporate

    Risk area).

    A standard email template should be used for the above purpose.

    Before finalisation, electronic signatures of the Director Internal Audit and the auditors

    concerned should be added to the report, which should then be converted to PDF format and secured with a standard password.


    Finally, the Auditor is required to electronically transfer a copy of the final audit report to the

    following two LAN subdirectories:

    o For Audit Follow-up purposes (in MS Word form) if applicable - to:

    J:\ODVC\PQ\AUDIT\COMMITTEES\Reporting\Audit and Compliance Committee\Outstanding Issues Followups\Internal Audit\New IA Reports - for inclusion in Audit followup

    o For permanent electronic storage in the Audit Repository (in PDF form) to:

    J:\ODVC\PQ\AUDIT\PUBLICATION\Reporting\Internal Audit Report Repository

    Interim Reports

    During the course of an audit, matters requiring immediate attention may arise.

    Rather than wait for the completion of the audit, an interim report (Action Memo) stating the

    deficiencies, causes, risks and recommended action (if any) should be issued. The matters so

    raised, and their resolution, will still be reported in the final report.

    Special Reviews

    Internal Audit may be called upon to perform a special review.

    The report from such a review should follow a standard format, which may be modified to suit

    the circumstances of the review: see Section 9 Forms and Templates List.

    Deficiencies unrelated to Current Audit

    Matters unrelated to the current audit project may come to an auditor's attention.

    If these matters are of significance to Executive or if the auditor believes that the resulting

    exposure is serious, a formal report (Action Memo) should be issued. A final resolution of

    matters raised need not appear in the final report.

    Periodic Audit Management Reports

    The Director Internal Audit reports audit activity to the Vice-Chancellor (as the administrative

    head to the Director) and Audit and Compliance Committee on a quarterly basis.

    4.5 Working Paper Review

    4.5.1 Introduction

    Working papers are to be reviewed by the nominated reviewing officer, usually the Director Internal

    Audit.

    Interim reviews of completed sections of uncompleted audits should be performed by the reviewer to allow for timely rework if necessary (rather than waiting for the entire audit to be finished).


    The working papers file, including the draft report findings and Scope and Objectives (but not the

    Audit Report Grade and Conclusion), is to be handed to the reviewer prior to the exit interview.

    Once the review has been completed and queries resolved, all documents are to be filed on the

    working paper file.

    4.5.2 Procedures

    All working papers must be reviewed to ensure that the audit has been adequately conducted and

    documented. The reviewer must sign each worksheet (excluding appendix documents) as evidence

    of review.

    Formal queries raised by the reviewer will be documented as Review or Coaching Notes and

    referred to the auditor for answers. No working papers will be considered complete until all

    questions have been answered to the reviewer's satisfaction.

    The checklist below is an indication of the aspects which the reviewer will examine before exit

    interview:

    Ensure that the audit program is fully signed off.

    Ensure that audit steps signed off as being "not applicable" are in fact not applicable.

    Ensure that the program is changed to reflect any system changes.

    Enquire into audit steps which have not been signed off.

    Ensure that the 'Points for Attention at Next Audit' from the previous audit have been adequately resolved or addressed.

    Ensure that there is adequate cross-referencing of detail.

    Confirm that the Reference File has been brought up-to-date.

    Check that each finding in the working papers has been accurately brought forward to the report.

    Assess if there is sufficient supporting evidence for each matter raised.

    The checklist below is an indication of the aspects which the reviewer will examine after

    management comments have been received, inserted in the report, and the Audit Report Grade and

    Conclusion prepared:

    Ensure that each major finding reported has been properly resolved or includes a comment from relevant management.

    Ensure that the draft report has been discussed with the appropriate auditee(s) before the final report is released.


    Why the sample size was selected;

    Who provided the documentation to be tested;

    Any exceptions found; and

    Test conclusion.

    NOTE: Where the audit period selected is such that the sample size cannot be achieved, the Auditor

    must exercise his/her judgement in determining what to sample and in what period. It may mean

    that the whole population in the audit period is selected, plus other transactions outside of the

    period in order to achieve a reasonable sample for testing, based on the guideline in the template.

    4.7.3 Sample Selection

    Once a sample size has been determined, each item to be sampled will be selected on the basis of

    the following:

    On a completely random basis and in such a manner that each item in the population has an equal or known chance of being selected; or

    On a fixed interval basis, with a random starting point.
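
    The two selection bases in 4.7.3, as an added Python example that is not part of the manual. The function names, the invoice-number population and the seed value are assumptions made for illustration.

```python
import random

# Constructed population: 237 invoice numbers standing in for the transactions
# in the audit period (sample data, not from the manual).
SAMPLE_POPULATION = [f"INV-{n:04d}" for n in range(1, 238)]


def _check(population, sample_size):
    if sample_size <= 0:
        raise ValueError("sample size must be positive")
    if sample_size > len(population):
        # The manual leaves this case to the auditor's judgement (for example
        # widening the period), so the code refuses rather than guessing.
        raise ValueError("sample size exceeds population; widen the population")


def random_selection(population, sample_size, rng=None):
    """Completely random basis: each item has an equal chance of selection."""
    _check(population, sample_size)
    if rng is None:
        rng = random.SystemRandom()  # OS entropy, not predictable in advance
    # sample() draws without replacement, so no item is selected twice.
    positions = sorted(rng.sample(range(len(population)), sample_size))
    return [population[p] for p in positions]


def interval_selection(population, sample_size, rng=None):
    """Fixed interval basis with a random starting point.

    Returns (start, interval, items) so the working paper can record how the
    sample was drawn and a reviewer can re-derive it.
    """
    _check(population, sample_size)
    if rng is None:
        rng = random.SystemRandom()
    interval = len(population) // sample_size
    start = rng.randrange(interval)  # random start inside the first interval
    # Items past start + (sample_size - 1) * interval are never reached when
    # the population is not an exact multiple of the sample size.
    items = [population[start + i * interval] for i in range(sample_size)]
    return start, interval, items


if __name__ == "__main__":
    # A seeded generator makes the draw repeatable for review; the seed value
    # is an assumption and would be recorded in the working papers.
    seeded = random.Random(20121127)
    print(random_selection(SAMPLE_POPULATION, 5, seeded))
    print(interval_selection(SAMPLE_POPULATION, 25, seeded))
```

    The population must be in a stable, documented order (for example by document number) before interval selection, otherwise the recorded start and interval cannot be used to re-derive the sample.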


    5.0 Major Project Development Audits

    5.1 Audit Objectives

    5.1.1 General

    The following guidelines provide Audit personnel with direction in respect to the audit activity to be

    undertaken during major project development in the Univers