Audit Methodology
A STEP-BY-STEP GUIDE THROUGH THE SURA INTERNAL AUDIT PROCESS
To maximize audit coverage with limited Internal Audit resources, SURA Internal Audit uses a "stop and go" audit approach, which focuses on continuous risk assessment throughout all of the audit phases outlined below.
By continuously evaluating risk, we may determine at any phase of the audit that no further work is needed to conclude on the control environment. Upon validating this conclusion with the customer, the audit may be ended and an audit report issued. The "stop and go" approach enables us to focus on performing value-added, cost-effective audits.
STEP #1 - PRELIMINARY RISK ASSESSMENT PHASE
Internal Audit facilitates discussions with operating management to identify business processes and risks. Key high-level information, including financial data and customer contact names, is obtained. Additionally, we solicit management's concerns and work with them to define expectations.
Internal Audit will analyze the business and supporting technical risks to define the audit scope and to identify key business control objectives. The business control objectives are validated with the customer to ensure that Audit's approach is in line with the business.
STEP #2 - PLANNING STAGE
Internal Audit gathers information on how management is controlling risks. Through discussions and/or walk-throughs with key contacts, Internal Audit identifies business control processes.
An assessment is then performed to determine whether the control environment is adequate. Issues or control weaknesses are communicated and validated with the customer immediately to ensure ongoing communication throughout the audit.
Internal Audit defines the testing strategy based on the assessment of the control environment and management's concerns. If testing is necessary to determine that controls are functioning effectively, detailed test programs are developed.
STEP #3 - TESTING PHASE
Internal Audit executes the test programs defined above. Throughout this phase, test results are analyzed to determine if additional test work is required, or if no further testing is necessary to conclude on the sufficiency of the control environment. We ensure timely communication of issues arising as test work is executed. Issues are communicated, validated, and drafted with the customer as they are identified.
STEP #4 - COMMUNICATING RESULTS
Communicating Results is not considered a separate phase. It is embedded in all of the above processes. Throughout the audit, all issues identified are validated with the customer and action plans are immediately developed by management. Audit recommendations and management responses are included in the Audit Report, including an action plan of what will be done, by whom, by when, and to fix what problems. Reports are issued within 5 days from the end of fieldwork.
CUSTOMER SURVEY
Customers are asked to contribute to Internal Audit's continuous improvement process by providing feedback on our services. Customers are asked to provide written comments about the work performed, as well as to rate Internal Audit on the following key areas:
o Performance of Audit Work
o Communicating Results
o Professional Proficiency of Auditors
o Scope of Work
Audit Client Survey
NOTE: For Illustration Purposes Only. Audit Client Surveys are designed and intended for use by customers who have recently received services from Internal Audit.
Memorandum
To:
From: Rich Rafter, Internal Audit
Date:
Subject: Audit Client Survey
Internal Audit recently completed an audit of ________________________, Audit No. _________ in your organization. As part of the continuous effort to improve the overall quality of audit services provided to clients, I would appreciate a few minutes of your time to complete the attached survey.
One of the goals of Internal Audit is to be regarded as a strategic value-added resource by the organization. To achieve this goal, I am interested in your candid feedback related to the audit and the audit process. I request that you do not delegate completion of the survey to another individual.
Please return the completed survey by ___________________________. If you have any questions, please call me directly at (757) 269-7522.
Thank you for your constructive comments.
Standards for the Professional Practice of Internal Auditing
THE INSTITUTE OF INTERNAL AUDITORS
247 Maitland Avenue
Altamonte Springs, Florida 32701-4201
Copyright © 2001 by The Institute of Internal Auditors, 247 Maitland Avenue, Altamonte Springs, Florida 32701-4201. All rights reserved. Printed in the United States of America. Under copyright laws and agreements, no part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form by any means — electronic, mechanical,
photocopying, recording, or otherwise — without prior written permission of the publisher. To obtain permission to translate, adapt, or reproduce any part of this document, contact: Administrator, Practices Center
The Institute of Internal Auditors
247 Maitland Avenue
Altamonte Springs, Florida 32701-4201
Phone: +1 (407) 830-7600, Ext. 256
Fax: +1 (407) 831-5171
ISBN 0-89413-454-X
October 18, 2001
Introduction
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
Internal audit activities are performed in diverse legal and cultural environments; within organizations that vary in purpose, size, and structure; and by persons within or outside the organization. These differences may affect the practice of internal auditing in each
environment. However, compliance with the Standards for the Professional Practice of Internal Auditing (Standards) is essential if the responsibilities of internal auditors are to be met.
The purpose of the Standards is to:
1. Delineate basic principles that represent the practice of internal auditing as it should be.
2. Provide a framework for performing and promoting a broad range of value-added internal audit activities.
3. Establish the basis for the measurement of internal audit performance.
4. Foster improved organizational processes and operations.
The Standards consist of Attribute Standards (the 1000 Series), Performance Standards (the 2000 Series), and Implementation Standards (nnnn.Xn). The Attribute Standards address the characteristics of organizations and individuals performing internal audit activities. The Performance Standards describe the nature of internal audit activities and provide quality criteria against which the performance of these services can be measured. The Attribute and Performance Standards apply to internal audit services in general. The Implementation
Standards apply the Attribute and Performance Standards to specific types of engagements (for example, a compliance audit, a fraud investigation, or a control self-assessment project).
There is one set of Attribute and Performance Standards, however there may be multiple sets of Implementation Standards: a set for each of the major types of internal audit activity. Initially, the Implementation Standards are being established for assurance activities (noted by an "A" following the Standard number, e.g., 1130.A1) and consulting activities (noted by a "C" following the Standard number, e.g., nnnn.C1).
The Standards are part of the Professional Practices Framework. This framework was proposed by the Guidance Task Force and approved by The IIA's Board of Directors in June 1999. This framework includes the Definition of Internal Auditing, the Code of Ethics, the Standards, and other guidance. The Standards incorporate the guidance previously contained in "The Red Book," recasting it into the new format proposed by the Guidance Task Force and updating it as recommended in the Task Force’s report, A Vision for the Future.
The Standards employ terms that have been given specific meanings that are included in the Glossary.
The Internal Auditing Standards Board is committed to extensive consultation in the preparation of the Standards. Prior to issuing any document, the Standards Board issues
exposure drafts internationally for public comment. The Standards Board also seeks those with special expertise or interests for consultation where necessary. The development of standards is an ongoing process. The Standards Board welcomes input from IIA members and other interested parties to identify emerging issues requiring new standards or revision to current standards. Suggestions should be sent to:
The Institute of Internal Auditors
Senior Manager Technical Services
247 Maitland Ave.
Altamonte Springs, Florida 32701
USA
E-mail: standards@theiia.org
Additional guidance regarding how the Standards might be put into practice can be found in Practice Advisories that are issued by the Professional Issues Committee.
ATTRIBUTE STANDARDS
1000 – Purpose, Authority, and Responsibility
The purpose, authority, and responsibility of the internal audit activity should be formally defined in a charter, consistent with the Standards, and approved by the board.
1000.A1 - The nature of assurance services provided to the organization should be defined in the audit charter. If assurances are to be provided to parties outside the organization, the nature of these assurances should also be defined in the charter.
1000.C1 - The nature of consulting services should be defined in the audit charter.
1100 – Independence and Objectivity
The internal audit activity should be independent, and internal auditors should be objective in performing their work.
1110 – Organizational Independence
The chief audit executive should report to a level within the organization that
allows the internal audit activity to fulfil its responsibilities.
1110.A1 - The internal audit activity should be free from
interference in determining the scope of internal auditing,
performing work, and communicating results.
1120 – Individual Objectivity
Internal auditors should have an impartial, unbiased attitude and avoid conflicts
of interest.
1130 – Impairments to Independence or Objectivity
If independence or objectivity is impaired in fact or appearance, the details of
the impairment should be disclosed to appropriate parties. The nature of the
disclosure will depend upon the impairment.
1130.A1 – Internal auditors should refrain from assessing
specific operations for which they were previously responsible.
Objectivity is presumed to be impaired if an auditor provides
assurance services for an activity for which the auditor had
responsibility within the previous year.
1130.A2 – Assurance engagements for functions over which the
chief audit executive has responsibility should be overseen by a
party outside the internal audit activity.
1130.C1 - Internal auditors may provide consulting services
relating to operations for which they had previous
responsibilities.
1130.C2 - If internal auditors have potential impairments to
independence or objectivity relating to proposed consulting
services, disclosure should be made to the engagement client
prior to accepting the engagement.
1200 – Proficiency and Due Professional Care
Engagements should be performed with proficiency and due professional care.
1210 – Proficiency
Internal auditors should possess the knowledge, skills, and other competencies
needed to perform their individual responsibilities. The internal audit activity
collectively should possess or obtain the knowledge, skills, and other
competencies needed to perform its responsibilities.
1210.A1 - The chief audit executive should obtain competent
advice and assistance if the internal audit staff lacks the
knowledge, skills, or other competencies needed to perform all or
part of the engagement.
1210.A2 – The internal auditor should have sufficient
knowledge to identify the indicators of fraud but is not expected
to have the expertise of a person whose primary responsibility is
detecting and investigating fraud.
1210.C1 - The chief audit executive should decline the
consulting engagement or obtain competent advice and assistance if the internal audit staff lacks the knowledge, skills, or other
competencies needed to perform all or part of the engagement.
1220 - Due Professional Care
Internal auditors should apply the care and skill expected of a reasonably prudent and competent internal auditor. Due professional care does not imply infallibility.
1220.A1 - The internal auditor should exercise due professional care by considering the:
o Extent of work needed to achieve the engagement's objectives.
o Relative complexity, materiality, or significance of matters to which assurance procedures are applied.
o Adequacy and effectiveness of risk management, control, and governance processes.
o Probability of significant errors, irregularities, or non-compliance.
o Cost of assurance in relation to potential benefits.
1220.A2 – The internal auditor should be alert to the significant
risks that might affect objectives, operations, or resources.
However, assurance procedures alone, even when performed with due professional care, do not guarantee that all significant risks
will be identified.
1220.C1 - The internal auditor should exercise due professional care during a consulting engagement by considering the:
o Needs and expectations of clients, including the nature, timing, and communication of engagement results.
o Relative complexity and extent of work needed to achieve the engagement’s objectives.
o Cost of the consulting engagement in relation to potential benefits.
1230 – Continuing Professional Development
Internal auditors should enhance their knowledge, skills, and other competencies through continuing professional development.
1300 – Quality Assurance and Improvement Program
The chief audit executive should develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity and continuously monitors its effectiveness. The program should be designed to help the internal audit activity add value and improve the organization’s operations and to provide assurance that the internal audit activity is in conformity with the Standards and the Code of Ethics.
1310 – Quality Program Assessments
The internal audit activity should adopt a process to monitor and assess the
overall effectiveness of the quality program. The process should include both
internal and external assessments.
1311 – Internal Assessments
Internal assessments should include:
o Ongoing reviews of the performance of the internal audit activity; and
o Periodic reviews performed through self-assessment or by other persons within the
organization, with knowledge of internal auditing
practices and the Standards.
1312 – External Assessments
External assessments, such as quality assurance reviews, should
be conducted at least once every five years by a qualified,
independent reviewer or review team from outside the
organization.
1320 – Reporting on the Quality Program
The chief audit executive should communicate the results of external
assessments to the board.
1330 – Use of "Conducted in Accordance with the Standards"
Internal auditors are encouraged to report that their activities are "conducted in
accordance with the Standards for the Professional Practice of Internal
Auditing." However, internal auditors may use the statement only if assessments
of the quality improvement program demonstrate that the internal audit activity
is in compliance with the Standards.
1340 – Disclosure of Non-compliance
Although the internal audit activity should achieve full compliance with
the Standards and internal auditors with the Code of Ethics, there may be
instances in which full compliance is not achieved. When non-compliance
impacts the overall scope or operation of the internal audit activity, disclosure
should be made to senior management and the board.
PERFORMANCE STANDARDS
2000 – Managing the Internal Audit Activity
The chief audit executive should effectively manage the internal audit activity to ensure it adds value to the organization.
2010 – Planning
The chief audit executive should establish risk-based plans to determine the
priorities of the internal audit activity, consistent with the organization's goals.
2010.A1 - The internal audit activity’s plan of engagements
should be based on a risk assessment, undertaken at least
annually. The input of senior management and the board should
be considered in this process.
2010.C1 - The chief audit executive should consider accepting
proposed consulting engagements based on the engagement’s
potential to improve management of risks, add value, and
improve the organization’s operations. Those engagements that
have been accepted should be included in the plan.
2020 – Communication and Approval
The chief audit executive should communicate the internal audit activity’s plans
and resource requirements, including significant interim changes, to senior
management and to the board for review and approval. The chief audit executive should also communicate the impact of resource limitations.
2030 – Resource Management
The chief audit executive should ensure that internal audit resources are
appropriate, sufficient, and effectively deployed to achieve the approved plan.
2040 – Policies and Procedures
The chief audit executive should establish policies and procedures to guide the
internal audit activity.
2050 – Coordination
The chief audit executive should share information and coordinate activities
with other internal and external providers of relevant assurance and consulting
services to ensure proper coverage and minimize duplication of efforts.
2060 – Reporting to the Board and Senior Management
The chief audit executive should report periodically to the board and senior
management on the internal audit activity’s purpose, authority, responsibility,
and performance relative to its plan. Reporting should also include significant
risk exposures and control issues, corporate governance issues, and other
matters needed or requested by the board and senior management.
2100 – Nature of Work
The internal audit activity evaluates and contributes to the improvement of risk management, control, and governance systems.
2110 – Risk Management
The internal audit activity should assist the organization by identifying and
evaluating significant exposures to risk and contributing to the improvement of
risk management and control systems.
2110.A1 - The internal audit activity should monitor and
evaluate the effectiveness of the organization's risk management
system.
2110.A2 - The internal audit activity should evaluate risk exposures relating to the organization's governance, operations, and information systems regarding the:
o Reliability and integrity of financial and operational information.
o Effectiveness and efficiency of operations.
o Safeguarding of assets.
o Compliance with laws, regulations, and contracts.
2110.C1 - During consulting engagements, internal auditors should address risk consistent with the engagement’s objectives and should be alert to the existence of other significant risks.
2110.C2 – Internal auditors should incorporate knowledge of risks gained from consulting engagements into the process of identifying and evaluating significant risk exposures of the organization.
2120 – Control
The internal audit activity should assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.
2120.A1 - Based on the results of the risk assessment, the internal audit activity should evaluate the adequacy and effectiveness of controls encompassing the organization's governance, operations, and information systems. This should include:
o Reliability and integrity of financial and operational information.
o Effectiveness and efficiency of operations.
o Safeguarding of assets.
o Compliance with laws, regulations, and contracts.
2120.A2 - Internal auditors should ascertain the extent to which
operating and program goals and objectives have been
established and conform to those of the organization.
2120.A3 - Internal auditors should review operations and
programs to ascertain the extent to which results are consistent
with established goals and objectives to determine whether
operations and programs are being implemented or performed as
intended.
2120.A4 - Adequate criteria are needed to evaluate controls.
Internal auditors should ascertain the extent to which
management has established adequate criteria to determine
whether objectives and goals have been accomplished. If
adequate, internal auditors should use such criteria in their
evaluation. If inadequate, internal auditors should work with
management to develop appropriate evaluation criteria.
2120.C1 - During consulting engagements, internal auditors
should address controls consistent with the engagement’s
objectives and should be alert to the existence of any significant
control weaknesses.
2120.C2 – Internal auditors should incorporate knowledge of
controls gained from consulting engagements into the process of
identifying and evaluating significant risk exposures of the
organization.
2130 – Governance
The internal audit activity should contribute to the organization's governance process by evaluating and improving the process through which (1) values and goals are established and communicated, (2) the accomplishment of goals is monitored, (3) accountability is ensured, and (4) values are preserved.
2130.A1 - Internal auditors should review operations and
programs to ensure consistency with organizational values.
2130.C1 – Consulting engagement objectives should be
consistent with the overall values and goals of the organization.
2200 – Engagement Planning
Internal auditors should develop and record a plan for each engagement.
2201 - Planning Considerations
In planning the engagement, internal auditors should consider:
o The objectives of the activity being reviewed and the means by which the activity controls its performance.
o The significant risks to the activity, its objectives, resources, and operations and the means by which the potential impact of risk is kept to an acceptable level.
o The adequacy and effectiveness of the activity’s risk management and control systems compared to a relevant control framework or model.
o The opportunities for making significant improvements to the activity’s risk management and control systems.
2201.C1 - Internal auditors should establish an understanding with consulting engagement clients about objectives, scope, respective responsibilities, and other client expectations. For significant engagements, this understanding should be documented.
2210 – Engagement Objectives
The engagement’s objectives should address the risks, controls, and governance
processes associated with the activities under review.
2210.A1 - When planning the engagement, the internal auditor
should identify and assess risks relevant to the activity under
review. The engagement objectives should reflect the results of
the risk assessment.
2210.A2 - The internal auditor should consider the probability of
significant errors, irregularities, non-compliance, and other
exposures when developing the engagement objectives.
2210.C1 – Consulting engagement objectives should address
risks, controls, and governance processes to the extent agreed
upon with the client.
2220 – Engagement Scope
The established scope should be sufficient to satisfy the objectives of the
engagement.
2220.A1 - The scope of the engagement should include
consideration of relevant systems, records, personnel, and
physical properties, including those under the control of third
parties.
2220.C1 – In performing consulting engagements, internal
auditors should ensure that the scope of the engagement is
sufficient to address the agreed-upon objectives. If internal
auditors develop reservations about the scope during the
engagement, these reservations should be discussed with the
client to determine whether to continue with the engagement.
2230 – Engagement Resource Allocation
Internal auditors should determine appropriate resources to achieve engagement
objectives. Staffing should be based on an evaluation of the nature and
complexity of each engagement, time constraints, and available resources.
2240 – Engagement Work Program
Internal auditors should develop work programs that achieve the engagement
objectives. These work programs should be recorded.
2240.A1 - Work programs should establish the procedures for
identifying, analysing, evaluating, and recording information
during the engagement. The work program should be approved
prior to the commencement of work, and any adjustments
approved promptly.
2240.C1 - Work programs for consulting engagements may vary
in form and content depending upon the nature of the
engagement.
2300 – Performing the Engagement
Internal auditors should identify, analyze, evaluate, and record sufficient information to achieve the engagement's objectives.
2310 – Identifying Information
Internal auditors should identify sufficient, reliable, relevant, and useful
information to achieve the engagement’s objectives.
2320 – Analysis and Evaluation
Internal auditors should base conclusions and engagement results on appropriate analyses and evaluations.
2330 – Recording Information
Internal auditors should record relevant information to support the conclusions and engagement results.
2330.A1 - The chief audit executive should control access to
engagement records. The chief audit executive should obtain the
approval of senior management and/or legal counsel prior to
releasing such records to external parties, as appropriate.
2330.A2 - The chief audit executive should develop retention
requirements for engagement records. These retention
requirements should be consistent with the organization’s
guidelines and any pertinent regulatory or other requirements.
2330.C1 - The chief audit executive should develop policies
governing the custody and retention of engagement records, as
well as their release to internal and external parties. These
policies should be consistent with the organization’s guidelines
and any pertinent regulatory or other requirements.
2340 – Engagement Supervision
Engagements should be properly supervised to ensure objectives are achieved, quality is assured, and staff is developed.
2400 – Communicating Results
Internal auditors should communicate the engagement results promptly.
2410 – Criteria for Communicating
Communications should include the engagement’s objectives and scope as well as applicable conclusions, recommendations, and action plans.
2410.A1 - The final communication of results should, where
appropriate, contain the internal auditor’s overall opinion.
2410.A2 - Engagement communications should acknowledge
satisfactory performance.
2410.C1 – Communication of the progress and results of
consulting engagements will vary in form and content depending
upon the nature of the engagement and the needs of the client.
2420 – Quality of Communications
Communications should be accurate, objective, clear, concise, constructive, complete, and timely.
2421 – Errors and Omissions
If a final communication contains a significant error or omission,
the chief audit executive should communicate corrected
information to all individuals who received the original
communication.
2430 – Engagement Disclosure of Non-compliance with the Standards
When non-compliance with the Standards impacts a specific engagement, communication of the results should disclose the:
o Standard(s) with which full compliance was not achieved,
o Reason(s) for non-compliance, and
o Impact of non-compliance on the engagement.
2440 – Disseminating Results
The chief audit executive should disseminate results to the appropriate
individuals.
2440.A1 - The chief audit executive is responsible for
communicating the final results to individuals who can ensure
that the results are given due consideration.
2440.C1 - The chief audit executive is responsible for
communicating the final results of consulting engagements to
clients.
2440.C2 – During consulting engagements, risk management,
control, and governance issues may be identified. Whenever
these issues are significant to the organization, they should be
communicated to senior management and the board.
2500 – Monitoring Progress
The chief audit executive should establish and maintain a system to monitor the disposition of results communicated to management.
2500.A1 - The chief audit executive should establish a follow-up process to
monitor and ensure that management actions have been effectively implemented
or that senior management has accepted the risk of not taking action.
2500.C1 – The internal audit activity should monitor the disposition of results
of consulting engagements to the extent agreed upon with the client.
2600 – Management's Acceptance of Risks
When the chief audit executive believes that senior management has accepted a level of residual risk that is unacceptable to the organization, the chief audit executive should discuss the matter with senior management. If the decision regarding residual risk is not resolved, the chief audit executive and senior management should report the matter to the board for resolution.
Glossary
Add Value - Organizations exist to create value or benefit to their owners, other stakeholders, customers, and clients. This concept provides purpose for their existence. Value is provided through their development of products and services and their use of resources to promote those products and services. In the process of gathering data to understand and assess risk, internal auditors develop significant insight into operations and opportunities for improvement that can be extremely beneficial to their organization. This valuable information can be in the form of consultation, advice, written communications, or other products, all of which should be properly communicated to the appropriate management or operating personnel.
Adequate Control - Present if management has planned and organized (designed) in a manner that provides reasonable assurance that the organization's risks have been managed effectively and that the organization’s goals and objectives will be achieved efficiently and economically.
Assurance Services - An objective examination of evidence for the purpose of providing an independent assessment on risk management, control, or governance processes for the organization. Examples may include financial, performance, compliance, system security, and due diligence engagements.
Board - A board of directors, audit committee of such boards, head of an agency or legislative body to whom internal auditors report, board of governors or trustees of a non-profit organization, or any other designated governing bodies of organizations.
Charter - The charter of the internal audit activity is a formal written document that defines the activity’s purpose, authority, and responsibility. The charter should (a) establish the internal audit activity’s position within the organization; (b) authorize access to records, personnel, and physical properties relevant to the performance of engagements; and (c) define the scope of internal audit activities.
Chief Audit Executive - Top position within the organization responsible for internal audit activities. In a traditional internal audit activity, this would be the internal audit director. In the case where internal audit activities are obtained from outside service providers, the chief audit executive is the person responsible for overseeing the service contract and the overall quality assurance of these activities, reporting to senior management and the board regarding internal audit activities, and follow-up of engagement results. The term also includes such titles as general auditor, chief internal auditor, and inspector general.
The purpose of the Code of Ethics of The Institute of Internal Auditors (IIA) is to promote an ethical culture in the global profession of internal auditing. A code of ethics is necessary and appropriate for the profession of internal auditing, founded as it is on the trust placed in its objective assurance about risk, control, and governance. The Code of Ethics applies to both individuals and entities that provide internal audit services.
- The ability to reasonably ensure conformity and adherence to organization policies, plans, procedures, laws, regulations, and contracts.
- Any relationship that is or appears to be not in the best interest of the organization. A conflict of interest would prejudice an individual’s ability to perform his or her duties and responsibilities objectively.
- which are agreed upon with the client and which are intended to add value and improve an organization’s operations. Examples include counsel, advice, facilitation, process design, and training.
- Any action taken by management, the board, and other parties to enhance risk management and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.
- The attitude and actions of the board and management regarding the significance of control within the organization. The control environment provides the discipline and structure for the achievement of the primary objectives of the system of internal control. The control environment includes the following elements:
o Integrity and ethical values.
o Management’s philosophy and operating style.
o Organizational structure.
o Assignment of authority and responsibility.
o Human resource policies and practices.
o Competence of personnel.
- The policies, procedures, and activities that are part of a control framework, designed to ensure that risks are contained within the risk tolerances established by the risk management process.
- A specific internal audit assignment, task, or review activity, such as an internal audit, Control Self-assessment review, fraud examination, or consultancy. An engagement may include multiple tasks or activities designed to accomplish a specific set of related objectives.
- Broad statements developed by internal auditors that define intended engagement accomplishments.
- A document that lists the procedures to be followed during an engagement, designed to achieve the engagement plan.
- A person or firm, independent of the organization, who has special knowledge, skill, and experience in a particular discipline. Outside service providers include, among others, actuaries, accountants, appraisers, environmental specialists, fraud investigators, lawyers, engineers, geologists, security specialists, statisticians, information technology specialists, external auditors, and other auditing organizations. The board, senior management, or the chief audit executive may engage an outside service provider.
- Any illegal acts characterized by deceit, concealment, or violation of trust. These acts are not dependent upon the application of threat of violence or of physical force. Frauds are perpetrated by individuals and organizations to obtain money, property, or services; to avoid payment or loss of services; or to secure personal or business advantage.
- The procedures utilized by the representatives of the organization’s stakeholders (e.g., shareholders, etc.) to provide oversight of risk and control processes administered by management.
- Impairments to individual objectivity and organizational independence may include personal conflicts of interest, scope limitations, restrictions on access to records, personnel, and properties, and resource limitations (funding).
- A department, division, team of consultants, or other practitioner(s) that provides independent, objective assurance and consulting services designed to add value and improve an organization's operations. The internal audit activity helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
- An unbiased mental attitude that requires internal auditors to perform engagements in such a manner that they have an honest belief in their work product and that no significant quality compromises are made. Objectivity requires internal auditors not to subordinate their judgment on audit matters to that of others.
- The uncertainty of an event occurring that could have an impact on the achievement of objectives. Risk is measured in terms of consequences and likelihood.
ANNEXURE B
RUSTENBURG LOCAL MUNICIPALITY
INTERNAL AUDIT CHARTER
A. Introduction
B. Internal Audits Authority
C. Definition of Audit Scope
D. Internal Audits Responsibility
E. Reporting responsibilities of Internal Audit and Auditees
F. The mission of the internal audit activity
G. Amendments to this Charter
A. Introduction.
This charter establishes the mandate conferred by the Council on the Internal Audit section.
B. Internal Audits Authority
The Chief Audit Executive is authorised to direct a broad, comprehensive program of internal auditing within the municipality. The Internal Audit function is an independent, objective assurance and consulting activity designed to add value and improve business operations. In this regard it assists management to accomplish its objectives by applying a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes. To accomplish these activities, the Chief Audit Executive and persons authorised by him have full, free and unrestricted access to all of the municipality's functions, records, property and personnel.
C. Audit Scope.
- Risk management – Internal Audit has to assist the Council, Directors and Managers in identifying and evaluating the municipality's risk management processes to give an opinion on the adequacy and effectiveness of risk management and internal control systems. Regarding the risk management processes, management should determine the role internal audit can play, but without internal audit taking ownership thereof or managing the process.
- Controls – Internal Audit has to assist the Council, Directors and Managers in maintaining effective controls by evaluating those controls to determine their effectiveness and efficiency, and by developing recommendations for enhancement or improvement. Accounting controls are designed to safeguard assets and ensure the accuracy of financial records.
- Governance – Internal Audit has to assist the Council, Directors and Managers in achieving the goals of the municipality by evaluating and approving the process through which:
a) goals and values are established and communicated;
b) the accomplishment of goals is monitored;
c) accountability is ensured;
d) the Council's values are preserved.
- Fraud investigations – Internal Audit has to assist the Council, Directors and Managers in these audits as determined by the Fraud Policy. The section doesn’t need to get permission before proceeding with such an audit, but must immediately afterwards inform the relevant level of management of the outcome. [These audits have priority over the approved audit program.]
- Performance management – Internal Audit has to audit performance management according to legislation and the Performance Framework approved by Council. The basis of performance auditing is economy, efficiency and effectiveness.
- Financial audits – Financial audits address the accounting and reporting of financial transactions, including authorisations, receipts and disbursements of funds.
- Compliance audits – Compliance audits determine the degree of adherence to laws, policies, procedures, and resolutions.
- Operational audits – Operational audits review operating information and the means used to identify, measure, classify and report such information; review the means for safeguarding assets; and provide analysis and evaluation of operational results in comparison with established goals, objectives, policies, plans, laws, procedures and resolutions.
- Surprise audits – Internal Audit must do surprise audits in order to be effective, especially where money is involved. The section doesn’t need to get permission from any directorate before proceeding with such an audit, but must immediately afterwards inform the relevant level of management of the outcome.
D. Internal Audits Responsibilities.
The responsibilities of the Internal Audit Activity are derived from this Charter and the Standards for the Professional Practice of Internal Auditing (SPPIA) as determined by the Institute of Internal Auditors (IIA).
Internal auditors have no direct responsibility or any authority over any of the activities or operations that are reviewed. Internal auditors are not allowed to develop and install procedures or engage in activities that would normally be subjected to their reviews.
The existence of internal audit does not diminish the financial and operational responsibilities of the departments for the proper execution and control over their activities, including the responsibilities for the periodic conduct of system appraisals.
The Internal Audit Section:
- Shall undertake audits according to programs approved by the Audit Committee. These programs should be risk-based and developed in consultation with management; and
- Shall have access to all personnel to require from them information and explanations, verbal or written, to fulfil its responsibilities.
Where the Internal Audit Section does not have or possess all the necessary time, skills or experience, external resources or firms may be used, subject to the availability of funds.
E. Reporting responsibilities of Internal Audit and Auditees.
After every engagement if necessary a written report/query will be prepared and issued by the auditors to report and/or to obtain information. The individual who receives the report/query must respond in writing within 30 days thereon. If co-operation is not received during this time, the matter must be referred to the Municipal Manager to resolve the matter or to consider disciplinary action, because an employee shall be guilty of misconduct if he/she is negligent or indolent in the discharge of his duties.
F. The mission of the internal audit activity.
- Review directorates within the municipality at appropriate intervals to determine whether they are efficiently and effectively carrying out their functions of planning, organizing, directing and controlling in accordance with the Council's instructions, policies and procedures.
- Determine the adequacy and effectiveness of the controls encompassing the municipality's governance, operations and information systems.
- Review the reliability and integrity of financial information and the means used to identify, measure and report such information.
- Review the established systems to ensure compliance with those policies, plans, procedures, laws and regulations that could have a significant impact on operations and reports, and determine whether the organisation is in compliance.
- Review the means of safeguarding assets and, as appropriate, verify the existence of such assets.
- Appraise the economy and efficiency with which resources are employed, identify opportunities to improve operating performance and recommend solutions to problems if appropriate.
- Review operations and programs to ascertain whether results are consistent with established objectives and goals and whether the operations or programs are being carried out as planned.
- Coordinate activities with other internal and external providers of assurance and consulting services.
- Participate in the planning, design, development, implementation and operation of major computer-based systems to determine whether:
a) adequate controls are incorporated in the system;
b) thorough system testing is performed at appropriate stages;
c) system documentation is complete and accurate; and
d) the needs of the user organisation are met.
- Review compliance with the Council's guidelines for ethical business conduct and see that the highest standards of personal and Council performance are met.
- Submit annual engagement plans to the Audit Committee for review and approval.
- Provide adequate follow-up to ensure corrective action is taken and that it is effective.
G. Amendments to this Charter.
The Chief Audit Executive (CAE) is responsible for maintaining this Audit Charter in a current state. Amendments to this Charter are subject to approval by Council, after review by the Audit Committee.