1
Part 2 Main features of the internal audit function
• The institutional framework (slides 3 to 18):
1. Legal basis
2. Auditing Standards and Code of ethics
3. Audit charter
4. Audit manual
• The basic methodology for performing the internal audit function (slides 20 to 40)
3
Legal basis
• The position of the audit function in the management shall be defined by law
• In particular the law shall outline the institutional arrangements, define auditors’ authority and competence, and entitle them to have access to any register, document or file
4
Auditing standards and rules of ethics
Internal audit shall be performed
• based on standards, which have usually been set up in accordance with internationally recognised Standards
• and according to rules of ethics.
5
What are standards?
The purpose of Standards is:
• to delineate basic principles that represent the practice as it should be,
• provide a framework for performing and promoting activities,
• establish the basis for measuring performance, and foster improved organizational processes and operations.
6
Internationally Recognised Auditing Standards
The most widely disseminated auditing standards are those issued by the Institute of Internal Auditors (IIA): the «International Standards for the practice of internal audit»
The IIA is a widely recognised standards setter; at the outset created for the private sector, its guidance has been extended to the public sector.
7
Internationally recognised auditing standards
According to the IIA, Auditing Standards consist of:
• Attribute Standards,
• Performance Standards,
• Implementation Standards.
8
Attribute Standards
Attribute Standards address the characteristics of units performing internal audit activities. They mainly cover:
1) independence and objectivity and
2) professional proficiency
9
Attribute Standards
• Independence and objectivity
Internal auditing is an independent and objective assessment: the internal audit unit is not involved in the internal control process which it is required to assess. On the contrary it acts independently from the managerial structure. It directly reports to the head of the entity.
• Professional proficiency
The internal audit activity shall possess or obtain the knowledge and skills needed to perform its responsibilities and apply due professional care.
10
Performance Standards
• Performance Standards describe the nature of internal audit activities and provide quality criteria against which the performance of audit services can be evaluated. They mainly cover:
• scope of work,
• performance of audit work and
• management of the internal audit activity
11
Performance Standards
• Scope of work
• No activity is excluded from the audit scope; any process or operation may be considered for review following the risk assessment; the auditor shall have unrestricted access to all files and documents
12
Performance Standards
• Performance of audit work
• The internal audit carefully examines the risk assessment performed by the management and produces its own risk assessment
• All stages of audit work (planning, testing, reviewing, reporting) shall be performed with due professional care, in accordance with appropriate professional auditing practices, as described in the Audit Manual.
13
Performance Standards
• Management of the internal audit activity
Adequate resources shall be given to the audit units.
Hiring and training an adequate number of auditors shall endeavour to create an audit structure with a critical mass.
14
Implementation Standards
• Implementation Standards apply to specific types of audit engagements
There are multiple sets of Implementation Standards: a set for each of the major types of internal audit activity
15
Code of Ethics
The purpose of the Code of Ethics is to promote an ethical culture in the internal auditing profession.
The IIA has also issued a Code of Ethics. This code contains:
• Principles relevant to the profession and practice of internal auditing,
• Rules of Conduct that describe behaviour expected of internal auditors.
16
Code of ethics
• A code of ethics applies both to the audit entities and to the individuals.
• It defines principles:
1. Integrity
2. Objectivity
3. Confidentiality
4. Competency
• It describes rules for applying these principles
17
Audit charter
The audit charter is approved by the Head of the agency
It addresses:
• Objectives
• Scope
• Authority and responsibility (including provisions on the audit network)
of Internal Audit
It is used as a framework for the relations between the auditor and the audited party
18
Audit manual
The key function of the audit manual is to give practical guidance on good audit practices
• It sets out audit requirements and procedures
• It describes the methodology in accordance with the auditing standards
• It outlines the main issues faced in performing audit
20
The basic methodology for performing the internal audit function
• Organisational features
• Internal audit annual planning
• Internal audit process
• Internal audit reporting, supervision and follow-up
21
Organisational features (1)
Position of the Internal Audit in the organisational structure:
According to the International Standards the internal audit function within an administrative entity is directly placed under the authority of the head of the entity:
• Minister
• Head of the agency
• Head of the regional body
22
Organisational features (2)
Why this position?
To ensure:
• An independent view on the control system
• An assurance given to the head of the entity (the manager)
• A set of recommendations for improving the internal control
• A dialog with the head of the entity
23
Organisational features (3)
• Usually a network is established,
- linking the agencies' auditors to the line Ministry audit unit
- and the line Ministry audit unit to a central body in the Ministry of Finance
(This important point will be addressed later in part 3 of the presentation)
24
The annual audit plan
• The audit unit prepares an annual audit plan, which shall be endorsed by the Head of the Agency
• This plan is established according to the risk assessment performed by the audit unit itself (this assessment may be different from the assessment performed by the management)
• The Head of the Agency may supplement this audit plan. This plan may also be adapted during the year according to circumstances
25
The three main types of internal audit
The three main types of internal audit are:
• Compliance audit: assesses compliance in relation to applicable laws, rules, regulations and also standards and good practices.
• System-based audit: examines the soundness of internal controls put in place by the management.
• Performance audit: assesses the result of management action against the objectives of the management and the resources placed at its disposal
26
The main stages of the internal audit process
• The opening meeting
• The understanding of the business (analysis of the objectives and risks of the management)
• The identification of the internal control process
• The testing, core audit process
• The closing meeting
• The final report
• The follow up of the recommendations
27
The opening meeting
The auditor and the audited party should agree in an opening statement
• on the main features of the internal control system to be audited
• on the risks to be analysed
• on the objectives of the audit
• on the date of the production of the draft report
28
Understanding the internal control system
• The auditor needs to have a comprehensive and pertinent understanding of the business (control environment, control objectives, risks)
• He shall have a thorough insight of the audit trail
• For these purposes he shall develop a good collaboration with the auditee
29
The identification of the internal control system
• No appropriate testing without a preliminary assessment of the audit trail built by the manager
• Who (is responsible for….)
• What (….which operation…)
• Why (…for achieving which objectives …)
• Where (with which risk in mind….)
• How (with which procedures, controls, systems....)
30
Evaluation of controls
1 Risks to the objectives of the system
2 Existing controls
3 Initial evaluation of the controls
4 Testing
5 Final evaluation, including draft recommendations
31
The tests, core process of audit (1)
• A total independence in preparing and performing tests
The auditor
– has free access to
– and performs an independent evaluation of
all files, documents, tables and any kind of information he requests from the management
32
The tests, core process of audit (2)
• A field work (tests), performed in close contact with the management
• A reasonable scope of the tests (commensurate with the nature and importance of the risks) for giving a reasonable assurance.
• A basis for recommendations for improvement of the internal control system
33
Sampling for performing tests
• As it is too costly and time consuming to check all transactions, statistical sampling is a standard method for auditing
• Size of the sample and method of sampling shall be determined according to the nature of risks and various circumstances
• In any sample, it is advisable to include the largest transactions
• In case of risk of fraud, every transaction may be included
34
The closing meeting
A key phase in the audit process; why?
1. The first presentation of all recommendations to the manager in a structured way in the DRAFT REPORT
2. An opportunity for the manager to challenge the conclusions of the auditor
After this meeting the audit team produces its FINAL REPORT
35
The working papers
• Why: because evidence shall be provided to support all findings of the report
They include in particular
• Background documentation
• Audit planning information
• Control analysis
• Testing and audit evidence
36
Audit reporting, supervision and follow-up
• FINAL REPORT includes, with the opinion, recommendations agreed on by the manager (facts from which recommendations are derived and timetable for the implementation of recommendations should also be agreed on)
• It should be a milestone in the road of the management towards a more efficient and effective management
• It is the reference document for the next audit of the same or a similar topic
37
Audit supervision
The auditor (or the team of auditors) performs the audit under his own responsibility
Supervision is needed
• for maintaining the quality of work
• for ensuring that conclusions are relevant and adequately evidenced
38
The follow up of the recommendations
• Management is responsible for ensuring that corrective action is taken
• Plans of implementation and follow up of recommendations are critical for monitoring the implementation of internal audit recommendations
39
Relations with the inspection function in case of fraud
• Fight against fraud is vital for the proper management of public finance
• Various arrangements can take place according to the institutional framework. However some key principles shall be applied:
Next presentation
Challenges and achievements in responding to International Standards: some national experiences and their lessons
41
Relations with the inspection function in case of fraud
1. Auditors help to detect and limit the opportunity for fraud. However they are not well equipped for combating fraud
2. Where they encounter fraud, they must refer to the head of the entity and eventually to the inspection function
3. Relations between the internal audit function and the inspection shall be confident. However they shall be governed by procedural rules considering the specific remit of both functions