
ABC Company

Internal Audit Manual

General Definition of Internal Audit

Internal Audit is a central administrative unit of ABC Company. Internal Audit reports operationally to the Vice President
Finance with dotted line representation to the ABC Company Board of Directors. Internal Audit's coverage and service extend to
all company entities. Internal Audit is also a control which functions by examining and evaluating the adequacy and
effectiveness of other controls throughout ABC Company for managers, the Board of Directors, and external auditors.
Finally, Internal Audit provides assistance to the external auditors in their performance of the annual audits of ABC
Company financial statements.
CHARTER
INTRODUCTION
ABC Company supports Internal Audit as an independent appraisal function to examine and evaluate ABC Company activities as
a service to management and to the Board of Directors.
The mission of Internal Audit is to support managers of ABC Company in the effective discharge of their responsibilities. To this
end, Internal Audit will furnish them with analyses, recommendations, counsel, and information concerning the activities
examined.
ORGANIZATION AND BOARD REPORTING
The Director of Internal Audit shall report to the Vice President Finance with dotted line reporting to the Audit
Committee. The Audit Committee shall have final approval of the hiring, firing, and salary changes for the Director of
Internal Audit.
Annually, the Director of Internal Audit shall submit to the Board of Directors a written report on the internal audit
activity during the preceding fiscal year. The Director shall also make an oral report to the Audit Committee.
The Director of Internal Audit shall make a written report to the Audit Committee whenever there is evidence of defalcations or
other problems exceeding €25,000. In addition, if the circumstances ever warrant such action, the Director of Internal Audit
may circumvent normal ABC Company reporting lines and communicate directly with the Audit Committee.
AUTHORIZATION AND RESPONSIBILITIES
Internal Audit has the authority to audit all parts of ABC Company and shall have full and complete access to any of the
organization's records, physical properties, and personnel relevant to the performance of an audit. Documents and information
given to internal auditors during a periodic review will be handled in the same prudent manner as by those employees
normally accountable for them.
Internal Audit shall have no direct responsibility or authority for any of the activities or operations they review. They should
not develop and install procedures, prepare records, or engage in activities that would normally be reviewed by internal
auditors. Furthermore, an internal audit does not in any way relieve other persons in ABC Company of the
responsibilities assigned to them.
REPORTING RESPONSIBILITIES
A written report shall be prepared and issued by the Director of Internal Audit at the conclusion of every audit. Copies of the
report shall be distributed as appropriate. The manager of the entity receiving the report shall respond within thirty days
and forward a copy of the response to those included on the distribution list. The response shall indicate what actions were taken
regarding specific report findings and recommendations. The manager receiving the report is responsible for ensuring that
progress is made toward correcting any unsatisfactory conditions. Internal Audit is responsible for determining whether the
action taken is adequate to resolve audit findings. If the action is not adequate, Internal Audit shall inform ABC
Company management of the potential risk and exposure in allowing the unsatisfactory conditions to continue.

MISSION OBJECTIVE
Internal Audit's objectives in accomplishing its mission shall include the following:
Determine the accuracy and propriety of financial transactions
Evaluate financial and operational procedures for adequacy of internal controls and provide advice and guidance on control aspects of new policies, systems, processes, and procedures
Verify the existence of ABC Company assets and ensure that proper safeguards are maintained to protect them from loss
Determine the level of compliance with ABC Company policies and procedures, and laws and regulations
Evaluate the accuracy, effectiveness, and efficiency of ABC Company's electronic information and processing systems
Determine the effectiveness and efficiency of the audited entities in accomplishing their mission and identify operational opportunities for cost savings and revenue enhancements
Coordinate audit efforts with, and provide assistance to, the external auditors
Investigate fiscal misconduct
STANDARDS AND ETHICS
In all of its activities, Internal Audit will adhere to Generally Accepted Auditing Standards and the Code of Ethics adopted
by the Institute of Internal Auditors.

MISSION STATEMENT/OBJECTIVES/VALUES
MISSION STATEMENT
Internal Audit exists to support the Board of Directors in the effective discharge of their responsibilities. Using our
knowledge and professional judgement, we will provide an independent appraisal of ABC Company's financial, operational, and
control activities. We will report on the adequacy of internal controls, the accuracy and propriety of transactions, the extent to
which assets are accounted for and safeguarded, and the level of compliance with company policies and government laws
and regulations. Additionally, we will provide analyses, recommendations, counsel, and information concerning the
activities reviewed.

OUR OBJECTIVES IN ACCOMPLISHING OUR MISSION INCLUDE THE FOLLOWING:

Determine the accuracy and propriety of financial transactions
Evaluate financial and operational procedures for adequacy of internal controls and provide advice and guidance on control aspects of new policies, systems, processes, and procedures
Verify the existence of ABC Company assets and ensure that proper safeguards are maintained to protect them from loss
Determine the level of compliance with ABC Company policies and procedures, laws and regulations
Evaluate the accuracy, effectiveness, and efficiency of ABC Company's electronic information and processing systems
Determine the effectiveness and efficiency of audited entities in accomplishing their mission and identify operational opportunities for cost savings and revenue enhancements
Provide assistance and a coordinated audit effort with the external auditors
Investigate fiscal misconduct

VALUES
In carrying out our mission, we share certain beliefs and values.
Our primary focus is to provide excellent service to ABC Company. Our examinations shall be performed in
accordance with applicable Generally Accepted Auditing Standards.
We are committed to the highest degree of fairness, integrity, and ethical conduct in the performance of our
mission. We will adhere to the Code of Ethics as established by the Institute of Internal Auditors. Furthermore, we
will not issue a report without first allowing the recipient the opportunity to review, challenge, question, and respond to
our findings and conclusions.
Our relationships with ABC Company employees will be characterised by respect, helpfulness, sharing, patience, and
openness.
We are committed to maintaining our professionalism as internal auditors through continuance of our education and
training.
Although we are a part of ABC Company we are committed to maintaining our independence in defining the scope
and objectives of our examinations.
GENERALLY ACCEPTED AUDITING STANDARDS
100 INDEPENDENCE
Internal auditors should be independent of the activities they audit.
Internal auditors are independent when they can carry out their work freely and objectively. Independence permits
internal auditors to render the impartial and unbiased judgments essential to the proper conduct of audits. It is achieved
through organizational status and objectivity.
110 ORGANIZATIONAL STATUS
The organizational status of the internal auditing department should be sufficient to permit the accomplishment of its audit
responsibilities.
Internal auditors should have the support of management and of the board of directors so that they can gain the
cooperation of audited entities and perform their work free from interference.
1. The director of the internal auditing department should be responsible to an individual in the organization with sufficient
authority to promote independence and to ensure broad audit coverage, adequate consideration of audit reports, and
appropriate action on audit recommendations.
2. The director should have direct communication with the board. Regular communication with the board helps assure
independence and provides a means for the board and the director to keep each other informed on matters of mutual
interest.
3. Independence is enhanced when the board concurs in the appointment or removal of the director of the internal auditing
department.
4. The purpose, authority, and responsibility of the internal auditing department should be defined in a formal written
document (charter). The director should seek approval of the charter by management as well as acceptance by the
board. The charter should (a) establish the department's position within the organization; (b) authorize access to records,
personnel, and physical properties relevant to the performance of audits; and (c) define the scope of internal auditing
activities.
5. The director of internal auditing should submit annually to management for approval and to the board for its information
a summary of the department's audit work schedule, staffing plan, and financial budget. The director should also
submit all significant interim changes for approval and information. Audit work schedules, staffing plans, and
financial budgets should inform management and the board of the scope of internal auditing work and of any limitations
placed on that scope.
6. The director of internal auditing should submit activity reports to management and to the board annually or
more frequently as necessary. Activity reports should highlight significant audit findings and recommendations and should
inform management and the board of any significant deviations from approved audit work schedules, staffing plans,
and financial budgets, and the reasons for them.
120 OBJECTIVITY
Internal auditors should be objective in performing audits.
Objectivity is an independent mental attitude which internal auditors should maintain in performing audits. Internal
auditors are not to subordinate their judgment on audit matters to that of others.
Objectivity requires internal auditors to perform audits in such a manner that they have an honest belief in their work
product and that no significant quality compromises are made. Internal auditors are not to be placed in situations in
which they feel unable to make objective professional judgments.
1. Staff assignments should be made so that potential and actual conflicts of interest and bias are avoided. The
director should periodically obtain from the audit staff information concerning potential conflicts of interest
and bias.
2. Internal auditors should report to the director any situations in which a conflict of interest or bias is present or
may reasonably be inferred. The director should then reassign such auditors.
3. Staff assignments of internal auditors should be rotated periodically whenever it is practicable to do so.
4. Internal auditors should not assume operating responsibilities. But if on occasion management directs internal
auditors to perform non-audit work, it should be understood that they are not functioning as internal auditors.
Moreover, objectivity is presumed to be impaired when internal auditors audit any activity for which they had
authority or responsibility. This impairment should be considered when reporting audit results.
5. Persons transferred to or temporarily engaged by the internal auditing department should not be assigned to audit
those activities they previously performed until a reasonable period of time has elapsed. Such assignments are
presumed to impair objectivity and should be considered when supervising the audit work and reporting
audit results.
6. The results of internal auditing work should be reviewed before the related audit report is released to provide
reasonable assurance that the work was performed objectively.
The internal auditor's objectivity is not adversely affected when the auditor recommends standards of control for systems
or reviews procedures before they are implemented. Designing, installing, and operating systems are not audit functions.
Also, the drafting of procedures for systems is not an audit function. Performing such activities is presumed
to impair audit objectivity.
200 PROFESSIONAL PROFICIENCY
Internal audits should be performed with proficiency and due professional care.
Professional proficiency is the responsibility of the internal auditing department and each internal
auditor. The department should assign to each audit those persons who collectively possess
the necessary knowledge, skills, and disciplines to conduct the audit properly.
210 STAFFING
The internal auditing department should provide assurance that the technical proficiency and educational background of
internal auditors are appropriate for the audits to be performed.
The director of internal auditing should establish suitable criteria of education and experience for filling internal
auditing positions, giving due consideration to scope of work and level of responsibility.
Reasonable assurance should be obtained as to each prospective auditor's qualifications and proficiency.

220 KNOWLEDGE, SKILLS, AND DISCIPLINES
The internal auditing department should possess or should obtain the knowledge, skills, and disciplines needed to carry out its
audit responsibilities.
The internal auditing staff should collectively possess the knowledge and skills essential to the practice of the
profession within the organization. These attributes include proficiency in applying internal auditing standards,
procedures, and techniques.
The internal auditing department should have employees or use consultants who are qualified in such disciplines as
accounting, economics, finance, statistics, electronic data processing, engineering, taxation, and law as needed to meet
audit responsibilities. Each member of the department, however, need not be qualified in all of these disciplines.
230 SUPERVISION
The internal auditing department should provide assurance that internal audits are properly supervised.
The director of internal auditing is responsible for providing appropriate audit supervision. Supervision is a continuing
process, beginning with planning and ending with the conclusion of the audit assignment.
Supervision includes:
1. Providing suitable instructions to subordinates at the outset of the audit and approving the audit program.
2. Seeing that the approved audit program is carried out unless deviations are both justified and authorized.
3. Determining that audit working papers adequately support the audit findings, conclusions, and reports.
4. Making sure that audit reports are accurate, objective, clear, concise, constructive, and timely.
5. Determining that audit objectives are being met.
Appropriate evidence of supervision should be documented and retained.
The extent of supervision required will depend on the proficiency of the internal auditors and the difficulty of the audit
assignment.
All internal auditing assignments, whether performed by or for the internal auditing department, remain the
responsibility of its director.

240 COMPLIANCE WITH STANDARDS OF CONDUCT
Internal auditors should comply with professional standards of conduct.
The Code of Ethics of The Institute of Internal Auditors sets forth standards of conduct and provides a basis for
enforcement among its members. The Code calls for high standards of honesty, objectivity, diligence, and loyalty to
which internal auditors should conform.
250 KNOWLEDGE, SKILLS, AND DISCIPLINES
Internal auditors should possess the knowledge, skills, and disciplines essential to the performance of internal audits.
Each internal auditor should possess certain knowledge and skills as follows:
1. Proficiency in applying internal auditing standards, procedures, and techniques is required in
performing internal audits. Proficiency means the ability to apply knowledge to situations likely to be
encountered and to deal with them without extensive recourse to technical research and assistance.
2. Proficiency in accounting principles and techniques is required of auditors who work extensively with
financial records and reports.
3. An understanding of management principles is required to recognize and evaluate the materiality and
significance of deviations from good business practice. An understanding means the ability to apply broad
knowledge to situations likely to be encountered, to recognize significant deviations, and to be able to carry out
the research necessary to arrive at reasonable solutions.
4. An appreciation is required of the fundamentals of such subjects as accounting, economics, commercial
law, taxation, finance, quantitative methods, and computerized information systems. An appreciation means
the ability to recognize the existence of problems or potential problems and to determine the further research
to be undertaken or the assistance to be obtained.

260 HUMAN RELATIONS AND COMMUNICATIONS
Internal auditors should be skilled in dealing with people and in communicating effectively.
Internal auditors should understand human relations and maintain satisfactory relationships with audited entities.
Internal auditors should be skilled in oral and written communications so that they can clearly and
effectively convey such matters as audit objectives, evaluations, conclusions, and recommendations.
270 CONTINUING EDUCATION
Internal auditors should maintain their technical competence through continuing education.
Internal auditors are responsible for continuing their education in order to maintain their proficiency. They should keep
informed about improvements and current developments in internal auditing standards, procedures, and techniques.
Continuing education may be obtained through membership and participation in professional societies; attendance at
conferences, seminars, college courses, and in-house training programs; and participation in research projects.
280 DUE PROFESSIONAL CARE
Internal auditors should exercise due professional care in performing internal audits.
Due professional care calls for the application of the care and skill expected of a reasonably prudent and competent
internal auditor in the same or similar circumstances. Professional care should, therefore, be appropriate to the
complexities of the audit being performed. In exercising due professional care, internal auditors should be alert to the
possibility of intentional wrongdoing, errors and omissions, inefficiency, waste, ineffectiveness, and conflicts of
interest. They should also be alert to those conditions and activities where irregularities are most likely to occur. In
addition, they should identify inadequate controls and recommend improvements to promote compliance with acceptable
procedures and practices.
Due care implies reasonable care and competence, not infallibility or extraordinary performance. Due care requires the
auditor to conduct examinations and verifications to a reasonable extent, but does not require detailed audits of all
transactions. Accordingly, the internal auditor cannot give absolute assurance that non-compliance or irregularities do
not exist. Nevertheless, the possibility of material irregularities or non-compliance should be considered whenever the
internal auditor undertakes an internal auditing assignment.
When an internal auditor suspects wrongdoing, the appropriate authorities within the organization should be
informed. The internal auditor may recommend whatever investigation is considered necessary in the
circumstances. Thereafter, the auditor should follow up to see that the internal auditing department's
responsibilities have been met.
Exercising due professional care means using reasonable audit skill and judgment in performing the audit. To this end,
the internal auditor should consider:
1. The extent of audit work needed to achieve audit objectives
2. The relative materiality or significance of matters to which audit procedures are applied
3. The adequacy and effectiveness of internal controls
4. The cost of auditing in relation to potential benefits
5. Due professional care includes evaluating established operating standards and determining whether those
standards are acceptable and are being met. When such standards are vague, authoritative interpretations should
be sought. If internal auditors are required to interpret or select operating standards, they should seek
agreement with audited entities as to the standards needed to measure operating performance.

300 SCOPE OF WORK
The scope of the internal audit should encompass the examination and evaluation of the adequacy and effectiveness of
the organization's system of internal control and the quality of performance in carrying out assigned responsibilities.
The scope of internal auditing work, as specified in this standard, encompasses what audit work should be performed.
It is recognized, however, that management and the board of directors provide general direction as to the scope of
work and the activities to be audited.
The purpose of the review for adequacy of the system of internal control is to ascertain whether the system established
provides reasonable assurance that the organization's objectives and goals will be met efficiently and economically.
The purpose of the review for effectiveness of the system of internal control is to ascertain whether the system is
functioning as intended.
The purpose of the review for quality of performance is to ascertain whether the organization's objectives and goals
have been achieved.
The primary objectives of internal control are to ensure:
1. The reliability and integrity of information.
2. Compliance with policies, plans, procedures, laws, and regulations.
3. The safeguarding of assets.
4. The economical and efficient use of resources.
5. The accomplishment of established objectives and goals for operations or programs.
310 RELIABILITY AND INTEGRITY OF INFORMATION
Internal auditors should review the reliability and integrity of financial and operating information and the means
used to identify, measure, classify, and report such information.
Information systems provide data for decision making, control, and compliance with external requirements. Therefore,
internal auditors should examine information systems and, as appropriate, ascertain whether:
1. Financial and operating records and reports contain accurate, reliable, timely, complete, and useful
information.
2. Controls over record keeping and reporting are adequate and effective.
320 COMPLIANCE WITH POLICIES, PLANS, PROCEDURES, LAWS, AND REGULATIONS
Internal auditors should review the systems established to ensure compliance with those policies, plans, procedures, laws and
regulations which could have a significant impact on operations and reports, and should determine whether the organization is
in compliance.
Management is responsible for establishing the systems designed to ensure compliance with such requirements as
policies, plans, procedures, and applicable laws and regulations. Internal auditors are responsible for
determining whether the systems are adequate and effective and whether the activities audited are complying with the
appropriate requirements.
330 SAFEGUARDING OF ASSETS
Internal auditors should review the means of safeguarding assets and, as appropriate, verify the existence of such assets.
Internal auditors should review the means used to safeguard assets from various types of losses such as those resulting
from theft, fire, improper or illegal activities, and exposure to the elements.
Internal auditors, when verifying the existence of assets, should use appropriate audit procedures.

340 ECONOMICAL AND EFFICIENT USE OF RESOURCES
Internal auditors should appraise the economy and efficiency with which resources are employed.
Management is responsible for setting operating standards to measure an activity's economical and efficient use of
resources. Internal auditors are responsible for determining whether:
1. Operating standards have been established for measuring economy and efficiency.
2. Established operating standards are understood and are being met.
3. Deviations from operating standards are identified, analysed, and communicated to those responsible for
corrective action.
4. Corrective action has been taken.
Audits related to the economical and efficient use of resources should identify such conditions as:
1. Underutilised facilities.
2. Non-productive work.
3. Procedures which are not cost justified.
4. Overstaffing or understaffing.
350 ACCOMPLISHMENT OF ESTABLISHED OBJECTIVES AND GOALS FOR OPERATIONS OR PROGRAMS
Internal auditors should review operations or programs to ascertain whether results are consistent with established
objectives and goals and whether the operations or programs are being carried out as planned.
Management is responsible for establishing operating or program objectives and goals, developing and
implementing control procedures, and accomplishing desired operating or program results. Internal
auditors should ascertain whether such objectives and goals conform to those of the organization and whether they are being
met.
Internal auditors can provide assistance to managers who are developing objectives, goals, and systems by determining
whether the underlying assumptions are appropriate; whether accurate, current, and relevant information is being
used; and whether suitable controls have been incorporated into the operations or programs.
400 PERFORMANCE OF AUDIT WORK
Audit work should include planning the audit, examining and evaluating information, communicating results and following up.
The internal auditor is responsible for planning and conducting the audit assignment, subject to
supervisory review and approval.
410 PLANNING THE AUDIT
Internal auditors should plan each audit.
Planning should be documented and should include:
1. Establishing audit objectives and scope of work.
2. Obtaining background information about the activities to be audited.
3. Determining the resources necessary to perform the audit.
4. Communicating with all who need to know about the audit.
5. Performing, as appropriate, an on-site survey to become familiar with the activities and controls to be audited,
to identify areas for audit emphasis, and to invite audited entity comments and suggestions.
6. Writing the audit program.
7. Determining how, when, and to whom audit results will be communicated.
8. Obtaining approval of the audit work plan.

420 EXAMINING AND EVALUATING INFORMATION
Internal auditors should collect, analyse, interpret, and document information to support audit results.
The process of examining and evaluating information is as follows:
1. Information should be collected on all matters related to the audit objectives and scope of work.
2. Information should be sufficient, competent, relevant, and useful to provide a sound basis for audit
findings and recommendations. Sufficient information is factual, adequate, and convincing so that a prudent,
informed person would reach the same conclusions as the auditor. Competent information is reliable and the
best attainable through the use of appropriate audit techniques. Relevant information supports audit findings
and recommendations and is consistent with the objectives for the audit. Useful information helps the
organization meet its goals.
3. Audit procedures, including the testing and sampling techniques employed, should be selected in advance,
where practicable, and expanded or altered if circumstances warrant.
4. The process of collecting, analysing, interpreting, and documenting information should be supervised to
provide reasonable assurance that the auditor's objectivity is maintained and that audit goals are met.
5. Working papers that document the audit should be prepared by the auditor and reviewed by management of the
internal auditing department. These papers should record the information obtained and the analyses made and
should support the bases for the findings and recommendations to be reported.
430 COMMUNICATING RESULTS
Internal auditors should report the results of their audit work.
A signed, written report should be issued after the audit examination is completed. Interim reports may be written or
oral and may be transmitted formally or informally.
The internal auditor should discuss conclusions and recommendations at appropriate levels of management before
issuing final written reports.
Reports should be objective, clear, concise, constructive, and timely.
Reports should present the purpose, scope, and results of the audit; and, where appropriate, reports should contain an
expression of the auditor's opinion.
Reports may include recommendations for potential improvements and acknowledge satisfactory performance and
corrective action.
The audited entity's views about audit conclusions or recommendations may be included in the audit report.
The director of internal auditing or designee should review and approve the final audit report before
issuance and should decide to whom the report will be distributed.
440 FOLLOWING UP
Internal auditors should follow up to ascertain that appropriate action is taken on reported audit findings.
Internal auditing should determine that corrective action was taken and is achieving the desired results, or that
management or the board has assumed the risk of not taking corrective action on reported findings.
500 MANAGEMENT OF THE INTERNAL AUDITING DEPARTMENT
The director of internal auditing should properly manage the internal auditing department.
The director of internal auditing is responsible for properly managing the department so that:
1. Audit work fulfils the general purposes and responsibilities approved by management and accepted by the
board.
2. Resources of the internal auditing department are efficiently and effectively employed.
3. Audit work conforms to Generally Accepted Auditing Standards.
510 PURPOSE, AUTHORITY, AND RESPONSIBILITY
The director of internal auditing should have a statement of purpose, authority, and responsibility for the internal auditing
department.
The director of internal auditing is responsible for seeking the approval of management and the acceptance by the
board of a formal written document (charter) for the internal auditing department.
520 PLANNING
The director of internal auditing should establish plans to carry out the responsibilities of the internal auditing department.
These plans should be consistent with the internal auditing department's charter and with the goals of the organization.
The planning process involves establishing:
1. Goals.
2. Audit work schedules.
3. Staffing plans and financial budgets.
4. Activity reports.
The goals of the internal auditing department should be capable of being accomplished within specified operating plans
and budgets and, to the extent possible, should be measurable. They should be accompanied by measurement criteria
and targeted dates of accomplishment.
Audit work schedules should include (a) what activities are to be audited; (b) when they will be audited; and (c) the
estimated time required, taking into account the scope of the audit work planned and the nature and extent of audit
work performed by others. Matters to be considered in establishing audit work schedule priorities should include (a)
the date and results of the last audit; (b) financial exposure; (c) potential loss and risk; (d) requests by management; (e)
major changes in operations, programs, systems, and controls; (f) opportunities to achieve operating benefits; and (g)
changes to and capabilities of the audit staff. The work schedules should be sufficiently flexible to cover unanticipated
demands on the internal auditing department.
Staffing plans and financial budgets, including the number of auditors and the knowledge, skills, and disciplines
required to perform their work, should be determined from audit work schedules, administrative activities, education
and training requirements, and audit research and development efforts.
Activity reports should be submitted periodically to management and to the board. These reports should compare (a)
performance with the department's goals and audit work schedules and (b) expenditures with financial
budgets. They should explain the reasons for major variances and indicate any action taken or needed.
530 POLICIES AND PROCEDURES
The director of internal auditing should provide written policies and procedures to guide the audit staff.
The form and content of written policies and procedures should be appropriate to the size and structure of the internal
auditing department and the complexity of its work. Formal administrative and technical audit manuals may not be
needed by all internal auditing departments. A small internal auditing department may be managed informally. Its
audit staff may be directed and controlled through daily, close
supervision and written memoranda. In a large internal auditing department, more formal and
comprehensive policies and procedures are essential to guide the audit staff in the consistent compliance with the
department's standards of performance.
540 PERSONNEL MANAGEMENT AND DEVELOPMENT
The director of internal auditing should establish a program for selecting and developing the human resources of the
internal auditing department.
The program should provide for:
1. Developing written job descriptions for each level of the audit staff.
2. Selecting qualified and competent individuals.
3. Training and providing continuing educational opportunities for each internal auditor.
4. Appraising each internal auditor's performance at least annually.
5. Providing counsel to internal auditors on their performance and professional development.

550 EXTERNAL AUDITORS
The director of internal auditing should coordinate internal and external audit efforts.

The internal and external audit work should be coordinated to ensure adequate audit coverage and to minimise
duplicate efforts.
Coordination of audit efforts involves:
1. Periodic meetings to discuss matters of mutual interest.
2. Access to each other's audit programs and working papers.
3. Exchange of audit reports and management letters.
4. Common understanding of audit techniques, methods, and terminology.
560 QUALITY ASSURANCE
The director of internal auditing should establish and maintain a quality assurance program to evaluate the operations of the
internal auditing department.
The purpose of this program is to provide reasonable assurance that audit work conforms to these Standards, the internal
auditing department's charter, and other applicable standards. A quality assurance program should include the following
elements:
1. Supervision.
2. Internal reviews.
3. External reviews.
Supervision of the work of the internal auditors should be carried out continually to assure conformance with
internal auditing standards, departmental policies, and audit programs.
Internal reviews should be performed periodically by members of the internal auditing staff to appraise
the quality of the audit work performed. These reviews should be performed in the same manner as
any other internal audit.
External reviews of the internal auditing department should be performed to appraise the quality of the department's
operations. These reviews should be performed by qualified persons who are independent of the organization and who
do not have either a real or an apparent conflict of interest. Such reviews should be conducted at least once every three
years. On completion of the review, a formal, written report should be issued. The report should express an opinion as
to the department's compliance with the Generally Accepted Auditing Standards and, as appropriate, should include
recommendations for improvement.

CODE OF ETHICS
STANDARDS OF CONDUCT
1. Internal auditors shall exercise honesty, objectivity, and diligence in the performance of their duties and responsibilities.
2. Internal auditors shall exhibit loyalty in all matters pertaining to the affairs of ABC Company or to whomever
they may be rendering a service. However, internal auditors shall not knowingly be a party to any illegal or improper
activity.
3. Internal auditors shall not knowingly engage in acts or activities which are discreditable to the profession of internal
auditing or to ABC Company.
4. Internal auditors shall refrain from entering into any activity which may be in conflict with the interest of ABC
Company or which would prejudice their ability to carry out objectively their duties and responsibilities.
5. Internal auditors shall not accept anything of value from an employee, client, customer, supplier, or business associate of
ABC Company which would impair or be presumed to impair their professional judgment.
6. Internal auditors shall undertake only those services which they can reasonably expect to complete with
professional competence.
7. Internal auditors shall adopt suitable means to comply with Generally Accepted Auditing Standards.
8. Internal auditors shall be prudent in the use of information acquired in the course of their duties. They shall not use
confidential information for any personal gain nor in any manner which would be contrary to law or detrimental to the
welfare of ABC Company.
9. Internal auditors, when reporting on the results of their work, shall reveal all material facts known to them which, if not
revealed, could either distort reports of operations under review or conceal unlawful practices.
10. Internal auditors shall continually strive for improvement in their proficiency, and in the effectiveness and quality of their
service.
11. Internal auditors, in the practice of their profession, shall be ever mindful of their obligation to maintain high
standards of competence, morality and dignity.
INDEPENDENCE/OBJECTIVITY/CONFIDENTIALITY/CONDUCT
INDEPENDENCE/OBJECTIVITY
To be effective in performing audits the internal audit staff must be independent and objective both in actuality and
perception. We maintain our independence by our organizational position
(including reporting line to the Board) and our Board approved AUTHORIZATION AND RESPONSIBILITIES (see
CHARTER).
In order to maintain objectivity, auditors shall immediately inform the Director of Auditing of any factors that may be perceived as
impairing their objectivity on an assigned audit. Also, auditors will take great care to prevent even a perception of
partiality by maintaining a professional distance from the staff of an audited entity while performing an audit. Questions
concerning any relationships with audited entities or potential audited entities (i.e., preparing tax returns, attending parties, etc.)
should be brought to the attention of the Internal Audit Department. Finally, auditors will not accept anything of value from
an employee, supplier, or business associate of ABC Company which would impair or be perceived to impair their professional
judgement or objectivity. Any gifts accepted will be immediately reported to the Internal Audit Department.
CONFIDENTIALITY
Much of the information available to internal auditors is of a sensitive or confidential nature. Auditors should be prudent in their
use of information acquired in the course of their duties or information which is available to them. They will not discuss
any matters pertaining to the audits performed by the departments in other than an official manner.
Auditors shall not use confidential information for any personal gain or in a manner which would be detrimental to ABC
Company or any employee of ABC Company. (See the Code of Ethics).
Auditors will take adequate measures to prevent the unauthorized release of confidential materials or information in
any medium including paper copies, microfiche, or computer files. Such materials should be adequately secured from theft,
reproduction, or casual observation.

Confidential materials include any information (except public information) associated with employee names,
social security numbers, or identification numbers. Examples of confidential information include, but are not limited to the
following:
1. Employee medical or psychological records.
2. Employee benefit or payroll information.
3. Any information which could cause ABC Company embarrassment or liability.
CONDUCT
The following guidelines are established regarding personal conduct and the confidentiality of audit or business
information acquired through audit assignments.
As a member of the Internal Audit staff, you are representing the highest level of management. Conduct yourself in a manner that
reflects favourably upon yourself and those you represent. You are expected to exercise professional skill, integrity, maturity of
behaviour, and tact in your relations with others. In general, you are encouraged to be friendly with all ABC Company employees
without affecting your objectivity. You should guard against any conduct or mannerisms which permit an impression that
you consider yourself an "expert" sent to check on employees. As far as possible, take the position of an
independent/objective analyst and advisor. Avoid the
image of policing.
In the course of your assignments, you will be in contact with personnel at all levels of authority and position. At all
times, independence in mental attitude is to be maintained. Reports resulting from your efforts should always contain full and
unbiased disclosure of all but minor audit findings. Although you report to the Internal Audit Department, you have
responsibilities to both management and the personnel being audited.
Much of your work is confidential; therefore, be discreet on and off the job in discussing current or past audits or your
personal assessments of audited entities. Judgment should be exercised in the security of audit working papers, programs,
records, and information at all times.
Never indiscreetly discuss any information you obtain during audits. Avoid extremes of dress or personal grooming.

AUDIT PROCESS
PLANNING
The assessment of audit risk is an integral part of our planning process. The audit planning process encompasses all activities
related to the development of the internal audit plan and schedule and the determination of the audit scope and objectives,
timing, design of detailed procedures, and audit resource planning for the individual auditable entities. The primary objective of
the audit planning process is to design our audit approach to ensure that audits are performed in the most effective and efficient
manner. In undertaking this process we attempted the following:
Define the potential audit universe at ABC Company
Define factors to be used in assessing risk
Quantify the potential risk associated with each of the defined audit areas
Schedule audits and allocate Internal Audit resources according to the priorities established and the current level and expertise of internal auditors
PLANNING - RESEARCH, SCHEDULING, AND AUDITS
Internal Audit's scheduling process begins with requests for audit services (requests, or suggestions, come from several sources).
One obvious source is our own Internal Audit staff. Our in-depth knowledge of ABC Company gives us a unique perspective
on the types of projects in which we can reduce ABC Company's risk. Hence, some of our projects originate in our own group
or as a result of the annual audit of ABC Company as a whole, which is conducted by the external auditors.
Several factors influence the selection and scheduling of projects: the degree of risk or exposure to loss; type of audit; current
and planned work in other major audit projects requiring substantial time commitments of Internal Audit staff; the availability of
staff in entities selected for review; and the availability of Internal Audit staff with the appropriate skills.

An analysis will be performed annually in order to quantify risk and schedule audits. This analysis will combine
factual information and Internal Audit Department's judgment in the selection, ranking, and weighing of the various audit risk
factors. It should be emphasised that the final determination as to which areas should be included in the audit plan cannot
be based solely on the results of this audit risk assessment. Rather, the performance of the assessment is a tool for use
by Internal Audit Department.

Types of Audits
1. AUDIT
Operational - Refers to a comprehensive examination of an entity to evaluate its performance, as
measured by management's objectives. An operational audit focuses on the efficiency, effectiveness, and economy of
operations.
Financial - Determine the accuracy and propriety of financial transactions.
Compliance - The objective of these audits is to determine whether, and to what degree, an audited entity conforms to
certain specific requirements of policy, procedures, standards, or laws and regulations. The auditor must know
precisely what policies, procedures, standards, etc. are required. Usually, compliance audits require little
preliminary survey work or review of internal controls, except to outline precisely what requirements are being
audited. The audit focuses almost exclusively upon detailed testing of conditions.
Asset Verification - An independent appraisal of ABC Company operations is provided through the verification of
accountability, physical safeguards, and valid use of ABC Company assets. This is often performed in conjunction with
an audit.
2. LOSS
Loss/fraud investigations - Conducted to determine existing control weaknesses, assist ABC Company Risk
Management in determining the amount of the loss/fraud, and assist the audited entity by recommending corrective
measures to prevent subsequent recurrences. Investigation of allegations may also be conducted.
3. INFORMATION SYSTEMS AUDIT
The primary mission of the Information Systems audit function of Internal Audit is to support the internal audit
function in the evaluation of the accuracy, effectiveness, and efficiency of ABC Company's electronic and information
processing systems which are in production or under development.
4. MISCELLANEOUS
Consultant Services - Information, encouragement, and review will be provided on issues concerning ABC
Company policies, procedures, and internal controls. With the addition of an information systems audit function
consultation services are expanded to include:
1. Assistance on evaluation of backup procedures and contingency planning
2. Assistance on whether a defined architecture has proper controls
3. Information on computer controls
4. Assistance on implementation of internal financial system
Computer System Design and Enhancement - Internal Audit actively participates in the development of new systems
or enhancements to current systems to promote the design of adequate internal controls prior to implementation and
reduce the need for corrective measures at a later date.
Other Departmental Duties - Such as organising the annual retreat, preparing the annual report, etc., as
assigned by the Director.
5. ADMINISTRATIVE REVIEWS
Pre-approved programs are used to audit accuracy and propriety of expenditures and payroll transactions.
Income will be audited if the amount is material. These reviews may also include asset confirmations.
6. FOLLOW-UP REVIEW
Follow-up reviews are performed to appraise management of post audit actions and provide assurance that
implemented changes adequately resolved audit findings. These reviews also ensure that upper management has
been properly notified of ABC Company exposure related to unresolved audit findings.

7. CASH COUNT
A cash count is performed to determine custodial fund accountability which may include one or more of the following
types of funds: petty cash fund, change fund, or revolving fund. A pre-approved cash count audit program is used for this
type of audit.
Audit Assignment
All audits/tasks will be authorized by the Internal Audit Department using an audit assignment sheet. The objective of this process
is to assure that work is performed on only authorized activity. This form will provide sufficient information on the audit/task
scope, objectives, and resource restrictions (allocated hours, expected completion date) so the assigned auditor(s)
will have a clear understanding of Internal Audit Department's expectations for their particular assignment.
Definition of Terms on the Assignment Sheet
Task Number: A five digit number used to identify the project
Type: The type of project indicated on the assignment form:
o A = audit;
o L = loss;
o C = cash count;
o F = follow-up;
o M = miscellaneous;
o T = continuing education - no trackable hours;
o E = continuing education;
o D = information systems audit;
o X = task cancelled;
o R = administrative review.
Location of audit:
o BRU = Brussels;
o PAR = Paris;
o BLN = Berlin;
Title of Project: A short description of the project
Assignment Date: Beginning date that hours can be charged to the project
Allocated Hours: Time budgeted for this project. Any deviation from these hours must be approved by the Internal Audit
Department
Expected Completion Date: The date the report is expected to be issued in final
Assigned Staff: Names of the Reviewer, Project Manager, Assigned Staff, Project Consultant, Participant, Instructor,
and Non-active staff should be listed on assignment sheet with project hours that are assigned to each
Scope & Objectives: A short description of the scope and objectives that will be covered
Fiscal Year: Fiscal year to be audited

Scope and Objectives
The scope section shall define the limitations of the audit/task assignment. The scope will generally include
a time period, and what records, processes, funds, transactions, policies, controls, etc., we shall be reviewing. Scope
limitations that very narrowly restrict audit work should be mentioned in the audit report. (Example: We did not test
actual expenditure transactions.)

The objectives will explain what the audit is trying to accomplish. Audit objectives will generally include one or
more of the following:
1. Determine the accuracy and propriety of financial transactions;
2. Evaluate financial and operational procedures for adequacy of internal controls and provide advice and
guidance on control aspects of new policies, systems, processes, and procedures;
3. Verify the existence of ABC Company assets and ensure that proper safeguards are maintained to protect
them from loss;
4. Determine the level of compliance with ABC Company policies and procedures, laws and regulations;
5. Evaluate the accuracy, effectiveness, and efficiency of ABC Company's electronic information
and processing systems;
6. Determine the effectiveness and efficiency of audited entities in accomplishing their mission and
identify operational opportunities for cost savings and revenue enhancements;
7. Provide assistance and a coordinated audit effort with the external auditors;
8. Determine if a loss occurred, if so the amount of the loss and circumstances (control weaknesses) that
contributed to it.
Duties/Responsibilities
INTERNAL AUDIT DEPARTMENT
o Internal Audit Department, the Director and Associate Director of Internal Auditing,
will be responsible for ensuring that audit resources are efficiently and effectively employed and that
the audit work performed fulfils the mission of the department.
AUDIT MANAGER
o The auditor in charge of the task will normally be an audit manager and will have the
following duties and responsibilities:
1. Attend entrance and exit interviews
2. Discuss, direct, advise, etc., the assigned auditors during the course of the assignment
including writing the report
3. Will be responsible for assuring the audit program steps accomplish the
objectives, address major risk and exposures, and reasonably assure the completion of the
assignment within allocated resources. Final approval of the audit program will be done
by Internal Audit Department
4. Review, edit, and approve the draft report
5. Assure the audit is performed according to department standards, staying within the scope
and resource allocation limits (hours and dates), and meet stated assigned objectives.

ASSIGNED AUDITOR(S)

o Assigned auditor(s) will be responsible for performing the audit and will have the following
duties and responsibilities:
1. Perform the preliminary review, including the internal control evaluation, with guidance
from the Audit Manager
2. After discussions with the Audit Manager, prepare an audit program and time estimate for
each program section
3. Perform all assigned activities in conformance with department standards, staying within the
scope and resource allocation limits of the assigned activity or program section
4. Write the draft audit report
o An assigned auditor who is also the Audit Manager of the project will have the additional
duties of Audit Manager.
REVIEWER
o All working papers should be independently reviewed to ensure there is sufficient evidence to
support conclusions and that all audit objectives have been met. A detailed review will be
conducted by the Audit Manager for assigned staff's working papers and a less
comprehensive review will be conducted by department administration or an assigned staff person.
Initialling working papers (see "review/approval form"), signing the "review/approval form," and
filing "cleared" review notes in the current working papers will serve as documentation of
the review process.
o The reviewer should:
1. Determine working papers' compliance to the department working paper standards;
2. Review from audit program steps to the referenced working papers ensuring cross-referencing
is proper, the working papers support the steps performed, and all steps have
been completed;
3. Review working papers from the report(s) to the Digest of Significant Findings to the
working paper summaries to the detailed working papers to ensure that all findings are
stated adequately and documented and support the opinions, findings,
and recommendations stated in the report;
4. Ensure that working papers "stand alone" in that they clearly state what work was
performed, how and from where samples were selected, the purpose of the working
paper, what findings were made, etc.
5. Document review comments on review notes form;
6. After all audit review notes have been resolved, sign off on working paper section of final
working paper/report approval form;
7. Determine report(s) compliance with the department report standards;
8. Sign off on report(s) section of final working paper/report approval form;
9. Determine Permanent Audit File's compliance with department standards.
PROJECT CONSULTANT
o The project consultant's primary duties and responsibilities are to advise and provide guidance to the
assigned auditors. The project consultant does not take an active role in the project, but will be on
call to answer questions or volunteer suggestions as applicable.

REPORT REVIEWER
o The Report Reviewer's primary responsibility is to provide a final independent review of audit
reports to help ensure that proper grammar, spelling, and format have been used. The Report
Reviewer will also perform or supervise the:
1. Print revised draft copies for Director's approval
2. Print final report copy for auditors and director signature
3. Mail final report copy
4. Filing of electronic copy on LAN
5. Update Working Papers files: mark complete, recommendation categories, mark complete,
create follow-up when necessary, etc.
6. Mailing feedback questionnaire
7. Updating feedback spreadsheet when feedback received
8. Adding response to electronic copy of report and filing paper copy with final report
9. Creating follow-up working papers, trustee report, electronic copy of report on LAN, etc.
10. Updating Director's report

Announcement Letter
The audited entity shall be informed of the audit project through an announcement letter from the Internal Audit
Director. However, Internal Audit will not provide advance notifications for cash counts and
fraud investigations. Additionally, Internal Audit may not send an announcement letter for requested consulting services.
The announcement letter shall communicate the scope and objectives of the audit, the period covered, and the auditor(s)
assigned to the project. Internal Audit's mission statement shall also be enclosed for the audited entity's information.
Preliminary Review
The objective of the Preliminary Review is to gain sufficient knowledge of the entity being reviewed so the auditor can design
an audit program to accomplish the assigned objectives. The review will help the auditor to determine if the assigned objectives
are attainable with the allocated resources and what audit procedures should be performed, based on assessed risks and
exposures, to achieve the objectives.
The preliminary review work can be broken down into four distinct phases:
1. Familiarization
2. Identification of potential problem areas
3. Evaluation of internal controls
4. Planning the detailed audit
One of the problems in performing an effective preliminary review is the failure to complete all phases of the
review before preparing the formal audit program and beginning the fieldwork.
Initial Research (Familiarization)
Before meeting with the audited entity, the assigned auditor(s) shall obtain a basic understanding of the operation or
system under review. This review will normally include:
Review of Permanent Audit File (if one exists)
Review of Previous Audit Working Papers, Reports, Management letters (if available)
Review of department financial statements (transactions) including historical trends if available
Review of department organization and staffing (payroll/personnel listing)
Review of department equipment listing
Consultations with other auditors that have been involved in similar audits or are familiar with this department, related ANAEL files, systems, etc.
Review department focus
Review department's mission statement, organization chart and other information requested in the "announcement letter"
Review and research for applicable laws, regulations, and departmental policies and procedures
Conduct the initial meeting with audited entity
Identification of Potential Problem Areas
An objective of the preliminary review is the identification of potential problem areas. One of the first steps in
determining problem areas is to identify those programs, activities, and functions which are significant.
These can be identified as those programs or activities:
Which are susceptible to fraud, abuse, or mismanagement
In which there is a large volume of transactions or large investments in assets which are subject to loss if not carefully controlled
About which concerns have been expressed by management
In which prior audits have disclosed major weaknesses or deficiencies
This phase of the preliminary review should identify the significant activities of the area and what inherent risks
exist. Once these activities and risks have been identified, the next step is to evaluate controls.

The auditor is responsible for determining how much reliance can be placed on the entity's controls to protect its assets, assure
accurate information, assure compliance with applicable laws and regulations, promote efficiency and economy, and
produce effective results.
A complete review of all controls is not always necessary because some controls may be irrelevant to basic issues which are the
subject of the audit effort. Therefore, the auditor must identify those controls which are the most important and critical to the
operation and concentrate on them. Some controls which can normally be identified as critical are those which are designed to
protect against:
Substantial financial losses
Program violations
Mismanagement
Legal violations
Adverse publicity
Lack of program or mission accomplishment
The auditor's evaluation should include identification of areas in which essential controls appear to be weak,
non-functioning, or missing.
Vast amounts of data are stored electronically. Internal Audit has a library of standardized ANAEL queries that
will assist in obtaining some of this information.
Review and Evaluation of Internal Control Environment
The auditor will review the audited entity's internal control structure. In doing this, the auditor uses a variety of tools and
techniques, including flow charts, interviews, data gathering, and analysis. The review of internal controls helps the auditor
design tests to be performed in the fieldwork section of the audit.
The evaluation of the system of internal controls should provide reasonable, but not absolute, assurance that the fundamental
elements of the system are sufficient to accomplish their intended purpose. The study and evaluation should be
adequately documented and properly supported by results of tests, observations, and inquiries. The use of electronic data
processing methods that can affect the reliability, accuracy, or usefulness of financial or statistical data, and reports should
be included as part of the study and evaluation.
Internal controls are evaluated throughout the audit examination. Audit Managers should prepare the program to assist assigned
auditors in performing this aspect of the audit work. Generally, the guidelines are incorporated into an audit program in the
form of internal control questionnaires, checklists, and specific audit tests and procedures. Although the written audit
guidelines (programs) are invaluable aids, Audit Managers must ensure that each assigned auditor is familiar with the scope and
objectives of the internal control review.
The review of the system of internal controls is performed by discussing the control procedures, methods, and plan of
organization with audited entity's officials. The auditor may use internal control questionnaires or checklists as well as written
narrative memoranda, flow charts, a transaction walk through, and other applicable techniques in determining the adopted control
procedures and the method and plan of organization. These techniques are preferred because they provide adequate documentation.
In addition to discussions with audit customer officials, auditors make inquiries and perform observations relating to the
system of internal controls. These inquiries and observations, and resulting findings and conclusions are also documented
in the working papers. This documentation includes identifying control strengths and weaknesses and cross-referencing them to
the audit tests and procedures concerned with substantive testing.

To assist in evaluating the system of internal control the auditor should consider the following:
Types of errors and irregularities that could occur.
Control procedures to prevent or detect such errors and irregularities.
Whether the procedures have been adopted and are being followed satisfactorily.
Weaknesses which would enable errors and irregularities to pass through existing control procedures.
The effect these weaknesses have on the nature, timing, and extent of auditing procedures to be applied.
Audit methods used to study and evaluate existing internal controls include:
Internal Control Questionnaires - These guide the auditor to query responsible managers regarding specific or
general internal controls. The questionnaires are designed so that a negative response indicates a potential internal
control weakness. A negative response will cause the auditor to determine whether compensating controls are
in existence which would offset the negative response.
Narratives - These describe the system of internal control.
Flow Charts - A flow chart is beneficial because it visually depicts processes designed or intended for control purposes.
Flow-charting provides the auditor with a good understanding of the process being evaluated.
Documentation supports the auditor's understanding of the internal controls. Audit working papers provide the support
for the conclusions reached by the auditor regarding the study and evaluation of internal controls. Only those internal
control functions, which are deemed critical or important to the strength within a particular transaction cycle, should
be tested and evaluated. Working papers should be prepared to highlight the internal control attributes within the
processes to be evaluated.
Tests of compliance are performed to obtain sufficient evidence that the system is operating in accordance with the
understanding the auditor obtained from the review. These are performed for those control procedures or methods upon
which the auditor has chosen to rely. Conversely, when the auditor determines that certain controls cannot be relied
upon, tests of compliance are not ordinarily performed.
The nature, timing, and extent of tests of compliance are closely related to the control procedures and methods
studied by the auditor. Additionally, the auditor must consider the availability of evidence and the audit effort required to
test compliance. In considering the required audit effort, the auditor assesses whether precluding certain tests of
compliance will reduce the reliance on the controls and procedures, and whether such reduced reliance
significantly affects subsequent audit tests and procedures.
Flowcharting
The primary purpose of preparing a flow chart is to identify the key control attributes - those attributes that achieve
control objectives. This can efficiently point out cases of under/over control and processing redundancy.
Clarity and simplicity in presentation are essential. Mistaken use of extreme detail may tend to conceal rather than expose
key points. Complexities such as exception controls can be better explained in attached memoranda. However, narrative
explanations should be kept brief. In most cases, the combination of the flow chart and a narrative description tends to be far
superior to either document alone.
Only transactions/documents with control significance should be shown (i.e., control over authorization, recording,
safeguarding, reconciliation, and valuation). This can generally be accomplished by including only those activities within an
application where data is initialised, changed, or transferred to other departments. For a process to be flow charted, it must be
broken down into its component parts, namely actions and decisions. Also, the name(s) and position(s) of the people performing
the transactions should be indicated for each action. The names of each document should also be included within the document
symbols.
The auditor usually obtains information necessary for preparing or updating flow charts by interviewing personnel at each site
about procedures followed, and by reviewing procedure manuals, existing flow charts and other system documentation. Sample
documents are collected and each department involved is questioned about its specific duties. Inquiries can be
made concurrently with the performance of transaction reviews, particularly when flow charts are being updated. If possible, the
auditor should observe the process.

Internal Control Questionnaires
The primary purpose of completing the internal control questionnaire is to identify critical areas, strengths, and weaknesses
in process.
PLANNING THE DETAILED AUDIT
The elements of materiality and relative risk must be considered in performing the audit. The due professional care standards do
not imply unlimited responsibility for disclosure of irregularities and other deficiencies. The auditor's principal effort should be
in those areas where significant problems or deficiencies may exist, rather than in areas that are relatively
unimportant. Time should not be spent examining or developing evidence beyond what is necessary to afford a sound basis for
a professional opinion.
The results of the preliminary review should be analysed to determine the need for a detailed audit and the specific areas to
be covered. The detailed audit program should be prepared allocating the project budget time established for the fieldwork to
the specific areas to be covered in the audit.
Statement of Risk and Exposure
Rationale:
o A risk/exposure analysis will be performed to prioritise audit testing that must be performed to achieve the audit
objectives. This determination is essential for providing reasonable assurance that internal audit
resources are deployed in an optimal manner (i.e. the most time is spent examining areas with the greatest risk
exposure).
o The three types of risks that will be considered are:
▪ Inherent Risk - The risk related to the fundamental characteristics of the assigned area (i.e., an area that
receives income in the form of currency and coin has a greater inherent risk of theft of that
income than one that receives internal billing income from another department).
▪ Control Risk - The risk that the assigned area's internal control system would fail to prevent or detect
a significant intentional or unintentional error in the process.
▪ Detection Risk - The risk that the internal audit would fail to detect errors that had occurred.
o Exposure is the potential loss or liability to ABC Company. It is not only loss of money but also ABC Company's
reputation, etc.
o A Risk/Exposure analysis will involve determining the highest possible
combined factors (high risk/high exposure as opposed to high risk/low exposure or low risk/high exposure).
Policy:
o During the preliminary review/internal control evaluation stage of the audit, the auditor will make a
determination of what areas contain the greatest risks and potential exposures. This determination will be
discussed with the Internal Audit Department before the audit program is written.
Process:
o During the preliminary review/internal control evaluation stage of the audit, the auditor will complete a
schedule detailing the greatest risks and potential exposures and discuss with Internal Audit Department.
Permanent Audit Files
A permanent file should give the auditor general knowledge about the audited entity. The information in the file is not expected to
change significantly from year-to-year, but it is pertinent to the current year's audit. Prior year's financial statements would aid
the auditor in gathering general knowledge about the audited entity. It might also be useful in comparing the current year to the
prior year or performing analyses. A permanent file should only be prepared for audits that we continually do or if the area audited
is a system such as payroll, accounts payable, etc. Before a permanent file is established, consult with the Audit Manager and
Internal Audit Department. If a permanent file is not prepared, useful information can be filed in section D of the working
papers.

AUDIT PROGRAM
Preparation of the audit program concludes the Preliminary Review phase. The audit program outlines the necessary steps to
achieve the objectives of the audit within the defined scope as listed on the assignment sheet. The audit program is a detailed
plan for the work to be performed during the audit. A well-constructed program is essential to completing the audit project in an
efficient manner.
A well-constructed program provides:
A systematic plan for each phase of the work that can be communicated to all audit personnel concerned
Means of self-control for the audit staff assigned
Means by which the audit supervisor/manager can review and compare performance with approved plans
Assistance in training inexperienced staff members and acquainting them with the scope, objectives, and work steps of
an audit
An aid to supervisor/manager making possible a reduction in the amount of direct supervisory effort needed
Assistance in familiarising successive audit staff with the nature of work previously carried out
The program consists of specific directions for carrying out the assignment. It should contain a statement of the objectives of the
operation being reviewed. For each segment of the audit the program should (1) list the risks that must be covered in that
segment; (2) show for each risk the controls that exist or that are needed to protect against the indicated risk; (3) show for each
of the listed controls the work steps required to test the effectiveness of those controls, or set forth the recommendations that
will be required to install needed controls; and (4) provide space for referencing the related audit working papers.
Standardized audit programs are available and should be used or modified to achieve the audit objectives. The auditor
shall include an estimate of the hours necessary to complete the project. Internal Audit Department reviews the auditor's work
to-date (preliminary review work) and then discusses any concerns or proposed program changes.
Objectives
The audit program shall contain a statement of the objectives of the area being reviewed. The statement of objectives in the audit
program shall correspond with the audit objectives stated in the assignment sheet. These objectives should be achieved
through the detailed audit program steps.
Audit Steps
A well-constructed audit program provides specific, detailed steps (procedures) for achieving the audit objectives.
Standardized audit programs with specific audit steps for achieving objectives are available and should be used or modified.
Time Budget
A project time budget provides overall guidelines for the performance of the audit. In addition, it enables the audit manager to
control the audit work in process. It is essential that we control our time carefully in order that it may be used in the
most effective manner possible. The detailed project time budget should be completed at the conclusion of the
preliminary review.
Each project will have a time budget that will be approved by the audit manager and Internal Audit Department. This budget will
include all time necessary to complete the audit, from assignment through issuance of the final
report. The preliminary review phase should be completed when no more than 25 percent of the total time budget has been
depleted.
The budget process will be broken down into two phases. A portion of the budget should be allocated for the planning
process. This will provide the necessary control over this phase of audit work.

Near the completion of the planning process, the remaining budget should be allocated to the rest of the audit and recorded on
the Time Budget Summary. For purposes of overall control, the time budget should be broken down into the following general
categories (more may be used if warranted):
Planning - initial planning, preliminary survey, audit program
Fieldwork - allocated to the various segments of the audit project
Audit report and wrap-up - audit manager's review, quality assurance review, report writing and editing, report review,
audited entity's review, exit conference, etc.
Preparation and Approval - The project time budget should be prepared by the audit manager and
approved by Internal Audit Department.
Budget Revisions - Any revisions to the project time budget should be discussed with Internal Audit Department at the
earliest possible time and, when approved by Internal Audit Department, documented on the Time Budget Summary.
FIELDWORK
Evidential Matter
Evidential matter obtained during the course of the audit provides the documented basis for the auditor's opinions, findings,
and recommendations as expressed in the audit report. As internal auditors, we are obligated by our professional standards to act
objectively, exercise due professional care, and collect sufficient, competent, relevant, and useful information to provide a sound
basis for audit findings and recommendations (see examining and evaluating information).
Audit Sampling
Audit sampling is performing an audit test on less than 100 percent of a population. In
'sampling' the auditor accepts the risk that some or all errors will not be found and the conclusions drawn (i.e. all transactions
were proper and accurate) may be wrong.
Types of Sampling:
Statistical or probability sampling allows the auditor to stipulate, with a given level of confidence, the condition of a
large population by reviewing only a percentage of the total items. Several sampling techniques are available to the auditor.
Attribute sampling - Is used when the auditor has identified the expected frequency or occurrence of an event.
Variables sampling - Is used when the auditor samples for values in a population which vary from item to item.
Judgment sampling - Is used when it is not essential to have a precise determination of the probable condition of the
universe, or where it is not possible, practical, or necessary to use statistical sampling.
The type of sampling used and the number of items selected should be based on the auditor's understanding of the relative risks
and exposures of the areas audited.
Policy/Process:
All audit testing will include sampling. The type and sample size shall be described in the program and approved
by the Internal Audit Department.
Testing and Working Paper Documentation
Policy/Purpose:
Working papers serve both as tools to aid the auditor in performing his work, and as written evidence of the work done to
support the auditor's report. Information included in working papers should be sufficient, competent, relevant, and useful to
provide a sound basis for audit findings and recommendations. Generally Accepted Auditing Standards define sufficient,
competent, relevant, and useful as follows:
Sufficient information is factual, adequate, and convincing so that a prudent, informed person would reach the
same conclusions as the auditor.
Competent information is reliable and the best attainable through the use of appropriate audit techniques.
Relevant information supports audit findings and recommendations and is consistent with the objectives for the audit.
Useful information helps the organization meet its goals.
In addition to serving as a reference for the preparer when called upon to report findings or answer questions, other individuals
may find it necessary to use the working papers.
The Internal Audit Department will use the papers to review the quality of the audit project and to evaluate the audit staff
assigned to the work.
The manager whose entity is being audited may use details included in the working papers to help implement corrective action
to a problem or refute the assertion that a problem exists.
ABC Company management or other individuals who may have requested the audit require timely reports. Well-organised
working papers help to accomplish this goal.
External auditors review the work performed by the Department and evaluate the effect that its activities had on ABC
Company's system of internal control.
In fulfilling their public responsibility, certain regulatory agencies monitor ABC Company operations, and the Department's
working papers may be subjected to their review. Solid working paper documentation is essential for questions from these and
other potential outside reviewers.
Qualities of Good Working Papers
Good working papers should be:
Complete - Working papers must be able to "stand alone." This means that all questions must be answered, all points
raised by the reviewer must be cleared, and a logical, well-thought-out conclusion must be reached for each audit
segment.
Concise - Working papers must be confined to those that serve a useful purpose.
Uniform - All working papers should be of uniform size and appearance. Smaller papers should be fastened to standard
working papers, and larger papers should be folded to conform to size restrictions.
Neat - Working papers should not be crowded. Allow for enough space on each schedule so that all
pertinent information can be included in a logical and orderly manner. At the same time, keep working papers
economical. Forms and procedures should be included only when relevant to the audit or to an audit recommendation.
Also, try to avoid unnecessary listing and scheduling. All schedules should have a purpose which relates to the audit
procedures or recommendations.
Working Paper Techniques
Descriptive Headings - All working papers should include the audit stamp, title of the audit, audit project number, title of the
working paper, preparer's initials, date prepared, source of information, and purpose of the working paper.
Tick-marks - The auditor makes frequent use of a variety of symbols to indicate work that has been done. These symbols are
commonly referred to as tick-marks. As these tick-marks have no special or uniform meaning in themselves, an explanation of
each tick-mark should be made on the schedule on which it appears.
Cross-referencing - Cross-referencing within working papers should be complete and accurate. Working papers should
be cross-referenced to the Audit Findings. Audit Findings should be cross-referenced to the exit conference memo and/or the
audit report, to indicate final disposition of the item. Cross-referencing should be done in the margins of audit report
drafts. These references readily provide direct access to the working papers.
Indexing - The system of indexing audit working papers should be simple, yet leave room for flexibility. A capital letter should be
used to identify each segment of the audit, and Arabic numerals used to identify schedules within the segments.
Carry forward - The auditor should make full use of the working papers developed in the prior audit. Flow
charts, system descriptions, and other data may still be valid. Those papers which remain useful should be made a part of the
current working papers. They should be updated with current information, renumbered, referenced, initialled, and dated by the
current auditor.

Types of Working Papers
All working papers should be maintained in binders. Schedules, analyses, documents, flow charts, and narratives should be
filed in a standard binder. Documentation which is not of standard size should be mounted on standard size paper or
referenced to a non-standard binder.
1. Schedules and Analyses
Schedules and analyses are useful for identifying statistical trends, verifying the accuracy of data, developing
projections or estimations, and determining if tasks or records have been properly completed. Each record review,
data schedule, or analysis should include the following items:
An explanation of its purpose (reference audit step)
The methodology used to select the sample, make the calculation, etc.
The criteria used to evaluate the data
The source of data and time frame considered
A summary of the results of the analyses
The auditor's conclusion
2. Documents
Copies or actual samples of various documents can be used as examples, for clarification, and as physical evidence to
support a conclusion or prove the existence of a problem. These documents can be memos, reports, computer
printouts, procedures, forms, invoices, flowcharts, contracts, or any of numerous other items. Any copied document
should serve a useful audit purpose.

The following suggestions are offered for preparation of working papers using documents rather than the auditor's
notes:
Indicate both the person and/or file that the document came from (source).
Copy and insert only that portion of the report, memo, procedure, etc., which is needed for purposes of
explanation or as documentation of a potential finding. Do not include the entire document in the working
papers unless absolutely necessary.
Fully explain the terms and notations found on the document, as well as its use. This is especially true when
including maps, engineering drawings, or flow charts in the papers. These explanations may be made on an
attached preceding page or on the face of the document itself.
Each document should be cross-referenced either to the page or separate analysis where it was discussed.
No document should be included in the working papers without an explanation of why it was included.
Documents larger than A4 size should be reduced when practicable.
3. Process Write-ups and Flow charts
In many audits, it is necessary to describe systems or processes followed by the audited entity. Describe such
procedures or processes through the use of write-ups or flow charts or some combination of the two. The choice of
which method to use will depend on the relative efficiency of the method in relation to the complexities of the system
being described.

Write-ups are often easier to use, and should be used, if the system or process can be described clearly and concisely.
However, when write-ups would be lengthy, and description of related control points difficult to integrate in the
narrative, flow-charting (or a combination of write-ups and flow-charting) is an appropriate alternative. Flow charts
conveniently describe complex relationships because they reduce narrative explanations to a picture of the system.
They are concise and may be easier to analyse than written descriptions.
4. Interviews
Most verbal information is obtained through formal interviews conducted either in person or by telephone. Formal
interviews are most desirable because the interviewees know they are providing input to the audit; however,
impromptu interviews, or even casual discussions can often provide important information. Any verbal information
which is likely to support a conclusion in the audit working papers should be documented. Interviews are useful
in identifying problem areas, obtaining general knowledge of the audit subject, collecting data not in a documented
form, and documenting the audit customer's opinions, assessments, or rationale for actions. Interview notes should
contain only the facts presented by the person interviewed, and not include any of the auditor's opinions.

In preparing interviews for working papers, consider the following suggestions:
Be sure to include the name and position title of all persons from whom information was obtained. This includes data
gathered during casual conversations.
Indicate when and where the meeting occurred.
Organise notes by topic wherever possible.
Identify sources of information quoted by interviewee.
5. Observations
What the auditor observes can serve the same purposes as interviews. If observations can be used to support any
conclusions, then they should be documented. They are especially useful for physical verifications.
Observations used as supporting documentation should generally include the following items:
Time and date of the observations
Where the observations were made
Who accompanied the auditor during the observations
What was observed (when testing is involved, the working papers should include the sample selections and
the basis of the sample)
6. Findings
All audit findings must be documented in a SECTION SUMMARY (see next section) schedule in the working
papers. Unfavourable findings shall be summarised on a Digest of Significant Findings working paper whether or not
they are to be included in the audit report. All findings should be documented immediately by the auditor discovering
the situation.
STATING FINDINGS/CONCLUSIONS
Upon the conclusion of the fieldwork, the auditor shall summarise the audit findings,
conclusions, and recommendations necessary for preparation of the audit report discussion draft. Each audit finding will have
documented in the SECTION SUMMARY the following ATTRIBUTES:
1. Statement of Condition (What is!)
2. Criteria (What should be!)
3. Effect (So what?)
4. Cause (Why did it happen?)
5. Recommendation (What should be done?)

1. Statement of Condition
The condition identifies the nature and extent of the finding or unsatisfactory condition. It often answers the question: "What
was wrong?" Normally, a clear and accurate statement of condition evolves from the auditor's comparison of results with
appropriate evaluation criteria.
2. Criteria
This attribute establishes the legitimacy of the finding by identifying the evaluation criteria and answers the question:
"By what standards was it judged?" In financial and compliance audits, criteria could be accuracy, materiality, consistency, or
compliance with applicable accounting principles and legal or regulatory requirements.
In audits of efficiency, economy, and program results (effectiveness), criteria might be defined in mission, operation, or
function statements; performance, production, and cost standards; contractual agreements; program objectives; policies,
procedures, and other command media; or other external sources of authoritative criteria.
3. Effect
This attribute identifies the real or potential impact of the condition and answers the question: "What effect did it have?"
The significance of a condition is usually judged by its effect. In operational audits, reduction in efficiency and economy, or
not attaining program objectives (effectiveness), are appropriate measures of effect. These are frequently expressed in
quantitative terms; e.g., value, number of personnel, units of production, quantities of material, number of transactions, or
elapsed time. If the real effect cannot be determined, potential or intangible effects can sometimes be useful in showing
the significance of the condition.
4. Cause
The fourth attribute identifies the underlying reasons for unsatisfactory conditions or findings, and answers the question:
"Why did it happen?"
If the condition has persisted for a long period of time or is intensifying, the contributing causes for these characteristics of
the condition should also be described.
Identification of the cause of an unsatisfactory condition or finding is a prerequisite to making meaningful
recommendations for corrective action. The cause may be quite obvious or may
be identified by deductive reasoning if the audit recommendation points out a specific and practical way to correct the
condition. However, failure to identify the cause in a finding may also mean the cause was not determined because of
limitation or defects in audit work, or was omitted to avoid direct confrontation with responsible officials.
5. Recommendations
This final attribute identifies suggested remedial action and answers the question: "What should be done?"
The relationship between the audit recommendation and the underlying cause of the condition should be clear and logical.
If a relationship exists, the recommended action will most likely be feasible and appropriately directed.
Recommendations in the audit report should state precisely what needs to be changed or fixed. How the change will be
made is the audited entity's responsibility. More generalised recommendations (e.g., greater attention be given,
controls be re-emphasised, a study made, or consideration be given) should not be used in the audit report, but they are
sometimes appropriate in summary reports to direct top management's attention to compliance-type findings disclosed in
several areas.
Unless benefits of taking the recommended action are obvious, they should be stated. The cost of implementing
and maintaining recommendations should always be compared to risk.
Recommendations should be directed to an individual capable of taking action.
6. Policy/Process
Audit findings will include: the nature of the findings, the criteria used to determine the existence of the condition; the
cause of the condition; the significance of its impact; and what the auditors think should be done to correct the situation.

QUALITY ASSURANCE
The purpose of "quality assurance" is to provide reasonable assurance that audit work performed by ABC Company-Internal
Audit conforms to Generally Accepted Auditing Standards.
Quality Assurance Policy
All working papers shall be independently reviewed to ensure there is sufficient evidence to support conclusions, document the
extent of audit work performed, and ensure that all audit objectives have been met, as well as substantiate compliance with
applicable auditing standards.
A detailed review shall be conducted by the Audit Manager for assigned staff's working papers. A less comprehensive
review shall be conducted by Internal Audit Department or an assigned Quality Assurance staff person. EXCEPTION: If the Audit
Manager is the only staff member assigned to the audit/task then the detailed review shall be performed by department
administration or an assigned Quality Assurance staff person.
Initialling (Director/Quality Assurance staff person and the Audit Manager) working papers (Section Summaries, Audit
Programs, Draft Report) and completing the "Quality Assurance Review form," will serve as documentation of the
review process and will be filed with the working papers.
NOTE: Auditors are encouraged to perform an "informal" self-review of their working papers. However, this review would be for
their benefit only and therefore this document SHALL NOT be a part of the working papers.

Quality Assurance Review Process
In performing the review the reviewer should:
Review working papers from audit program steps to the referenced working papers ensuring cross-referencing is
proper, the working papers support the steps performed, and all steps have been completed (or why steps were
not completed).
Review working papers from the report(s) to the digest to the working paper summaries to the detailed working papers
to ensure that all findings are stated, adequately document and support the OPINIONS, FINDINGS, and
RECOMMENDATIONS stated in the report.
Determine working paper's compliance to department working paper standards. Determine report(s) compliance
with department report standards.
Determine Permanent Audit File's compliance with department standards.
Record any deficiencies, comments, etc. on a Working Paper Review Notes form.
The auditor(s) who prepared the working papers will then respond (if necessary) to these points on the same form.
After the reviewer has "cleared" the points and completed (initialled) the "Quality Assurance Review form," the working
papers will be forwarded to Internal Audit Department.
Internal Audit Department will review the working papers and discuss the findings and review comments
with the Assigned Auditor, Audit Manager, and Reviewer, then complete the relevant parts of the
"Quality Assurance Review form," and approve the draft report for the exit conference.
The Report Reviewer will perform a pre-exit conference edit check for spelling, cursory grammatical,
and consistency review.
The assigned auditor will forward a copy of the draft report to the audited entity prior to the exit conference.
After exit conference amendments, the Report Reviewer will perform a spell check, as well as a cursory grammatical and
consistency review, then print out the FINAL version of the report.
The Audit Manager, assigned Auditor(s) and Director will review and sign the final report.
NOTE: The working papers and report will be factors used in the Performance Evaluation process.
GENERAL STANDARDS FOR WORKING PAPERS
Functions of Working Papers
Support auditor's opinion
Aid in the conduct and supervision of the engagement
Provide a record of:
1. Procedures applied
2. Tests performed
3. Information obtained
4. Pertinent conclusions reached
Provide evidence that the audit was conducted in accordance with Generally Accepted Auditing Standards
Completeness of Working Papers
Working papers should be accurate and complete
1. No significant questions within the scope or related to the objective of the audit should go unanswered
2. Working papers must "stand alone," in that they clearly state what work was performed, how and from where
samples were selected, the purpose of the working papers, what findings were made, etc.
Each item in the working papers should contain:
1. A descriptive heading.
2. Identification of source if not obvious
3. The date of preparation and the auditor's initials
4. The index number of the work paper

Working papers should be sufficient, competent, relevant, and useful to provide a sound basis for audit findings and
recommendations
1. Consistent, neat, not crowded
2. Only essential items included
3. Arranged in a uniform style
Working papers should prove that standards have been followed such as:
1. Adequate planning and supervision
2. Adequate review of internal control
3. Sufficient competent evidential matter
Examples of Working Papers
Working papers may include any or all of the following:
1. Audit programs, summaries, schedules, computations, or analysis prepared or obtained
2. Memoranda, interviews, letters of confirmation or representation
3. Data stored on tapes, films, disk, or other media
The working papers listed below constitute the minimum REQUIRED support for an assignment
1. Working Papers Index
2. Assignment Form
3. Draft Report
4. Digest of Significant Findings
5. Quality Assurance Review
6. Audit Program
7. Section Summaries for each audit program section
8. Worksheet or Lead Schedules
9. Final Report
The following working papers should generally be prepared, but may not be considered mandatory for all assignments:
1. Permanent Audit File
2. Summary of Audit Objectives and Time Control
3. Announcement Letter
4. Contact List
5. Audited Entity Financial Statements
6. Interim Memoranda and Meetings
7. Exit Conference Record
Cross-Referencing of Working Papers
All significant amounts and items should be cross-referenced
Indexing of Working Papers
Every page should have an index number
The index should be simple
The index should be capable of infinite expansion

GENERAL STANDARDS - REPORT(S)
Reports conform to the department format guidelines. Report title specifically states what was audited.
Report is copied to the right people (at a minimum this should be the Vice President in Internal Audit reporting line, and the
report addressee's direct supervisor, reporting line, etc.)
Audit objectives are stated clearly and in agreement with those stated in the announcement letter or Audit Assignment
form (if no announcement letter sent).
Scope clearly states what we examined including, if applicable, what period, transactions, documents, and limitations.
Opinions (where appropriate) are supported by audit findings.
Background contains mission and other information of value to reader.
Findings are presented clearly and contain the following elements:
o Statement of Condition - Is stated in first sentence
o Criteria - Policy, etc.
o Effect - potential or actual exposure to ABC Company
o Cause - how did it happen (if known)
o Recommendation

Recommendations are specific enough so the audited entity understands what is expected, something that can
be accomplished, cost beneficial, followed up on, etc.
Draft Report is referenced to the working papers.
Reports are objective, clear, concise, constructive, and timely.
The auditor presents to appropriate management a draft of the final report for discussion before issuance of the final
report.
If appropriate, a Management Letter may be issued.
REPORTING AND FOLLOW-UP
The most successful audit projects are those in which the audited entity and the Internal Auditors have a constructive working
relationship. Our objective is to have the audited entity's continuing involvement as well as communication at every stage, so that
the audited entity understands what we are doing and why we are doing it.
Although every audit project is unique, the audit process is similar for most engagements. The audit process
normally consists of four stages: Preliminary Review, Fieldwork, Audit Report, and Follow-up Review.
Audit Report, Transmittal Letter and Management Letter
Our principal product is the final report in which we express our opinions about the audit findings and discuss our
recommendations for improvements. Therefore, in order for Internal Audit to be effective, our reports must clearly and
persuasively convey the results of our audits and convince readers to recognize the validity of the findings and the benefit of
implementing any recommendations.
To facilitate communication and ensure that the recommendations presented in the final report are practical,
Internal Audit ALWAYS discusses the rough draft with the audited entity prior to issuing the final report.

Internal Audit prints and distributes the final report to the audited entity's operating management, the audited entity's reporting
supervisor, the Finance Director and other appropriate members of senior ABC Company management. This report is
primarily for internal ABC Company management use. The Internal Audit Director's approval is required for release outside of
ABC Company. The results of the audit are also included in the Internal Audit's annual report to the Board of Directors.
The first page (transmittal letter) of the report is a letter requesting the audited entity's written response to the report
recommendations within 30 days. The audited entity should explain, in the written response, when and how report findings will
be resolved with an implementation timetable. We encourage the audited entity to copy this response to all recipients of the final
report. The audited entity's response is included in Internal Audit's annual report to the Board of Directors.
A management letter written to and distributed to only the audited entity manager may be issued. This letter will contain
suggestions for improving controls, operations, and anything Internal Audit Department feels needs to be in writing.

CONFIDENTIALITY - REPORTS
Although Internal Audit reports are internal documents exclusively for the use of ABC Company, certain reports will contain
information that SHOULD NOT BE DISCLOSED OUTSIDE OF THE AREAS RECEIVING THE REPORT.
Policy
Audit reports will be classified as CONFIDENTIAL if they meet the following criteria:
Report discloses a weakness (potentially resulting in a loss) which has not been corrected at the time of distribution
Report discloses sensitive information which could prove an embarrassment to ABC Company (if made public)
Report discloses information classified as "restricted data"
At the discretion of the Director of Internal Audit

Audit reports classified as CONFIDENTIAL will contain the words CONFIDENTIAL REPORT on the title page and the
footnote "Confidential - Do not disclose information in this document." on each page.
Process
The Audit Manager will discuss their recommendation and rationale regarding the classification of a report when it is given to
the Director of Internal Audit for initial review.

EXIT CONFERENCE
After the draft report has been approved by Internal Audit Department, the auditor(s) meet with the audited entity's
management team to discuss the findings, recommendations, and text of the draft. At this time, the
audited entity comments on the draft report, and any inaccuracies or impractical recommendations are resolved to the
extent possible.
Pre-exit conference items
There should be no surprises - everything in the draft should have been discussed during the fieldwork.
Be sure you can easily find supporting documentation for findings in the working papers in
case questions arise at the exit conference.
Try to anticipate potential questions/conflicts
Exit conference agenda
Go through verbal recommendations:
Discuss the following and go through report and management letter:
o Do they want to respond after receiving the final report or would they like their response either
included or attached to the final report (department preference is to include or attach the audit
response with the final report)?
o A follow-up will be done within one year to review action taken.
o Results of audit, response, and follow-up will be included in our annual report to the Board of
Directors.
o Were there any questions about the scope and objectives?
o Are there any questions about the opinion?
o Are there any questions, comments, additions, or deletions on background?
o Any comments or questions about other sections (go through each)?
o General comments about audit process?
CLOSING OF THE AUDIT
The auditor then prepares a draft, taking into account any revisions resulting from the exit conference and other
discussions. When the changes have been reviewed by Internal Audit Department and the audited entity, the final
report is issued.
The report is then printed in final by the report reviewer and distributed to the audited entity's reporting
supervisor, the Finance Director, and other appropriate members of ABC Company management. This report is
primarily for internal ABC Company management use. The Internal Audit Director's approval is required for release
outside of ABC Company.
Input in Board of Directors Report
The establishment of a clear reporting structure with the Board of Directors enhances Internal Audit's
independence and strengthens our ability to function freely within ABC Company. It also provides us
the opportunity to acquaint the Board with any critical audit findings or issues, our assessments of operations
during the past year, and our concerns, goals and plans for the next fiscal year.
The results of all report findings and recommendations, the response from the audited entity, and the follow-up
shall be reported in an annual report to the Board of Directors.

Audit Feedback Questionnaire
An audit feedback questionnaire will be sent to the audited entity immediately after an audit report (excluding cash count
and follow-up reports) has been issued. Questionnaires returned shall be recorded and summarised.
Follow-up Review
Within one year of the final report, Internal Audit shall perform a follow-up review of audited entities to ascertain the resolution of
the report findings.
The actions taken to resolve the findings shall be reviewed and may be tested to ensure that the desired results were achieved.
In some cases, managers may choose not to implement an audit recommendation and to accept the risks associated with an audit
finding - the follow-up review will note this as an unresolved finding.
The follow-up report will list the actions taken by the audited entity to resolve the original report findings. Unresolved findings
will also appear in the report and will include a brief description of the finding, audit recommendation, client response,
current condition, and the continued exposure to ABC Company. In addition to the original report recipients and other
officials as deemed appropriate, the follow-up review results will also be included in the Internal Audit Annual Report to the
Board of Directors.
PERSONNEL
JOB DESCRIPTION: DIRECTOR OF AUDIT
Reports To: Board of Directors, Finance Director
SUMMARY:
Direct and coordinate internal auditing within ABC Company as an independent appraisal of the various operations and
systems of control to determine if acceptable policies and procedures are followed, established standards met, resources are used
efficiently and economically, planned missions are accomplished effectively and the organization's objectives are being
achieved.
DUTIES AND RESPONSIBILITIES:
Supervise and coordinate internal audit programs of ABC Company accounting and financial operations to include the
review of accounting procedures, confirmation of accounts, inspection of physical operations, and investigations of
irregularities and errors.
Supervise examination and analysis of records to ensure the effectiveness of accounting and managerial controls at
reasonable cost, accuracy of transactions, and compliance with applicable laws and established ABC Company policies
and procedures.
Direct and coordinate analysis of operating departments and functions and make recommendations to promote
maximum managerial effectiveness and operational efficiency when appropriate.
Ascertain the extent to which ABC Company assets are accounted for and safeguarded from losses.
Counsel and guide auditors to ensure that approved audit objectives are met and practical coverage is achieved.
Identify those activities subject to audit coverage, evaluating their significance and assessing the degree of risk
inherent in the activity in terms of cost, schedule, and quality.
Monitor work performance for accuracy and completeness to ensure compliance with established departmental
objectives.
Supervise audit participation and participate in systems and procedures development and testing.
Supervise review of procedures and records for their adequacy to accomplish intended objectives, appraising
policies, and plans relating to the activity or function.
Train and instruct supportive staff.
Review and ascertain the reliability of management data developed within the organization. Recommend and develop
internal auditing policies, standards of performance, procedures, and programs.
Authorize the publication of reports on the results of audit examinations, including recommendations for
improvements.

Serve in advisory capacity for ABC Company officials. Make recommendations for improved fiscal
management systems.
Appraise the adequacy of corrective action taken by operating management and prepare a variety of related reports and
analysis.
Serve as liaison with many departments and offices to assist with problems and determine need for audits.
Contact with staff, outside businesses and agencies regarding ABC Company audit related or business problems.
Provide executive management with annual reports on the results of audit activities. Direct various personnel functions
including, but not limited to hiring, merit recommendations, promotions, transfers, vacation schedules, and dismissals.
Determine fiscal requirements of internal auditing operations and prepare budgetary operations. Monitor, verify, and
reconcile expenditure of budgeted funds.
Perform special reviews as requested by the Finance Director.
Review ABC Company policy and structural changes that might alter audits and coverage.
Serve on various ABC Company committees.
Represent ABC Company at professional organizations, associations, and committees. Perform other duties incidental
to the work described herein.

JOB DESCRIPTION: ASSOCIATE DIRECTOR OF INTERNAL AUDIT

Reports To: Internal Audit Director
SUMMARY:
Provide administrative and supervisory support to the Director for the coordination and administration of system-wide audits,
the planning and development of department operations, and the supervision of department staff.

DUTIES AND RESPONSIBILITIES:
Supervise professional staff by evaluating performance, hiring, and terminating when necessary.
Review audits to ensure that they are conducted according to audit standards, sufficient evidence is obtained,
and that procedures are properly documented to support audit findings.
Plan and prepare formal written reports addressed to department managers or external agencies.
Attend entrance and exit conferences for audits in the absence of the Director. Appraise the adequacy of departmental
replies to audit reports.
Manage day-to-day office operations such as ensuring audits are on schedule, weekly time reports are submitted, and
assignment forms are issued.
Assist the Director in developing and implementing new and revised department policies and procedures necessary for
providing internal auditing services to all entities within ABC Company. Determine the direction and extent of audits.
Serve as department head in the absence of the Director and assist the Director with budget planning.
Recommend to ABC Company Administration control issues that should be addressed with ABC Company Institutional
policies.
Design technically complex audit programs for specialized computer software to retrieve information from ABC
Company computer systems.
Maintain an effective liaison with ABC Company managers and external auditors to coordinate audits of ABC
Company records.
Certify financial reports at the request of external agencies.
Serve on various ABC Company committees in an advisory capacity.
Assist the Director in developing an audit plan that provides for the effective audit coverage of ABC Company systems
based on an assessment of potential risk and exposure to ABC Company.
Survey functions and activities of units to evaluate nature of operations and existence and adequacy of internal controls.
Provide guidance, training, and assistance to auditors. Continue to develop expertise in specialized areas to advise other
auditors or ABC Company units.
Maintain knowledge of current accounting and auditing practices through continuing professional education.
Perform other related duties incidental to the work described herein.

JOB DESCRIPTION: INFORMATION SYSTEMS AUDIT MANAGER


Reports To: Internal Audit Director

SUMMARY:
Using specialized knowledge of accounting, auditing, and electronic data processing (EDP) to perform audits of
adequacy of internal controls and the accuracy of institutional data in ABC Company's data processing areas. Attest
to the accuracy, effectiveness, and efficiency of ABC Company's information (EDP-based) systems. Determine level
of compliance with institutional policies and procedures, laws and contractual obligations regarding privacy and
security in data processing areas. Provide support to internal auditors in the development of computer-assisted audit
techniques.
Requirements needed for this position are a minimum of an undergraduate degree in accounting, business
administration, finance or computer science, and a certificate or licensing for CPA and/or CIA. Four years experience
as an EDP auditor, two years experience as a financial auditor, and knowledge of computer environment similar to
the one at ABC Company.
DUTIES AND RESPONSIBILITIES:
Participate in the development of new ABC Company system applications to:
1. Ensure that adequate controls are established and installed to meet management objectives
2. Verify that users and computer operations staff have been trained in the system functions and controls
3. Determine whether level of security is appropriate
4. Verify that backup and recovery procedures are complete
Perform audits of existing financial and security applications, the related network links and the supporting computer
data centres.
1. Based on a review and evaluation of current internal controls, assess potential risk, and exposure to ABC
Company, and prepare detailed audit program describing tests to be performed.
2. Obtain sufficient competent and relevant evidential matter, analyse and summarise data to support an
objective informed opinion on the adequacy and effectiveness of internal controls, the accuracy of institutional
data, and the level of compliance with ABC Company policies.
3. Draft written reports expressing opinions on the adequacy and effectiveness of system controls, the accuracy of
institutional data, and the level of compliance with relevant policies and procedures. Recommend changes in
policies and procedures to enhance controls or correct deficiencies.
Appraise the adequacy of replies to final audit reports and perform post-audit reviews to determine the extent to which
audit recommendations have been implemented.
Assign work and supervise EDP audit staff (when applicable) so that the audit is conducted in a professional manner and
the audit objectives are accomplished. Review working papers and conduct performance appraisals so that standards are
complied with and evaluations can be accurately completed.
Serve on various ABC Company committees addressing such items as data access, computer and network
security, system design, etc.
Provide guidance, training, and assistance to staff auditors in using computerized audit techniques, maintaining library of
standard audit programs, administering the department's computer network, etc.
Stay current with technical changes in auditing, data processing, accounting, ABC
Company policies, and government regulations so that audits are conducted professionally and in accordance with
department standards.
Develop an EDP audit plan that provides for the effective audit coverage of ABC Company's EDP application systems
based on an assessment of potential risk and exposure to ABC Company.

JOB DESCRIPTION: AUDIT MANAGER

Reports To: Internal Audit Director / Associate Director
SUMMARY:
Using specialized knowledge of accounting, auditing, and electronic data processing, plan and conduct complex and technical
financial and managerial audits of ABC Company operations. Analyse evidential data as a basis for an informed, objective
opinion. Prepare comprehensive reports addressed to campus and ABC Company administration and external agencies.
DUTIES AND RESPONSIBILITIES:
Plan and perform complex, technical financial and managerial audits of ABC Company operations in accordance with
accepted professional standards. Determine whether areas reviewed are performing their planning, accounting,
custodial, and control activities in compliance with managerial guidelines, applicable statements of policy and
procedures, and in a manner consistent with both ABC Company objectives and high standards of administrative
practice. Obtain and analyse data to provide an objective, informed opinion on the accuracy and fairness of financial
statements. This includes performing advanced and complex analytical procedures and recommending material
adjustments (i.e. to ABC Company financial statements).
Develop an audit plan that provides for the effective audit coverage of ABC Company operations, based on an
assessment of potential risk and exposure. Survey functions and activities of units to evaluate nature of operations and
existence and adequacy of internal controls.
Perform audits of ABC Company operations to ensure effectiveness of accounting and managerial
controls and accuracy of recorded data, promote efficiency, safeguard
ABC Company assets, and monitor compliance with applicable laws and ABC Company policies and procedures.
Supervise and direct staff assigned to assist on audits. Monitor performance of staff and evaluate performance of
supervised staff.
Exercise professional judgment to determine materiality of findings and adequacy and effectiveness of the operation.
Conduct special reviews requested by administration. Arrive at independent decisions concerning recommendations for
administration.
Maintain an effective liaison with managers and external auditors to coordinate audits of ABC Company records.
Determine the direction and extent of assigned audits. Prepare the program and establish procedures, which may include
statistical sampling and electronic data processing. Prepare and evaluate working papers supporting opinions presented
in the report to administration and external agencies.
Appraise the adequacy of replies to audit reports and perform post-audit reviews to determine the extent to which audit
recommendations have been implemented.
Establish audit procedures involving statistical sampling and electronic data processing. Use specialized knowledge to
retrieve information from ABC Company mainframe computers.
Discuss deficiencies and recommend corrective actions to improve operations and reduce costs. Plan and prepare
formal written reports addressed to managers or external agencies.
Continue to develop expertise in specialized areas to advise other auditors or ABC Company units.
Review and evaluate the adequacy of the overall accounting and non-accounting controls of computerized information
systems residing on departmental computers. This requires a general understanding of departmental activities in
relation to computerized information systems under review.
Perform general administrative tasks including those assigned by the Director.
Maintain knowledge of current accounting and auditing practices through continuing professional education.

JOB DESCRIPTION: INFORMATION SYSTEMS AUDITOR

Reports To: Information Systems Audit Manager
SUMMARY:
Using specialized knowledge of auditing and information technology, participate in audits of ABC Company's information
systems, systems development processes, LANs, and related resources/processes to determine the adequacy of general and
application controls and to assess compliance with applicable policies, procedures, statutes, and contract requirements. This
entails analysing evidential data as a basis for an informed, objective opinion and preparing comprehensive reports
addressed to ABC Company administration.
DUTIES AND RESPONSIBILITIES:
With guidance from the Information Systems Audit Manager, plan and conduct audits in accordance with applicable professional
and office standards.
Exercise professional judgment to determine adequacy of controls, materiality of findings, and sufficiency of evidence
to support opinions and findings presented in audit reports. Prepare working papers containing sufficient, competent,
and relevant evidence to support findings and opinions in audit reports. Draft audit reports containing the results of
the audit, including findings, recommendations, opinions.
Assist financial and operational auditors in applying information systems audit principles and concepts, identifying the
relevant automated controls to include in the audit scope, designing audit programs/procedures to assess
their adequacy, and documenting the impact of strengths or weaknesses to current audit procedures/objectives. Perform
post-audit reviews to determine the extent to which audit recommendations have been
implemented. Appraise the adequacy of replies to final audit reports, and perform post-audit reviews to determine the
extent to which audit recommendations have been implemented.
Discuss deficiencies with management and recommend actions to improve controls, enhance information
integrity, streamline processes, and reduce costs. Where appropriate, recommend changes in policies and
procedures to enhance controls or correct deficiencies.
Write/develop computer assisted audit techniques (CAATs) to extract and manipulate data from complex computer
systems and to facilitate audit compliance and substantive testing procedures.
Assist in administering and supporting the Internal Audit Local Area Network (LAN).
Maintain knowledge of current auditing, data processing, and accounting practices and ABC
Company policies and government regulations. Provide in-house information systems audit and technical training for
internal audit staff.
Perform other duties as assigned.
QUALIFICATIONS:
Required: Degree in business, accounting, or information systems discipline or equivalent combination of education
and experience. One year of related work experience in information systems auditing or related field (e.g.,
information systems analysis, or development). Excellent planning, organization, research, analysis, writing, and
interpersonal skills.
Ability to communicate effectively with individuals and groups at all organizational levels.
Able to work in a team-oriented environment.
Preferred: Certification preferred (e.g., ACCA, CPA, CIA).
Proficient in providing mainframe and PC support to internal audit staff using computerized audit tools to retrieve
and analyse data stored on mainframe and departmental systems.
Familiar with diverse computing environments and architecture, including mainframe, client-server, network, and
personal computers.
Familiar with operations, policies, and procedures in ABC Company environment.

JOB DESCRIPTION: AUDITOR
Reports To: Director of Internal Audit Department
SUMMARY:
Provide assistance to the audit manager in performing financial and managerial audits of general ABC
Company operations. The duties include analysing evidential data as a basis for an informed, objective opinion and preparing
comprehensive reports addressed to ABC Company administration and/or external agencies.
DUTIES AND RESPONSIBILITIES:
Participate in performing financial and managerial audits of general ABC Company operations in accordance
with accepted professional standards.
Aid the audit manager in determining whether areas reviewed are performing their planning, accounting, custodial,
and control activities in compliance with managerial guidelines and applicable statements of policy and procedures, and
in a manner consistent with both ABC Company objectives and high standards of administrative practice.
Obtain and analyse data to provide an objective, informed opinion on the accuracy and fairness of financial
statements. This includes performing analytical procedures and recommending adjustments to ABC
Company financial statements.
With guidance from the audit manager, determine the direction and extent of assigned audits. Prepare the program and
establish procedures which may include statistical
sampling and electronic data processing. Prepare working papers supporting opinions presented in the report to
administration and external agencies.
Participate in audits of ABC Company systems to ensure effectiveness of accounting and managerial controls and
accuracy of recorded data, promote efficiency, safeguard ABC Company assets, and monitor compliance with applicable
laws and ABC Company policies and procedures.
Exercise professional judgement to determine materiality of findings and adequacy and effectiveness of the operation.
Assist in the review and evaluation of the overall accounting and non-accounting controls of computerized information
systems residing on departmental computers. This requires a conceptual understanding of the departmental
activities in relation to computerized information systems under review.
Discuss deficiencies and recommend corrective actions to improve operations and reduce costs. Plan and prepare
formal written reports addressed to department managers or external agencies.
Perform post-audit reviews to determine the extent to which audit recommendations have been implemented.
Assist in the performance of special reviews requested by administration.
Maintain knowledge of current accounting and auditing practices through continuing professional education.
Perform other related duties incidental to the work described herein.
PERFORMANCE EVALUATION
Performance evaluation will serve two major functions in our department. First, it will be used for employee development. The
feedback that employees receive from the appraisal process should provide them with information they can use to improve job
performance. Second, performance appraisal provides bottom-line evaluations of employees that can be used for
administrative decisions such as promotion, salary evaluation, recommendation for training, or remedial action.
Performance Evaluation Policy
All Internal Audit full-time appointed employees will have an evaluation of their work performance at least every semester
and once a fiscal year. The results of these evaluations will be the primary means for administrative decisions.
Performance Evaluation Process
The evaluation process will be a twofold approach (interim evaluation and annual evaluation). These evaluations
will be performed in September and March respectively.

TRAINING AND PERSONAL DEVELOPMENT
Certification Programs
One aspect of professional development is obtaining professional certification as a Certified Public Accountant,
Certified Internal Auditor, Certified Information Systems Auditor, or Certified Fraud Examiner. To increase the
professionalism and credibility of the audit staff, the department supports employees' efforts in achieving
certification through obtaining study aids and providing reimbursement for sitting for exams. Support is also given
by making study time available during working hours and allowing time off to sit for exams. Professional certification is
a factor used in the department's annual employee performance appraisal.
Professional development through certification, membership, and participation in professional organizations is
encouraged. Internal Audit Department funds may be available and budgeted to support this activity.
Continuing Education
Internal Audit has a responsibility to provide for the most effective use of available continuing education funds in
supporting staff member requests for professional training.
Process:
Auditors should review seminar material.
Staff members who desire to attend a particular seminar should (if total expenditures will exceed €100)
complete the above mentioned form. (Requests to attend seminars that will cost less than €100 can be
communicated informally to the Director.)
The Director will make the decision for the expenditure based on availability of funds and the staff
members’ current professional development responsibilities and requirements in maintaining their technical
competence and proficiency.
ADMINISTRATIVE PROCEDURES
MANAGEMENT OF AUDIT RESOURCES
The principal resource that Internal Audit has to accomplish its mission is the amount of available staff
hours. Therefore, it is paramount that we have a process that will provide the information necessary to
effectively manage this resource.
Audit Resource Reporting Policies
All professional training requires prior approval of the Internal Audit Director.
The departmental standard for the hours staff are expected to charge to projects each year is 1,500 hours.
Auditors shall perform fieldwork at the audited entity location whenever possible.
All staff members will submit a weekly progress report, using the electronic Audit Reporting and Management
System (ARMS) detailing the hours spent on assigned projects. The MISCELLANEOUS UNBUDGETED TASK
will be used to list duties that you performed that were not budgeted and for days that you were not in the office
because of paid time off or sick time. Progress reports must be completed by Friday 6:00 p.m.
Projects will be reported in half-hour increments using the project control numbers assigned by the director. The
comments field will be used to provide a brief description of the work performed or, if no work was performed, an
explanation of why. The comments field should also include a statement of how many hours were spent performing
fieldwork at the audited entity location.
Any audit work or other activity that is material (e.g. expected to accumulate more than 8 hours or for which a
written report/memo will be issued) will be assigned a project control number.

STANDARD ELECTRONIC TOOLS
ANAEL Queries
To establish a library of standard 'off the shelf' ANAEL queries, these queries will be written so that they can
be easily executed, by changing well-defined parameters, or simply modified to OUTPUT data in a different format.
The library will be controlled by the department ANAEL LIBRARIAN who will be responsible for updating
the library and informing staff of the current library's contents.
Queries will be written by staff members who have developed an appropriate understanding of the
structure and the data in the accessed files.
Queries will be written according to standards established by the department. Queries will be
thoroughly reviewed and tested before being placed in the library by the librarian.
Whenever practical these queries will be used to extract data from ANAEL defined files for use in audit
testing.
Electronic Working Papers
To assure standardisation of working papers and reports, standardized reports, programs and working papers have
been developed as Word templates. In addition, there is an Audit Macros toolbar that will enable you to input your
information in a form that will automatically add the information to the new Word document.
MISCELLANEOUS POLICIES
Purging Working Papers
Working papers shall be retained for five years after the date of the report. The working
papers shall be purged once a year after the Directors' approval. The exception to this policy is when we are required
to retain working papers longer by law or by agreement.
Paid Time Off
Whenever possible, paid time off (PTO) should be requested and scheduled in advance. If you are SICK
you should call or e-mail the Director or the secretary as soon as you can.
Computer Software
Only computer software that the department or ABC Company owns the rights to should be installed on department
computers. If you wish to install other software on a department computer, you must receive prior approval from
the Director and provide evidence that you own the rights to the software.
Housekeeping
Good housekeeping bears a direct relationship to orderly and efficient work habits. When out of the office, material
in work areas should be straightened. Care is to be exercised to avoid exposure of confidential or potentially sensitive
documents.

APPENDIX A – Audit Announcement Letter
{Date}

{Name of Audited Entity}

Attn:
{Address}

{Address}

RE: Audit of {Name of Audited Entity}

We are in the process of planning the audit for {Name of Audited Entity}. The audit is presently scheduled to
begin {Begin Date of Audit}, and we anticipate being on site between two to three weeks. We understand that some scheduling
adjustments may become necessary to accommodate your staff’s schedules. Please review the audit schedule with your
management team to ensure the timing is coordinated with them. We will work with {name of person} as our main contact.
Our audit will be conducted in accordance with generally accepted auditing standards and, accordingly, will include such tests of
the accounting records and other auditing procedures as we consider necessary to accomplish our audit objectives. We will
follow up on previously raised audit issues, review internal controls, the human resource function, operating efficiencies,
computer systems, year 2008 status, and other audit procedures considered necessary based on the circumstances encountered.

We appreciate your support and the cooperation of your staff as we work together on this engagement. If you would like to
discuss the audit, areas that need special audit attention or this schedule, please call me at 555-323-4123.

INTERNAL AUDIT DEPARTMENT

Audit Manager

APPENDIX C – Internal Audit Glossary
A
Adding Value: By virtue of our position within the Company, Internal Audit is able to gather data to understand and assess risk
and develop significant insight into operations and opportunities for improvement that can be beneficial to the Company. This
valuable information can be in the form of consultation, advice, written communications, or through other products.

Adequate Control: Present if management has planned and organised (designed) their operations in a manner that provides
reasonable assurance that the Company's risks have been managed effectively and that its goals and objectives will be achieved
efficiently and economically.

Analytical Review: The examination of ratios, trends and changes in balances and other values between periods to obtain a
broad understanding of the Company financial or operational position and identify areas that may require further or
closer investigation.

Assurance Services: An objective examination of evidence for the purpose of providing an assessment on risk
management, control, or governance processes for the Company. Examples may include financial, performance, compliance.

Audit Committee: Committee of the Company that has no operational responsibilities for any of the activities undertaken by the
Company. Their primary function is to help ABC Company fulfil its stewardship role by reviewing the systems of risk
management, governance and internal control. The Company's Audit Committee meets three times a year.

Audit Scope: Refers to the activities covered by an internal audit. Audit scope often includes:

Audit objectives: Nature and extent of auditing procedures performed

Time period audited: Related non-audit activities that delineate the boundaries of the audit

When planning audit assignments at the Company, we always agree the scope of our reviews with the unit managers
before starting the audit.

Audit Test Matrices: Audit Test Matrices include:
Risks
The Expected Controls
The Compliance Test

Audit Working Papers: Record the information obtained, the analyses made, and the conclusions reached during an
audit. Audit working papers support the bases for the findings and recommendations to be reported. Audit working papers are a
key part of the evidence used by us in arriving at our conclusions and recommendations.

Auditable Activities: Consist of those subjects, units, or systems, which are capable of being defined and evaluated. Auditable
activities may include:
Policies, procedures and practices
Cost centres,
General ledger account balances
Information systems (manual and computerized)
Major contracts and programmes/projects,
Functions such as information technology, finance, accounting, personnel etc,
Transaction systems for activities such as income, expenditure, treasury management, payroll and capital assets
Financial statements
Laws and regulations
We have adopted a risk-based approach in recent years as an approach that uses the Company's Risk Register as a means of
identifying our audit universe.
Audit Universe: An inventory of audit areas that is compiled and maintained to identify areas for audit during the audit
planning process. Traditionally, the list included all financial and key operational systems audited as part of the overall cycle of
planned work. The audit universe serves as the source from which the five-year audit plan and the annual audit schedule are
prepared. Developments in the approach to auditing and audit planning have meant that the audit universe is determined by risk
(i.e. a risk universe) and that the risk-based approach to auditing results in planning that is driven by the Company's risk
register. The universe will be periodically revised to reflect changes in the overall risk profile. An inventory of audit areas, or
audit universe, will be compiled and maintained.

Authorization: Implies that the authorizing authority has verified and validated that the activity or transaction conforms to
established policies and procedures.

Authorizing: Includes initiating or granting permission to perform activities or transactions.


C
Charter: The charter of the internal audit activity is a formal written document that defines the activity's purpose,
authority, and responsibility.

Compliance: The ability to reasonably ensure conformity and adherence to Company's policies, plans, procedures, laws,
regulations, contracts, ordinances and statutes.

Conclusions: Our evaluation of the effects of the findings on the activities reviewed. Conclusions usually put the findings in
perspective based upon their overall implications, particularly in a risk-based audit approach which will provide an audit
viewpoint in relation to the aims and objectives of the Company.

Conflict of Interest: Any relationship that is or appears to be not in the best interest of the Company. A conflict of interest
would prejudice an individual's ability to perform his or her duties and responsibilities objectively.

Consequence: The outcome of an event expressed qualitatively or quantitatively, being a loss, injury, disadvantage or gain.

Control: Any action taken by management, the board, and other parties to enhance risk management and increase the likelihood
that established objectives and goals will be achieved. Management plans, organises, and directs the performance of sufficient
actions to provide reasonable assurance that objectives and goals will be achieved. (See internal control also).

Control Environment: The attitude and actions of the members and management regarding the significance of control
within the organization. The control environment provides the discipline and structure for the achievement of the
primary objectives of the system of internal control. The control environment includes the following elements:
Integrity and ethical values
Management's philosophy and operating style
Organizational structure
Assignment of authority and responsibility
Human resource policies and practices
Competence of personnel

Control Framework: A recognized system of control categories that covers all internal controls expected in an organization.

Control Processes: The policies, procedures, and activities that are part of a control framework, designed to ensure that risks
are contained within the risk tolerances established by the risk management process.

Control Risk: The tendency of the internal control system to lose effectiveness over time and to expose, or fail to prevent/detect
weaknesses in the systems of control.

Control Self-Assessment: A class of techniques used in an audit or in place of an audit to assess risk and control strength and
weaknesses against a Control Framework. The "self" assessment refers to the involvement of management and staff in the
assessment process, often facilitated by internal auditors. There are many self-assessment techniques in use. At the Company, we
operate an annual self-audit system that is a form of self-assessment.

D
Detection Risk: The probability that an incorrect audit conclusion will be drawn from the results of the examination or that the
audit work will fail to detect any serious errors.

Detective Controls: Actions taken to detect and correct undesirable events which have occurred.

Directive Controls: Actions taken to cause or encourage a desirable event to occur.

Due Professional Care: Calls for the application of the care and skill expected of a reasonably prudent and competent internal
auditor in the same or similar circumstances. Due professional care is exercised when internal audits are performed
in accordance with Generally Accepted Auditing Standards. The exercise of due professional care requires that:
Internal auditors be independent of the activities they audit
Internal audits are performed by those persons who collectively possess the necessary knowledge, skills and disciplines
to conduct the audit properly
Audit work be planned and supervised
Audit reports be objective, clear, concise, constructive and timely
Internal auditors follow up on reported audit findings to ascertain that appropriate action was taken.
At ABC Company, we have agreed procedures in place to ensure that we work to recognized professional audit standards.

E
Effect: Effect is the risk or exposure the audited entity and/or others encounter because the condition is not the same as
the criteria (the impact of the difference).

Effective Control: Present when management directs systems in such a manner as to provide reasonable assurance that the
organization's objectives and goals will be achieved.

Error: As it relates to internal audit reports, it is an unintentional misstatement or omission of significant information in a final
audit report.

External Auditors: Refers to those audit professionals who perform independent annual audits of an organization's financial
statements.

F
Findings: Pertinent statements of fact. Audit findings emerge by a process of comparing what should be with what is.

Follow-up: This is a process that we use to determine the adequacy, effectiveness and timeliness of actions taken
by management on previous audit findings and recommendations.

Fraud: Any illegal acts characterised by deceit, concealment or violation of trust. These acts are not dependent upon the
application of threat of violence or of physical force. Frauds are perpetrated by individuals and organizations to obtain
money, property or services; to avoid payment or loss of services; or to secure personal or business advantage.

G
Goals: Goals are specific objectives of specific systems and may be otherwise referred to as operations or
programmes, objectives or goals, operating standards, performance levels, targets or expected results.

Governance Process: The procedures used by the representatives of the Company's stakeholders to provide oversight of risk
and control processes administered by management. Governance is the Company's strategic response to risk, which brings
together related components such as strategic planning, risk management, assurance that goals and objectives will be achieved,
and internal auditing.

I
Inherent Risk: Risks that an account or class of transactions contains material misstatements irrespective of the effects of the
controls.

Internal Audit: The Company's in-house team that provides independent, objective assurance and consulting
services designed to add value and improve the Company's operations.

Internal Control: A process within an organization designed to provide reasonable assurance regarding the achievement of the
following primary objectives:
The reliability and integrity of information
Compliance with policies, plans, procedures, laws, regulation and contracts
The safeguarding of assets
The economical and efficient use of resources
The accomplishment of established objectives and goals for operations or programmes.

Irregularities: Refers to the intentional misstatement or omission of significant information in accounting records, financial
statements, other reports, documents or records. Irregularities include:
Fraudulent financial reporting which renders financial statements misleading, and
Misappropriation of assets.
Irregularities involve:
Falsification or alteration of accounting or other records and supporting documents
Internal misapplication of accounting principles
Misrepresentation or intentional omission of events, transactions or other significant information.

L
Likelihood: A qualitative description of a probability or frequency.

M
Management: Used to indicate, firstly, the level of management to whom the Director of Internal Audit is responsible and
secondly anyone who has responsibilities for setting and/or achieving objectives.

Monitoring: Encompasses supervising, observing and testing activities and appropriately reporting to responsible individuals.
Monitoring provides an ongoing verification of progress toward the achievement of objectives and goals.

N
Net Risk: See also Residual Risk.

O
Objectivity: An unbiased mental attitude that requires internal auditors to perform engagements in such a manner that they have
an honest belief in their work product and that no significant quality compromises are made. Objectivity requires internal
auditors not to subordinate their judgment on audit matters to that of others.

Operations: Refers to the recurring activities of an organization directed toward producing a product or rendering a service. Such
activities may include, but are not limited to, marketing, procurement, personnel, finance and accounting.

Opportunity: An uncertain event with a positive probable consequence. Related to risk, the possibility that one or
more individual organizations will experience beneficial consequences from an event or circumstance.

P
Planning Risk: The risk that the planning process is flawed. In risk assessment, it is the risk that the assessment process is
inappropriate or improperly implemented.

Preventative Controls: Actions taken to deter undesirable events from occurring.

Probability: A measure (expressed as a percentage or a ratio) of estimation sometimes used as a basis of measuring the
likelihood and impact of risks when undertaking risk assessments.

Q
Quality Assurance: A programme by which the Head of Internal Audit evaluates operations of the internal auditing service.

R
Recommendations: Actions we believe are necessary to correct existing conditions or improve operations.

Residual Risk: Also known as 'net risk'. This is the level of risk remaining after the relevant controls have been
applied by management to the gross (or 'absolute') risk. Residual risk represents the actual level of exposure that the
Company faces.

Risk Analysis: The assessment of risk, the management of risk, and the process of communicating about risks. A systematic use
of available information to determine how often specified events may occur and the magnitude of the consequences.

Risk Assessment: The identification of risk, the measurement of risk, and the process of communicating about risks. A systematic
process for assessing and integrating professional judgments about probable adverse conditions and/or events. The risk
assessment process measures risk by the use of two factors: impact and likelihood.

Risk-Based Auditing: An approach that focuses upon how an organization responds to the risks it faces in achieving its goals
and objectives; it aims to provide assurance on the management of the identified risks within the context of the
Company's corporate plans and aims.

Risk Classification: Part of the risk assessment process that categorises risks, typically into high, medium, low, and intermediate
values.

Risk Evaluation: See risk measurement.

Risk Factors: Measurable or observable characteristics of a process that either indicate the presence of risk or tend to increase
risk exposure.

Risk Identification: The method of identifying and classifying risks. See risk classification.

Risk Management: Proactive steps that management can take to assess and manage business risks. The culture, processes and
structures that are directed toward the effective management of potential opportunities and adverse effects.

Risk Management Process: The systematic application of management policies, procedures and practices to the tasks of
establishing the context, identifying, analysing, assessing (evaluating), managing (treating), monitoring and communicating risk.

Risk Management Strategy: A structure for linking the company's business strategy and organization to its risk management
objectives.

Risk Management Systems: Principles relating to the design, development, and management (primarily information
technology) of systems for providing reliable, accurate and timely information related to risk management.

Risk Measurement: The evaluation of the magnitude of risk which usually involves developing a set of risk factors that are
observed and measured to detect the presence of risk.

Risk Prioritisation: Ability to measure risks into a logical order by establishing how significant they are in comparison to the
achievement of business goals and objectives. The relation of acceptable levels of risks among alternatives.

Risk Register: A central register of the Company's key risks that identifies the classification of risks by area, impact and
likelihood.

Risk: The chance of something happening that will have an impact on the Company's or one of its unit's objectives. It is
measured in terms of impact and likelihood. Importantly, risk can be both positive and negative, although most positive risks
are sometimes known as opportunities and negative risks are called simply risks.

S
Significant Audit Findings: Those conditions which in the judgment of the Director of Internal Audit could adversely affect the
Company. Significant audit findings may include conditions dealing with irregularities, illegal acts, errors,
inefficiency, waste, ineffectiveness, conflicts of interest, and control weaknesses.

System: System (process operation, function or activity) is an arrangement, a set, or a collection of concepts, parts, activities
and/or people that are connected or interrelated to achieve objectives and goals. (This definition applies to both manual and
automated systems). A system may also be a collection of subsystems operating together for a common objective
or goal.

T
Threat: A combination of risk, the consequences of that risk, and the likelihood that the negative event will take place.
Often used in analysis in place of risk. The possibility that one or more individuals or organizations will experience
adverse consequences from an event or circumstance.

U
Uncertainty: A condition where the outcome can only be estimated due to incomplete or imperfect knowledge of the area/
subject in question. In practice, uncertainty impacts upon the quality of risk assessments by managers.

Understanding: Means the ability to apply broad knowledge to situations likely to be encountered, to recognize significant
deviations and to be able to carry out the research necessary to arrive at reasonable solutions.

AUDITING STANDARDS
The general, field work, and reporting standards (the 10 standards) approved and adopted by the membership of the
AICPA, as amended by the AICPA Auditing Standards Board (ASB), are as follows:

General Standards
1. The audit is to be performed by a person or persons having adequate technical training and proficiency as an
auditor.
2. In all matters relating to the assignment, an independence in mental attitude is to be maintained by the
auditor or auditors.
3. Due professional care is to be exercised in the performance of the audit and the preparation of the report.
Standards of Field Work
1. The work is to be adequately planned and assistants, if any, are to be properly supervised.
2. A sufficient understanding of internal control is to be obtained to plan the audit and to determine the nature,
timing, and extent of tests to be performed.
3. Sufficient appropriate evidential matter is to be obtained through inspection, observation, inquiries, and
confirmations to afford a reasonable basis for an opinion regarding the financial statements under audit.
Standards of Reporting
1. The report shall state whether the financial statements are presented in accordance with generally accepted
accounting principles (GAAP).
2. The report shall identify those circumstances in which such principles have not been consistently observed
in the current period in relation to the preceding period.
3. Informative disclosures in the financial statements are to be regarded as reasonably adequate unless
otherwise stated in the report.
4. The report shall contain either an expression of opinion regarding the financial statements, taken as a whole,
or an assertion to the effect that an opinion cannot be expressed. When an overall opinion cannot be
expressed, the reasons therefor should be stated. In all cases where an auditor’s name is associated with
financial statements, the report should contain a clear-cut indication of the character of the auditor’s work, if
any, and the degree of responsibility the auditor is taking.

