internal auditing guidelines - esaag - about us. introduction 1.0 these internal auditing guidelines...

INTERNAL AUDITING GUIDELINES

for

East and Southern Africa Association of Accountants General

February 2001

E S A A G

INTERNAL AUDITING GUIDELINES

for

The East and Southern African Association of Accountants General

CONTENTS

PAGE

1. Introduction 1

2. Nature, Objectives and Scope of Internal Audit 1

3. Internal Audit Independence 7

4. Managing Internal Audit 12

5. Professional Proficiency 15

6. Relationships 20

7. Internal Audit Planning 23

8. Approaches to Internal Audit 26

9. Reporting, Monitoring and Follow-up 28

Glossary of Technical Internal Audit Terms 32

1. INTRODUCTION

1.0 These Internal Auditing Guidelines are recommended to all government institutions in member

countries. These may include Ministries, Departments, Regions, and other public sector

organisations or entities, where appropriate. The Guidelines are prepared in compliance with

the “Standards for the Professional Practice of Internal Auditing” developed by the Institute of

Internal Auditors and international best practice in public sector Internal Audit.

1.1 The guidelines are intended to provide best practice principals rather than specific guidance on

Internal Audit procedures and techniques. Each professional Internal Auditor should hold the

general skills and knowledge of Internal Audit practice.

1.2 A brief explanatory note to facilitate a clear understanding of the guidelines is included before

each guideline.

1.3 These guidelines provide criteria by which Internal Auditing in the Public Sector in member

countries should be measured and evaluated.

1.4 Any standards or guidelines should be dynamic to keep up to date and these guidelines will be

revised from time to time as necessary.

2. NATURE, OBJECTIVES AND SCOPE OF INTERNAL AUDIT

2.0 Explanatory Notes:

2.1 This guideline explains the nature, objectives and scope of Internal Auditing and indicates the

range of responsibilities that Internal Audit should cover. The Head of Internal Audit should

ensure that each Accounting Officer (see Glossary of Technical Internal Audit Terms at the end

of these Guidelines) in the public sector organisations for which they are responsible are aware

of the full range of activities that fall within the scope of Internal Audit.

2.2 Nature: The Institute of Internal Auditors defines Internal Auditing as "an independent objective

assurance and consulting activity designed to add value and improve an organisation's

operations. It helps an organisation accomplish its objectives by bringing a systematic,

disciplined approach to evaluate and improve the effectiveness of risk management, control and

governance processes."

Internal Auditing Guidelines February 2001 Page 1 of 33

2.3 Internal Audit should be an independent function or division within the public sector

organisation. It assists management by reviewing, assessing and helping to improve the internal

control system. Internal Auditors work with Accounting Officers and other managers to help to

improve internal controls within their public sector organisation and so reduce the risks the

Government faces in achieving its objectives to an acceptable level. Internal Audit undertakes

reviews of individual systems and processes. As a result, recommendations are made to the

relevant Accounting Officer on how internal controls could be improved.

2.4 Scope: The scope of internal audit needs to cover the systematic review, appraisal and reporting

of the adequacy of the systems of managerial, financial, operational and budgetary control and

their reliability in practice, including:

• the relevance of established policies, plans and procedures, the extent of compliance with

these

• the appropriateness of organisational, personnel and supervision arrangements

• the extent to which assets and interests are accounted for and safeguarded from losses of all

kinds arising from waste, extravagance, inefficient administration, fraud or other causes

• the appropriateness, reliability and integrity of financial and other management information

and the means used to identify, measure, classify, report and act upon that information

• the integrity of computer systems, including systems under development

• the follow-up action taken to remedy previously identified weaknesses.

2.5 The actual areas reviewed by Internal Audit should be determined by a risk assessment that

guides Internal Audit planning (see Guideline Seven).

2.6 There should be an Internal Audit service for all public sector and government organisations

including the armed and secret services.

2.7 Objectives: Internal Audit should operate in partnership with management by helping to

enhance their accountability, transparency and corporate governance. This is achieved by

identifying and evaluating their internal control systems and making recommendations for

improvements and refinements to these systems.

2.8 Internal Audit assists Accounting Officers by evaluating and reporting on the elements of the

internal control system for which the Accounting Officer is responsible. It is not, however, an

extension of, or a substitute for, effective internal controls. Responsibility for internal control

rests fully with the Accounting Officer, who should ensure that appropriate and adequate

arrangements for internal control exist in addition to any Internal Audit activity in their public

sector organisation. It is for the Accounting Officer to decide whether or not to accept and


implement Internal Audit findings and recommendations. However, the Accounting Officer

should be responsible to an Audit Committee and the Public Accounts Committee for ensuring

that prompt and effective action is taken to address Internal Audit's findings. An Audit

Committee may assist in ensuring that prompt and effective action is taken in response to audit

recommendations.

2.9 Internal Audit may undertake checks that individual items of expenditure are necessary and have

been authorised as required. This may be undertaken before the payment is made (pre-audit) or

may be undertaken later (post-audit). Internal Audit may also be required to undertake

independent checks on stores and fixed assets. However, international best practice suggests

that the core element of Internal Audit work should be systems audit. The objective of systems

audit is to improve the controls operated by management rather than Internal Audit acting as a

control itself.

2.10 If Internal Auditors undertake pre-audit, they should not also undertake system reviews of the

same transactions or systems.

Advantages and Disadvantages of Pre-Audit

Advantages Disadvantages

Could help to ensure that expenditure is necessary and appropriate.

May reduce officers' responsibilities for internal control. Managers may not check payments properly, but rely on Internal Audit to do these checks.

Could help to ensure that expenditure is properly authorised before payment is made.

Payments may be delayed until Internal Audit has completed their checks.

Could help to prevent management fraud. It may be an inefficient use of valuable Internal Audit time.

Could help to reduce the incidence of fraud or irregularity.

Could provide an opportunity for unethical Internal Auditors to seek bribes.

Could help to confirm the existence of projects, supplies and stores.

Could relax Internal Audit objectivity when doing systems audit work.

Could put Internal Audit security at risk.

2.11 In some countries, Internal Audit may be required to undertake pre-audit. Where this is the case

consideration should be given to reducing this role. This could be achieved by only undertaking

pre-audit on larger payments or those that are particularly vulnerable to fraud or irregularity.

Public sector organisations with good internal controls could be rewarded with a reduced

requirement to have their expenditure subject to pre-audit.


2.12 Internal Audit is not necessarily best suited to under take investigations into suspected fraud,

corruption or irregularity. This is a specialised function that requires expert knowledge and

experience. The approach to fraud investigation is different to that used in routine Internal

Audit work. For these reasons, where possible, fraud investigations should be undertaken by a

special unit.

2.13 Internal Audit can:

• independently review and appraise the systems of control throughout the public sector

organisation (not just the financial controls);

• recommend improvements to internal controls;

• ascertain the extent of compliance with procedures, policies, regulations and legislation;

• provide reassurance to management that their policies are being carried out with adequate

control of the associated risks;

• facilitate good practice in managing risks;

• save money by identifying waste and inefficiency, and by facilitating the spread of good

practice;

• avoid duplication of effort by an effective partnership with the Auditor-General and other

review agencies;

• by its activities help to ensure that assets and interests are safeguarded from fraud, deter

fraudsters and possibly identify fraud.

2.14 The existence of Internal Audit in a public sector organisation should not cause a general

relaxation or vigilance on the responsibility of the line managers. It is not the responsibility of

Internal Audit to detect and/or prevent fraudulent activities and irregularities. This is the

responsibility of all officers, managers and the Accounting Officer.

GUIDELINE ONE: NATURE, OBJECTIVES AND SCOPE OF

INTERNAL AUDIT

1

NATURE OF INTERNAL AUDIT

Internal Auditing is an independent objective assurance and consulting activity

designed to add value and improve an organisation's operations. It helps an

organisation accomplish its objectives by bringing a systematic, disciplined approach

to evaluate and improve the effectiveness of risk management, control and governance

processes. The effect of Internal Audit should be continual improvements and

refinements to the internal control system as a contribution to proper, economic,

efficient and effective use of government resources.


2

OBJECTIVES OF INTERNAL AUDIT

Internal Audit has two main objectives. These are to:

a) ensure that internal control and risk management systems are continually being

improved and optimised in response to an ever changing environment;

b) provide reasonable assurance to the relevant Accounting Officer and the Audit

Committee that significant risks in the public sector organisation are being

appropriately managed, with an emphasis on the role of internal controls.

3 The way that these objectives are achieved will vary between countries and

organisations. This leads to a variety of different approaches to Internal Audit. This

subject is covered in the Guideline below on Approaches to Internal Audit.

4 The Head of Internal Audit should be consulted when the Accounting Officer wishes to

change the system of internal control. The Head of Internal Audit should be required

to co-ordinate inter-ministerial or departmental issues concerning control.

5 If Internal Auditors are used to investigate potential fraud or irregularity they will need

specialist knowledge and experience. An expert team should be created to investigate

cases of actual or potential fraud and irregularity.

6

INTERNAL CONTROL

Internal control has been defined by the Committee of Sponsoring Organisations of the

Treadway Commission (COSO) in Internal Control – Integrated Framework, as:

'A process, effected by an entity’s board of directors, management and other

personnel(people), designed to provide reasonable assurance regarding the

achievement of objectives in the following categories:

• Effectiveness and efficiency of operations; (basic operational objectives,

performance goals and safeguarding resources)

• reliability of financial reporting

• compliance with applicable laws and regulations.'

7 Internal control is a management tool used to provide reasonable assurance that the

public sector organisation's objectives are being achieved efficiently. Internal control

covers the whole system of controls, policies and procedures established by

management to meet their targets and objectives.


8 The responsibility for the adequacy and reliability of internal controls rests with

management. The relevant Accounting Officer has overall responsibility for the

establishment and maintenance of internal controls within their area of responsibility.

The Accounting Officer of each public sector organisation should ensure that proper

internal controls are introduced, reviewed, and updated to keep them effective. An

Audit Committee can assist with this role.

9

SCOPE OF INTERNAL AUDIT

The potential scope of Internal Audit is the whole system of internal control established

by a public sector organisation. This may include controls over all the organisation's

activities, not just controls over financial accounting and reporting. Internal Audit

should review all significant operational and management controls, including policies

and procedures for the management of risk. However, Internal Audit should

concentrate its efforts on the high risk areas and the most important internal controls.

10 The Accounting Officer and Audit Committee should not restrict Internal Audit to

work on financial systems or checking that assets are safeguarded. Internal Audit work

should go beyond the accounts to check that public officials and others entrusted with

public resources are:

a) complying with applicable laws and regulations

b) achieving government objectives and desired services or benefits established by the

public sector organisation.

11 The Audit Committee and the Accounting Officers should ensure that Internal Audit

has the widest scope to ensure that internal controls across the whole public sector

organisation may be subject to review by Internal Audit.

12 Internal Audit should have unrestricted access to all the people, systems, documents

and property it considers necessary for the proper fulfilment of its responsibilities.


3 INTERNAL AUDIT INDEPENDENCE

3.0 Explanatory Notes:

3.1 Internal Audit should be sufficiently independent from line management to ensure that Internal

Audit's professional judgements and recommendations are objective and impartial. To be

effective, Internal Audit needs to have adequate authority and report at a sufficiently senior level

within the public sector organisation. As a result, the Head of Internal Audit should report (for

pay and rations) at a level at least equivalent to the Accountant-General in the Ministry of

Finance or the Permanent Secretary in other ministries. Internal Audit should also report to an

Audit Committee and have a direct reporting line to the Accounting Officer.

3.2 It is generally considered that Internal Audit should not report to a manager if Internal Audit

regularly reviews systems that this manager is directly responsible for. For this reason, in some

countries it is considered inappropriate for the Accountant-General to be responsible for

Internal Audit. The reason for this is that the Accountant-General is the accounting advisor to

the Permanent Secretary in the Ministry of Finance and is also in charge of the treasury and the

national accounts. The Head of Internal Audit regularly reviews systems that the Accountant-

General is responsible for and so should not report on these systems to the same officer.

3.3 Internal Audit will achieve respect through the status it is given in a public sector organisation.

For the individual Internal Auditor, objectivity is essential to ensure an attitude of mind

characterised by integrity, steadfastness and an impartial approach to work. Objectivity may be

impaired through familiarity both with systems and non-audit staff. This may occur if Internal

Audit staff are involved with the same work assignments and ministerial officers for several

years.

3.4 Internal Audit should take its authority and terms of reference from the Audit Committee and

Accounting Officer to whom the Head of Internal Audit should report and have the right of

direct access. Internal Audit's terms of reference (or charter) should clearly outline the nature,

objectives, responsibilities and scope of Internal Audit. Internal Audit’s terms of reference

should be approved by the Audit Committee subject to applicable legislation.


3.5 The written terms of reference for Internal Audit should clearly:

a) establish Internal Audit's position within the organisation

b) establish Internal Audit's right of access to all records (both electronic or otherwise), assets,

personnel and premises, and its authority to obtain such information and explanations, as it

considers necessary to fulfil its responsibilities

c) define the scope of Internal Auditing activities.

3.6 Objectivity is an independent attitude of mind that Internal Auditors should maintain when

performing Internal Audit work. It is important that Internal Auditors always retain a critical

edge in undertaking their work. Internal Auditors need to be sceptical in discussions with

officers and to obtain an adequate level of proof from Audit testing.

3.7 Objectivity requires Internal Auditors to carry out Audits in such a way that the quality of their

work or their honest belief in the results of that work is not compromised. Internal Auditors

should not be placed in situations in which they feel unable to make objective professional

judgements.

3.8 Internal Auditors should not be placed in situations in which they feel unable to make objective

and impartial professional judgements. If any of the situations referred to below arise, Internal

Auditors should inform their Head of Internal Audit so that alternative arrangements for the

Internal Audit assignment may be made:

(a) Internal Auditors, notwithstanding their employment by the organisation, should be free

from any conflict of interest arising either from professional or personal relationships or from

pecuniary or other interests in an organisation or activity that is subject to Audit.

(b) Internal Auditors should be free from undue influences, which either restrict or modify

the scope or conduct of his work or over-rule or significantly affect judgement as to the content

of the Internal Audit report.

(c) Internal Auditors should not allow their objectivity to be impaired when Auditing an

activity for which they have had authority or responsibility in the past.

(d) Internal Audit should be consulted about significant proposed changes to the internal

control system or the implementation of new systems. Internal Audit may make

recommendations on the standards of control to be applied without prejudicing Internal Audit's

objectivity in reviewing those systems at a later date.


(e) Internal Auditors should not normally undertake non-Audit duties, but if they do,

exceptionally, they should ensure that management understands that they are not then

functioning as Internal Auditors.

3.9 International best practice suggests that Audit Committees should be established. Audit

Committees are generally considered to improve the independence of Internal Audit. Audit

Committees should be established for each public sector organisation. Members of an Audit

Committee, especially the chair, should be chosen so that they are sufficiently independent from

the senior managers of the public sector organisation and so they are suitably experienced. An

Audit Committee may deal with more than one organisation.

3.10 The role an Audit Committee with regard to Internal Audit is that it should:

• approve Internal Audit's strategic and operational plans and review performance against

them

• discuss with Internal Audit its findings and the responses of management to its major

recommendations; and, periodically, its views on the overall quality of internal control

• consider the objectives and scope of any additional ( non-audit work) work undertaken by

the Internal Auditors to ensure there are no conflicts of interest and that independence is not

compromised

• review the adequacy of the Internal Audit function, its adherence to professional standards,

particularly independence, standing, scope, resourcing, its liaison with the Auditor-General

and other review agencies and its reporting arrangements

• meet regularly two or three times a year and meet with the Internal Auditors at their request

as they deem necessary

• through its Chair represent the concerns of Internal Audit to the relevant Accounting

Officer, Permanent Secretary or Minister

• be involved in the process of appointment or dismissal of the Head of Internal Audit

• periodically review the Internal Audit terms of reference.


GUIDELINE TWO: INTERNAL AUDIT INDEPENDENCE 13 Internal Auditors should be objective, and, as far as possible, operationally independent

of the management of the public sector organisation.

14 Internal Audit independence should permit it to provide impartial and unbiased

judgements that are essential for its proper function. Internal Audit independence

should also ensure that the Head of Internal Audit can report without 'fear or favour' to

all levels within the public sector organisation. Internal Audit independence can be

ensured through status and objectivity.

15 It is the responsibility of the Accounting Officer and the Audit Committee to ensure

that conflicts of interest do not arise and that Internal Audit’s objectivity and

independence are not compromised. If the independence or objectivity of Internal

Audit is impaired, in fact or appearance, the details of the impairment should be

disclosed to the Accounting Officer and the Audit Committee.

16

STATUS

The Head of Internal Audit should be responsible to an individual with sufficient

authority to promote Internal Audit independence and to ensure the broadest Internal

Audit coverage, adequate consideration of Internal Audit reports and appropriate action

on Internal Audit recommendations. Internal Audit needs the support of top

management officials so that they can gain the co-operation of officers and perform

their work without interference. Internal Audit should have a direct reporting line to

the Accounting Officer and the Audit Committee.

17 The Head Internal Auditor should report to the Accounting Officer and an Audit

Committee.

18

TERMS OF REFERENCE

Internal Audit should have written terms of reference (or charter) that are agreed by the

Accounting Officer and the Audit Committee. These should clearly outline the nature,

objectives, responsibilities and scope of Internal Audit. The Head of Internal Audit

should actively seek to develop and obtain approval of such terms of reference. The

terms of reference should be reviewed and revised, if necessary, at least every three

years.

19 The terms of reference for Internal Audit should include the requirement for Internal

Audit to have the access, to all personnel, records, assets and property that Internal

Audit considers necessary for it to undertake its work effectively.


20 The terms of reference for Internal Audit should be supported by a law, by-law or

regulation that specifies the position of the Internal Auditor in the government

hierarchy.

21

OBJECTIVITY

The term objectivity includes the requirement on the part of Internal Auditors to have

an independent mental attitude to the performance of their work. Objectivity should

ensure that Internal Auditors have an honest belief in their work product and that no

significant quality compromises are made.

22 Internal Auditors should not be placed in any situation where they feel unable to make

objective professional judgements. Objectivity may be impaired through familiarity,

with both systems and officers. This may be created by Internal Audit staff being

involved with work assignments for too long a period of time. In order to maintain

maximum awareness and motivation amongst Internal Audit staff, work assignments

should be rotated on a planned basis. Transfers of Internal Audit staff between public

sector organisations are to be recommended, every few years, where possible.

23 Internal Audit assignments should be undertaken in such a way that there is no

potential or actual conflict of interest. Internal Audit staff should not undertake Audits

of systems if they worked in this area in the last year. Internal Audit staff should

declare any conflict of interest that may arise.

24 Recommending standards of control for new systems or reviewing procedures before

they are implemented is part of Internal Audit work. However, designing, installing

and operating systems is not an Internal Audit function. Performing such work is

presumed to impair Internal Audit objectivity.

25

POSITION

The position of Internal Audit should be categorised specifically as a Staff function as

opposed to all Line Functions. Internal Auditors should not supervise or manage other

sections or activities. If Internal Auditors perform non-audit work they are not

functioning as Internal Auditors. Performance of such activities is presumed to impair

Internal Audit objectivity. Therefore, the Internal Auditor should not undertake

executive functions outside their divisional activities.

26 The position of Internal Audit within the public sector organisation should be high

enough to ensure that there is no impairment of Internal Audit scope.


4 MANAGING INTERNAL AUDIT

4.0 Explanatory notes:

4.1 The appointment of appropriate staff is important to the success of Internal Audit. Internal

Auditors must be able to develop good working relationships with all officers. Internal Auditors

must also be able to quickly understand how systems work and be able to identify suitable

improvements. The Head of Internal Audit should ensure that all their staff are appropriately

trained and receive suitable guidance.

4.2 Controlling: Internal Audit work should be controlled at all levels of operation to achieve

objectives and ensure the economic and efficient use of resources.

4.3 The Head of Internal Audit should continually monitor Internal Auditors' performance. Any

significant variations from work plans should be investigated and dealt with appropriately. The

results of each Internal Audit assignment or groups of Audit assignments should be reviewed

against Internal Audit plans. Efficiency should be assessed and any necessary revisions made to

subsequent planned work.

4.4 Recording: The Head of Internal Audit should specify standards of Audit documentation, ensure

that those standards are maintained and monitor compliance with the standards.

4.5 Appraisal: Like any other department, Internal Audit should be constantly appraised to ensure

that its performance and value to the management of the public sector organisation is

maximised. The Internal Audit function is subject to budgetary constraints, in common with all

other elements of the public sector, therefore its value should continually be re-assessed. This

appraisal or assessment should be undertaken by Internal Audit managers and also periodically

by independent suitably experienced external assessors. The assessment should consider the

views of the Accounting Officer and other senior managers on the success of Internal Audit. It

may also consider Internal Audit’s effectiveness and any appropriate directional changes.

4.6 An Internal Audit management unit in the Ministry of Finance may assist in maintaining the

quality of internal audit across all public sector organisations and can assist with ensuring the

independence of Internal Audit. The Internal Audit management unit may have responsibility for

the staffing, planning, organisation and co-ordination of Internal Audit units in all public sector

organisations. The management unit may provide guidance to Internal Audit units in other

public sector organisations, monitor all Internal Audit reports, and co-ordinate training across

the public sector. In some countries Internal Audit units in all public sector organisations are

managed by a central Controller of Internal Audit in the Ministry of Finance.


GUIDELINE FOUR: MANAGING INTERNAL AUDIT 27 The Head of Internal Audit should effectively manage Internal Audit to ensure it adds

value to the public sector organisation and to ensure that:

(a) Internal Audit work fulfils its terms of reference

(b) resources for Internal Audit are used efficiently and effectively

(c) Internal Audit staff undergo suitable professional development

(d) Internal Audit work conforms to approved standards

(e) the morale of Internal Audit staff is developed and maintained.

28 The Head of Internal Audit should submit periodic activity reports to the Accounting

Officer and the Audit Committee. These reports should compare:

(a) actual performance with goals and Internal Audit plans

(b) actual expenditures with financial budgets.

The Head of Internal Audit should explain major variances (positive or negative) together

with action taken to address these.

29 The Head of Internal Audit should ensure that Internal Audit staff are provided with a

suitable Audit Manual including written policies and procedures to guide them with their

work. This guidance should also include programmes for particular Internal Audit

assignments. The Internal Audit programmes should specify reporting lines at each level

of management.

30 The Head of Internal Audit should ensure that the work of all levels of Internal Audit staff

is effectively supervised from planning to conclusion. This supervision should include:

(a) provision of suitable instructions and guidance at the outset of an Internal Audit

assignment and approving the Audit programme

(b) seeing that the approved Audit programme is carried out unless deviations are both

justified and authorised

(c) ensuring that Internal Audit staff understand the work to be undertaken and obtain and

document sufficient relevant and reliable audit evidence

(d) determining that Internal Audit objectives are being met.


31

MANAGEMENT REVIEW

All Internal Audit working papers and reports should be reviewed by Internal Audit

managers before the reports are released. This review should include:

(a) determining that Audit working papers adequately support the Audit findings,

conclusions and report

(b) making sure that Audit reports are accurate, objective, clear, concise, constructive and

timely.

32 Internal Audit working papers should show clear evidence of this management review.

33

QUALITY ASSURANCE APPRAISALS

There should be periodical reviews of Internal Audit performance to ensure that its

performance and value to the management of the public sector organisation is maximised

and to ensure compliance with appropriate standards and guidance.

34 The Head of Internal Audit should establish and maintain a quality assurance programme

to evaluate the operations of Internal Audit. This programme should provide reasonable

assurance that Internal Audit work conforms to relevant standards and these Internal

Auditing Guidelines. It should also ensure that Internal Audit adds value by improving

internal control. This quality programme should include:

(a) supervision (b) internal review

(c) external review.

35 Supervision of Internal Audit work should continuously ensure conformance with the

Institute of Internal Auditors Standards, these Internal Auditing Guidelines, department

policies and Audit programmes.

36 Internal reviews should be performed periodically by senior Internal Audit staff to

appraise the quality of the Internal Audit work that is undertaken in all public sector

organisations.

37 External reviews should be performed to assess the quality of Internal Audit work against

these Guidelines. These reviews should be performed by suitably qualified Internal

Auditors who are independent of the organisation and who do not have either a real or an

apparent conflict of interest. The external reviews should be undertaken at least once

every five years.

38 On completion of such reviews, formal written reports should be issued to the relevant

Accounting Officer and the Audit Committee. These reports should express an opinion on

Internal Audit's compliance with these Internal Auditing Guidelines and, where necessary,

should include recommendations for improvement.


5. PROFESSIONAL PROFICIENCY


5.1 In carrying out their duties Internal Auditors should exercise due professional care, that is

competence based on appropriate experience, training, ability, integrity and objectivity.

5.2 Due professional care is defined as carrying out Internal Audit work with competence and

diligence. Due care does not mean infallibility. Consequently Internal Auditors cannot provide

absolute assurance that non-compliance or irregularities do not exist. However, it will be

incumbent upon the Internal Auditor to consider the effect of significant weaknesses in the

systems under review and evaluate the possibility of material irregularity or non-compliance

with the legislation and regulations when undertaking Internal Audit.

5.3 Professional care requires the use of Audit skills and judgements based on appropriate

experience, training, ability, integrity and objectivity. The level of professional care to be

exercised should be appropriate to the objective and complexity of the Internal Audit work being

performed.

5.4 In order to demonstrate due professional care, Internal Auditors should be able to show that

their work has been performed in the manner which meets the criteria set by these Internal

Auditing Guidelines or specific departmental policies.

5.5 Internal Audits should be performed by, or supervised and controlled by, Audit staff who have

the technical skills, experience and perspective which will enable them to comply with these

Guidelines. This is necessary to maintain Internal Audit's credibility as a dependable instrument

of management.

5.6 The Head of Internal Audit should therefore ensure that Audit staff have the capacity to meet the

responsibilities identified by the terms of reference agreed with the Audit Committee and the

Accounting Officer.

5.7 The Head of Audit should ensure that all Internal Audit staff are reminded of their ethical

responsibilities and also ensure that their declarations of interest are reviewed, and where

appropriate, updated at least once a year.


5.8 Internal Auditors should not accept any gift or inducement from an officer, worker, supplier or

other third party. Information acquired by Auditors in the course of their work should not be

used for unauthorised purposes or for personal benefit or gain. Internal Auditors should only

accept hospitality when this is consistent with the public sector organisation’s documented

arrangements.

5.9 The most important source of information for Internal Auditors is the staff working within the

area subject to Audit. These officers know how the system actually operates and should have a

reasonable idea of how practical any improvements may be. Thus interviewing skills are

essential for all Internal Auditors. Internal Auditors need to be able to understand what may be

a complex system. Internal Auditors also need to be able to critically assess each stage of the

process. Why is its performed? Could it be undertaken more efficiently?

5.10 Staff who operate the system will know what they do, but not necessarily why they do it. They

may also try and explain the system in the most positive light. The skill of Internal Auditors is to

enable all the staff they interview to open up and describe what they actually do (not just what

they think they should do) and to identify any aspects they think could be improved.

Understanding why each step is taken is more difficult. Staff may just do it “because we’ve

always done it that way” or even worse “because the Auditors told us to”!

5.11 An experienced Internal Auditor will ensure that the staff they talk to are relaxed and so describe

the system, its bad points as well as the good points. They will also challenge the staff to ensure

that they describe what actually happens and through discussion ascertain whether any

improvements are possible and practical.


GUIDELINE FIVE: PROFESSIONAL PROFICIENCY

39

Staffing

Internal Auditors should be appointed through free and open competition on the basis

of merit. The criteria used to fill Internal Audit posts should be suitable and clearly

documented. They should be developed after considering the level of required scope

and responsibility. Deliberate attempts should be made to ensure the proficiency and

qualifications of each prospective Auditor.

40

Compliance with Codes of Conduct

Internal Audit staff should follow existing codes of conduct and ethics for their

organisation. All professional Internal Audit staff should be members of the relevant

accounting or Internal Auditing professional body and follow their code of conduct or

ethics. All Internal Auditors should follow a professional code of conduct which calls

for:

a) high standards of honesty

b) high standards of diligence

c) high standards of loyalty.

41

Knowledge Skills and Discipline

Internal Auditors should be required to (individually) possess the knowledge, skills and

competencies essential to the performance of effective Internal Audit. Internal Audit

staff should be required to possess the following skills:

a) proficiency in applying Internal Auditing Guidelines

b) knowledge of techniques required to perform Internal Audit

c) proficiency in accounting principles and techniques (especially government

accounting)

d) an understanding of management principles and administrative procedures to

enable recognition and evaluation of the materiality and significance of deviations from

good and acceptable practice.

42

Human Relation and Communication

Internal Auditors should possess the skills required to deal with people and to

communicate effectively. They should cultivate harmonious relationships with officers

and managers. Internal Auditors should be proficient in oral and written

communication to enable effective reporting.


43

Continuing Education

Training of Internal Auditors should be a planned and continuous process at all levels

and should be designed to cover:

a) basic training providing the minimum level of skills and knowledge which all

Internal Auditors should possess

b) development training in Audit skills, techniques and behavioural aspects to

improve the effectiveness of those staff currently engaged as Internal Auditors

c) management training for those Auditors with responsibility for managing and

directing Audit teams, together with those staff members who show the potential for

management positions

d) specialist training for those Auditors responsible for a special field of Audit work

which requires specialist skills and knowledge, for example, computer auditing or

performance auditing.

44 Internal Auditors, as responsible Government officers, should be responsible for

continuing their education in order that they maintain their knowledge, skills and

proficiency. They should keep themselves informed on changes and developments in

their public sector organisation's activities and other Government developments.

Internal Auditors also need to be aware of developments across the Internal Auditing

profession.

45 If there is an Internal Audit management unit in the Ministry of Finance, this unit

should be responsible for the co-ordination of training requirements for all government

Internal Auditors. The foundation, from which the assessment of training requirements

of Internal Audit will be derived, should be the database of Internal Audit staff in all

public sector organisations.

46 Internal Auditors should be aware of their responsibility for continuing their education

on order to maintain their proficiency through participation in professional societies,

conferences and seminars, college courses, in-house training and engage in research to

identify new Internal Auditing developments.

47

Due Professional Care

The term due professional care means and includes the application of the care and skill

expected of a reasonable, prudent and competent Internal Auditor in the same or

similar circumstances.


48 In exercising due professional care, Internal Auditors should be alert to the following:

a) the possibility of intentional wrong doing

b) errors and omissions

c) inefficiency, waste, ineffectiveness

d) conflicts of interest

e) conditions and activities likely to give rise to irregularities

f) inadequate control situations.

49 In exercising due professional care the Head of Internal Audit is required to consider

the following:

a) the extent of Internal Audit work needed to achieve the Audit objectives

b) the relative complexity, materiality or significance of matters to which Audit

procedures are applied

c) adequacy and reliability of risk management and control processes

d) likelihood of material irregularities or non-compliance

e) the cost of Internal Audit work compared to potential benefits or the risk of poor

internal controls.


6. RELATIONSHIPS


6.1 Management and staff at all levels should have confidence in the integrity, independence and

capacity of Internal Audit. This should be reflected and maintained in good working

relationships between Internal Auditors and the staff in the sections that they review.

6.2 The Head of Internal Audit should seek to foster and maintain constructive working

relationships with stock verifiers, fraud investigators, inspectors and any other review staff.

Consultations between Internal Audit and review staff should lead to effective co-ordination and

minimise duplication of work.

6.3 Internal Audit should not improperly disclose any information obtained during the course of

their work. Permission should be provided by senior management before any information is

passed outside the organisation. Internal Audit will, quite properly, reveal to appropriate

responsible parties (for example, police or Auditor-General) all material facts they have

established which, if not so revealed, may prevent the uncovering of unlawful acts or could

distort Audit reports. The passing of this information should be treated as confidential and

legally privileged. That is the Internal Auditor will be exempt from any legal liability from the

passing of such information.

6.4 It is important for Internal Audit to market the services it can provide to managers. This could

include producing leaflets and making presentations to Accounting Officers and other senior

officers on the services, assistance and role that Internal Audit can play.

6.5 The relationship between Internal Audit and the Auditor-General's Office needs to take account

of their differing roles and responsibilities. Internal Audit is an independent appraisal function

within the organisation and Internal Auditors are direct employees. It is the Auditor-General's

role to ensure that the financial statements, operating performance and related statements are

properly stated in all material respects. Internal Audit and the Auditor-General may also have

responsibility for performance audit to ensure that economy, efficiency and effectiveness are

improved.

6.6 The aim should be to achieve mutual recognition and respect, leading to a joint improvement in

performance and the avoidance of unnecessary overlapping of work. It should be possible for

the Auditor-General and the Head of Internal Audit to rely on each other's work, subject to

limits determined by their different responsibilities, respective strengths and special abilities.

Consultations should be held and consideration given to whether any work of either Auditor is


adequate for the purpose of the other. Internal Audit does not automatically have a right of

access to the records of the Auditor-General. However, the relationship between the Head of

Internal Audit and the Auditor-General should be such that the Auditor-General will allow

access to the necessary records.

6.7 The Head of Internal Audit should seek, where appropriate, co-ordination of the plans of

Internal Audit with those of the Auditor-General's Office and the programme of, for example,

stock verifiers. This co-operation should promote the most effective total audit coverage and

should avoid duplication of work. The Auditor-General's Office will have to decide if they can

place reliance on the work of Internal Audit and so reduce the amount of work undertaken by

their own staff.

6.8 The Head of Internal Audit should meet regularly with staff from the Auditor-General's Office

to:

• discuss work plans for Internal Audit and the Auditor-General's Office

• agree and review the performance of the work relied on

• evaluate the relationships with the Auditor-General's Office and report as required to the

Accounting Officer and Audit Committee on this relationship

• agree access to each other's audit programmes and working papers

• exchange audit reports and management letters

• enhance understanding of each other's audit techniques and methods

• discuss any other matters of mutual interest.

GUIDELINE SIX: RELATIONSHIPS 50 Internal Audit’s relations with other staff in the public sector organisation, the Auditor-

General, stock verifies and other review agencies should be based on mutual

confidence, understanding of each others needs and a reciprocal desire for co-

operation. Management, at all levels should have complete confidence in the integrity,

independence and capability of the Internal Audit unit.

51 There should not be any form of rivalry or conflict between the Internal Auditors and

staff in the Auditor-General's Office. Similarly, there should be a constructive

relationship between Internal Auditors, stock verifiers and other review agencies.


52 The Head of Internal Audit should initiate action to ensure the development of co-

ordination, effective working relationships and the avoidance of duplication of work

with other review agencies. This could include:

a) liaison meetings to discuss matters of mutual interest

b) arranging for access to each other’s plans, system notes and findings

c) arranging for consultation on plans and proposed visits

d) reviewing training proposals to arrange joint training sessions where possible

e) dissemination of literature for discussion to promote understanding of techniques,

methods and terminology.

53 Copies of Internal Audit reports should be made available to the Auditor-General for

information and co-ordination.

54 Internal Auditors should be familiar with the legislation that defines the statutory

responsibility, duty and rights of access of the Auditor-General. The Head of Internal

Audit should recognise the differences between the roles of Internal Audit and that of

the Auditor-General.

55 The staff of the Auditor-General's Office may review the effectiveness of Internal

Audit as part of their evaluation of management control arrangements. This review

should determine the extent that the Auditor General's Office is able to rely on Internal

Audit work. Internal Audit should not necessarily undertake special tasks at the request

of the Auditor General's Office. However, routine, planned Internal Audit work may

be used by the Auditor General's Office for their own purposes.

56 The relationship between the Internal Auditor and the public sector organisation should

be considered legally privileged. That is the Internal Auditor will be exempt from any

legal liability from the proper undertaking of their work.

Internal Auditors should not release Audit findings or other information outside the

normal reporting arrangements without the knowledge and permission of those

concerned.

57 Internal Auditors should normally consult and advise managers when arranging Audit

visits to their department. The exception to this rule would be for unannounced

surprise visits.

7. INTERNAL AUDIT PLANNING



7.1 Internal Audit work should be planned at all levels of operation in order to establish priorities,

achieve objectives and ensure the efficient and effective use of Audit resources. Planning should

be based on Internal Audit's terms of reference and allow for coverage of all significant systems,

operations, staff and sites within the public sector organisation.

7.2 Internal Audit plans should be based on a comprehensive understanding of the public sector

organisation and the way in which it operates. High-risk systems or transactions and any known

problem areas should be clearly identified. The emphasis of the Internal Audit plan should be

directed towards these systems.

7.3 Internal Audit plans should be developed in consultation with senior staff and the relevant

Accounting Officer. The appropriate Audit Committee should then approve the Internal Audit

plans.

7.4 Internal Audit planning should include the following steps:

• identify all auditable activities within the agreed scope of Internal Audit

• carry out a risk assessment on these activities in conjunction with management, identifying

categories such as high, medium, low

• prepare an audit needs assessment based on the risk assessment

• develop an overall strategic plan from the audit needs assessment to cover these risks, over,

say, a three-year period

• bring to the Accounting Officer and/or the Audit Committee's attention any mismatch

between Audit needs and actual Audit resources

• identify systems to be covered in the first year of the strategic plan and prepare an annual

Internal Audit plan

• discuss the strategic and annual plans with appropriate senior managers, Accounting

Officers and the Auditor-General's Office and amend as necessary

• present the plans to the Accounting Officer and/or the Audit Committee for approval.

7.5 Internal Audit plans should be amended as necessary to take account of changing

circumstances. The Accounting Officer and the Audit Committee should formally approve all

significant changes to the Internal Audit plans.

GUIDELINE SEVEN: INTERNAL AUDIT PLANNING


58 The Head of Internal Audit should establish plans to carry out the responsibilities of

Internal Audit consistent with the public sector organisation's goals and objectives.

59 The Internal Audit planning process should include the following:

(a) identifying goals

(b) preparation of strategic Internal Audit plans

(c) establishing proper staffing plans and financial budgets

(d) preparation of activity reports.

60 Internal Audit plans should:

(a) establish a list of systems that could be Audited and prescribe a period within which it

is desirable that each significant system should be examined

(b) define the tasks to be performed

(c) assist in the direction and control of work by identifying critical areas, setting target

dates and allocating resources.

61 To be effective, the Head of Internal Audit should:

(a) define audit needs taking into account the Internal Audit's terms of reference

(b) identify the staff and other resources needed and reconcile these with available,

resources

(c) choose an appropriate time period for the Audit plans

(d) record all plans in writing

(e) monitor work against planned activity and revise plans as appropriate.

62 Internal Audit plans should be based on a risk assessment. The risk assessment process, to

be conducted at least annually, includes an assessment of:

a) relevant risks and their significance

b) consideration of senior management, the Accounting Officer and the Audit

Committee's professional judgement

c) identification of activities to be audited.


63 Internal Audit strategic plans should take into account the following factors:

(a) the date and results of the last Internal Audit assignment

(b) the estimated time required, taking into account the scope of the planned work and the

nature and extent of audit work to be performed by others.

(c) requests by management

(d) major changes in operations, programs systems, and controls

(e) staffing, planning and effective utilisation of financial budgets

(f) Internal Audit priorities

(g) flexibility to cover unanticipated demands on the department.

64 Internal Audit plans and staffing and financial budgets should be developed from strategic

plans, administrative activities, education and training requirements and research and

development efforts.

65 The Head of Internal Audit should submit annually to the Accounting Officer and Audit

Committee for approval a summary of Internal Audit's strategic plans, staffing plans and

financial budgets. All significant amendments to these plans should similarly be approved

by the Accounting Officer and Audit Committee.

66 The Head of Internal Audit should explain, if necessary, why the Audit needs are not

being met. This should prompt the relevant Accounting Officer to take action to ensure

that their public sector organisation is provided with sufficient Internal Audit resources.


8 APPROACHES TO INTERNAL AUDIT


8.1 There are several different approaches to Internal Audit. International best practice suggests

that systems audit is the most effective way that Internal Audit can add value to an organisation.

However, in many countries it is considered necessary for Internal Audit to complement systems

audit with a pre-audit approach. If a pre-audit approach is adopted the Head of Internal Audit,

the Audit Committee and the Accounting Officer should discuss the extent that this is necessary.

They should also consider suitable means of reducing the proportion of time that Internal

Auditors spend on pre-audit work.

8.2 The systems approach to Internal Audit seeks to assess and improve the effectiveness of the

public sector organisation’s internal control system. The prime purpose of a systems Audit

should be to evaluate the extent to which the system may be relied upon to ensure that the

objectives of the system are met. Where internal controls are not adequate and reliable Internal

Audit should make practical recommendations to ensure that these controls are improved.

8.3 Internal Audit evidence should be adequate to meet the objectives of Audit assignments. Internal

Auditors should be satisfied with the nature, adequacy and relevance of Audit evidence before

placing reliance on that evidence. Information should be collected analysed and documented by

the use of appropriate Audit techniques.

8.4 The production of Audit evidence should be supervised and reviewed by the Head of Internal

Audit. To meet an acceptable standard the evidence should be sufficiently adequate and

convincing to the extent that a prudent, informed person would be able to appreciate how the

Auditor's conclusions were reached.

8.5 Internal Audit may also complement its systems approach with other techniques, for example:

• performance auditing

• control self assessment

• advice and assistance on control issues

• helping with risk management.


GUIDELINE EIGHT: AUDIT APPROACH 67 Internal Auditors should ensure that their approach and methods enable them to discharge

their responsibilities effectively. This will involve careful thought and discussion with the

Accounting Officer, the Audit Committee and others on the most effective approach to

Internal Audit given the particular circumstances of the public sector organisation.

68 Internal Audit should assess and improve the public sector organisation's risk

management, control, and governance processes. The internal auditing activity should

assist the public sector organisation in maintaining effective controls. Assistance can be

provided by evaluating the public sector organisation's controls to determine their

effectiveness and efficiency and by developing recommendations for improvement.

Internal Auditors should ensure that the costs of maintaining controls balances the

potential benefits.

69

SYSTEM APPROACH

Internal Audit should, where possible, adopt a systems approach. The systems approach

aims to asses and helps to improve the control features that govern the system. This

approach should provide reasonable assurance that existing controls will ensure that each

system’s objective is achieved.

70 When undertaking systems audit an Internal Auditor should:

a) document and analyse the internal control system across all public sector organisations

and establish Internal Audit plans

b) identify and evaluate the controls that are established in individual systems to achieve

the public sector organisation's objectives in the most economic and efficient manner

c) obtain and record relevant, reliable and sufficient audit evidence to support their

findings and recommendations

d) report findings and recommendations for each individual system that is Audited

e) provide an opinion on the adequacy and reliability of the controls in the individual

system under review

f) provide periodic assurance based on an evaluation of the whole internal control system

across all public sector organisations.

71 The use of the systems approach should enable Internal Audit to confirm the following:

a) the official system

b) whether it is operating according to agreed guidance and regulations

c) whether the system is adequate

d) whether the controls are reliable.


72 The system's adequacy should be used to ascertain the following:

a) what should happen to achieve the system’s objectives

b) what could go wrong in view of the system's design

c) what has been done to stop things going wrong.

9 REPORTING, MONITORING AND FOLLOW UP


9.1 The findings and recommendations arising from each Internal Audit assignment should be

promptly reported to management. The recommendations should then be followed up to check

that agreed action has been implemented. A summary of Internal Audit findings,

recommendations and activities should be submitted periodically to the Accounting Officer and

the Audit Committee.

9.2 In general Internal Audit reports should:

• state the scope, purpose, extent and conclusions of the Internal Audit assignment, including

Internal Audit's opinion on the adequacy of controls

• make recommendations that are appropriate and relevant, that call for action to correct

identified weaknesses or improve the efficiency of operations

• acknowledge the action taken, or proposed, by management.

9.3 Recommendations included in the Internal Audit reports should:

• be practical and provide constructive solutions to problems identified

• be sufficiently detailed to act as a guide for action and facilitate the efficient achievement of

the organisations objectives

• be prioritised based on the significance of the weakness identified.


9.4 Conclusions are the Internal Auditor's evaluations of the effects of the findings on the particular

system reviewed. They should:

• put the findings in perspective based on the overall implications and significance of the

weaknesses identified

• identify the extent to which the system's control objectives are being achieved and the

degree to which the internal control systems should ensure that the goals and objectives of

the public sector organisation are accomplished efficiently.

9.5 Management should be required to respond in writing to each Internal Audit report.

Management and Internal Audit should agree officer responsibility and target dates for

implementation of agreed recommendations. The responsibility for final editing of Audit reports

should remain with the Head of Internal Audit who should always retain the right to issue

reports without further editing.

9.6 Follow-up activity is the process by which Internal Audit confirms that agreed

recommendations have been implemented by line managers. Internal Audit should periodically

follow up Audit reports to review and test the implementation of agreed Internal Audit

recommendations.

9.7 The Head of the Internal Audit should submit to the Accounting Officer and Audit Committee, at

agreed intervals, a report of Internal Audit activity and results. The report should compare

actual Internal Audit activity against the annual Internal Audit plan and should clearly indicate

the extent to which the total Internal Audit needs of the public sector organisation have been

met.

9.8 In the annual Internal Audit report the Head of the Internal Audit should give a formal opinion

to the Accounting Officer and Audit Committee on the extent to which reliance can be placed on

the public sector organisation’s internal control system. The attention of the Accounting Officer

and Audit Committee should be drawn to any major Internal Audit findings where action

appears to be necessary but has not been undertaken.


GUIDELINE NINE: INTERNAL AUDIT REPORTING 73 The Head of Internal Audit should report periodically to the Accounting Officer and the

Audit Committee on Internal Audit's purpose, authority, responsibility, and performance

relative to its plan. Reporting should also include significant risks and control issues,

corporate governance issues, and other matters needed or requested by the Accounting

Officer and the Audit Committee.

74 The findings and recommendations arising from each Internal Audit assignment should be

promptly reported to the Accounting Officer and others who are affected by the report.

The final Internal Audit report including any comments from the Accounting Officer

should be reported to the Audit Committee.

75 The Head of Internal Audit should have complete freedom in the way in which Internal

Audit findings are reported and to whom each report is issued. The Head of Internal

Audit should review and approve each final Internal Audit report before it is issued.

76 Internal Audit reports should contain all material facts known to the Auditor concerning

the system under review to avoid distortion or concealment of any unlawful or improper

practice.

77 Internal Audit reports should be regarded as confidential and exclusive to the public sector

organisation concerned except for privileged external reviews by the Auditor-General and

Permanent Secretary to the Treasury.

78 The Head of Internal Audit should submit monthly or periodic progress reports to the

Accounting Officer and the Audit Committee and explain significant deviations from

approved strategic plans, staffing plans and financial budgets.

79 The Head of Internal Audit should provide an annual report to the Accounting Officer and

the Audit Committee. This report should include:

a) the Head of Internal Audit's opinion on the adequacy and reliability of the whole

internal control system

b) the extent that the Internal Audit needs of the public sector organisation have been met

c) any significant Internal Audit findings where action appears necessary but has not

been taken

d) any systems within the public sector organisation where the internal controls are not

adequate and reliable

e) a comparison of actual Internal Audit activity against the agreed annual plan.


80

COMMUNICATING RESULTS

When communicating results of their work Internal Audit should:

a) oral reports may be issued and should be confirmed in writing

b) discuss conclusions and recommendations at appropriate ministerial, departmental or

regional levels before issuing final written reports

c) issue a signed written report after each Internal Audit assignment that is objective

clear, concise, constructive and timely.

d) give reports which clearly present the purpose, scope and results of the Audit

e) give reports with recommendations for potential improvement, suggestions of

corrective action and acknowledgement of satisfactory performance

f) obtain and include in the report the system managers' views about the conclusions or

recommendations

g) include the officer who is to implement each agreed recommendation and a target

dates for its implementation.

81

MONITORING AND FOLLOW-UP

Internal Auditors should follow up their reports to ascertain that appropriate action is

taken on agreed Internal Audit recommendations. Internal Audit should determine, with

appropriate Audit testing, that corrective actin has been taken and is having the desired

effect.

82 If the Accounting Officer does not agree with an Internal Audit recommendation or does

not ensure that agreed recommendations are implemented they should accept the

associated risks. The Audit Committee may advice the Accounting Officer to implement

an Internal Audit recommendation if it considers necessary to achieve sound internal

control.

83 The Auditor-General may review and report on the extent that Internal Audit

recommendations have been implemented. Internal Audit may also review the extent that

recommendations made by the Auditor-General have been implemented.


Glossary of Technical Internal Audit Terms

Accounting Officer – the head of a government ministry or department who is personally responsible for the management and internal controls of the ministry or department and any fraud or irregularity that may occur. Adequacy of internal control – an assessment of the quality of internal control. Controls may be considered to be adequate if, when applied consistently, the controls should help to provide reasonable assurance that a control objective will be achieved. Auditor-General – the head of the government’s external audit service. The Auditor-General is responsible for certifying that the government accounts show a true and fair view, there has been a proper use of public funds and often for undertaking value for money reviews. Audit Committee – a high level committee, comprising, where possible, independent, non-executive members, with responsibility for overseeing the independent review of the framework of internal control, monitoring the Internal Audit function and the external audit processes. Audit Needs Assessment - an assessment undertaken by Internal Audit in consultation with managment to determine the extent of Internal Audit that is needed within an organisation and the frequency that particular systems should be reviewed. Control objectives – the objectives of a control system. Used by Internal auditors as a framework for undertaking systems auditing and so assessing the overall quality of the internal control system. Control Self Assessment – an approach to risk management, that may be facilitated by Internal Audit, that enables management to assess the risks and controls to the achievement of the organisation’s objectives. It may include the development of a risk register that lists the main risks the organisation faces and an action plan for improvements to internal control. Head of Internal Audit - is a generic title for Chief Internal Auditor or Director of Internal Audit or any other equivalent title. Internal Audit - is an independent objective assurance and consulting activity designed to add value and improve an organisation's operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes. Internal Control - is a process, effected by an entity’s board of directors, management and other personnel (people), designed to provide reasonable assurance regarding the achievement of objectives in the following categories: • effectiveness and efficiency of operations; (basic operational objectives, performance goals

and safeguarding resources) • reliability of financial reporting • compliance with applicable laws and regulations. Management - implies the Permanent Secretary and Accounting Officers in Ministries, or Controlling officers in Regions or other responsible officers in a public sector organisation. Performance Audit – an approach to Audit that aims to improve the economy, efficiency and effectiveness of operations. The objective of Performance Audit is to improve the value for money provided by a public sector organisation. Public Sector Organisation – types of public sector entities, for example, ministries, departments, regions or districts, as examples of the range of possible governmental entities that may exist.


Reliability of Internal Control – an assessment of the extent that internal controls are applied consistently by all staff, at all times and in all circumstances. Risk – the chance (or probability) that one or more of the organisation’s objectives will not be achieved. It may refer to the failure to achieve objectives efficiently or the occurrence of unwanted outcomes. It may also refer to the inability to exploit possible opportunities. Risk management - the formal identification, assessment and planned management of significant risks facing the organisation. Systems Audit - systems audit is the structured analysis of internal control in relation to the objectives of the organisation. Systems audit should enable internal audit to make practical recommendations to address any weaknesses that have been identified within the context of risks to the achievement of the system’s objectives. It should also enable internal audit to form an opinion on the adequacy and reliability of the organisation’s internal control system.


internal auditing guidelines - esaag - about us. introduction 1.0 these internal auditing guidelines...

Documents