
JUNE 2006 


TABLE OF CONTENTS 

I. INTRODUCTION

II. CHARTER DETERMINING THE INTERNAL AUDIT SCOPE, TASKS AND AIMS

III. PROFESSIONAL CODE OF ETHICS FOR INTERNAL AUDITORS

IV. FUNCTIONAL INDEPENDENCE OF INTERNAL AUDITING

V. INTERNAL REGULATIONS, PROCESSES, PROCEDURES AND RISK ASSESSMENT RELATED TO INTERNAL AUDITING ACTIVITY

1. Management of internal auditing activity
   A. Internal audit human-resource management, basic principles for the continuous further vocational training of internal auditors
   B. Performance evaluation of internal auditors
   C. Regulations ensuring the quality of internal auditing activity
   D. Provisions for the involvement of external experts
   E. Guidelines for the advisory activity of internal auditors

2. Preparation of internal audit planning, risk assessment
   A. The steps of planning preparation
   B. Risk assessment

3. Planning of internal auditing
   A. Strategic planning
   B. Annual audit plan
   C. Division of resources

4. Preparation for auditing
   A. Planning of implementation
   B. Administrative preparation

5. Implementation of auditing
   A. Opening discussion
   B. Use of auditing work-sheets
   C. Fundamental examination procedures, techniques
   D. Interview, as a tool for analysing processes and risks
   E. Assessment of control points or processes (controls)
   F. The role of testing in the assessment of control points or processes (controls)
   G. Gathering and registering of evidence, and the declaration of completeness
   H. Audit protocol, serious insufficiency

6. Regulations on the structure and content of the internal audit report
   A. The preparation of the internal audit report
   B. Annual report evaluating the internal audit

7. Regulations of the utilisation of audit statements and of the establishing of actions following the audit
   A. Action plan
   B. The follow-up of the audits

8. The procedure applicable in the case of exploration of acts, failures or deficiencies giving rise to the starting of criminal, infringement, compensation or disciplinary proceedings in the course of the audit

9. Formal requirements of audit documentation and the order of safekeeping

VI. METHODOLOGICAL GUIDELINES, IMPORTANT STEPS AND SECTIONS OF INDIVIDUAL AUDITING METHODS

1. International internal auditing standards

2. System audit


I. INTRODUCTION

In Hungary, pursuant to Act XXXVIII of 1992 on Public Finances (hereinafter: PFA) and Government decree 193/2003. (XI. 26) on the internal audit of public budgetary organisations (hereinafter: IAD), public organisations participating in the use of public funds are obligated to operate an internal audit system with the aim that they should provide assurance for the head of the organisation concerning the suitability of the (financial) management and control systems built by and operated by them.

On the basis of article 121/A (1) of the PFA the definition of internal audit is as follows: Internal audit is an independent, objective, assurance and consulting activity, the aim of which is the development of the given organisation's operations and an increase in the effectiveness thereof. In order to reach the aims of the organisation the internal audit evaluates and generates by way of a system-based approach and methodology, the efficiency of the risk management, (financial) management and control procedures of the audited organisation. The internal audit bodies comprise the organic part of the control environment in respect of all of the public budgetary organisations and – in a wider context – the Hungarian public internal financial control system. In respect of risk management, (financial) management and control processes they support, through the formation of an independent and objective opinion, the development of the (financial) management and control systems in harmony with domestic and European Union legal regulations and guidelines. On the basis of international internal audit standards the internal audit’s following essential criteria must be emphasised:

The internal audit, through an increase in effectiveness, aids the (financial) management and control processes of the public bodies.

The internal audit is an internal, assurance-providing and consultancy activity, not an authoritative one.

The internal audit operates as the most important element of responsible management.

The task of internal audits is to evaluate the control system designated to manage risk.

Standard Number 2100 of the Institute of Internal Auditors (IIA) determines that internal auditing activity, methodologically and through a system-based approach, evaluates risk management and organisation management and control systems and contributes to the improvement thereof.

The Control System Development Department (CSDD) operating within the Ministry of Finance is responsible for the implementation of tasks that target the development of legislative, institutional, methodology and professional training systems related to the public internal financial control system, taking into account the standards of the IIA, requirements underpinned by the European Union, and the member states’ “best practices”. The CSDD shall maintain contact with the European Commission and the existing and future member states of the European Union, and with the organisations of the OECD countries, which carry out the coordination and harmonisation tasks of public internal financial control (PIFC).


The Ministry of Finance, in harmony with international and domestic requirements, shall prepare the necessary laws and other legislation that together determines the tasks connected with the formation and operation of public organs’ internal audit.

The legislation, handbooks and methodological guidelines issued by the Ministry of Finance shall be in harmony with European Union standards, and with the individual management tools (Organisational and operational regulations (OOR), statutes) of all the public bodies together comprise the tools aiding the management of internal audit activity.

Pursuant to point c) of Article 33 of the IAD, the Ministry of Finance has prepared the sample of the internal audit manual in its current format and with its current content. All public bodies are obligated – taking into account their characteristics – to produce their own internal audit manual within 60 days from the publication of the manual sample. The internal audit leaders of all the public bodies are responsible for the continual up-to-dateness of their own internal audit manual.

The current sample manual is prepared based on the PFA, the IAD, and the international and domestic experiences of internal audit with the aim of conforming to the domestic and international requirements. In relation to the detailing of all questions it shall mention the implementation standards which also describe the basic requirements of the IIA relating to the given sphere of questions, giving the number thereof and denoting the content of the standard. The implementation standards and standards describing the basic requirements are negotiated by the practice advisories processed by the IIA. The regulations appearing in the practice advisory are not obligatory; they provide recommendations for the internal auditors. The manuals must be flexible in order to be in harmony and up-to-date with new Hungarian and European Union regulations and requirements and the manuals issued by the IIA. The development and publication of the internal audit sample manual is an ongoing process. The Ministry for Finance shall proceed with a wide-ranging consultation prior to the publication of any changes to the internal audit sample manual. Observations and recommendations related to the sample manual can be sent to the following address:

Ministry of Finance

Control System Development Department

1051 Budapest, József Nádor tér 2-4

E-mail: [email protected]

The current sample manual details the general principles defined in the internal audit charter with the aim of supporting the regulating of daily internal audit practice and the daily internal audit work. The manual documents and appendices contain the preliminary concepts in order that the content of the documents be better understood. The examples appearing in the appendices serve simply as an interpretation aid.


II. Charter determining the internal Audit scope, tasks and aims

Pursuant to Article 5 of the IAD, the internal audit charter forms a part of the internal audit manual. On the basis of the mandate defined in point s) of article 48 of the PFA and taking the IIA standards into account, the Finance Minister in the framework of the public internal financial control system coordinator and harmoniser, has published as a recommendation the following sample of the internal audit charter:

INTERNAL AUDIT CHARTER

Aim and task of the internal audit

Internal audit is an independent, objective, assurance-giving and consulting activity, the aim of which is the development of the given organisation's operations and an increase in the effectiveness thereof. In order to reach the aims of the organisation the internal audit evaluates and generates by way of a system-based approach and methodology, the efficiency of the risk management, (financial) management and control procedures of the audited organisation.

In the interest of provision of its tasks the internal audit prepares analyses, collects and evaluates information, gives recommendations and gives advice to the head of the public budgetary organisation (hereinafter: PBO) in relation to the examined processes.

The task of internal audit is the examination – and during which the supporting with sufficient evidence and giving suitable certainty in relation thereof – of the suitability of the risk management, (financial) management and control systems and procedures formed- and operated by management in relation to the following requirements: 

        The risk management system is capable of recognising and suitably managing the risks adherent in the attaining of the organisation’s risk management objectives;

        Cooperation between all managers and management groups is satisfactory;

        Data and calculations pertaining to financial-, management-, and operative operation are accurate, reliable and made available in a timely fashion;

        Employee activity is in line with legislation and regulations (including both domestic and EU prescribed legislation on reporting obligations), in harmony with internationally accepted standards, with the guidelines published by the Minister of Finance, and the methodological guidelines;

        Equipment and resources are managed sparingly and efficiently, and suitably consider the safeguarding of property;

        The worked-out programs, plans and objectives are realised;

        In the work processes of the PBO the quality of the (financial) management and control system is suitable and ensures continual up-to-dateness;


        The systems and procedures – including those under development – are complete, and ensure that the audits provide suitable protection for the avoiding of mistakes, irregularities and other loss, and, that the procedures are in harmony with the comprehensive goals and objectives of the organisation;

        The PBO must suitably and in a timely manner react to any changes in legislation or other mandatory regulations affecting the given PBO.

Management must be informed of possibilities related to improving the quality and efficiency of the (financial) management and control system exposed during the execution of the internal audit. The internal audit – as management support activity – does not at the same time exempt management from its responsibility either for managing risk or for operating a (financial) management and control system. In the interest of improving the organisation’s (financial) management and control system, internal audit makes recommendations, but the execution of these recommendations or initiation of other measures strictly belongs to the scope of responsibility of management.

The auditing scope of internal audit spreads to the auditing of precise adherence to all centrally issued regulations, directives and procedures (including those also which are undertaken by Hungary out of international obligation and/or derive from membership of some or other international organisation), all budgetary revenues and expenditures, and evaluation of the economy, efficiency and effectiveness of the activity of the public bodies in the interest of transparency of budgetary management.

The advisory activity of internal audit spreads to the following:

        Support of management in decision-making, with the formulating of recommendations (working out alternatives and estimating the risk attached to all solution opportunities, to which the attention of management must be brought), although management must make the final decision.

        More rational management advice in line with human-resource capacities.

        More rational management advice in line with financial, material and IT resources.

        Expert and advisory support of management in the establishing of irregularity management systems and performance-management systems, and in the continuous development thereof.

        Consultancy on the rationalisation of the organisational structure, in the field of change-management.

Reporting

The chief audit executive is obligated towards the head of the PBO to:

        Give yearly a comprehensive evaluation of the PBO’s (financial) management and control-, and risk management system, and report on the suitability and efficiency of the systems;

        Report on all important findings related to the PBO’s (financial) management and control system and to give notification on any possible development recommendations;

        Give notification at regular time intervals on the situation regarding the implementation of the annual audit plan, on the results of completed audits, on the reasons for deviations from the plan, and on the existence of the personnel and material conditions necessary for the provision of the tasks of the internal audit unit;


        Give uniform professional interpretation in relation to other audit activity and following the trail (risk-management-, conformity-, security-, legal-, ethical-, environmental issues, external audits), ensure suitable coordination with the organisations and persons seeing to these tasks, and to regularly inform management thereon.

Independence

In the interest of ensuring the independence of internal audit the internal auditors shall belong to the chief audit executive. The chief audit executive shall carry out his tasks directly subordinated to the head of the PBO; the head of the PBO shall provide for the appointing thereof.

 

The internal auditor may not possess any scope of authority over the audited activity and may not be responsible for the audited activity. The involvement of the internal auditor in the processing and implementation of the organisation’s regulations, systems and procedures may only take place in an advisory and opinion-providing capacity.

Responsibility

The chief audit executive’s and internal auditors’ scope of responsibility:

        Ensuring that all audits belonging to the scope of internal audit actually take place in compliance with that specified in the current Charter;

        The effective management and development of the internal audit unit of the PBO, by giving the necessary professional, technical and operative guidance, in compliance with international internal audit standards, guidelines and practice;

        To formulate the strategy based on risk assessment and the annual audit plan, during the preparation of which, any risk factors discovered must be brought to the attention of management. The audit plans and the recommendations for the modification thereof must be provided by the chief audit executive to the head of the PBO for approval;

        To implement the approved annual audit plan, also including tasks completed out with the request of management;

        To employ professionally qualified auditors with suitable professional understanding and experience for the fulfilment of the requirements covered in the current Charter;

        To evaluate the main functions operating at the organisation, new or restructuring organisational units, tasks and processes, problems related to the formation, operation and application thereof;

To prepare at regular time intervals reports for the head of the PBO, in which the findings of the audits are summarized;

       To inform the head of the PBO on the measurable objectives of the internal audit activity and the measured results thereof;

        To pay attention to the work of external auditors and legislators, in the interest that the internal audit optimally covers the operation of the organisation – besides rational cost-effect.

Rights and obligations

Rights and obligations of the internal auditor

 


On the basis of article 13 of the IAD, the internal auditor is also entitled to the following:

a) enter into the premises of the audited organisation or unit taking into account the security rules and the order of work;

b) have access at the audited organisation or unit to the relevant documents in relation to audit containing state secrets, official secrets and business secrets and other documents and data stored electronically with the observance of provisions of data and secret protection defined in the relevant legislation, ask for copies, extracts or certificates of the aforesaid documents and in justified cases take the original documents – by leaving a copy behind – against an acknowledgement of receipt;

c) request oral or written information from any employee or head of the audited organisation or unit;

d) request information from other bodies in connection with the operation and management of the audited organisation or unit;

e) initiate the involvement of external experts.

Pursuant to article 14 (1) of the IAD, the internal auditor is obligated to:

a) implement the audit programme during the audit activity;

b) inform the head of the audited organisation or unit about the start of the audit and present his/her letter of appointment;

c) study documents and conditions indispensable for formulating an objective opinion;

d) elaborate his/her findings objectively and truthfully in written form and support them with ample and sufficient evidence;

e) if during the performance of audit the suspicion of an act, negligence or deficiency arises which may result in criminal, infringement, liability or disciplinary procedure, immediately report it to the chief audit executive;

f) draft an audit report and discuss it with the relevant persons at the audited organisation or unit in a contradictory procedure;

g) send the finalised audit report to the chief audit executive;

h) in case there is a conflict of interest regarding the audit task or his/her person he/she shall immediately report it to the chief audit executive; failure to do so or delayed reporting entails disciplinary responsibility;

i) hand back the original documents in full at the closure of the audit or, if in the course of the audit activity the suspicion of an act, negligence or deficiency arises which may result in a criminal, infringement, liability or disciplinary procedure, hand the documents to the head of PBO against an acknowledgement of receipt, as it is his/her task to take the necessary measures;

j) observe safety rules and order of work at the audited organisation or unit and their sub-units;

k) keep any state secret, official secret or business secret he/she has come to know in the course of audit;

l) collect all the working papers in the internal audit file.

Rights and obligations of the audited body or organisational unit

 Pursuant to article 16 of the IAD, the manager of the audited body or organisational unit and its employees are entitled to:

a) request a personal identification document and a letter of appointment from the auditor, and in lack of these refuse co-operation;


b) be invited to comment on and discuss the draft audit report in the framework of the contradictory procedure.

 Pursuant to article 17 (1) of the IAD, the manager and employees of the audited body or organisational unit are obligated to:

a) assist and co-operate during the implementation of the audit task;

b) provide oral or written information, declaration requested by the auditor, provide access to documents and hand over the requested original documents by the given deadline against a copy and acknowledgement of receipt;

c) upon the request of the auditor provide a declaration on the completeness of the documents (papers, data);

d) on the basis of the audit findings and recommendations elaborate an action plan stipulating the responsible persons and the deadlines, and perform the necessary measures within his/her scope of responsibility by the given deadline and inform the head of the organisation or unit performing the audit and the chief audit executive on the implementation of the action plan;

e) provide adequate working conditions for the auditors.

Scope

The PFA and the IAD set forth the scope of internal audit.

The scope of authority of the chief audit executive and the internal auditor covers the following:  

        They have unlimited access to all of the activities, records and property of the audited organisation;

        They may turn at any time to the head of the PBO directly;

        In the interest of attaining the audit aims, manage the available resources, define the frequency of the audits, the subject and scope of the audits, as well as select the applied audit methods;

        For the implementation of the audits, they are entitled to ask for information from any of the audited organisation's employees, and in instances demanding expert knowledge they may utilise expert help from other organisational units or organisations for the conducting of the audit activity.

 The scope of authority of the chief audit executive and the internal auditor does not extend to the following: 

        Participation in any implementation or management activity of the PBO;

        Initiation or approval of financial transactions outwith those related to the internal audit unit;

        The management of the activity of any employee of the organisation not employed by the internal audit unit, except where these employees have received assignment to participate in the audit, or aid in another way the internal auditors.

 Standards pertaining to internal audit activity

The internal auditor shall carry out their activities based on the relevant legislation, international internal audit standards, the methodological guidelines issued by the Minister of Finance, the sample manual, and in accordance with the internal audit manual prepared by the chief audit executive and approved by the head of the PBO. Within the framework of provision of the coordination and harmonisation tasks of the internal audit system the Minister of Finance shall regularly check the management guides and methodological guidelines related to the organisation and conducting of internal audits, including the sample manual.

Date: __________________________

_________________________________                   _________________________________
Head of PBO                                         Chief audit executive


III. Professional code of ethics for internal auditors

The professional code of ethics relating to the organisation's internal auditors, which is approved by the organisational manager, comprises a part of the organisation's internal audit manual. The code of ethics relates to all persons and organisations conducting internal audit activity carried out in the framework of public internal financial audit. The aim of the forming of the code of ethics is the promoting of the strengthening of ethical culture within the internal audit profession, and, with attention to ethical regulations pertaining to public servants, the erecting of a requirements system securing the regulations for behaviour of internal auditors, which must be followed during the provision of the internal auditors' tasks.

The work and behaviour of the auditors must always and under all circumstances be impeccable. Any mistakes made during the carrying out of tasks, or any unworthy behaviour exhibited in their private lives, can cast a bad light on the state administration, the system of audit and the honesty of the auditors, and can bring into question the reliability and proficiency of the audit. Acceptance of the codex and adherence to the issues covered by the codex at the same time increases trust in the auditors and their work.

On the basis of point s) of article 48 of the PFA, taking into consideration the standards of the IIA, the Finance Minister, within the framework of coordination and harmonisation of the public internal financial audit system has, as a proposal, published the below sample professional ethics code of internal auditors.

PROFESSIONAL ETHICS CODEX OF INTERNAL AUDITORS

INTEGRITY

The integrity of the internal auditor establishes trust in the professional opinion of the auditor. The internal auditor:

1. Shall carry out their work with respect, and the honesty, professional accuracy, understanding and responsibility expected from them;

2. Carry out their work and form their professional opinion in compliance with the regulations and professional requirements;

3. Refrain from any activity which is in breach of legislation or internal regulations, or is not worthy of the internal audit profession;

4. Hold in respect the aims of the organisation, contribute to their realisation, and carry out their work keeping common interest in mind.

INDEPENDENCE, OBJECTIVITY AND IMPARTIALITY

The internal auditor shall in all instances, objectively and without partiality provide at the examination of any activity or processes the collection, analysis and communication of information and during the formation of job specifications and the communication thereof. The internal auditor shall maintain their independence from the examined organisation, and other external interested parties. The internal auditor shall weigh, evaluating all important events. When forming their opinion their own, or the interests of a third party, may not hold influence. The internal auditor:

1. Refrain from any activity or relationship which may detract from the impartiality of their evaluation, or damage the interest of the audited organisation;

2. Carry out their activity without political interference;

3. Prepare a suitably grounded and objective report in which the conclusions are exclusively based on suitable and sufficient auditing evidence existing in harmony with the internal audit standards issued by the Finance Minister;

4. Cannot accept any gifts, income or unauthorised advantage which may influence the formation of objective professional opinion;

5. All essential and important facts must be presented in their report, which ensure the wholeness of the audit report on the examined activity;

6. Shall consider all information and opinion available to them published by the examined organisation or other parties, however, these may not influence the own conclusions of the internal auditor.

SECRECY

The internal auditor shall handle confidentially all data and information that comes to their knowledge during the course of the audit. Without suitable authority they cannot make any of this information public or disclose it to unauthorised persons, except where the communication of the information is a legal or professional obligation. The internal auditor:

1. Shall handle prudently information coming to their knowledge during the course of the audit and provide for the suitable protection thereof;

2. Shall not use any data or information coming to their knowledge for their own personal aims or profit, shall not use it in a manner contrary to legal regulations, to the injury of other institutes or persons, nor in a way as to damage the interests of the audited organisation or common interest.

EXPERTISE

The internal auditor shall provide for their internal audit tasks for the execution of the internal audit with the necessary knowledge, expertise and experience. The internal auditor:

1. Shall carry out strictly such audit for which they possess the necessary knowledge, expertise and experience, or provide for the involvement of a suitable external expert;

2. Shall perform the internal audit activity in harmony with the guidelines, recommendations and methodological guidelines published by the Finance Minister and based on the standards of the IIA;

3. Endeavour to continually develop their professional knowledge, activity and quality.

COOPERATION

The internal auditor is obligated to certify behaviour which promotes cooperation between the auditors and within the profession and the formation of good relations. The internal auditor:


1. through cooperation promotes professional development;

2. cooperates with their colleagues.

INCOMPATIBILITY

If the internal auditor carries out consultancy or other non-auditing activity for the examined organisation it must be ensured that these activities do not lead to incompatibility.

The internal auditor: 

1. May not, in the framework of advisory or other non-audit activity, take over responsibility belonging to the scope of authority of the manager of the audited organisation;

2. Shall guard their independence and avoid all possible forms of incompatibility, thus refusing all gifts or benefits which influence or may influence their independence and integrity;

3. Shall avoid such relationships with the manager of the audited organisation and employees, or with third parties, which may influence or endanger their independence;

4. May not use their official position for personal aims, and shall avoid such relationships which in themselves contain danger of corruption, or which could raise doubt in relation to their objectivity and independence.

 Pursuant to article 15 (1) of the IAD, in respect of the internal auditor or the chief audit executive, incompatibility exists and they may not participate in the audit if:  

a)      Pursuant to point b) of article 685 of Act IV of 1959 on the Civil Code, they are a close relative of the manager or an employee of the audited organisation or organisational unit;

b)      They previously belonged to the employer sphere of the manager of the audited organisation or organisational unit, within three years calculated from the cessation of the legal relationship;

c)      They have cooperated in the performing of a program or task jointly with or related to the professional area or institute to be audited, within the three years following the closing of the program or the performance of the task;

d)      An objective audit cannot be expected of them for other reasons.

Pursuant to article 15 (2) of the IAD on incompatibility, in the event of incompatibility affecting the chief audit executive or the manager of the internal audit unit, the manager of the PBO shall arrive at a decision within 8 (eight) working days of becoming aware of the reason for incompatibility. Until the decision on incompatibility is made, the auditor and/or the manager of the internal audit unit are, in relation to the incompatibility, exempt from auditing activity.

______________________________                      ______________________________
Chief audit executive                                             Head of PBO

_________________________________
Date

IV.            Functional independence of Internal Auditing

The organisational diagram showing the functional independence of the internal auditors must be prepared in compliance with the characteristics of all public bodies, the PFA, and the specifications of the IAD. The inclusion of the OOR part pertaining to internal audit activity, and of the organisational diagram, is recommended.

V.        INTERNAL REGULATIONS, PROCESSES, PROCEDURES, RISK ASSESSMENT RELATED TO INTERNAL AUDITING ACTIVITY

Internal audit analyses operational processes from the perspective of evaluating the suitability of the controls serving risk-management that are established by management. Such controls are, for example: separation of regulations, scope of authority and responsibility, organisational division-, implementation, control-, and approval functions, the four eyes’ principle, financial management and control, provision of information, monitoring, and IT controls, etc. Internal audit originates from operational and activity processes, meanwhile comprising a control process in itself in the PBO’s management and regulatory (internal control) system.

The current manual introduces the internal audit activity and the elements thereof, in compliance with its process characteristics. The main elements and steps of internal audit are as follows:

        Planning preparation

        Risk assessment

        Planning of internal audit

        Preparation for auditing

        Implementation of auditing

        Preparation of internal auditing report

        Follow-up, ex-post audit

Appendix Number 1 contains the process diagram of internal audit activity. The division of responsibility for all steps of the process can also be found in the process diagram.

1.     Management of internal auditing activity

Pursuant to article 12 of the IAD, the tasks of the chief audit executive are:

a)      preparation of the internal audit manual;

b)      compilation of the strategy underpinned by risk assessment and the annual audit plans, implementation of the plans - in accordance with the internal audit charter - following approval from the head of the PBO, and the follow-up of the realisation of the plans;

c)      organisation of internal audit activity, management of the implementation of audits;

d)      coordination of the audits;

e)      to report immediately to the head of the PBO any reason for incompatibility relating to their assignment or person that comes to their knowledge; negligence or delay in doing so carries disciplinary responsibility;

f)      if, during the course of the audit, suspicion arises of actions, negligence, or insufficiency giving reason for initiating criminal, petty-offence, damages or disciplinary proceedings, to notify immediately the head of the PBO or, in case he/she is involved, the manager of the supervisory body, with recommendations for the initiation of the suitable procedures;

g)      following the close of the audit, to send in compliance with article 28 of the IAD, an audit report to the manager of the audited organisational unit and the head of PBO operating the organisational unit;

h)      to compile the annual audit report and the summary audit report in compliance with article 31 of the IAD;

i)     to provide, during the course of the internal audit activity, that the internal audit quality-assurance procedures be applied, and the methodology guides issued by the Minister of Finance be enforced;

j)   to provide for the recording of audits, the keeping of audit documents for at least 10 years, and the secure storing of the documents and data;

k)      to ensure the professional training of internal auditors, and in the interest of this to prepare an annual training plan – approved by the head of the PBO – and provide for its realisation;

l)      to evaluate annually the audit’s material and personal conditions, and to make recommendations to the head of the PBO on the harmonisation of the actual conditions and the annual plan;

m)    to notify the head of the PBO on the realisation of the annual audit plan, and on any deviations;

n)      to follow up the implementation of the action plans, based on the notification of the head of the PBO.

If one person performs the internal audit at the PBO, he/she shall perform the activities pursuant to article 12 of the IAD.

If at the PBO – in accordance with the internal audit charter – the PBO’s internal audit activity is performed with the involvement of an external resource, in the agreement pertaining to this it must be provided for that the activities pursuant to article 12 of the IAD are performed by the external resource.

A. Internal audit human-resource management, principles for the continuous further vocational training of internal auditors

The internal auditing tasks at the PBO can only be performed by an internal auditor who matches the requirements of article 11 of the IAD.

The responsibility of the chief audit executive is to ensure that the internal auditors and the internal auditing unit as a whole should possess the expected expertise and professional skills. The internal auditors must work together with the employees of the organisation and at the same time must remain objective. The internal auditors must give a well-grounded evaluation and must show discretion, steadiness and honesty during the performance of their profession.

Every internal auditor has responsibility for efficient and successful coordination and communication.

For the aims of the current manual we assume that at the PBO the internal auditors can be allocated into four groups:

        chief audit executive,

        deputy audit executive,

        audit team leader,

        internal auditing colleague.

Categorisation is dependent on the expected expertise. Appendix Number 2 contains the internal audit skills expected from those performing internal audit.

Expertise can be grouped into four spheres of characteristics: professional qualification

        internal auditing skills,

        special knowledge,

        management skills,

        experience.

Appendix Number 3 contains the competence matrix which establishes relationship between the categories and the necessary expertise and defines among the internal auditors, who shall perform which tasks and in what breakdown of work.

        Where possible, the tasks of the internal auditors must be rotated. Consideration must be given to the incompatibility criteria when the chief audit executive designates auditors for a given audit. Notification on incompatibility must be given prior to the start of the audit, upon receipt of the letter of assignment, to the person carrying out the audit.

Capacity-assessment

Pursuant to article 4 (6) of the IAD, the number of internal auditors employed at the PBO must be allocated so that it shall be proportional to the number of tasks supplied by the organisation, the amount of the handled tools, and the contents of the strategic plan.

The aim of capacity assessment is to determine how much and what kind of human and material resources are necessary for the internal audit to ensure provision of suitable certainty for the head of the PBO, concerning the efficient operation of risk management, (financial) management and control procedures.

The assessment prepared according to the above must be regularly updated.

Evaluation

The chief audit executive is thus responsible for the internal auditors receiving continual feedback and evaluation of their personal performance. In case of a new recruit, as well as annually, the chief audit executive must fill in the evaluation sheet according to Document sample Number 1. The evaluation process involves:

        The review of the skill- and knowledge inventory and development plan of the preceding year in the interest of evaluating the performance of steps aimed at development;

        The evaluation of the expertise of the internal auditor through the actual filling in of the skill- and knowledge inventory- and development plan. The plan must contain the agreed development steps which serve as a basis for the formation of the individual training plan in respect of all internal auditors;

        The summarising and analysis of the post- audit assessments.

The internal audit performance evaluation will be set forth in a detailed manner in point B of this chapter “Evaluation of performance of internal auditors” in relation to all audits, while in point C “Regulations ensuring quality of internal audit performance” in relation to the ensuring of suitable quality of internal audit activity.

Substitution

The chief audit executive must prepare a substitution plan in case employees are absent from the execution of the auditing tasks due to holiday or illness. The internal audit substitution matrix details the possible deputies from among the employees. The matrix sample can be seen in Appendix Number 4.

Principles related to the continuous further vocational training of internal auditors

It is the task of the chief audit executive to ensure the further vocational training of the internal auditors, in the interest of which – approved by the head of the PBO – he/she shall prepare an annual training plan and provide for the realisation thereof.

The training requirements are partly the result of the personal evaluation process, and also have to be defined based on the expertise expected of the auditors. The chief audit executive must prepare and update annually for every internal auditor their individual training plan, which relates directly to the defined development steps agreed and aid the professional development of the internal auditors in harmony with the desired expertise. The accepted training plan must support the auditor in acquiring qualifications which recognise, as well as prove the endeavours of the auditors, professional knowledge and quality.

The individual training plan sample can be found in Document sample Number 2.

B. Performance evaluation of internal auditors

The chief audit executive is responsible for the evaluation and follow-up of the performance of internal auditors, and if necessary for taking the steps required to restore the adequate functioning. The performance evaluation provides information on the efficiency and effectiveness of the internal audit operation, and aids the chief audit executive in identifying the possibilities related to the improvement in performance of internal audit.

The primary tool of performance evaluation is the audit assessment sheet, as well as the application of key performance indicators.

The internal auditor performance evaluation shown in the current manual is not the same as the performance evaluation defined in article 34 (1) of Act XXIII of 1992 on the legal position of public servants, according to which the work performance of public servants is evaluated in writing proceeding in the legal scope of the annual reflection of the practicing of employer rights, based on the performance requirements defined in consideration of their scope of duties and the objectives of the PBO.

Audit assessment sheet

The audit assessment sheet is the primary tool of collecting opinion related to incoming feedback on the audited organisational units and the performance of the internal audit. The audit assessment sheet provides help:

        In the collecting of information related to the efficiency and effectiveness of the internal audit;

        In the identification of opportunities and in the collecting of ideas and opinions related to the development of internal audit performance.

The audit assessment sheet must be used during the course of all performed audits. The audit team leader sends the audit-following assessment sheet to the manager of the audited area within one week following the sending of the report on the completed audit. The cover letter shall contain the purpose of the assessment and the deadline for the return of the filled out form. Following the arrival of the assessment sheets the audit team leader and chief audit executive evaluate and sum up the results of the assessment.

The audit assessment sheet can be found in Document sample Number 2.

Key performance indicators

The key performance indicators (KPI) are performance index-numbers which make it possible for the chief audit executive to carry out quantitative measurements and evaluate the internal auditor performance based on this. The performance indicator analysis, e.g., number of used work-hours, number of accepted proposals, implementation of the auditing plan, etc., aid the chief audit executive in performing a comparison in relation to the performance of the internal audit for the given time period and to identify the areas where development is required.

The KPIs can be calculated with the use of basic information defined in the annual audit plan and audit information appearing in the audit record. The audit team leader must ensure that the necessary data is recorded in relation to all performed audits, so that from them the chief audit executive is able to calculate the KPIs on a quarterly basis.

The list of KPIs used by internal audit and the sample form for audit records can be found in Document sample Number 19 and Number 20.

C. Regulations ensuring the quality of internal auditing activity

It is the responsibility of the chief audit executive to provide for, during the course of the internal auditing activity, the application of the procedures ensuring the qualitative implementation of the internal auditing activity.

The chief audit executive must thus form and operate procedures which ensure and continuously develop quality in relation to the complete internal auditing activity and at the same time accompany the efficiency thereof with constant attention. The quality assurance procedures must be planned so as to aid internal audit to improve through its activity the economy, efficiency and effectiveness of its operation and with certainty, serve that the internal auditing activity is in accordance with the relevant Hungarian and European Union legislation and requirements, the Professional Experience Guide of the IIA, and the internal auditors’ code of ethics.

The internal quality assurance and development procedures contain the following:

        suitable review of the implementation of audits;

        regular internal evaluations and the constant follow-up of the quality;

        regular external evaluations.

Review

It is the responsibility of the chief audit executive to ensure the suitable professional-management review of the auditing activity. The review extends to planning, examination, agreement and post-examination processes alike. Within the review framework, in accordance with the IIA Practice guide number 2340-1 the lead internal auditor:

        shall ensure that those performing the internal audit possess the knowledge, skills and expertise necessary for the performing of the audit;

        during the course of planning the audit they shall give suitable directions, and approve the audit program;

        verify that the approved audit program is implemented as planned, that modifications are noted, and approved in the adequate manner;

       verify that the audit worksheets suitably support the audit findings, conclusions and proposals;

        ensure that during the course of the audit the communication is suitable, objective, clear, concise, constructive, and takes place in a timely manner;

        ensure the fulfilment of the audit objectives;

        ensure the opportunity for the development of the internal auditors' knowledge, skills and professional understanding.

The chief audit executive is completely responsible for the review process; however, he/she may designate an employee in the field of internal audit possessing suitable experience to examine the work of less-experienced internal auditors.

The review process extends to the training and development of colleagues, the performance evaluation of employees, verification of the length of time taken to complete a given task, and also to similar administrative fields. In accordance with this the chief audit executive is responsible for the follow-up of the time it takes the auditor designated to perform a given audit to complete the task.

Internal evaluation and the continuous follow-up of the quality

Internal evaluations constitute the continuous review of the performance of internal audit. The continuous reviews may be carried out according to the following:

        The application of checklists and other tools, which ensure that during the course of the auditing activity the auditors have proceeded in accordance with the procedures prescribed in the legislation and the manual.

The checklist serving the evaluation of internal audit activity and performance provides help during the audit planning and implementation. These checklists help ensure that the necessary steps of the audit process have been taken. The audit team leader must verify the audit steps carried out. During completion of the audit these forms must be attached together with the worksheets and the chief audit executive must examine and sign them. (See Document sample Number 22: Quality-assurance checklist)

        The feedback received from the audited field or from the organisational unit.

The primary tool of collecting feedback and opinion arriving from the audited units and relating to the internal auditing activity is the audit assessment (see the chapter entitled “Performance evaluation of internal auditors” for more details).

        The analysis of performance-evaluation indicators, e.g., the work-hours used, the number of accepted proposals, the implementation of the audit plan, etc.

The performance-evaluation indicators make it possible for the chief audit executive to also measure and evaluate the internal auditing performance (see the chapter entitled “Performance evaluation of internal auditors” for more detail).

In the framework of the internal evaluation the chief audit executive shall pay attention to the quality of the provision of the internal auditing tasks, and on the basis of the evaluation shall also follow up whether suitable developments have been made.

The results of the internal evaluation must be summarised in the report on the annual internal audit activity (see the chapter entitled “Performance evaluation of internal auditors” for more details). In the interest of accountability the chief audit executive shall notify the head of the PBO about the results of the internal quality assurance evaluation.

External evaluation

It is recommended to conduct an external evaluation on the operation of internal audit – as a quality-assurance examination – once every five years by a professionally qualified, independent, auditing body operating outside of the organisation.

Within the framework of this the external evaluation must evaluate whether the internal auditing activity complies with the relevant domestic and European Union legislation and requirements, the professional standards of the IIA, and the internal auditors’ code of ethics, and – if necessary – recommendations must be formulated in relation to the development of the internal auditing activity.

The person or organisation conducting the evaluation must be independent from the organisation and the internal audit. The evaluation must be performed by persons experienced in the professional practice of internal audit and in external evaluation procedures alike. Persons professionally qualified and suitable for external evaluation, internal auditors not belonging to the organisation and who offer other professional services, and professional consultants (e.g. MoF, CHU), can be external evaluators.

Upon completion of the evaluation official notification must be given by those performing the evaluation (e.g. State Audit Office, Government Audit Office, and Ministry of Finance) to the head of the organisation. The notification must contain the following:

        Evaluation of the compliance of the internal auditing activity with the relevant domestic and European Union legislation and requirements, the professional practice standards of the IIA, and the internal auditors’ code of ethics;

        Recognition and evaluation of the so-called best practices (in part the best practices observed during the course of the evaluation, in part the communication of the best practices which are used at other organisations but can be applied for the examined internal audit);

        Where possible, recommendations made in the interest of development of the internal auditing activity;

        The observations and replies of the chief audit executive, which contain the action plan and implementation deadlines related to the discovered insufficiencies.

D. Provisions for the involvement of external experts

Pursuant to point m) of article 2 of the IAD, persons employed in the framework of an assignment contract at the PBO may also perform the internal auditing activity.

Legislation gives opportunity – in accordance with the internal audit charter – for the involvement of external audit experts in the implementation of internal auditing tasks of the PBO, which can arise for two reasons:

        The PBO does not possess an internal audit unit or internal auditor,

        The chief audit executive is entitled to make a recommendation to the head of the PBO for the involvement of an external resource if the existing internal auditing resources are insufficient for the amount of tasks to be performed, or in relation to their characteristics (audits demanding special expertise: e.g., IT audit, Environmental audit, FIDIC auditor, etc.);

If the PBO does not employ an internal auditor the head of the PBO is obligated to arrange for the involvement of external resources for the internal auditing activity. The agreement pertaining to this must prescribe for the external resource to cater for the tasks defined by the IAD as tasks of chief audit executive.

The head of the PBO shall make a contract with the external expert, whether a person or an economic entity, which defines in detail the services to be performed, the guiding legislation (Act on Public Finance, IAD etc.), as well as the other conditions (e.g., correspondence, deadlines, charges). The form of such agreements can be assignment- or contract-based, depending on the goals of the agreement.

The relationship between the PBO and the external service provider can be of two types:

        Without prior definition of concrete tasks, the external service provider undertakes the obligation that for a defined period they shall be available to the PBO and shall in accordance with the demands of the PBO, perform the internal auditing tasks that arise. The type- and characteristics of the tasks can however in this case be pre-defined.

        In the other case the external service provider shall perform the defined tasks within the given deadline;

The external service provider shall perform its auditing tasks in accordance with the relevant domestic and foreign legislation and internal auditing standards. Professional and ethical norms are likewise relevant for them.

When the expert auditor delegated by the external service provider works at a PBO then the audit manual and methodology descriptions formulated by the given body, as well as the requirements of “international best practice” must be applied entirely, and this must be included in the service contract.

From the perspective of expected effectiveness of the work it is highly important that the PBO proceeds with adequate thoroughness when involving the external auditor. From the perspective of the tasks to be performed an experienced service provider with suitable practice should be contracted. The agreement shall define in detail the purpose, subject and steps of the audit in such way as it is done in the audit program. The audit program may form an appendix to the contract tied with the service provider.

The external auditor must also be provided with a letter of commission, which shall be signed by the chief audit executive.

Standard number 2050 of the IIA defines that it is the task of the chief audit executive to coordinate and supervise all related auditing, advisory, service provision and assignment so that it should be possible to ensure the suitability of the work and the avoidance of possible overlapping.

E. Guidelines for the advisory activity of internal auditors

Advisory tasks may extend from the official assignment - from the contract secured in writing - to advisory tasks such as participation in permanent or ad-hoc committees or project groups.

1.      Objective related to value creation – Internal audit activity objectives related to value creation are realised within every organisation where the internal auditors may work in such way that their activity can fit in with the organisational culture and resources. Objectives related to value creation also appear in the definition of internal audit and concern themselves with assurance-producing and advisory activity which was developed to improve the operation of the given organisation and give value to activity. It aids the organisation in achieving its objectives through a system-based approach and methodically evaluates and develops the efficiency of the organisation's risk management and organisational management and control procedures.

2.      In consonance with the definition of internal auditing – every internal auditing activity applies a system-based and methodical evaluation methodology. The list of services can generally be placed in the wider context into the assurance-providing and advisory category. At the same time, in accordance with the wider-meaning definition of internal audit they can also mean forms of value-increasing services.

3.      Activities beside assurance-providing and consultancy– Many kinds of internal audit activity exist. Audit and consultancy are not mutually exclusive and are not excluded from other audit activities such as, for example, investigation or other non-audit characteristic activity. The majority of persons conducting internal audit also provide certainty and act as consultants.

4.      Connection between assurance-providing and consultancy – the advisory activity of internal audit further enriches the growth in value of internal audit. While advisory assignments are frequently the direct results of assurance-providing activity, it must be seen that assurance-providing tasks can also derive as a result of advisory assignments.

5.      Appearance in the internal audit charter of the authorisation related to advisory activity – Internal auditors traditionally provide many kinds of advisory services. These include analysis of controls, which are built into the system developments, participation in workgroups concerned with analysis of operation processes and formulating recommendations, etc. Executive management must authorise internal audit to provide further services - where there is no incompatibility or cause of damage to the provision of other tasks. This authority given to internal audit must appear in the internal audit charter.

6.      Objectivity – During provision of advisory services the auditors get to know better the business processes or the problems related to the assurance-providing task. It is not necessarily true that the objectivity of the internal audit activity should be reduced. Internal audit is not one scope of decision-making tasks carried out by management. Management makes decisions in the matter of the acceptance or implementation of recommendations made by internal audit. This is precisely why decisions made by management do not influence the objectivity of internal audit.

7.      Internal audit as a foundation of advisory services – The majority of advisory tasks are the natural continuation of assurance-providing and examination tasks. This can mean official or informal consultancy, analysis or evaluation. That special position covered under internal auditing activity provides opportunity for this kind of advisory work being carried out (a) in accordance with the highest possible norms of objectivity and (b), on the basis of in-depth knowledge of the processes, risks and strategies of the organisation.

8.      Communication of basic information – The primary importance of internal audit is that it should provide assurance for executive management. The provision of advisory tasks is not possible if, according to the personal judgment of the chief audit executive, information that needs to be shared with managers and executive management members is suppressed. All advisory tasks must be interpreted in this relation.

9.      Principles of consultancy in the interpretation of the organisation – Organisations must possess basic regulations which are understood by all organisation members, and which relate to the performance of advisory services. These regulations must be recorded in the basic regulations approved by executive management and must be made known to everyone within the organisation.

10.  Official advisory tasks – Management often entrusts external consultancy firms with official advisory tasks which can be drawn-out affairs. At the same time, the organisations can realise that internal audit activity is also highly prepared for the provision of official advisory tasks. Should the internal audit undertake the provision of official advisory tasks, the internal audit group must carry out work using a system-based and methodical approach.

11.  Tasks of the chief audit executive – By means of the advisory tasks the chief audit executive may conduct discussions with management in the interest of solving all management problems. In these discussions the time available for task completion and the scope of duties shall be defined in accordance with management demands. At the same time, the chief audit executive maintains the right to define the auditing techniques to be applied, and should report to executive management if, on the basis of the characteristic and seriousness of the results the organisation is exposed to serious risk.

12.  Perspectives of solving conflicts and developing problems – Above all, the internal auditor is an internal auditor. Thus, they must take all steps related to their auditing work on the basis of the IIA code of ethics, and standards formed for practicing of the internal audit profession, describing the basic requirements, and implementation. Unforeseen problems must be solved on the basis of the Code of Ethics and the Standards.

Definition of advisory services

The glossary attached to the standards defines advisory services as follows: “Advisory and other joint contracted service activity is on the character and scope of which an agreement is borne with the contractor, and which is aimed at the increase in value and the improvement of the organisation's operation. Types of activity can be: advice, making recommendations, cooperation and training related to the carrying out or planning of processes.”

It is the task of the chief audit executive to decide on the method of the allocation of tasks within the organisation. In some cases it may be useful to apply a so-called “mixed” method, which in a concentrated approach combines the elements of the assurance-providing and the advisory tasks. In other instances though, the suitable method may separate the assurance-providing and the advisory functions.

Internal auditors may perform advisory tasks as a part of their routine or usual activity, but can also perform them on the basis of management request. Every organisation decides itself on the types of advisory activity to be offered, and also defines whether separate regulations or the processing of procedures in accordance with all types of activity, is necessary. The possible categories are as follows:

        Official advisory assignments – pre-planned, written contract necessary.

        Informal advisory assignments – routine activity, for example, participation in permanent committees, deadline projects, ad-hoc discussions, and the routine exchange of information.

        Special advisory assignments – participation in a workgroup concerned with organisation mergers, system restructuring.

        Urgent advisory assignments – participation in a workgroup concerned with following a catastrophe or other business event, correcting or maintaining its operations, which is entrusted with providing temporary help and tasks with unusual deadlines.

Auditors generally cannot accept advisory assignments whose goal is to avoid, or to make it possible for a third party to avoid, requirements that would apply during an auditing task if the service in question would more suitably be performed as an auditing task. This does not exclude the application of the methodology where an audit was previously performed but the provision of advisory services would be more applicable in the interest of attaining the objective.


Independence and objectivity during the provision of advisory tasks

Pursuant to Standard Number 1130 C1 of the IIA, internal auditors can provide advisory services in relation to all activities which they were previously responsible for.

Internal auditors sometimes get requests to provide advisory tasks which concern areas which they have been previously responsible for or where they have already performed an assurance-providing audit previously. Before committing to the advisory service, the chief audit executive must ensure that executive management understands and accepts the concept of performing the advisory task. Internal auditors must maintain their objectivity in drawing conclusions and in recommendations given to management. If factors that reduce independence or objectivity are discovered prior to or following the start of the provision of the advisory service, this must be reported to the management immediately.

Independence and objectivity can be endangered if the audit task is performed within one year following the official advisory tasks. Steps can be taken to reduce such danger: other auditors are entrusted with these tasks, independent management and supervision is set up, separate accounting obligations are defined for each achievement of the project, and the conditions and the factors endangering independence and objectivity are published. It is the task of management to accept and implement the recommendations.

Care must be taken that – especially in the instance of advisory tasks performed with particular regularity – the internal auditors do not undertake, mistakenly or unintentionally, management tasks which did not appear among the original objectives of the task and exceed the scope of it.

Proper professional care during the provision of advisory tasks

In the knowledge of the following, the internal auditors must proceed with the proper professional care during the course of performing the official advisory tasks:

        The demands of the members of management, including the character, timing and communication of the results of the advisory task.

        The motivations and aims of the service requester.

        The scope of work necessary for the realisation of the objectives of the advisory task.

        The preparedness and resources necessary for the performance of the advisory task.

        The effect of the provision of the advisory task on the audit plan previously accepted by the manager of the organisation.

        The possible effect of the advisory task on future audit tasks and assignments.

        From an organisational perspective, the potential advantages deriving from the implementation of the advisory task.

The evaluation rests on the abovementioned independence and objectivity, and aside from taking into consideration the perspectives of proper professional care the internal auditor has the following tasks:

        Holding of discussions necessary for the performance of the auditing task, collection of the information necessary for defining the character and spread of the service.

        It must be ensured that those making use of the service understand and agree with the relevant guide of the Internal audit charter, internal audit activity regulations and procedures and other related guides that regulate the conducting of advisory activity. The internal auditor must refuse any request to provide advisory tasks which is prohibited by the internal audit charter, is contradictory to the internal audit activity regulations and procedures, or has no benefit for the organisation and does not serve its interests.

        It must be evaluated how reconcilable the advisory task is with the comprehensive task-plan of the internal audit activity. The task-plan of the internal audit activity, based on risk evaluation, can contain advisory tasks up to a suitable level and may build on these, at the same time ensuring suitable auditing coverage for the organisation.

       The general conditions, agreements, allocation of material to be prepared and other important factors of the advisory task must be documented in a written plan or agreement. It is essential that the internal auditor and the recipient of the advisory task are in agreement and also come to an understanding on what the reporting and communication requirements are.

Scope of work in the instance of advisory tasks

As we have seen above, the internal auditors must come to an agreement with the recipient of the service in respect to the goals and scope of the advisory task. Any reservations related to the advisory task, the value, property or possible negative effect must be communicated to the service recipient. The internal auditors must plan the scope of their work, ensuring that the expertise, compatibility, authenticity and reputation of the internal auditing activity shall be maintainable. When planning the provision of the official advisory task the internal auditors must define objectives with which they are able to fulfil the expectations of the service recipient. In the instance of special management requests the internal auditors may choose from the following steps if they see that the objectives to be reached go beyond those originally determined by management:

        Management must be convinced to involve the additional objectives among the tasks of the advisory activity; or

       The fact that the realisation of these objectives has not taken place must be documented and must be made known in the closing document relating to the performance of the advisory task; and

        The objectives must be attached to a later, independent assurance-providing task.

For the work-programs of the official advisory tasks the task objectives and scope must be documented, in the same manner as the method necessary and to be applied for the realisation of the objective. The form and content of the program can change depending on the character of the task. When defining the scope of the advisory task the internal auditors may increase or reduce this in line with the demands of management. At the same time the internal auditors must be satisfied that the planned scope of the work shall be suitable for the fulfilment of the task objectives. The advisory task objectives, scope and conditions must be reviewed from time to time and the necessary adjustments must be made during the performance of the work.

During the course of performing the official advisory task the internal auditors must pay attention to the effectiveness of the risk-management and the control processes. Exposure to substantial risk or substantial control insufficiencies must be set before management. In all instances the auditor must share their concerns with the managers and/or executive management. The auditors rely on their professional judgment in (a) evaluating and determining the exposure to risk and the importance of the insufficiencies, and the necessary steps in connection with these risks, and (b) clarifying what the opinion of managers and executive management is in relation to the reporting of all these to them.


The publication of the results of advisory task

Pursuant to Standard Number 2410. C1 of the IIA the publication related to the execution and advancement of advisory tasks may differ in content and format depending on the type of the task and the expectations of the client.

Pursuant to Standard Number 2440. C1 of the IIA the chief audit executive is responsible for informing the clients about the results of the execution of the advisory duties. The publication related to the execution and advancement of advisory tasks may differ in content and format depending on the type of the task and the expectations of the client. The reporting requirements are usually outlined by the client who requested the advisory duty, and the requirements also have to comply with the objectives discussed with the management. At the same time the format of the publication of the results of the advisory tasks has to accurately describe the type of task and every restraint, obligation or other attribute that the users of the information have to know about. In certain cases the internal auditor may decide to inform parties other than those who requested or are entitled to the service about the results. In such cases the internal auditor has to extend the circle of the addressees of the report in order to send it to everyone competent. For a satisfactory solution the following steps have to be taken when extending the circle of addressees of the report:

1.      The content of the contract concerning the advisory task and the related communication have to be determined.

2.      An attempt has to be made to persuade those who requested or are entitled to the service to voluntarily extend the circle of communication to everyone competent.

3.      The instructions concerning the communication of advisory duties given by the Internal audit charter and other regulations ruling the auditing activity and procedures have to be determined.

4.      The instructions given by the organizational behaviour codex, ethics codex or other relevant regulations, administrative or procedural directives have to be determined.

5.      The instructions given by the Standards of the IIA and the Ethical Code of the IIA or other standards and rules applicable for the auditor and any other legislation or legislative obligation related to the matter have to be determined.

The internal auditors have to inform the management, the executive management or any other managing body of the organization about the type and scope of the advisory task and its general results. This has to be fulfilled as well as any other reports about the internal auditing activity. The internal auditors have to inform the management about the use of funds available for the audit. Neither the reports related to the advisory tasks nor the specific results have to be communicated. The accurate description of the advisory task and the communication of the major recommendations are obligatory and also important so that the internal auditor fulfils the requirements involved in Standard Number 2060 of the IIA (“Reporting to executive management and management”).

Requirements of documentation when executing advisory tasks

Pursuant to Standard Number 2330. C1 of the IIA the chief audit executive has to determine the rules of data storage and preservation related to the execution of the tasks and also has to regulate how the data can be transferred to internal and external parties. These rules have to comply with the instructions of the organization and all other related regulations and requirements. The internal auditors have to document and support the results of the executed tasks in order to fulfil the official advisory task and achieve the objectives. However, the documentation requirements of the tasks providing proof do not always match those of the advisory tasks.


It is advisable for the auditors to determine and apply a regulation regarding data preservation and also to deal with related problems. These problems include, for example, the handling of registers prepared during the execution of advisory tasks for the adequate protection of the organization and also to avoid any misunderstandings due to the request for the use of registers. Special handling of registers related to the advisory task might be necessary in the case of situations resulting in legal procedures, concerning legislative requirements, tax and accountancy matters.

The follow-up of the execution of the advisory tasks

Pursuant to Standard Number 2500. C1 of the IIA, during the internal auditing activity the results of the advisory tasks have to be followed up to the extent agreed with the client.

The internal auditing activity has to follow up the results of the execution of advisory tasks to the extent agreed with the client. The different types of advisory tasks require the application of a variety of types of monitoring techniques. The monitoring task depends on various attributes, for example on the management’s particular interest in the execution of the advisory tasks, and is also dependent on the way the internal auditor evaluates the risk of the project or the value of the project to the organization.

2.     Preparation of the internal audit planning, risk assessment

Pursuant to point b) of article 12 of the IAD, it is the duty of the chief audit executive to “assemble the strategic and annual audit plans supported by risk assessment, the execution of plans after the approval of the head of the PBO and the follow up of their implementation”.

The preparation of the planning involves the steps prior to risk assessment and the risk assessment itself.

During the preparation prior to the risk assessment the internal audit body:

        analyses the external and internal control environment in order to identify changes that have to be taken into account during the audit planning;

        identifies the processes and process owners[1] and discusses the relative importance of the individual processes to the objectives of the organizations with the management;

        discusses what the management expects of the internal audit;

        interprets the objectives of the organization;

        determines the internal audit focus together with the management;

        prepares the risk assessment criteria matrix together with the management, which is a primary tool of risk evaluation.

The chief audit executive directs the preparation process of the planning; the internal auditors actively contribute to their work. Standard Number 2010 and the related practice manual of the IIA give an overview of the main criteria of the planning process.

Document sample Number 23 belonging to this manual contains the checklist applicable when preparing the internal audit planning.

A.                     The steps of planning preparation


General assessment

As part of the general assessment the external and internal control environment of the PBO have to be evaluated. During the evaluation the internal audit body assembles and analyses the provided information related to the changes in the operational conditions and processes of the organization.

Main sources of change of the environment:

        Changes in legislation in Hungary and in the European Union;

        Changes in the economic, political environment;

        Changes in the strategy and objectives of the organization;

        Changes in the internal organization;

        Changes in the internal procedures, audit trails, manuals.

These changes are especially important in order to identify the risks within the processes of the organisation; this is why the internal audit body has to aim for gathering all information about the management of the PBO and the individual departments.

The general assessment does not mean that the internal audit body regularly carries out specifically general assessments but that it continuously gathers up-to-date information about the (financial) management and control environment of the PBO. The aim is to get to know the main attributes of the area that has to be classed as auditing tasks during the planning or as tasks to be fulfilled during the actual internal audit or has to be assessed during the actual internal audit. As the result of the general assessment the basic operational questions of the PBO have to be “open books” to the internal audit body.

Identification of processes and process owners

The internal audit activity focuses on the audit of operational processes of the organization. These processes are set up and function in order to achieve the objectives of the organization. Therefore it is especially important to take into account the operational processes of the organization and to identify the process owners, that is, the persons within the organization who are primarily responsible for the execution and operation of a given process. (See Document sample Number 3: List of processes)

The processes of the organization have to be grouped according to main processes (e. g.: administrative background), which can be divided into sub processes (e.g.: human resources, legislative background). The prepared audit trails help in the identification and understanding of the processes of the organization. The audit trails and operational processes are not the same and are not synonyms. The preparation of the audit trails presumes that the operational processes have been accurately and fully identified at the given PBO.

The audit trail is the description of the executive, financial operational and control processes in a textual form or presented in a table or with flow charts. The audit trail is prepared by the head of the PBO.

Laying down the internal control focus


The internal control focus includes the view and ideas of the management of the PBO about which areas the internal audit body has to concentrate its resources on. The determination of the internal control focus during working sessions and meetings is one of the most important steps of the planning preparation process. The internal control focus helps the internal audit body to rank the high-risk processes and to determine the resource allocation between the audited activities and departments.

The internal control focus has to be determined considering the objectives of the organization and the special requirements that the management of the organization has for the internal audit.

The objectives of the organization

The internal audit body has to discuss and evaluate the annual objectives of the organization with management of the PBO in order to use its audit resources to achieve these goals. Whereas some objectives remain unchanged over a long period of time (e.g.: compliance with EU operational directives), every year new objectives can emerge (e.g.: smooth introduction of new IT system for data processing). The attributes critical to the fulfilment of objectives have to be discussed with the management of the organization.

The discussions about these questions are held on executive level by the management of the PBO and the internal audit body. During the risk assessment and the execution of the audit these matters are determined in detail together with the process owners.

The requirements of the management

The requirements of the management mean the determination of which questions, tasks the management wants the internal audit body to deal with during the proof provision and advisory activity.

The management may have special requirements from the internal audit body. These requirements arise from the main individual concepts regarding the operation of the organization (e.g.: compliance with a special operational directive). These requirements have to be taken into account when preparing the annual audit plan.

The management’s requirement to use the audit resources on peremptorily chosen audits is subject to agreement. In addition, management’s requirements that aim at the basic operational order of the internal audit (if any) are also subject to agreement.

The establishment of the internal control focus

Pursuant to the accepted organizational objectives and agreed managerial requirements the internal control focus has to be formed by the internal audit body and the management together. The internal control focus determines the primary elements along which the auditors will assess the risks and on which the internal audit body will concentrate in order to fulfil its tasks (see Document sample Number 4: Internal control focus sample).

Analysis and discussion on the critical processes with the management of PBO.

The relative significance of operational procedures compared to the internal audit focus can be high-, mid-level- or low-level depending on:


        the relative importance of each element of the internal audit focus (e.g.: What is the most important objective?);

        the relative importance of the processes (e.g.: Is the given process critical in respect of achieving the objectives?);

This analysis shall be carried out jointly with the management of the PBO. A joint agreement shall be made on the global assessment of the importance of the processes. It is expedient to use the matrix specified in Document sample Number 5 for the purpose of the analysis.

It is important to note that all this is not a debate on the relative risk of the processes, but a method for defining the most important processes in respect of the accepted internal audit focus. Findings of both the analysis and mapping as well as those of the global risk assessment of the processes shall be considered with a view to establishing the final findings of the risk assessment.

Preparation of the Risk Criteria Matrix (RCM)

The Risk Criteria Matrix is the primary tool used for carrying out consistent risk assessment on the processes of the organization (see Document sample Number 6, sample RCM). Every risk can be determined on the basis of the following criteria: the negative impacts of the risk on the objectives of the organization and the probability of its occurrence.

Practical Guide Number 2120 A4 issued by the IIA specifies that appropriate criteria are necessary to be developed for the assessment of the controls. Internal auditors have to examine the conditions on the basis of which the management of the given organization sets up the criteria that ensure compliance with the objectives.

First of all the internal audit unit – jointly with the management of the PBO – shall define the analysis criteria. Criteria shall mean “aspect/condition” while criteria matrix shall mean “system of aspects/conditions”.

Requirements in respect of the RCM:

        it shall be developed jointly with the management of the relevant organizations and shall be approved by them;

        it shall include risk factors harmonized with the elements specified in the internal audit focus;

        it shall be based on the accepted “risk appetite” (tolerance level).

The RCM provides the following analysis order for defining the impact of an identified risk: impacts of the risk factor on the objectives (which may be high, medium or low) and probability of occurrence of the risk factor (which may also be high, medium or low).

The analysis categories assigned to each risk factor of the RCM are based on the risk tolerance of the management of the relevant organizations. These tolerances correspond to the management's attitude to risks as well as the significance of the objective the risk factor evolves from.


In the course of the risk assessment each identified risk shall be assessed by using the RCM. Following such assessment, available information and estimates on the impacts and probabilities shall be integrated to analyse the identified risks comprehensively (see the chapter on Risk assessment).

It is important to mention the fact that application of the RCM cannot provide for total objectivity of the risk assessment process. Nevertheless, in order to facilitate the process, it provides guidance, thus providing the opportunity for internal audit units and management of organizations to carry out more consistent analysis on the organization. Since criteria are developed and defined jointly with the management of the organization, this risk assessment method shall reduce probability of disputes between process owners.

B.                     Risk assessment

Standard Number 2110 of the IIA stipulates that the internal audit unit shall provide the organization with assistance in identifying and assessing the fields exposed to significant risk and shall contribute to the improvement of risk management and control systems.

The risk assessment process is aimed at identifying, analysing and documenting risks along the processes of the organization and at the main organizational units. Risk assessment is the first step in harmonizing the annual audit activities with the internal audit focus developed jointly with the management of the PBO. It is risk assessment that provides the most important information necessary to prepare the internal audit activities (concrete audits).

The risk assessment process is managed by the Chief audit executive, who involves internal auditors in the work when necessary and informs them on every single step. Standard Number 2110 of the IIA stipulates that internal audit planning shall be based on risk assessment.

The checklist for the risk assessment is included in Document sample Number 24 which comprises a part of this manual.

Understanding of the processes

In order to identify the main risks of the processes, as the first step, internal auditors have to understand the main processes. To fully understand the processes it is necessary to make interviews and organize working meetings with the persons in charge of the processes (process owners) and if necessary key persons involved in the process.

The meetings with the process owners shall be aimed at understanding the specific characters gradually taking general relationships as starting points. Besides concentrating on the internal audit focus, the meetings shall be aimed at identifying the following:

        aims and subjects of the processes: this means it is necessary to learn the aims and subjects of the processes as well as the main factors defined by the management considered to be important with a view to achieving the aims. Aims of the processes have to be directly linked to the objectives of the organization as well as other existing objectives (e.g.: compliance with legislation);

        general description of the process: starting and ending points, key inputs and outputs as well as changes of the processes, partial processes, and technological impact of information on the process as well as other relevant and important information;

        key performance indicators (KPI), with special regard to the following:
                o key performance indicators may be used for monitoring the process from the aspect of critical success factors and organizational objectives;
                o applicable procedures in case key performance indicators are poor;
                o external and internal benchmarking of the key performance indicators with a view to improve process performance continuously.

Identification of risks

Having learned and understood the main process in detail, the internal audit unit shall be able to identify significant risks related to the process. Every event, activity and omission which hinders achieving the organization’s objectives shall be qualified as a risk. Every risk has two basic characteristics:

        cause (e.g.: any event, activity or omission that is likely to occur, i.e. has a probability);

        impact (e.g.: impact or influence on achievement of the organizational objectives).

Answering the following questions, related to the internal audit focus and the characteristics of the procedure, helps to identify significant risks:

        Which factors have to function well in order to have the process functioning in compliance with the objectives?

        What errors or weaknesses within the process may hinder achievement of the objectives?

        Is any condition involved in the process that may result in financial or other losses?

Identification of the main check points

Check or control points are process elements, i.e. critical points developed by process owners where important control steps are implemented in order to provide for effective functioning of the process. During risk assessment the most important check points need to be identified, i.e. the internal audit unit has to see the system of check points. While identifying such points, it is important that the internal auditor understand and document information in order to link check points and the significant risks identified (see Document sample Number 7, Risks and audits of processes).

Analysis of unique risks

While identifying risks, unique risks of each main process shall also be assessed and aggregated; this procedure provides for obtaining general and risk centred evaluation on the main processes. Consistency of the evaluation is ensured by the RCM – as a basic tool for risk assessment – developed during preparation of planning. Appendix Number 5 of this manual includes two further risk assessment models as assistance.

In order to provide an initial assessment on the unique risks, the internal audit unit shall compare probability of occurrence and impacts of the risks with the evaluation criteria as per the RCM. However, the RCM serves solely as guidance to carry out this task since it may happen that the unique character of the risks is not covered by the characteristics specified in the RCM, or they may relate to other elements of the RCM. Thus the internal audit unit shall define risk values in respect of the RCM on the basis of its own opinion.

After this the internal audit unit may aggregate the evaluation of impacts and probabilities relevant to the unique risks. Based on this, the unit classifies the risk comprehensively and indicates its weight and importance by using the RCM as shown below:

| Impact \ Probability | Low | Medium | High |
|----------------------|-----|--------|------|
| High                 | M   | H      | H    |
| Medium               | L   | M      | H    |
| Low                  | L   | L      | M    |

Standard Number 2120.A.1 of the IIA stipulates that the internal audit unit shall evaluate appropriateness and effectiveness of the regulations that regulate the management, operation of and the information system of the organization on the basis of the results of risk management.

Aggregation of unique risks by processes

Having identified and classified unique risks from the aspect of importance, they shall be classified by processes. Based on this classification, the internal audit unit shall make up a list of the risks of the main process. This list is the so-called inherent risk list. It is called inherent because no in-depth analysis of the controls has been conducted at this stage. Such in-depth analysis shall be conducted in a later stage of the internal audit.

In this stage of the risk assessment the effectiveness of risk management by the controls must not be considered. Since at this point the details and effectiveness of the identified check points and/or processes still need to be verified, the internal audit unit cannot take into account the impacts of check points or processes on the risks. This process shall be carried out during the internal audit.

Preparation of a complete assessment on the process

In order to come up with the final results of the risk assessment, the internal audit unit shall compare the results of the comprehensive risk assessment of each process with those of the identification and analysis of the significance of operational processes. In this comparison the following components shall be described:

        the significance, importance of the examined process,

        the risk of the examined process.

The final conclusion, i.e. the “global risk assessment”, shall be developed on the basis of these two factors.

The final outcome of the assessment shall provide appropriate information on the priorities in respect of the allocation of audit resources in the planning stage of auditing. (See Planning of internal audit and Document sample Number 8 Aggregation of the risk assessment).

It is important that the internal audit unit rely on its own professional judgement when developing the final results of the risk assessment. The final results of the risk assessment shall be discussed with the management of the PBO and persons responsible for the most important processes in order to provide a joint interpretation of the logical principle applied as well as an agreement on the results of the risk assessment.

Standard Number 2100 of the IIA stipulates that the internal audit unit shall assess the risk management activities, management and control systems of the given organization methodically via a system-based approach and shall facilitate their improvement.

3. Planning of internal auditing

Pursuant to Article 18 of the IAD, the chief audit executive shall prepare a strategic plan and an annual audit plan based on risk assessment. The strategic and the annual audit plan shall be approved by the head of the PBO.

Standard Number 2100 of the IIA stipulates that internal audit planning shall be based on risk assessment.

A check list used for internal audit planning can be found in Document sample Number 25 which comprises a part of this manual.

The following basic principles shall be observed during internal audit planning:

a) Planning shall be based on risks and processes

On elaborating the priorities of audit tasks the chief audit executive shall proceed by considering the results of the process-based risk assessment.

b) Planning shall be future-oriented

Planning shall cover four to six years. The earliest dates shall be set for the examination of processes with the highest risk. Such processes shall be included in the internal audit plan regularly, every 1-2 years.

c) Planning shall be continuous

The principle of rolling planning shall always be observed in the course of planning; the strategic audit plan shall be upgraded every year. At the end of the year concrete tasks shall be determined for the next year and the objectives set for the period covered by the strategic audit plan shall be revised.

d) Planning shall be flexible and upgraded

Audit planning shall be adjusted to changes affecting the organization. It may happen that fields classified as significant risk factors at one time turn out to be non-significant factors later on, and vice versa. Thus, it is necessary to assess the risk structure of the organisation every year and audit plans have to be modified accordingly.

A. Strategic planning

Pursuant to Article 19 of the IAD, the chief audit executive – in accordance with the long term objectives of the PBO – shall elaborate a strategic plan that specifies strategic developments in the field of internal auditing.

The internal audit strategic plan, similar to the long term plans of the PBO, shall cover 4 to 7 years. The strategic plan – pursuant to the Internal Audit Charter – shall be approved by the head of the PBO. With regard to Article 19 of the IAD, the strategic plan shall contain the following:

        long-term objectives of the organization and internal audit objectives harmonized with the long-term objectives;
        material and informational requirements of internal auditing;
        evaluation on the internal (financial) management and control system;
        risk factors as well as their assessment;
        the internal audit development plan;
        appraisal of the number of auditors and qualifications required;
        long term training plan for the internal auditors;
        audited fields, taking into consideration changes necessary to be implemented in the structure or activity of the organization.

The internal audit strategic plan shall contain statements on the comprehensive objectives of internal auditing, risks of processes as well as on the development directions of internal auditing instead of concrete audit programmes.

A proposed sample of the strategic plan specified by Article 19 of the IAD can be found in Document sample Number 9.

B. Annual audit plan

Pursuant to Article 21(1) of the IAD, the annual audit plan shall be elaborated by the chief audit executive in line with the strategic audit plan before the consequent year and it shall cover one year. The annual audit plan shall describe in detail the audits planned for the consequent year.

Pursuant to Article 21(2) of the IAD, the annual audit plan shall be based on the priorities laid down by risk assessment and the resources available for internal auditing.

Pursuant to Article 21(3) of the IAD, the annual audit plan shall contain the following:

        analysis that served as a base for the audit plan, with special respect to the risk assessment;
        the subjects of the planned audits;
        the aims of the audit tasks;
        the period to be audited;
        the necessary audit capacities (resource demand);
        types and methods of audits;
        the schedule of the audits;
        the names of the audited organizations or units.

The annual audit plan shall be established in a way enabling implementation of ad hoc audit tasks not included in it, if required.

Pursuant to Article 21(6) of the IAD, ad hoc audits shall be executed if the head of the PBO proposes so or the chief audit executive initiates them.

Ad hoc audits shall be necessary in the case of unexpected occurrences, thus it is impossible to define the exact number of ad hoc audits and the resources needed to implement them. As a general rule 20-30% of the available annual audit resources shall be separated during annual planning for ad hoc audits.

Pursuant to Article 22(2) of the IAD, the chief audit executive of the PBO shall send the annual audit plan for the year following the consequent year to the head of the internal audit unit of the PBO managing the relevant chapter, by 15 November every year.

The chief audit executive – in agreement with the head of the PBO – is entitled to amend the annual audit plan.

Standard Number 2020 of the IIA and the related Practical Guide stipulate that the chief audit executive shall submit the internal audit plan to the head of the organization, and shall provide them with information on the resource demand as well as on possible changes of these. The chief audit executive shall also be responsible for informing the head of the organization about resource problems endangering the implementation of the plan.

A sample of the annual audit plan can be found in Document sample Number 10.

C. Division of resources

The division of resources is a key step from the point of assuring the realisation of the auditing plans. In the course of assessing the resource needs of the planned audit first of all the following must be considered:

        The importance of identified risks;
        The level and type of the planned audit;
        The complexity of the activities to be audited;
        The level of the knowledge available in connection with the activity;
        Auditing experience gathered earlier in connection with the activities and within the fields to be audited;
        Qualifications and competence of the auditors.


The number of audit days necessary for the planned audits can be assessed by way of a survey on resource need.

The inspection processes and methods necessary for the realisation of the audit must be selected on the basis of the audit objectives and tasks and on the basis of the result of the risk assessment.

Standard Number 2030 of the IIA defines that the chief audit executive must ensure the division of resources adequate and effective for the realisation of the internal auditing plan.

4. Preparation for auditing

Execution of auditing means the systematic accomplishment of the audits included in the annual auditing plan. The main goal of the execution process is to define whether the controls created to handle the main risks within each audited process and field are adequate, to declare whether the processes work in accordance with the expectations, and to realise whether the needed auditing points or processes are incomplete.

The audits are completed by the internal auditors, who take responsibility for the quality and the completeness of the completed auditing job. The chief audit executive appoints the audit team leader, who is the person responsible for elaborating the program of the given audit and for performing the auditing tasks.

In the course of the preparation for the auditing, the chief audit executive must ensure that the objective and the subject of the auditing are defined, that adequate auditing resources are available, and that the audit program (see 5.1.5 for details) is prepared. The preparation process must be based on the main risk factors and must have regard to the audit objectives identified in the course of the risk assessment.

A check list to be used for the preparation for the internal auditing can be found in Document sample number 26 attached to the present manual.

A. Planning of implementation

Standard Number 2201 of the IIA defines that when planning the execution the internal auditors must pay attention to the following:

        The objectives of the activity / process to be examined and the tools with the help of which the performance is being controlled during the activity;

        The important risks, objectives, resources and operations connected to the activity and all the tools with the help of which the potential impact of the risk can be held at an acceptable level;

        The effectiveness, adequacy of the risk management and control system of the activity compared to a valid control frame regulation or model;

        The available possibilities to significantly improve the risk management and control system of the activity.

 Collecting available background information  


The audit team leader examines the information available in connection with the audited process, organisational unit and activity; these resources may be the following:

        The risks and objectives identified during the course of the risk assessment and audit planning;
        Relevant laws, decrees, regulations and guidelines;
        Prepared audit trails;
        Operational manuals and other written rules of procedures, internal regulations;
        Making use of the work of others:
                a) Internal audit documentation from previous years;
                b) Audit reports of audits previously performed by external auditors or other organisations (European Audit Office, Auditors of the European Committee, State Audit Office, and Government Audit Office etc.).

Defining the objectives of the audit

The task of the audit team leader is to specify and finalise the objectives of the audit formulated during the course of the audit planning. The formulation of the objectives of an audit, in a broader sense, means defining what the audit is oriented towards. The objectives must consider the characteristics of the risks identified in the course of the risk assessment.

Standard Number 2210 of the IIA emphasises that the objectives of the audits must be defined for each audit task.

In connection with the above, Standard Number 2210 A1 points out that for the definition of the objectives the internal auditors have to perform an ex ante audit risk assessment regarding the examined activities. The objectives of the audit task must reflect the result of this risk assessment.

An example of the objectives of audits can be found in Document sample Number 10 (Annual audit plan sample).

The audit approach method

There are basically two options for obtaining the sufficient and adequate audit evidence necessary for the realisation of the objectives of the audit: A) the system-based method or B) the direct substantive testing method. If there are no limitations regarding the audit approach method, then, depending on the estimated and assessed risks, one has to decide on the approach methods to be used on the basis of professional judgement, with the requirement of the efficiency of the audit work in view in each case. The decision regarding the audit approach method to be used must be made in the course of the planning and preparation of the audit task.

A) The system based method

Applying the system based audit approach method (SBA) means that to obtain the necessary audit assurance the auditor has to rely on the examination and evaluation of the reliability of the internal control system and control approaches of the audited organisation, activity or project, and performs only the least necessary direct, detailed inspections.


The system-based approach is applied by way of the following steps:

        identification (definition), thorough analysis and evaluation of the relevant key internal control functions in order to decide to what extent the created internal management, regulation and control system (internal control system) and its operation may be trusted;

        examination of the key control elements in order to establish whether they were operating effectively during the whole period examined;

        evaluation of the result of the examination of the key control elements to establish whether the experienced reliability level is acceptable;

        detailed examination of a certain number of transactions, for example to establish whether the annual budget report of the audited organisation is accurate and complete, the included transactions were lawful and regular and/or whether the economy, efficiency and effectiveness criteria are fulfilled.

The condition for applying the system-based approach is that the control system or the relevant control approaches assure a certain audit evidence level usable by the auditor. If the control risks are assessed at medium or low level, it is theoretically possible to apply the system-based approach.

B) Direct substantive testing

Direct substantive testing (DST) has to be used when the objectives of the audits cannot be achieved by relying on the examination of control systems. In such cases the examination of the systems is inadvisable, except when there is a specific expectation upon the audit to assess the operation of the internal financial management, regulation and control systems of the organisation.

Through direct substantive testing no evidence can be obtained about the adequate operation of the internal control system (because in this approach the examination of these systems does not take place and there is no evidence for their efficiency).

The final decision therefore depends on the consideration of which approach is more economical and efficient for performing the whole audit task, and within this, from the point of reaching all the objectives. For the decision, the basic requirement must be considered that, when the system-based approach is applied, a certain number of direct examinations must be completed in any case alongside the detailed testing of the controls in order to achieve a high level of evidence.

Defining the scope and the subject of the audit

During the course of setting up the subject of the audit the audit team leader defines what the audit should include and towards what the audit is orientated. This can be defined with the help of the knowledge gained about the process in the course of risk assessment, background information and the objectives of the audit. The subject of the audit must consider all relevant and important systems, registers, employee and material assets, etc., which are connected to the activity.

The subject definition is adequate if it assures that the auditor can make a well-founded judgement on the adequacy of the controls which are to manage the identified risks and can furnish proper evidence connected to it.

An example of audit subjects can be found in Document sample Number 10 (Annual audit plan sample).


Exact definition of the resources

The audit team leader completes the resource estimation set up during the audit planning again on the basis of the objectives and subject of the particular audit, and makes sure that the extent of the necessary resources is adequate for the achievement of the defined objectives. In the course of the final definition of the number of auditors taking part in the audit, the nature and complexity of the audit, the time-frame and the experience, know-how and expertise of the auditors must be taken into account.

Preparation of the audit programme

According to Article 23 (1) of the IAD, the chief audit executive or an auditor appointed by him/her (audit team leader) shall develop an audit programme for each audit task and shall appoint the internal auditors for the task.

Based on the identified risks, the objectives and scope of the audit, the audit team leader, on the basis of Article 23 (1) of the IAD, has to consider the following questions upon the elaboration of the detailed audit programme:

        the available information on the operation, management of the audited organisation, or unit;
        subject and scope of the audit tasks;
        the objectives of the audit tasks;
        results of previous audit tasks performed at the audited organisation or unit;
        expertise and capacity necessary for the accomplishment of the given audit;
        time and scheduling necessary for the accomplishment of the given audit;
        the potential incompatibility between the auditor and audited organisation or unit, its managers and employees;
        objectives and extent needed to achieve the audit objectives including the used sampling methods (see Appendix Number 6: Sampling);
        nature and range of the needed testing, including the way of testing the control points and processes (controls), the substantive testing and the usage of check lists (see Appendix Number 7: Testing of control points or processes and Appendix Number 8: Substantive testing).

Pursuant to Article 23 (4) of the IAD, the audit programme contains the following:

name of the organisation or unit performing the audit, name of the audited organisation or unit, the subject of the audit task, the detailed tasks of the audit task, the objective of the audit task, the period to be audited, reference to rules of law or other authorisation enabling the audit, methods to be used, audit questionnaires, names of auditors, experts and the audit team leader, the identification number of their letter of appointment and the separation of responsibilities, the estimated time needed for the audit activity, deadlines for preparing the reports, date of issue, the signature and seal of the person entitled to grant approval.

Pursuant to Standard Number 2240 A1 of the IIA the procedures with the help of which the information is being discovered, analysed, assessed and registered in the course of performing a task must be recorded in the work programmes.

Pursuant to Article 23 (2) of the IAD, prior to the audit the person performing the audit activity has to get acquainted with the relevant legislation, regulations, internal rules of the organisation or unit to be audited, previous audit reports regarding the field to be audited, and the annual reports prepared within the audited field with reference to the period to be audited. The internal auditor shall also assess the audit trail of the audited organisation or unit and use it as a guideline for his audits.

In accordance with Article 23 (3) of the IAD, the audit programme must be approved, prior to commencement of the work, by the chief audit executive. The audit programme can only be extended with the approval of the chief audit executive; the amendment of the audit programme can only be initiated by the audit team leader.

Pursuant to Article 23 (5) of the IAD, the chief audit executive shall supervise the accomplishment of the audit programme.

An example of an audit programme can be found in Document sample Number 11.

  Examination procedures and methods

In accordance with Article 26 (1) of the IAD, the audit procedures and methods must be selected in accordance with the audit objectives and tasks and on the basis of risk assessment, and may be as follows:

        a) analysis and assessment of the rules of procedures and system regulations;
        b) analysis and assessment of financial, accounting and statistical data, budgets, reports, contracts and programmes;
        c) testing of the operation of processes and systems;
        d) evaluation of documents and records;
        e) auditing based on direct observation (interviews, stock-taking, on-the-spot visits, experiments, sampling);
        f) information system testing procedures.

B. Administrative preparation

Preparation of the letter of appointment

In accordance with Article 24 (1) of the IAD, the internal auditor, including the external experts, must be provided with a letter of appointment, signed by the chief audit executive. The letter of appointment of the chief audit executive shall be signed by the head of the organisation.

If at a PBO the internal audit tasks are executed by one person, the letter of appointment, based on what is included in the Internal Audit Charter, shall be signed by the head of the PBO.


In accordance with Article 25 (4) of the IAD, at the beginning of the field work the auditor is bound to present his letter of appointment to the head of the audited organisation or unit or to their authorised representative. An example of a letter of appointment can be found in Document sample Number 12.

Notification of the head of the audited organisation

In accordance with Article 25 (3) of the IAD, the head of the audited organisation or unit must be notified of the on-the-spot audit, orally or in written form, at least 3 working days prior to the start of the audit. Within the scope of this, the chief audit executive provides information on the objective and form of the audit, the authorisation, and the expected duration of the audit. Prior notification does not have to be given if, on the basis of the available information, it could prevent the successful undertaking of the audit. It is the chief audit executive who decides on the omission of the prior notification. An example of a notification letter can be found in Document sample Number 13.

Registry of the time requirement of the audit

It is important to keep a registry of the audit days accurately, because it indicates the efficiency of the internal audit, helps in the planning of the time requirements of subsequent audits, and provides a basis for the strategic development of the internal audit. The internal auditors keep a registry of the accounted working hours devoted to the accomplishment of the given audit. On the basis of the audit days the working hours used for the given audit are defined in the time requirement registry part of the audit register.

5. Implementation of auditing

Field work means the execution of the audit programme, which leads to the detailed analysis and the assessment of the risks of the particular procedures and the related control points or processes (controls) and then ends with the testing and the assessment of these controls.

A check list, which can be used in the execution of the internal audit, is included in Document sample Number 27 of this manual.

The major tasks of the field work are as follows:

        Confirmation of the recognition and the understanding of the processes and activities on grounds of the interviews with the process owners and by personal monitoring of the processes;

        Confirmation of the recognition and the understanding of the risks and controls connected as well as assessing the additional risks identified in the course of the interviews;

        Testing and assessing the controls;

        Obtaining adequate, sufficient and reliable evidence related to the audit objective in order to reach audit findings;

        Maintaining continuous communication with the audited executives and notifying them about the audit findings.


In order to achieve the audit objectives and properly execute the audit programme, the internal auditor should: 

        Be aware of those issues which were not examined by the previous audits (the work-sheets of the previous audits will help to judge this);

        Ask about all unusual records or facts;

        Base his/her findings and conclusions on the analysis and assessment of the evidence;

        Keep a record of the exceptions and deficiencies recorded in the course of the field work, which will constitute the basis of the consultation with the audited executives in the final discussion.

A.    Opening discussion

The opening discussion usually takes place on the first day of the field work with the participation of the executive in charge of the audited area (i.e. the process owner), auditors taking part in the audit activity and (if possible) the chief audit executive. The main objectives of the opening discussion include:

        Information about the objective, the scope and the process of the audit;

        Collecting data necessary to commence the audit tasks;

        Setting up the time frame of the audit work to be performed at the audited organisation;

        Presenting the letter of appointment to the head of the audited organisation.

The opening discussion is the first step of the field work, therefore it plays a critical role in forming working relationships with the audited persons. Appropriate communication and cooperation with the audited organisation ensures that:

        The internal auditors receive the data necessary for the execution of the internal audit tasks in the requested form and within the required deadline;

        The audited persons can speak more openly about the tasks performed, the anticipated problems and their possible solutions;

        The findings and conclusions drawn by the internal auditors, as well as the proposals for measures based on them, will be more effective and more acceptable to the audited persons.

In order to achieve the abovementioned aims, continuous communication should be maintained with the audited persons during the execution of the audit, where the internal auditor should:

        be cooperative;

        develop professional relationships;

        inform the management about problems as they emerge;

        discuss the potential observations and proposals with the audited entity before writing the internal audit report.

B.    Use of audit work-sheets

The primary aim of the audit work-sheets is to support the findings and conclusions included in the audit report. From the outset of the audit, the work-sheets serve as the documentation of the work carried out by the auditor. They unequivocally attest to the nature and the scope of the work carried out, the procedures taken, the tests done and the conclusions drawn. The work-sheets should be prepared in such a way that the work performed, the documents and the findings can be understood by people who have little knowledge about the procedure. The work-sheets should enable the person revising the audit or the external auditor to follow the work procedure and the different stages of the audit, and they should establish a direct link between the conclusions and the planning.

In general the audit work-sheets:

        are the basis of the communication during the audit;

        form the basis for the discussions with the audited persons;

        serve as a basis for the revision of the audit procedure and its execution;

        provide assistance in planning, executing and revising the audits;

        give documentation on whether the audit objectives have been reached;

        facilitate the revisions carried out by a third party;

        form the basis for the assessment on the quality assurance process of the internal audit activity;

        promote the professional development of the internal audit staff;

        provide help with the training of the newly employed internal auditors;

        demonstrate that the internal audit activity complies with the International Standards for the Professional Practice of Internal Auditing;

        serve as a guide, background information and reference for the audits in the future.

Requirements regarding the work-sheets

Given the nature of the audit, the systematisation, the format and the content of the audit work-sheets can be different. However, in each case at least the following facts should be documented:

        the fact of planning of the internal audit including the fact of preparing the audit work program;

        the examination and assessment of the adequacy and efficiency of the control system;

        the executed auditing procedures, the collected information and the conclusions drawn;

        the revision of the audit job;

        the communication between the auditor and the audited person;

        follow up of the audit and ex-post audits.

Documents which are frequently used as audit work-sheets include:

        the audit trail of the audited organisation;

        the original document (or its duplicate) formed or applied by the audited organisation in regard to the process or the task which constitutes the subject of the audit;

        documents of former audits;

        the minutes taken of the discussions with the audited persons;

        the flow description or the flow chart of the operation of the audited organisation;

        the description of testing performed by the internal audit units;

        the questionnaires made by the internal audit units;

        the duplicates of the laws and decrees regulating the field or procedure which constitutes the subject of the audit;

        written guidelines and processes applied by the audited organisation.

The work-sheets made by the auditor (e.g. minutes of discussions, flow descriptions) summarize the key information related to the execution of every single step included in the audit programme. In order to achieve this, the work-sheet should contain the information below (see the sample in Document sample Number 14):

        the heading,

        the audit objective,

        the source of the information obtained,

        the description of the procedure and / or the control,

        the findings and conclusions of the audit,

        the list of evidence,

        comments made in the course of the revision,

        signature.

The work-sheets should be prepared with consistent content and formal elements and in a transparent way so that they can facilitate revision. Therefore they should:

        be clear, concise and complete;

        be 'economical', i.e. they should avoid unnecessary repetitions or lists;

        be logical and written in a consistent style;

        be confined to the relevant and significant information;

        be written in a simple style.

Each work-sheet should be numbered so that the work-sheets can be systematized:

        The number on the work-sheet should refer to the steps of the audit programme.

        The steps of the audit programme should be numbered in an appropriate order, e.g. the 1st step of the audit programme should be referred to by the 1st work-sheet.

        If more than one work-sheet is made for one programme step, the work-sheets should be numbered in the following way: 1-1, 1-2, 1-3, etc.

Cross-reference should be made in order to facilitate the revision by the chief audit executive, the identification of the information on the work-sheet and the preparation of the audit report. The cross-reference links a particular, individual number or fact to another work-sheet, thereby ensuring that:

        information on one work-sheet is identical with the information on the other work-sheet;

        every single step of the audit programme is performed and documented;

        every finding is supported by adequate evidence.

 


The cross-reference should be marked by writing the number of the relevant work-sheet (reference number) next to the cross-referred information. Cross-reference between work-sheets should only be made in the case of key information.

Revising work-sheets

It is the responsibility of the chief audit executive to ensure appropriate management revision with respect to the quality and adequacy of the work-sheets. Following the revision the auditor puts his/her signature and the date on each work-sheet as evidence of the revision.

If possible, the managerial revision should take place immediately after closing the work-sheets. The observations of the auditor should be attached to every work-sheet package as revision comments. The work-sheet cannot be regarded as complete until the questions raised by the auditor are settled and the fact of the settlement is recorded on the work-sheets. The revision should define whether:

        the audit procedure and the individual audit steps have been performed in accordance with the audit programme;

        the responses to the particular instructions have been recorded properly;

        the audit work has been performed properly;

        the observations and the conclusions are reasonable, sufficient and based on adequate evidence;

        the audit programme and the audit steps have been fully accomplished;

        the consultations with the audited entity have taken place;

        any arguments with the audited organisation have been settled; and

        the abovementioned instructions regarding the preparation of the work-sheets are followed.

Access to audit documents

In general, the audit folder including the audit work-sheets remains in the possession of the internal audit unit in the course of the field work as well as in the following period. It should be ensured that unauthorized persons cannot access the documents of the internal audit unit. Any request regarding access to audit materials should be addressed to the chief audit executive, who is responsible for the supervision of the audit documents. This rule is reinforced by Standard Number 2330.A1 of the IIA.

The management of the PBO, other members of the organisation or an external party (e.g. external auditors) can request access to the audit work-sheets as they are indispensable for them to verify or define the audit findings and suggestions, and to use the documents for other purposes. These access requests should be approved by the chief audit executive; if the access request comes from an external party, it should also be approved by the head of the organisation. As a general rule, the audit work-sheets should be retained by the internal audit unit. The audit work-sheets and documents should be stored in a safe place.

Data and secret protection


The internal auditor is obliged to learn the provisions and regulations regarding the protection of qualified data, to declare this in writing and to act accordingly. Infringing any regulation on secret protection involves legal actions (criminal, infringement and employment law); therefore it is necessary that persons performing the audit are aware of the general and specific rules and regulations concerning the given audited organisation and subject.

C.    Fundamental examination procedures, techniques

In the course of the audit, the internal auditor may and should apply different direct and indirect methods to draw his/her findings and conclusions, to form opinions and to obtain supporting evidence; additionally, he/she may and should apply logical procedures and techniques for processing the information obtained with these methods.

Analytical procedures

Analytical procedures mean the examination of the relevant proportions and trends in the information gained, in order to decide whether the audited information about the audited entity and its activities is consistent with the internal auditor's knowledge as a whole. The analytical procedures should be applied during the preparatory phase of the audit (planning) as well as in the course of the field work (e.g. interview; assessment of the control points or procedures). If the analytical procedures show a result which contradicts the information gained from different sources, the inducing circumstances and causes should be examined, and adequate evidence should be obtained for their explanation. Therefore it should be carefully considered whether the analytical procedures are suitable to obtain the evidence necessary to achieve the objectives of the audit.

Sampling procedures

Sampling is a special technique for the performance of the itemized audit procedures, in which the internal auditor projects the findings drawn from testing the items selected from the data file to be audited onto the entire data file (e.g. testing). When planning the audit sampling, the particular audit objectives, the population of the sampling and the size of the sample should be considered. Sample items should be selected in such a way that the sample represents the population of the sampling.

Following the testing of the items selected for the sample in accordance with the audit objectives, in the course of the assessment of the sampling results, any mistakes discovered in the sample should be analysed and projected onto the entire population, and the sampling risk should be re-assessed.

The itemized tests can only be interpreted for the individual operations, transactions and data but not for the transfers (wages, cash, miscellaneous etc.) used in the accounts. When forming and analysing the samples, the internal auditor should consider the use of professional assistance.


The sampling unit depends on the objective of sampling. The internal auditor may reduce the degree of uncertainty related to the sampling by increasing the size of the sample or by applying a more effective procedure, if there is one. When selecting the samples it should also be considered that, prior to sampling, the big and significant items should be singled out from the population for itemized control, so that the samples represent the rest of the population. Further specification of the sampling can be found in Appendix Number 6.

D.    Interview, as a tool for analysing processes and risks

The auditors conduct interviews with the process owners and the staff involved in the processes in order to assess the processes and the risks. The aim of the interviews is to expand the auditors' knowledge of the processes, activities and the related control points. (See Document sample Number 15: Document for preparing interviews.) Based on the interviews, the auditor can describe the process with textual explanations or flowcharts, and can then expand his/her knowledge during the detailed audit of the processes when:

        the process is examined under operation;

        one or more transactions are followed through the whole process, from the beginning to the end.

In order to ensure effectiveness it is important that the auditor notes and assesses all identified risks and control points or processes (controls) that are not part of the original risk assessment or are not present in enough detail.

E.    Assessment of control points or processes (controls)

Based on the appraisal of control points and processes and the risks, the auditor assesses how efficiently the controls reduce the risks or how successfully they handle the risks. In this respect the tasks of the auditor involve:

        to directly relate the identified controls to the risks;

        to assess the efficiency of controls in order to prevent, identify and reduce risks;

        to assess the properties of controls (IT or manual);

        to assess whether the control point or process efficiently reduces the risk if there is only one control to be relied upon;

        to assess whether the control point or process is only efficient if it works together with other controls;

        to identify and note the areas that have an impact on the efficiency of the processes and related controls (e.g.: repeated or missing control points or processes).

During the assessment of control points or processes the auditor should continuously be looking for answers to the following questions:

        "What failures can occur in the process?"

        "What measures ensure that failures do not happen in the process?"

        "Are these measures suitable to reduce the risk to an acceptable level?"

 


The auditors have to pay particular attention to the fact that in most cases many control points or processes coexist to reduce a certain risk. In such cases, the auditor has to assess the combination of controls in order to determine whether it is efficient or not due to unnecessary control points or processes of less important process activities.

F.    The role of testing in the assessment of control points or processes (controls)

If the ongoing assessment of control points and processes justifies it, the original testing plan, which is part of the audit programme, has to be reassessed, revised and adapted according to the results of the assessment. The aim of the testing is to determine whether the controls of major risks fulfil the requirements. For this purpose the auditor has to:

        identify which controls have to be tested taking into account the following directives:

                o    Ensured efficiency: the control point or process has to be noted but not tested;

                o    Efficiency only with other controls: every relevant control point or process has to be tested;

                o    Non-ensured efficiency: check control or process has to be tested;

        determine the nature of testing (see Appendix Number 7 – Testing of control points and processes and Appendix Number 8 about individual testing);

        determine how controls have to be tested (see techniques of testing);

        determine what size of sample has to be used for testing (see Appendix Number 6: Sampling).

Testing is efficient if the test gives detailed information about the nature, necessity, time and extent of the procedure to be followed. When choosing the testing technique the following has to be considered:

        The evidence (quantity and scope) to be attained from the tests in order to determine whether the controls work according to the plan and intention;

        The type of the assessed process (e.g.: a process with frequently repeated transactions such as the claim process which probably requires a different technique in comparison with a process that occurs infrequently such as research and development).

 The main testing techniques are the following: 

        Certification (revision of documents): the follow-through of items up to the basic document in order to verify the operation of control points or processes.

        Reassessment: repeated assessment of already existing control points or processes, comparison of the audit results, the results achieved by the employees and measures executed by managers.

        Observation: the observation of the operation of a control point or process; especially if there is no physical evidence of the execution.

        Interrogation: inquiry about the way the control is executed, who the executer is, and what measures exist to determine the effective operation of control point or process.

        Analytical methods: the technique where the inquiry concerns the applied data is very effective in the case of large quantity transactions and data; it can also be used to determine trends and statistical lines, to carry out effect analysis, for the selection of samples and the justification of the effectiveness of the control and testing processes.


 During the testing of a control point or process it is essential to answer the following question: “Can the risk occur if the control works adequately?” During any testing procedure the auditor has to collect evidence to justify that the controls work according to their intention. The documentation has to contain competent evidence for the supervisor to determine what was tested and what the result of the testing was. If the testing shows that the control did not match expectations, there are two possibilities to handle the objections against the control points or processes, before appearing in the audit report: 

       Assessment of attributes of weaknesses and shortcomings of the control points or processes. In order to understand the characteristics of the error it is important to check the deficiencies of the control points or processes with the person responsible for the control. (Does it concern the whole population or only a certain part of it, e.g.: certain units or departments?) This also enables a greater understanding of the timescale of the error (e.g.: during the month’s end processes) as well as providing enough information so that the auditor is able to develop an overall opinion about the deficiency.

       Every control point or process that either targets the risk influenced by the objected control or replaces or influences the objected control has to be taken into account.

G.                    Gathering and registering of evidence, and the declaration of completeness

 The auditor has to identify, assess and register necessary information in order to achieve the objectives of the audit and to execute the audit programme. This requirement is supported by Standard Number 2310 of the IIA that states that sufficient, relevant, important and beneficial information has to be identified in order to achieve the audit objectives. The information and proofs registered by the auditor have to comply with the following aspects: 

       An independent, well-informed person would come to the same conclusion as the auditor (sufficient);

       Authoritative, and according to possibilities it is based on the application of a professionally correct method (reliable);

       There is a logical relation with what it intends to prove (relevant and important).

Main types of evidence presented with examples:

1    Physical observation of the existence of processes and items (activities, properties and IT systems)

        data medium equipment stored off-premises;

        safety system of the computer room during operation

2    Evidence based on documentation (paper or other data medium)

        result of data query;

        recording of transactions;

        program list;

        invoices;

        activity and control registers;

        documentation of system development

3    Sample

        preparation of a written sampling strategy and presentation of the sampling process;

        flowchart of the sampling system

4    Analysis (comparison, simulation, calculation, logical steps)

        comparative analysis of the execution of internal audit standards in relation to other bodies or data of a previous period;

        comparison of the error rate between the applications, transactions and users

The auditor has to register all the information that provides evidence for the findings, conclusions and audit results. Pursuant to Article 14 (2) of the IAD, the following evidence can be used for supporting the findings:

        Original document, that is the primary document of the financial operation;

        Copy, which is an authenticated and exact copy of the original document. The authentication shall contain the word "copy" along with a reference indicating that the copy is fully equivalent in content with the original document;

        Extract, which is the authenticated and exact copy of part(s) of the original document. The authentication shall contain the word "extract" along with a reference indicating the part of the text and the page in the original document;

       Certificate, which contains parts of the text and figures from several original documents as selected by the auditor. The authentication shall contain the word "certificate" along with a reference indicating the original documents used to compile the certificate;

        Joint statement, which certifies facts otherwise not supported by documents, and whose authenticity is jointly established by the auditor and the head (employee) of the audited organisation or unit, and certified by their signature;

        Photographs, videos or other image, voice or data recording devices, which are suitable for the authentic certification of the status found by the auditor. Photographs and information recorded otherwise shall be authenticated by the employee of the audited organisation or unit present, indicating the date and place and the object recorded;

        Expertise, which is an evaluation given by the expert requested to analyse certain special issues;

        Declaration, which is a written or oral statement of the employee of the audited organisation or unit on a fact not supported by or conflicting with the existing documents;

        Multiple declaration, which is a statement made separately or jointly by a number of persons on the same fact.

The copy, extract or certificate has to be exemplified by the head of the audited organisation or unit or a person entitled by him. The attester certifies the reality of the document with his signature.


Pursuant to Article 121/A (7) of the Budget Act, the person carrying out the internal audit activity may enter any room of the audited organisation or unit, has to have free access to any documents, data or IT system, and may request written or oral information from any employee of the audited organisation or unit in order to fully execute his/her task.

Pursuant to Article 26 (2) of the IAD, during the audit, if necessary, a declaration of completeness can be requested from the head of the audited organisation or unit. In this letter the head of the audited organisation or unit confirms that all documents and information related to the engagement of the audited task and in the range of responsibility of the head have been fully provided to the auditor. A sample of declaration of completeness is available in Document sample Number 16.

Pursuant to point i) of Article 14 (1) of the IAD, the auditor shall return all original documents in full at the closure of the audit, or if in the course of the audit activity a suspicion of an act, negligence or deficiency arises giving rise to the start of a criminal, infringement, liability or disciplinary procedure, the auditor hands the original documents over with a recommendation to the head of the PBO against an acknowledgement of receipt in order to take the necessary measures.

H.                     Audit protocol, serious insufficiency

Pursuant to Article 26 (3) of the IAD, if a suspicion arises of negligence, deficiency, damage or another illegal act which infringes the order of financial activities and may result in personal or financial responsibility, the internal auditor shall prepare an audit record, on which the person concerned shall comment within three working days.

If during the audit a serious insufficiency is discovered, on the basis of which there is a threat of a subsequent risk with substantial negative effect, then the auditor must without delay request the execution of all necessary measures from the process owner and has to inform the chief audit executive and, through him, the head of the PBO. The latter cannot be delayed until the internal audit report or its plan is prepared.

6.           Regulations on the structure and content of the internal audit report

A.    The preparation of the internal audit report

The auditor or the auditing organization examines compliance with legislation and internal regulations, and examines economy, efficiency and effectiveness. As the main result of the internal audit process, findings, conclusions and suggestions are drawn up for the heads of both the PBO and the organization supervising the PBO, and for the employees of the audited organization whose cooperation is indispensable for the elimination and correction of the deficiencies and errors determined during the audit.

The Internal Audit Report has to be prepared with the due professional care laid down by Standard Number 1220 of the IIA. Due professional care means that the auditor has to execute the audit tasks with adequate expertise, prudence and care. Due professional care does not mean infallibility.


Pursuant to article 27(1) of the IAD, the auditor prepares an audit report containing the subject, findings, conclusions and recommendations of the audit or prepares a summary audit report on the basis of audit reports of related subjects.

The checklist for the preparation of the internal audit report can be found in Document sample Number 28, which is part of this manual.

The findings and recommendations stated in the audit report have to comply with the following:

        Criteria – referring to the aspects of the expected functioning of processes and controls (as they should be);

        Real conditions – relying on factual proofs identified by the auditor during the audit (what the real conditions are);

        Cause – revealing the cause of the difference between the expected and real conditions (why there is a difference);

        Effect – presenting the risk and the exposure to risk. The organization is faced with this risk due to the fact that the given condition is not in accordance with the requirement laid down by its own criteria (the effect of difference).

 Pursuant to article 27(4) of the IAD the internal auditor is obliged to reveal in the audit report all relevant/ every important fact, finding, deficiency and contradiction, which ensure the completeness of the audit report. Pursuant to article 27 (5) of the IAD, in the audit report the internal auditor is obliged to evaluate all information and opinion provided by the audited organization and other parties, although these opinions can not influence the internal auditor’s factual findings and conclusions. Pursuant to article 27(6) of the IAD, in the audit report a brief, quintessential evaluation has to be given that collects the results and the deficiencies, furthermore recommendations and suggestions have to be made to eliminate the deficiencies and in order to achieve a more effective and efficient operation.  Pursuant to article 27(3) of the IAD, the findings in the audit report have to be formulated so that the management and the operation of the audited field, unit or the audited activity should be objectively assessable, in addition the advantageous and disadvantageous effects have to be taken into account in relation to the operations, management and activity. Every case, finding and conclusion has to be discussed with the head of the audited field before the audit report is to be closed down/finalised. It is usually practical to do so during the audit process as the audited field has the chance to express its opinion and clarify the findings and conclusions. In this way it will be ensured that the facts couldn’t be misunderstood or misinterpreted.   The person responsible for the preparation of the audit report Pursuant to article 27 (8) of the IAD, the audit team leader is responsible for the preparation of the audit report and the conclusions, whereas the auditors are responsible for giving proof and actuality/authenticity of findings.


As the audit team leader is responsible for the preparation of the audit report, he has to review the findings prepared during the audit and stated on the work-sheets, and has to prepare the plan of the audit report based on these findings. The audit report has to contain every answer of the heads of the audited field that was agreed upon during the audit. As the next step, the chief audit executive has to review the audit report and the supporting worksheets to make sure that each finding and conclusion is accurate and duly supported by proof.

The content requirements of the internal audit report

In order to provide transparency, all audit reports have to follow the standard format below, which incorporates the information concerning the audit (see Document sample Number 17: Audit report and executive summary sample).

Executive summary

The executive summary has to highlight the most important information about the audit:

        Title and line number of the audit;
        The period of the audit;
        The objectives of the audit;
        The scope of the audit (identification of the audited processes and units);
        Significant findings of the audit;
        Conclusions and recommendations of the audit: the internal auditor’s assessment and opinion (pursuant to the standards Number 2410 and 2410.A1 and the related practical manual of the IIA) about the effect of findings on the audited field (see Appendix Number 9: the conclusions of the audit);
        The result of the conciliation (closing) interview.

The chief audit executive sends the executive summary to the heads of the PBO and the audited field.

The content of the audit report

Pursuant to article 27(2) of the IAD, the audit report contains the following:

        the name of the auditing organization or unit,
        the name of the audited organization or unit,
        the specification of the legislative empowerment relevant to the audit,
        the subject of the audit,
        the period of the audit,
        the beginning and the end of the on-the-spot visit,
        the objectives and tasks of the audit,
        the applied audit methods and procedures,
        the audit findings according to the audit program,
        the conclusions and recommendations,
        the name and title of managing directors in charge during the audit period (managing director of the PBO, chief finance officer),
        the date of the report and the signature of the auditors.

 The findings


The findings provide the understanding of the audit case. The findings show the weaknesses and risks of controls. The findings:

        are accurate and supported by audit proofs;
        refer to the audit program;
        are ranked by importance.

Standard Number 2320 of the IIA requires the auditors to base their findings on sufficient analysis and assessment.

The ranking of findings

The findings have to be ranked according to their effect on the processes, including the effects on efficiency and effectiveness of the check points or processes. The ranking of the findings has to comply with the ranking of risks relating to findings. (See Appendix Number 10: The ranking of audit findings).

Risk and effect

Short summary of the possible effects of the findings on the objectives of the operation of the process and organisation.

Recommendation

Recommendations made by the auditor to correct the weaknesses of the check point or process described in the finding.

Status

Whether the (given) measure has been executed or is in process.

The audit report also has to contain:

        Positive remarks – the measures executed by the audited party, the progress achieved since the last audit;

        the development of the process – not only the simple statement of findings and risks, but recommendations about the development of the process.

Forwarding the draft report for conciliation and the closure of recognition

Pursuant to article 28 (1) of the IAD, the chief audit executive sends the draft audit report for conciliation to the head of the audited organisation or unit, and to those for whom the draft report contains findings or recommendations.

The chief audit executive sends the draft audit report in printed (and electronic) version to the head of the audited organization or unit for conciliation, specifying the time available for giving an opinion and the deadline. Until the closure of the report the word “Draft” has to be indicated on the document. Along with the draft audit report the closure of recognition also has to be sent. The closure of recognition is the declaration of the head of the audited organization or unit, or of the person for whom the draft audit report contains findings, about the recognition and the acknowledgement of the content of the draft audit report, and whether he wishes to make an observation on the findings of the draft audit report. The above-mentioned people are obliged to send their observations within 15 calendar days to the auditing organization or unit pursuant to article 28 (2) of the IAD. The expiry of the 15-day deadline has to be regarded as consent, to which the attention of the audited has to be drawn in the closure.

Conciliation (closing) discussion

Pursuant to article 28 (3) of the IAD, if the audited organization or unit disputes the findings of the internal audit, a discussion has to be held within 8 working days from receipt of the observation. The objective of the discussion is the analysis of the findings and conclusions and the conciliation of the compiled recommendations.

Pursuant to article 28 (4) of the IAD, the following have to be present at the interview: the audit team leader, the auditors, the chief audit executive, the managing director and chief audit executive of the audited organization or unit (if the chief audit executive of the audited organization is not the same person as the chief audit executive of the auditing organization), the heads of the units involved in the audit and every other person whose presence is necessary due to the subject or the findings of the audit.

Pursuant to article 28 (5) of the IAD, the audit team leader decides on the acceptance or rejection of the observation, and shall inform in writing the persons involved within 5 working days from the date of the conciliation discussion, explaining the rejected observations. Pursuant to article 28 (6) of the IAD, the audit team leader modifies the report based on the accepted observations.

Pursuant to article 28 (7) of the IAD, the observations of the head of the audited organization or unit and the response of the audit team leader have to be attached to the audit report, and thereafter it has to be handled as one document.

If the conciliation (closing) discussion does not lead to agreement between the audited field and the internal audit unit, that is to say, a disagreement persists in one of the matters after the discussion, the executive summary has to present both points of view in the discussed matter, that of the audited field and that of the internal audit unit.

The closure of report

Pursuant to article 28 (8) of the IAD, the audit report is closed after the conciliation procedure. After the report has been signed by the audit team leader and all the auditors involved, the chief audit executive sends it to the head of the audited body (in the case of an audit of a PBO) or to the head of the audited unit and the head of the PBO managing the unit (in the case of an audit of a unit). The chief audit executive is responsible for the signature and publication of the final, closed version of the audit report.

In the case of errors in the audit report, standard number 2421 of the IIA requires the chief audit executive to inform the people who received the original version of the report, document or communication about the correction of errors and omissions.

The sending of closed audit report

The closed audit report has to be sent to the heads and members of the organization who can ensure the utilization of the results of the audit. This is also emphasized by the standard Number 2440 of the IIA. Every audit report has to be sent to: 

        pursuant to the internal audit charter, the head of the audited body (in the case of the audit of a PBO), who is responsible for the preparation and ordainment of the action plan;
        pursuant to the internal audit charter, the head of the audited unit and the head of the PBO (in the case of the audit of a unit);
        other organizations as determined by legislation.

Pursuant to article 28 (9) of the IAD, in the case of audits carried out at subordinate PBOs by the internal audit unit of the PBO managing the chapter, the head of the PBO managing the chapter sends the audit report to the head of the audited organization or unit and requests the head of the audited organization or unit to prepare the action plan.

B. Annual report evaluating the internal audit

Standard Number 2060 of the IIA states that the chief audit executive regularly reports to the heads of the organization involved about the internal audit activity’s objective, authorization, responsibility and operation compared to the plan. The report also has to contain references to the most important risk elements and controls, the questions relating to the management of the whole organization and any other question that is of interest to the heads of the body.

Annual audit report and Annual summary audit report

Pursuant to article 31 (1) of the IAD, the head of the PBO is responsible for the elaboration of the annual audit report. The head of the PBO sends the annual audit report to the head of the PBO managing the chapter no later than 28th February of the year following the respective year.

Pursuant to article 31 (2) of the IAD, the head of the PBO managing the chapter is obliged to send to the Minister of Finance its annual audit report and an annual summary audit report concerning the whole chapter, prepared on the basis of the annual audit reports of the subordinated PBOs, no later than 31st May of the year following the respective year. The head of the PBO managing the chapter provides information on the internal audit systems of the organisations subordinated to the chapter.

The above-mentioned annual and annual summary audit reports, elaborated in accordance with the methodological guideline published by the Minister of Finance, contain the presentation of audit activity in the given year, the summary of achieved objectives and annual performance, and the observations of the utilisation of findings and recommendations based on the audits. The report has to consist of two parts with the following content (article 31 (3) of the IAD):

 - first section prepared by the chief audit executive:
        assessment of performance of tasks detailed in the audit plan, reasons for deviating from the plan, and the justification of the ad-hoc audits;
        the personnel and material conditions of the audits, factors supporting and hindering the activity;
        the main findings of the audits;
        the number and short summary of reports on suspicion of acts, failures or deficiencies identified in the course of the audits giving rise to the starting of criminal, infringement, compensation or disciplinary proceedings;
        main proposals made to improve the regularity, economy, efficiency and effectiveness of the financial management and control system.

 - second section prepared by the head of the PBO:
        the report on the execution of the action plans,
        the observations of the utilisation of findings and recommendations based on audits,
        recommendations for the improvement of audit activity.

Financial audit report

Pursuant to point e) of article 2 of the IAD, financial audit is the assessment of the adequacy of the ex-ante and ex-post management system and internal audit system, the compliance of the basic annual budgetary reports with accounting principles, and the regularity of budgetary management of the reporting period. The financial audit of annual basic budgetary reports has to be carried out pursuant to the methodology prepared by the State Audit Office and issued by the Finance Minister.

Pursuant to article 31 (5) of the IAD, the chief audit executive of the PBO managing the chapter shall send the audit reports of the financial audits to the Minister of Finance immediately after finalising them but no later than 31st May of the year following the respective year.


 

7. Regulations of the utilisation of audit statements and of the establishing of actions following the audit

A. Action plan

Pursuant to article 29 (1) of the IAD, within 15 calendar days of receiving the closed audit report (if necessary the chief audit executive may extend the deadline up to 30 days) the head of the audited organization or unit prepares an action plan specifying the people responsible for the execution of the measures and the related deadlines. The chief audit executive may call the audited organization’s or unit’s attention to the obligation of elaborating the action plan by referring to the deadline in the executive summary of the audit report.

Pursuant to article 29 (2) of the IAD, the head of the audited organization or unit sends the prepared action plan without delay to the chief audit executive of the auditing organization or unit, who shall send his/her remarks within 8 working days from the receipt of the action plan. Pursuant to article 30 (1) of the IAD, in the case of audits carried out by the internal audit unit of the organizations managing the chapter, the head of the unit shall send the action plan to the head of the organization managing the chapter, who shall endorse the plan.

If the action plan is disputed by the auditing organization or unit, the head of the audited organization or unit has to be informed in writing and, if necessary, a discussion has to be held where the head of the audited field, the audit team leader and the auditors have to be present. (Article 29 (3) of the IAD.) If the action plan is disputed in the case of an audit carried out by the internal audit unit of the organization managing the chapter, the head of the organization managing the chapter also has to be present at the discussion. (Article 30 (2) of the IAD.)

Pursuant to article 29(4) of the IAD, the head of the audited organisation or unit shall send the action plan endorsed by the head of the PBO carrying out the audit to the chief audit executive of the auditing organisation or unit.

Pursuant to article 29 (5) of the IAD, the head of the audited organization or unit is responsible for the execution and the follow-up of the action plan.

B. The follow-up of the audits

During the follow-up process of the audits the internal auditing unit of the PBO evaluates the compliance, efficiency and actuality of actions carried out by the head of the audited field pursuant to the findings, conclusions and recommendations of the audit report. Primary tools of follow-up of audit findings:

        following with attention the execution of the action plan;
        ex-post examination.

 


Pursuant to Standard Number 2500 of the IIA the chief audit executive has to develop and operate a system that helps him to follow up the completion of findings communicated to the leaders.

The follow-up of the execution of the action plan

The head of the audited field has to inform the chief audit executive about the accomplishment of the action plan. The information related to the execution of the action plan and new information emerging during the follow-up process has to be registered in the actual audit folder. Pursuant to point n) of article 12 of the IAD, the chief audit executive has to follow up the execution of the action plan on the basis of the information provided by the head of the PBO. The auditing unit regards an audit finding, conclusion or recommendation as closed if the tasks in the related action plan have been completed. The efficiency of the completed measures has to be reviewed in the frame of an ex-post examination or the next audit of the field.

Ex-post examination

The ex-post examination (if it is justified) takes place in the quarter when the latest deadline in the action plan expires. The objective of the ex-post examination is to allow the auditing unit to verify that the adopted actions have been carried out properly, or to establish that the head of the audited field has not executed the measures or has not executed them properly. This rule is a recommendation of Standard Number 2500.A1 and the related practical manual of the IIA. The ex-post examination resembles a traditional audit, but its objectives and scope are narrower, covering only the weaknesses identified in the audit report. In the course of the ex-post examination the planning, executive and reporting procedures are identical to those of any other audit, taking into account the following:

        The findings of the original audit have to be reviewed in order to determine the scope of the ex-post examination;
        The audit testing and procedure utilized for the evaluation of actions have to be planned;
        An on-the-spot visit has to be carried out and the audit activities have to be documented;
        The due date of the execution has to be certified and if necessary revised;
        A report on ex-post examination has to be prepared.

If the internal auditor concludes that adequate actions were not taken to eliminate the deficiencies revealed in the course of the previous audit, the head of the organization has to be informed. Standard Number 2600 of the IIA states that if the chief audit executive concludes that the heads of the audited organization are accepting an unacceptable level of risk, the fact has to be discussed with the related leaders. If no solution is found, the problem has to be taken to the highest level of senior officers.


8. The procedure applicable in the case of exploration of acts, failures or deficiencies giving rise to the starting of criminal, infringement, compensation or disciplinary proceedings in the course of the audit

The tasks of this chapter incorporate the exploration of acts, failures or deficiencies giving rise to the starting of criminal, infringement, compensation or disciplinary proceedings. In this manual these acts are referred to collectively as irregularities. According to this manual, irregularity means the deviation from any existing rule (legal provision, internal regulation, regulatory requirement). Two groups of irregularities can be distinguished:

1. intentionally caused irregularity (deception, fraud, etc.)
2. unintentionally caused irregularity (carelessness, negligence, etc.)

This manual does not differentiate between the two cases but handles the irregularities equally, as the question of intention is evaluated during the procedures and the imposition of appropriate sanctions.

Pursuant to article 145/A.(5) of Government Decree 217/1998 (30.12.) on the Rules of Operation of Public Finance, the head of the PBO is obliged to regulate the order of procedure of irregularities, which has to be an appendix of the organizational and operational regulations. The general objective of the handling of irregularities is to support the prevention and hindrance of violation of provisions of laws and regulations and, in the case of violation of laws or regulations, to restore the adequate conditions, to correct the errors, deficiencies and mistakes, to assign responsibility and to carry out effective provisions.

The internal auditor has to identify and differentiate the following serious cases of irregularities and the possibility of their occurrence:

I. In the category of crime against individuals the most frequent cases of crime against freedom and human dignity are: violation of privacy, misuse of personal data, misuse of public data, violation of the privacy of correspondence, libel, slander.

II. In the category of crime against public administration, justice and the public ethics:

A) cases within the violation of state and ministerial secrecy: violation of state secrecy, violation of ministerial secrecy, failure to report a violation of state secrecy.
B) in the case of misuse of office crimes the most frequently occurring case is malfeasance.
C) in the case of crimes against public ethics the most frequently occurring case is bribery.

III. In the category of crimes against international public ethics the most frequently occurring case is bribery in international relations.

IV. In the category of crimes against public order, cases violating public trust: falsification of public document; falsification of private document; misuse of documents; provision of false data.

V. In the category of economic crimes:

A) In the case of violation of management obligations and order of management: achievement of unjust advantage, violation of the order of accounting standards, crime against information systems and data; money laundering; failure of reporting money laundering; violation of financial interest of the European Community.
B) In the case of crime against property: theft; embezzlement; fraud; malpractice; negligence; violation of copyright or rights related to copyright; evasion of technical measure securing copyright or rights related to copyright.

The auditing unit plays a decisive role in identifying signs referring to the perpetration of the above-mentioned activities. The internal auditors of the PBO have to possess adequate knowledge to identify these signs, but an expertise equal to that of the professionals and authorities whose primary task is the detection and investigation of irregularities cannot be expected.

General requirements

The internal audit unit is responsible for preventing the occurrence of irregularities by assessing and evaluating the adequacy and efficiency of the (financial) management and control system. This mainly refers to those activities of the PBO where the risk of occurrence of irregularities is high. Prevention consists of implementing tasks which eliminate the possibility of occurrence and reduce the extent of the damage.

Standard Number 2130 of the IIA emphasizes the need for prevention. The standard underlines that the internal audit unit has to monitor whether the organization or its individual activities are in accordance with the announced values and ethical norms.

The main task in order to prevent irregularities is to establish and operate a control system, which is primarily the responsibility of the head of the organization. Besides, in order to support the efforts of the head of the organization to prevent frauds and irregularities, the internal auditors have to evaluate the following:

        Does the office ambience promote conscious audit?
        Have real organizational objectives been set?
        Are there written rules of procedure that determine unlawful activities and the necessary measures if a violation of these provisions has been identified?
        Are the rules of procedure determining the approval of transactions established and are they observed?
        Are there directives, procedures, reporting systems and other mechanisms to follow up activities and protect assets, especially in high-risk areas?
        Do the information channels provide relevant and reliable information to the management?
        Are cost-effective controls in operation to prevent unlawful activities?
        Has an adequate (financial) management and control system been established and is it operated efficiently?
        Does the “four eyes” principle prevail?
        Is the separation of tasks and scopes of responsibility adequate within the organization?


The internal audit unit plays a decisive role in identifying the signs of irregularity or fraud. The internal auditors of the organisation have to possess adequate knowledge to identify the signs of irregularity or fraud.

By continuously evaluating the abovementioned questions the internal auditors have to make recommendations and proposals to the head of the PBO for the more efficient operation of the control system. The adequate establishment and continuous development of the control system is the obligation of the head of the PBO, so that the procedures and regulations within the organization prevent the occurrence of irregularities and minimize the risk of their occurrence in the most effective way.

The role of the internal audit unit in prevention

The internal audit unit promotes the prevention of irregularities and fraud by examining the adequate operation and efficiency of the (financial) management and control system. It also evaluates how far the above-mentioned efficiency is in accordance with the activity of the organization and the possible risk necessary to reach the objectives and to operate its systems adequately. The prevention of irregularities and fraud consists of the execution of activities that hinder the possibility of committing irregularities and fraud and lessen the damage if irregularities or fraud occur. In order to prevent irregularities and fraud the primary task is to establish and operate an efficient and effective (financial) management and control system and an internal audit system. In order to prevent the occurrence of irregularities and fraud the most important task is the establishment and operation of the (financial) management and control system, and internal audit system, which is primarily the responsibility of the head of the PBO.

The role of the internal audit unit in identifying the irregularities

a) If the internal auditor perceives suspicion of acts, failures or deficiencies (called irregularities) giving rise to the starting of criminal, infringement, compensation or disciplinary proceedings in the course of audit, he has to notify the chief audit executive without delay. (Point (e) of article 14 of the IAD).

b) In the case of any suspicion of defaults, infringements, damage or other illegal acts which infringe the order of financial activities, concerning personal and financial responsibility, the internal auditor is obliged to prepare an audit record on which the person concerned shall comment within 3 working days (article 26 (3) of the IAD), and to identify and document every relevant proof underpinning the suspicion.

c) In the case of suspicion of irregularity observed by the internal auditor or the chief audit executive, he is obliged to inform immediately the head of the PBO or, if the head of the PBO is concerned, the head of the supervisory organization, and to make a proposal for initiating the appropriate procedure. (Article 121/A (9) of the Public Finance Act, point f) of article 12 of the IAD.)

d) The head of the PBO (if the head of the PBO is concerned, the head of the supervisory organization) is obliged to take the appropriate measures and to start the necessary procedures.

 


e)      The internal audit is also in charge of the follow-up of the measures of the head of the PBO. (Point (f) of article 8 of the IAD.)

Additional rules

The internal auditor is obliged to return all original documents in full at the end of the audit or, if in the course of the audit activity the suspicion of acts, failures or deficiencies giving rise to the starting of criminal, infringement, compensation or disciplinary proceedings arises, to hand the original documents to the head of the PBO against an acknowledgement of receipt in order to take the necessary measures. (Point (i) of article 14 of the IAD.)

The annual audit report and the annual summary audit report contain the number and short summary of reports on suspicion of acts, failures or deficiencies identified in the course of the audit activity giving rise to the starting of criminal, infringement, compensation or disciplinary proceedings.

Government Decree No. 360/2004. (26.12.) on the establishment of financial management, accounting and control systems related to the reception of funds of the operative programs of the National Development Plan, the EQUAL Community Initiative program and the projects of the Cohesion Fund contains the special rules of handling irregularities committed in the course of using EU funds.

Related legislation

Pursuant to article 10(1) of Act 4 of 1978 on the Criminal Code, a criminal offence is an act committed intentionally (or, if the law punishes acts committed due to carelessness, carelessly) that poses a threat to society and for which the law orders punishment.

Article 6 (1) of Act 19 of 1998 on Criminal Proceedings (hereinafter: Cp.) states that the court, prosecutor, and investigatory authority are obliged to start criminal proceedings in the case of conditions represented in the law. Article 171 (2) of the Cp. states that a public official is obliged to report all criminal offences of which he becomes aware on duty. The report has to be made to the prosecuting or investigatory authority.

Pursuant to article 1 (1) of Act No. 69 of 1999 on Infringements, an infringement is an illegal act or omission that is declared an infringement by an act, government decree or local government decree and is sanctioned with a penalty specified in the law. The second part of the law deals with the infringement procedure in detail; article 82 (1) states that an infringement procedure may start on the basis of a report or an observation or cognizance of an official of the infringement authority.

Article 339 (1) of Act No. 4 of 1959 on the Hungarian Civil Code declares that a person who causes damage to another person in violation of the law shall be liable for such damage. He shall be relieved of liability if he is able to prove that he has acted in a manner that can generally be expected in the given situation.

Regarding the start of the indemnification procedure, the provisions of Act No. 3 of 1952 on the Code of Civil Procedure (primarily the 8th (general) and 23rd (special) sections, trials arising from labour relations and similar status) are relevant. In the question of indemnificatory liability the provisions of Act Number 23 of 1992 on the Labour Code (Lc.), Act No. 23 of 1992 on the Legal Status of Civil Servants (Lscs.) and Act No. 33 of 1992 on the Legal Status of State Employees (Lsse.) are also relevant.


For disciplinary procedures and responsibility, the appropriate provisions of the Lc., Lscs. and Lsse. are relevant.

9. Formal requirements of audit documentation and the order of safekeeping

Requirements of registration and filing, safekeeping

Pursuant to article 32 (1) of the IAD, the chief audit executive of the PBO is obliged to keep record of the executed audits and has to ensure the safekeeping of audit documentation. The registry shall contain:

- the name of the audited organization or unit,
- the subject of the executed audit,
- the objectives of the executed audit,
- the period of audit,
- the type and methods of the executed audit,
- the opening and closing dates of the audit,
- the name of the auditors,
- the major findings and recommendations,
- the execution of the action plans.

The internal auditor has to note down and document all important information about the executed auditing task that provides evidence for the findings, conclusions and opinions, and proves that the audit was carried out in accordance with the requirements of the IAD. The audit task is documented in written or electronic notes, documents or data in other formats (collectively: working documents) that were prepared, or collected and kept, by the auditor during the auditing activity. The worksheets prepared or received during the audit have to be ordered and registered to facilitate the supervision carried out by the chief audit executive and the retrieval of audit information. For this reason every audit document and record has to be securely bound in the permanent folder, in the folder relating to the given audit, or in both.

- The permanent folder (General internal audit folder) contains, in chronological order, organizational, financial and legal documents and records with general scope that can be used in future audits (e.g.: in the audit of an organization or unit);

- The folder relating to the given audit (Actual audit folder) is used for the binding of every worksheet and other important data concerning the audit in a specific order (see document sample Number 18: Audit folder sample).

The registry of audits is stored in a so-called audit folder (see: glossary) that can exist either in electronic or in paper format. There are two types of folders considering their content: one is called Actual audit folder, the other General internal audit folder. The former contains the worksheets of the current audit, whereas the latter includes relevant information related to previous audits and the control system.

The Actual audit folder is handled by the responsible internal auditor by placing the worksheets in the folder. The worksheets are in the possession of the auditor, who has to ensure their safety and the confidential handling of their content due to their importance. The worksheets have to be prepared after the on-the-spot visit. The content of the folder shows whether the audit was carried out properly or not. The folder has to contain the following:

- Audit plan, audit program, deadlines,
- Register and extract of discussions,
- Internal audit report,
- Worksheets of executed tests and certificates;

 The General internal audit folder provides background information for the auditor about the specific organization, process or control, i.e.: about the system. This folder has to be revised and updated every year. Its contents are the following: 

- Contracts, cooperation documents,
- Description of the activities and procedures of the organization,
- Administrative and control elements, audit trail, flowcharts, rules of accounting procedures,
- Organization diagram marking the name and position of responsible employees, and their range of responsibility,
- Previous audit reports,
- Useful administrative information;

Pursuant to Standard Number 2330. A2 of the IIA, the chief audit executive develops the rules of safekeeping the documents concerning the audits; these rules have to comply with the directives and other regulations of the organization.

Pursuant to the instructions (article 9) of Act No. 66 of 1995 on Public Records, Public Archives, and the Protection of Private Archives, all public sector organizations have to possess a document handling and archives plan (a registry serving as the ground for the systematization and the sorting of public documents from the point of view of the possibility of rejecting them) that contains the detailed rules and requirements of handling and protection of public documents. The head of the public sector organization is responsible for the adequate handling and protection of public documents, the establishment and operation of archives that store public documents professionally and securely, and the provision of necessary technical and personal conditions.

For the interpretation of the concepts of personal data and handling of personal data, the instructions of Act No. 63 of 1992 on the Protection of Personal Data and Public Access to Data of Public Interest are relevant.

Pursuant to point j) of article 12 of the IAD, the chief audit executive is obliged to ensure the registration of audits, the safekeeping of audit documents for at least ten years and the safe storage of data and documents. Article 32 (1) provides that the chief audit executive is obliged to keep record of the executed audits and to ensure the safekeeping of audit documents.


VI. Methodological guidelines, important steps and sections of individual auditing methods

1. International internal auditing standards

The “International Standards for the Professional Practice of Internal Auditing” issued by the IIA have been published in Hungarian in Financial Gazette No 16 of 2003 (XII. 22.).

2. System audit

Pursuant to point c) of article 2 of the IAD, system audit is: “the extensive assessment of the operation of (management, implementation, financial transactions, reporting and auditing) systems where regularity, regulatedness, economy, efficiency and effectiveness are evaluated.” The main steps and sections of system audit can be found in detail in the document “System audit methodology”.

3. Performance audit

Pursuant to point d) of article 2 of the IAD, performance audit is: “the assessment of economy, efficiency and effectiveness of the operation and the use of resources at a well-defined area of activities, programs carried out by the organization.” The main steps and sections of performance audit can be found in detail in the document “Performance audit methodology”.

4. IT system audit

Pursuant to point f) of article 2 of the IAD, IT system audit is: “the assessment of the reliability and safety of IT systems used at the PBO as well as the completeness, accuracy, regularity and protection of data stored in the system.” The main steps and sections of the audit of IT systems can be found in detail in the document “IT audit methodological guideline for internal auditors”.

5. Auditing of the Structural Funds

See “Internal Audit Manual Sample for system audits based on sampling related to the Structural Funds” for details.

6. Auditing of the Cohesion Fund

See “Internal Audit Manual Sample for system audits based on sampling related to the Cohesion Funds” for details.

VII. Uniform document samples

VIII. Appendices

IX. Glossary

[1] Process owner: person responsible for the operation and control of the process.

Issued on 08.02.2006
