Internal Audit Methodology

Transcription

1 Approved by the Order #1013 July Government of Georgia Internal Audit Methodology 1. Introduction Unlike external audit, internal audit is a new profession in Georgia, as well as all over the world. Hence, it is natural that this profession is entity to permanent changes and improvements. This document provides definition of the internal audit and discussion of the key principles thereof; it provides detailed explanation on how internal audit function should be performed in accordance with the International Professional Practices Framework developed by the International Institute of Auditors (IIA). It should be noted that the feature of internal audit is unique for each institution and depends upon environment in the institution. Therefore, to perform internal audit, culture, policies and business processes of the institution should be studied and understood in details. Contemporary internal auditors study the systems, watch effectiveness achievement of maximization of results from the resources used in the activities of the audit object, cost-effectiveness, effectiveness degree of meeting of the stated objectives by the audit object, regarding actual and expected results and, if required, provide recommendations. Internal auditors study financial, operational, strategic and compliance risks to ensure sustainability of the institution s control system. They conduct assessment and identify required improvements. Main function of the internal audit is assistance to the management in achievement of the institution s goals. 2. Definition and Principles of Internal Audit What is internal audit? According to IIA definition, internal audit is independent activity, including objective evidences and consultancy activities, adding value and improving operation of the institution. It helps the institution in achievement of its goals, in evaluation and improvement of the autonomous process of risks management, control and management, using systemic and organized approach.

2 2. Charter of the Internal Audit Entity, Internal Audit Entity Charter of internal audit entity is the official document stating purpose of internal audit activities, as well as authorities and responsibilities. Internal audit charter specifies the place of internal audit entity, as integral part of the organizational structure, availability of tangible and intangible assets, as well as entitlement to the staff information and various assets, as required for fulfillment of the internal audit function. Internal audit charter states also the scopes of internal audit. Head of the internal audit entity should periodically review the internal audit charter to ensure its compliance with the modern internal audit concept, code of ethics of internal auditors and internal audit standards. Head of the internal audit entity shall provide implementation of the internal audit entity work quality assurance, maintenance and improvement strategic program (which shall be developed by the head of internal audit entity and approved by the head of institution, upon agreement with the center), which covers all aspects of internal audit entity activities. By means of the mentioned program compliance of internal audit entity activities with the internal audit definition, internal audit standards and internal audit code of ethics shall be provided. Implementation of this program should allow evaluation of effectiveness and efficiency of internal audit function, as well as identification of the improvement opportunities. 4. Internal Audit Independence Internal audit entity shall be independent and the internal auditors shall be unbiased in internal audit performing. To ensure independence of internal audit the internal audit entity shall be directly subordinated to the head of institution (minister, state attorney, major etc.), in the organizational respect. Internal auditor should have possibility of open professional communication with the head of institution, though, internal audit entity shall be entitled to freely select (even if the opinion of internal audit entity s head is different) and inspect any sphere, where he/she regards that there is the risk of substantial errors.

3 Head of internal audit entity shall be independent in selection of the sphere of internal audit entity work, implementation of its activities and reporting of the results. 5. Overview of Internal Audit Function, Audit Evidences Audit evidence is collected analysed and evaluated information, on which the audit findings are based. Evidences shall meet the following conceptual requirements and shall be: a) Sufficient is the measure of quantity of the evidence; should be collected and evaluated sufficient information so that the reasonably informed unbiased person agreed with the auditor s conclusions. b) Reliable comprises the measure of reliability and adequacy of the source of evidence and the method of seeking thereof; generally, information received from the third, independent party is more reliable than that, received from the audit objects; the evidence is reliable where it is gained via direct physical examination, observations and inspection and where it is received in the documentary form, rather than verbally. Degree of information reliability increases where it is received from several sources; c) Adequate is the measure of adequacy of the evidence; the evidence shall be in logical relation with that, for evidencing of which it is sought. Audit evidence may be physical, recognitive, documentary and analytical. 6. Methods of Seeking of the Evidences As a rule, for gaining the audit evidences various techniques and methods are used. Selection of the evidence collection method is provided based on the characteristics of the methods and specific purposes of audit. Methods of collection of the audit evidences differ significantly (e.g. the method may be reliable, though requiring high costs; it may require greater technical knowledge and experience etc.). Widespread methods of collection of audit evidences include: a) Interview this method is often used for collection of evidences. For conducting the interview, adequate training and respective skills are required. Interview may identify the problem, provide evidences for confirmation of the audit findings and the positions of the auditor and audit object may be compared with respect of the breaches identified via audit and recommendations;

4 b) Audit test testing means examination of the selected actions / measures or operations doe identification their qualitative properties. Audit tests are of two types: compliance testing and detailed inspection. Purpose of compliance test is examination of the control adequacy and effectiveness. Key procedures imply detailed examination of the selected operations/records. In many cases the test serves for both purposes. E.g. examination of calculations may show, whether internal control mechanisms operate properly (compliance test), as well as how accurately the system provides the amount (this test, simultaneously, serves to the goals of detailed examination). After selection of the test type the operations / records to be tested will be identified. The specific object of testing may be selected on the basis of judgment (e.g. taking into consideration the scopes, risks or other properties). Conclusions made in such case would be applicable to the given objects of testing. Test object may be selected so that the selected set was representative for the group/population of certain operations/records. Conclusion made in such case would be applicable to the entire population (group) and not only to the test objects. c) Selection the process, by means of which the part of the population is selected for determination of the characteristics and parameters of the population. This method significantly reduces the costs and makes internal audit functioning more effective and therefore, it is very widely used. Though, selection has its weaknesses as well: One of its weaknesses is the selection risk risk that the selection by the internal audit entity may be not representative (selection scopes may not fully cover the field under consideration) for the entire population, resulting in inadequate findings; There is also the risk of non-selection e.g. the error may be not identified. There are two basic types of selection: Statistical selection, which relies upon the statistical science; Selection through judgment, or non-statistical selection, where the auditors provide selection on the basis of judgment and determine the scopes of the selected set. Statistical selection has the following advantages:

5 Generally, reduced sizes of the selected sets mean that audit/inspection activities are more effective; Allows risks assessment; Is better protected from biased approach and inadequate efforts; d) Questioning structural approach to collection of information from the large population. Example of use of monitoring is finding out of the opinions of the service beneficiaries about quality and timeliness of the services. Its key element is tested, structured questionnaire. Questioning could be conducted either via personal meetings, by phone, internet or mail; e) Inspection confirmation of presence of the records, documents or material resources. Inspection of the material assets provides reliable information about presence of the material assets and their condition. Inspection of records can confirm or reject existence of the primary documentation of the accounting records; f) Diagram graphical description of the process or system allowing analysis of the complex operations/systems, examination of presence of the control mechanisms and identification of the excessive/useless actions in the process; g) Modeling method facilitating decision-making by simulation of the actual processes by means of mathematical and statistical models. The models may be descriptive or cognitive. Descriptive models provide classification of variables and clarification of their interrelations between them. By means of the cognitive method the prognosis is developed how the interrelation between variables would change, if one or more of them changes; h) Observation similar to the inspection. Observation implies personally examining the processes and procedures. There are some cases, where evaluation of functioning of the operations and internal control mechanisms is possible only via direct observations over their operation; i) Confirmation written request to the audit object or the third party to provide written confirmation of one or another information;

6 j) Analysis study of the gained information and its use for conclusions, to compare with the indicators of the results of the audit objects activities, past achievements or results of similar operations in the other institution, or for finding out compliance with the institution policies and effective legislation. 7. Planning of Internal Audit Head of the internal audit entity, based on the requirements of the legislation, in agreement with the head of the institution and the center, should develop the strategic plan of internal audit and annual plan of internal audit. Strategic plan of internal audit, similar to the annual plan of internal audit, should be developed on the basis of audit risks assessments, taking into consideration of the experience of past audits, available resources (time and human resources). Process of development of the internal audit plan assists the head of audit entity to clarify such issues as: Allocation of human resources to the different spheres of audit assignment of the staff based on their knowledge, skills and experience to the complex / high risk operations / systems and audits requiring relatively limited technical knowledge; How management and supervision of the audit process will be provided; Development of the quality assurance program etc. Upon development of the internal audit strategic plan the internal audit annual plan should be developed. Internal audit strategic plan should be developed once and further reviewed (at least once in two years). Annual plan of internal audit shall be developed in the end of each year, at least one month before commencement of the new financial year. Head of the internal audit entity shall submit strategic plan of internal audit, as well as annual plan of internal audit to the head of institution. Annual plan of internal audit provides more details, compared with the strategic plan of internal audit. Internal audit annual plan, primarily, provides analysis of risks assessment results and further

7 plans of implementation of the other procedures of audit. This includes both, the nature of audit procedures and sphere of audit, as well as terms for each audit. Annual plan of internal audit should provide for (based on the past experience) certain amount of free time (for conducting off-schedule audit of the staff with different experience, knowledge and skills, on the basis of request of the head of institution, or suspicion of alleged abuse). 8. Implementation of Internal Audit First step in most internal audits is informing of the management of the respective structural subdivision / body of the structure / institution, where audit is planned, about conducting of the audit. This is done via formal letter, by which the management of the audit object is officially notified about planned audit. The mentioned letter should provide information about when the audit is scheduled; who is in charge of audit and why the audit is conducted (current, scheduled, upon the management s request etc.). Mentioned official letter should be sent, in addition to the management of the audit object, to the immediate manager and shall state the following information: a) Audit purposes and scope; b) Date of audit commencement and its duration; c) Names and surnames of the persons (at least the team leader) bearing responsibility for the audit. From the audit object the financial statements, statistical reports and other reports corresponding to the goals of specific audit should be requested in advance; this would assist the auditors to better understand the situation and identify the trends. There are some cases where no formal letter is sent to the audit object, e.g. where the audit is conducted unexpectedly, in relation with the abuse and only administration of the institution may be informed. Though, it should be taken into consideration that off-schedule audit breaks the normal course of work of the audit object and causes complication of fulfillment of their duties properly. Therefore, off-schedule audit should be conducted in the extremal situations. In addition, frequent off-schedule audits may endanger implementation of the internal audits states in the annual internal audit plan.

8 9. Study of the Object within the Internal Audit Scopes These studies are of great significance for clarification of the direction of audit efforts, specific spheres and scale; this is the first stage, which is implemented in the site of audit. Internal auditor shall not commence audit of the documents or observation over some activities without specific goal or objectives. Study at the object allows the auditor: a) Familiarization with different systems; b) Examine various system control structures and control risk in the spheres of audit. If the audit group members do not know the location of audit object and its administration, it is necessary to familiarize with them; in addition, any question in the letter about commencement of the audit should be clarified. At the same time, team leader auditor shall develop the requirements for the planned interviews and work schedule. For implementation of the typical study at the object the team leader auditor and team members should take into consideration the following components: Organization In conducting study at the object the auditors shall cross-check the structure of institution, including, whether the names and surnames of key staff members related to the specific audit operation are provided correctly. Auditor shall get familiar with the functional responsibilities and key persons participating in the activities. In many cases, in the structures of the institutions, the titles of the positions do not adequately reflect actual functions of specified position. The formal job descriptions shall be requested. If the given structural subdivision (unit) and/or unit subordinated to the institution has no functional distribution, the auditor shall prepare the brief sketch of the organizational structure and consider his/her propositions with the administration of such structure, which is subject to audit.

9 Manuals and instructions Copies of the respective policies and procedures manuals and required data, for the auditor s work documents could be obtained online, with special access authorities. The respective laws and regulations should be studied, as well as the administration s directives, which shall be fulfilled. Regarding common objectives of the audit, the copies of correspondence should be considered as well, to familiarize with the respective materials. Reports Respective reports and records of the meetings related to the audit to be performed should be analysed (submitted by the leader), like budgeting, operations, costs analysis and personnelrelated issues, as well as the results of any external audit or survey conducted by the administration and implemented measures. The examples may include the feasibility reports or conclusions made by the Chamber of Control of Georgia. Such reports may provide to the auditor some hints, as well as the summaries of the existing problems, recommendations offered and results achieved via their implementation. Personal observations Visual examination of the object allows the internal auditors to get familiar with the given structural subdivision (unit) and/or unit subordinated to the institution, its key activities and staff. This also allow audit group to put the questions and observe the activities of the unit. The auditors are often criticized because they pend all their time in accounting or administrative office and perform audit so that they have no clear idea of the activities in relation with which the audit is conducted. As the final work of the auditor may lack some significant issues, impressions of the visual examination should be stated in the auditor s work documents. Compliance with the procedures of the audit object should be observed and documented as well.

10 Discussion with the staff related to the specific audit Arrangement of the discussion with the staff members engaged in the audited sphere is useful for identification of the problematic issues, results of the activities of structural subdivision (unit) and/or unit subordinated to the institution and planned changes or reorganization. Questions should be stated on the basis of data considered in advance or findings of the visual examination. Study of the object is the first step for the purpose of any type of survey in the audited entity; at this point the management meets with the audit group and the auditors assigned for the given task have the first contact with the audited structural subdivision (unit) and/or unit subordinated to the institution. At this stage the problems or disagreements may arise. Though, it is desired that these issues were resolved at a time of letter of the commencement of audit. Head of the structural subdivision may be unaware of what the internal auditors are interested in, or the internal auditors may have no proper awareness about the structural unit, irrespective of preliminary planning. Consequently, it may become necessary to change the planned overview, audit procedures or even the sphere of audit. In such case the audit official should contact the head of internal audit entity for further instructions. Regarding the number of the internal audit service staff and the contents of letter on commencement of audit the overview may be conducted by one or more internal auditors. One of them shall be always nominated by the head of internal audit group as the chief auditor of the audit group, whose responsibilities include making of the auditor s decisions in situ. Normally, responsibilities of the chief auditor are imposed over the senior auditor in the composition of auditors, though these responsibilities should be vested upon the other auditors as well, by the rotation, to allow the less experienced auditors to gain the audit process management skills. 10. Documenting of the Studies over the Object within Internal Audit Scopes Normally, survey of the object (territory of the internal audit object territory) takes one or two days. In case of wider examination the survey may be conducted separately, at a time of preliminary visit,

11 before the auditor implements the key procedures and performs the analytical work. In both cases, the implemented work, as well as the summaries of the data collected at the object, in the course of survey, should be stated in the auditor s work documents. The copies of the reports and available written procedures should be collected, as well as summary of the records, documented observations at a time of all interviews and visual examination of the object. In addition, for each system or process the diagrams should be prepared. Survey of the object is the means for identification of the new and innovative approaches to the audit. Such new methods should be taken into consideration against the background of the changed procedures or work conditions. For example, some function, which was previously performed manually, now is automated (by means of certain technological innovations). The schemes should be developed for description of the key processes, controlled risks and internal control mechanisms. Via graphical expressions of the series of operations and data summaries the diagrams present the complex systems, processes and control mechanisms. There are many approaches for building of the diagrams, but diagrams should always depict relations between different operation components and the control mechanisms in the processes. Upon completion of work on them the diagrams will become the permanent part of the auditor s work document for given structural subdivision (unit) or unit subordinated to the institution. This is also useful for meeting of the requirements according to which the institutions shall maintain the documents and disclose the internal control mechanisms. In many cases the staff member of internal audit entity has already prepared diagrams, from the previous surveys, which require only updating. Sometimes the institutions, themselves have prepared internal diagrams for the purpose of process documenting or any other purpose. Of course, these diagrams should be used, though the auditor shall make sure that they are accurate and up-to-date. 11. Auditor s Conclusions Resulting from Object Surveys Within the scopes of internal audit, purpose of the object survey is cross-checking of the actual nature of considerations developed in the course of preliminary planning of audit. In addition, the key systems and processes should be studied as the information, upon which the preliminary planning of audit rely is not complete in many cases. This is the important stage, where, the audit

12 group assigned for conducting of given audit can make changes to the scales and objectives of the planned audit. At a time of wider scale audits, in many cases, it is useful that the head of the audit entity visited the group, which conducts field survey and consider the results. In this way all changes in the sphere of audit requiring approval from the side of administration could be made. In result of the field visit many potential questions, which would further arise, could be answered. Internal auditor may find him/herself in the situation, where, based on the information resulting from the object survey the audit group can make corrections to the audit sphere planned in advance, or even cancellation of the audit work completely. In some cases, the audit group participating in the preliminary planning may contact the remote object of audit and receive information about absence changes in the sphere of interest. After visiting of the object some significant changes could be revealed in result of object survey, e.g. introduction of the new information system, what completely changes the control environment and internal audit group may need to assign one more specialist for work with the project, leading to corrections both, in staffing and audit testing strategy. In the other cases the audit group may establish that the changes are insignificant and planned audit should be cancelled or postponed. Though, mostly, the field survey provides to the audit group additional data, assisting them to make changes to the planned procedures. Survey at the object conducted within the scopes of internal audit should be used for the purpose of documenting or for updating of the permanent work file. If at the object there is no administration of audit service the survey results should be summarized in written and sent to the chief by , in which case it is deemed that the chief is familiar with the given conclusion. 12. Use of the Audit Programs for Internal Audit Internal audit shall be organized and implemented consistently, for the purpose of minimization of the arbitrary or useless procedures. Fir assistance and guidance the internal auditors shall use so called audit programs to perform audit procedures consistently and effectively at a time of implementation of the similar audit. term program denotes the number of audit procedures, which are similar to the computer programs and

13 contain instructions, which, each time, in the course of the process, pass one and the same program instructions. E.g. computer program, providing calculation of salaries, contain the instructions for reading of the files of the cards recording the worked days, position benefits of the employed, seeking of the information saved in the other file and calculation of the aggregate salaries. For each employee one and the same stages are repeated, with the exclusion of cases where the program specifies the overtime work. Similarly, the audit program contains the set of predetermined stages to be implemented by the internal auditor. Audit program is the mean for planning, directing and controlling of the auditor s work and outline of the actions, which specifies the stages to be implemented for fulfillment of the audit objectives. This is the set of the best methods of the auditor for conducting of audit and ensures documenting of the performed stages. Entity of internal audit, desiring that its activities were evaluated as effective and professional, shall have prepared the number of audit programs for performing of the recurrent audit operations. Many such programs (e.g. one of them is observation over inventory) are applied by number of years by many institutions only with minor changes. In the other case the auditor may have to modify the standard program, to adjust it with the unique aspects of the specific audit. And in some cases use of the standard audit program is not reasonable. For example, where internal auditor desires to examine the structural subdivision (unit) or the unit subordinated to the institution for special / unique control characteristics, or if the administration of the audit service desires to apply different approach to overcome the problem identified in the previous survey. Advantage of the standard programs that they contribute to perform the work in reasonable manner; play the role of completed control questionnaire and ensure that all issues significant for the audit are dealt with. Standard programs improve audit effectiveness and facilitate delegation of works and control processes. Though, the standard programs have the weaknesses as well: if the decision on their application is not reasonable, thi can suppress the professional judgment. In performing of his/her work the auditor always needs professional judgment, as all audit operations are different and thus, the tests shall be developed bearing in mind different conditions of each audit operation. According to the planned audit objectives and base on the data collected at a time of preliminary and field surveys the chief auditor can make decision on correction of the audit program. This may

14 include minor local changes or unique audit procedures based on the preliminary planning and field survey results. To develop the program, the internal auditor, primarily, shall study the characteristics comprising adequate audit program 13. Formats of Audit Programs and their Development Audit program is the document describing the stages, procedures and tests to be performed by the auditor at a time of actual implementation of audit. Development of the program shall be completed before field survey and further, before implementation of actual auditor work in situ. It shall be developed taking into consideration number of criteria, the most significant of which is that the program identified the aspects of the sphere requiring further examination and sensitive spheres (high risk spheres are implied), which require auditor s attention. One of the most significant purposes of audit program is that it provides guidance for both, beginners and experienced auditors. For example, the administration can require from the audit entity to observe over the annual inventory. Such survey consists of quite standard procedures. Unexperienced auditor can be unaware in these procedural stages; even experienced professionals can forget some of them. Audit program contains all necessary stages of audit. Gradually entity of internal audit develops the library of programs with time for such tasks as inventory observation or survey of long-term assets. In planning of such survey, for which the developed programs are available, the administration of audit service will use given program, taking into consideration the changed situation, which would become known to it at a time of preliminary ot field survey. Audit programs are reviewed as required; changes shall be approved by the administration of audit service, before commencement of the survey. Many entities of internal audit may have no formulated audit programs for many years. This is caused by the fact that normally, the internal auditors have to conduct audits in wide and versatile spheres, though they have no time or resources to regularly survey each sphere. Audit programs developed on the basis of past audits often become obsolete due to introduction of the new systems or changes to planning. Auditor responsible for field survey or one of the audit service managers should update the available audit programs, i.e. prepare the updated reviewed versions of the audit programs for the planned audit. Regarding the type of planned audit, normally, on of the three general formats is used: set of general

15 audit procedures; audit procedures with the detailed instructions for the auditor and the checklist (the latter is for the compliance audits). Audit program containing detailed instructions or procedures implies that the auditor using such program has no sufficient technical knowledge required for survey. In many cases such programs are used for one-time surveys for certain specific spheres, developed by the audit service administration so that the auditor with the adequate knowledge for planning of all procedures detailed in the audit program, perform audit upon certain instructions. Application of such program format is useful for the audit management group by audit entity, the auditors of which perform their activities in the remote locations and it desires that its auditors implemented one and the same general procedures. The audit programs with the checklists were the most widespread format int he internal audit sphere. It consisted of the long list of the questions and required answers yes, no, or N/A. Implementation of such programs is provided via study of documents or the interviews. Answers yes/no to the questions in the information collection context are acceptable in many cases. Though, audit program in checklist format has two weaknesses. First, the experienced auditor, at a time of yes/no type interviews can consider the problematic spheres or put the different question, but the beginner can miss such nuances and he/she would simply complete the questionnaire, without passing beyond the yes/no questions and would not provide in-depth study of the problems pointed by thee questions. Procedures-oriented audit program is more conductive with respect of the additional questions about the issues, to which the questions may arise based on the collected information. Questionnaire-type audit program, where the auditor puts the questions only, also leads to ignoring of the issues requiring evidences by the auditor. Unexperienced auditor can simply tick yes without finding out, whether such positive answer is based on the respective audit evidences or not. For example, question about whether the significant documents are approved regularly or not. It is easy to put the question and receive positive answer, but whether these documents were actually approved or nor, will be never checked. Each format of the audit program is useful for different types of survey, if the internal auditor takes some time to thoroughly understand the questions of the program.

16 The main problem is that audits should be based on the audit program of certain type, which provides documentation of the performed stages of survey. Such approach allows the audit service administration to be aware in which procedures were conducted by the auditors and which were not at a time of given survey. Good and consistent audit programs are very significant for improvement of the internal audit quality. Reliability of the evidences to be considered and other information should be also taken into consideration in finalization of the audit program. There is no use in maintaining of the obsolete systems and procedures in audit program. In development of the audit program internal auditor shall select the significant stages which ensure collection of the reliable audit evidences. For example, in many cases, it is necessary that the audit program contained the key procedures in the high risk significant sphere, rather than recommendations on collection of information via interviewing. Contemporary audit methods also contain audit software, where this is practicable. For example, by the computer-based audit methods (CAATS) some audit stages could be implemented similarly to the procedure of up-to-date audit procedure (e.g. statistical selection procedures), to allow the auditor embracing the wider range of issues. In preparation of such audit the consultations should be provided by the staff members of audit service, who have experience in information systems audit or other technical skills. For the audit program no best format or one stated format exists, though, the program should be the document, which could be studied by the auditors to direct their efforts for the purpose of documentation of such activities. Audit program will be further attached to the audit work documents and play the role of the table of contents for the activities described in such work document. 14. Implementation of Internal Audit Procedures in Situ Audit may result in delays in everyday operation of the institution s system bodies and cause problems where the audit takes place.

17 Chief auditor and audit group members should commence their work at the audit object with the meeting with the respective members of the audited object to present them the audit plan, identify the spheres to be examined, as well as the special reports or required documentation and introduce the staff members, who will participate in the interviews. Internal audit processes could be summarized as follows: Risk assessment for the purpose of identification of potential control risks; On the basis of risk analysis, regarding available time and other resources, development of internal audit strategic plan and internal audit annual plan and amendment thereof; Audit planning and resources allocation; Notification of the audit object on commencement of audit; Conducting of the audit survey; Preparation of the work documents; Implementation of the audit procedures; Study of the key control mechanisms and procedures documenting; Summarization of the audit results and their consideration with the audit object management. 15. Internal Audit Work Documents This section of the methodology contains instructions dealing with preparation, consideration and maintenance of the audit work documents. Necessity of maintenance of the work documents is caused by need of the linkage between performed work and audit report Requirements Related to Work Documents Work documents provide linkage between performed audit work and the audit report. Work documents comprise organized system of records fully reflecting performed work and include all documents and electronic information collected or generated by the auditor, including evidences confirming auditor s findings, auditor s opinions and conclusions. Evidences stated in the work documents should be adequate for confirming auditor s findings and supporting the auditor s report. Work documents should be developed and considered in accordance with the generally recognized audit standards.

18 15.2 Planning Creation and Organizing of Preparation of the Internal Audit Work Documents Well systematized work documents are critical for conducting of audit at the professional level. For creation and preparation of the professional work documents adequate planning is required. Before preparation of the work documents the auditor shall gain clear understanding of the basic and additional purposes of preparation of the work documents. In the process of creation, planning, preparation and organizing of the work documents the following instructions shall be taken into consideration: 15.3 Planning of Work Documents Preparation Creation of the work documents shall be planned so that to disclose all data on all audit aspects, in addition, the documents shall not contain data available from the other sources; Each audit plan shall contain instructions on preparation of the audit documents, as well as instructions dealing with the structure of files, procedures of assigning of indices, marks for linking of the different documents. The instructions dealing with review of the work documents shall be taken into consideration as well. Respective work documents prepared in the course of audit shall be placed into the files and kept; Work documents shall contain supervisory directives, performed reviews/revisions and comments. Of the decision dealing with auditing of any specific aspect was made, the work document shall state the reasons thereof. Where any of the audit findings is not stated in the final report the reasons of omitting of such finding shall be stated so that the person considering/examining the audit was able to find the preliminary findings/results Preparation of the Work Documents Work documents shall be complete and accurate to support audit findings, provide judgments, bases for conclusions and demonstrate the nature and scale of performed audit work; For the readers aware in audit the work documents shall be understandable and shall not require any additional verbal clarifications;

19 Work documents shall be clear and transparent; Work documents shall state only information dealing with the substantial issues and fit to the goals of given audit Organizing of the Work Documents Files of the work documents are divided into two main groups: permanent and current ones. Permanent files shall contain information, which is transferable and useful for the future audits. For example, the permanent files shall provide the input data, results of the previous audit and reports of inspecting; Current files shall be organized in accordance with the files structure developed for the given audit. Current files of the large-scale audits can consist of the following sections: one file for each examined sphere; other files on general part of the entire audit and one file for the issues of audit administration. Current file shall contain the following minimum information: contents; survey pages; audit summary; audit program with cross-references, analysis, calculations and other supplementary information Principle of Documenting of the Work Documents a) Work documents shall be in proper order so that to be understandable for the aware reader and the latter should make the conclusion similar to the one made by auditor, without any additional verbal clarifications. Work documents shall provide complete, clear and laconically. Adequately prepared work documents provide possibility of continuation of given audit by the other auditor at any time (for example upon completion of the inspection stage); b) As a rule, all work documents or closely linked packages of work documents shall contain certain basic information. Exclusion may be, e.g. the files of correspondence, administrative files etc., where it would be reasonable to provide required information on the title page or the first page of the file. Decision about said exclusions shall be made by the chief of audit or a person responsible for given audit; c) It is required that most work documents included the following information: Title of the work document or heme;

20 Activity or function which is audited, names of the person who has prepared, considered/inspected the work document; Dates of preparation and consideration of the work document; Explanation of the used marks, symbols or abbreviations; Reference index of the work document, for placing into the respective file and reference. Any other information shall be stated as well, so that to clarify purpose, source, sphere, methodology, criteria and conclusions of the specific work document Summary of the work documents Work documents shall contain brief description of each sphere prepared by the auditor, irrespective, whether the violations were found or not. Information provided in the summary shall support audit findings and specify the shortcomings. Summary shall also contain the recommendations by the auditor Indexing of the Work Documents System of indices shall be simple, but with the potential of extension. It shall be adjusted for the specific audit, in accordance with the purpose, significant spheres in given case and audit plan. Indexing of the work documents shall be provided in the process of developing of work documents, or immediately upon their completion Cross-references of the Work Documents Cross-references of work documents ensure taking into consideration of all relevant facts and conclusions, which support auditor s opinion (on the copy of draft auditor s report the references are made to the work documents). In the event of adding of new information to the final report this information shall have the relevant reference as well Review of the Work Documents Work documents shall be periodically reviewed to ensure compliance with the internal audit standards. Frequent reviews allow evaluation of the quality of work documents, linkage between audit goals and conducted work, as well as evaluation of completeness of the performed inspection. In addition, review allows evaluation of audit conclusions and identification of any additional work, if required.

21 The reviewer (person who provides review and who is assigned by the internal audit entity) shall prepare the written notes upon completion of the review; and the auditor shall revise the work documents as required and perform additional work. Reviewer and auditor shall agree upon the comment and additional work scope. This process shall be documented. For the purpose of securing accuracy of the supporting facts and figures of the audit report the copy of the report with the references shall be considered by the independent reviewer. Independent reviewer shall be the chief auditor, who does not participate in given audit operation. In addition, if possible, the independent reviewer should not be the direct subordinate of the person responsible for given audit. Documenting of the review shall be provided in the work documents, where the comments of independent reviewer are stated, as well as the actions for addressing of the identified problems (participation of the independent reviewer is not the mandatory component) Maintenance and Security of the Work Documents Files Work documents shall be maintained for at least 6 years from the date of publication of the final report, unless maintenance of the work documents for longer period is required for the other reasons (e.g. investigation). Materials collected in the audit process and are no more needed shall be destroyed and not archived. Files of the work documents shall be protected and only staff members with relevant authorities shall have access to them. 16. Reporting of Internal Audit (Conclusion) Internal audit report is the final result of the work performed by the internal auditor. There are number of reasons or set of reasons for development of the internal audit report, in particular: a) Development of the recommendations and initiation of the organization changes on the basis of recommendations provided in the unbiased, independent report prepared by the entity the institution can implement the fundamental organizational changes; b) Study and consideration of the problems with respect of internal control internal control report helps the administration in properly understanding and studying of the problems and issues related to internal audit; c) Taking of the facts revealed in result of audit and relevant recommendations and taking respective measures by the management submission of the formal written

22 recommendations and further monitoring of the relevant response from the side of management ensures implementation of the changes according to the recommendations in a timely manner; d) Documenting of the performed audit work internal audit report provides documentation of the audit evidences. In addition, it shall specify the scope of performed work, issues considered and basis for the conclusions, together with the issues, which were not studied within the scopes of given audit; e) Collection of the proper evidences by internal auditor for the administration and submission of the respective information function of the internal audit is providing of the respective evidences to the administration, what is implemented via official submission of the audit report. In addition the report provides advices and information on risks and corporative management developed by the independent party. Before submission of the final, official report the internal auditor submits draft report to the management of the audit object. Further the mentioned draft report is considered to ensure full understanding of the report by the audit object management, open discussion of the issues and recommendations provided in the report and conciliation of the positions, before submission of the final report. In result of the mentioned discussion the draft report may be modified. 17. Contents of the Internal Audit Report Internal audit report shall state the following key issues: title page of the report shall state the issue of audit, names and positions of the persons to whom the report is sent and the dates of preparation and submission of the report. Body text of the report shall consist of two parts: I key audit findings and recommendations; II detailed information about identified facts and agreed actions. Before the body text of the report the summary is provided, stating the key results and consisting of the following parts: Brief overview of internal audit; Introduction; Sphere of internal audit;

23 Key risks; Opinions of the internal auditor; I part of the internal audit report considers the key findings, risks and their significance, as well as the recommendations; II part provides more detailed consideration of the results of performed work. Internal audit report provided below shall contain the following information: Risks; Agreed measures; responsibilities; Terms of implementation of the agreed measures. Generally, internal audit report shall include the annex providing detailed clarifications and respective analysis, providing basis for the recommendations and opinions stated in the report. 18. Internal Control Definition of the internal control is provided in the international audit standards (International Standard of Audit 400 Risk Assessment and Internal Control). According to the mentioned international standard the internal control system is the set of control environment and control procedures. Internal control system contains all directions and procedures set by the managers of the respective units, within their capabilities, for achievement of the well organized and effective activities, including consistent implementation of the policies set by the management, protection of the assets, prevention of the breaches and errors and their identification, for ensuring completeness and accuracy of the accounting records and timely preparation of the reliable financial information 19. Quality Control Head of the internal audit entity shall develop the quality assurance program embracing all aspects of internal audit function and ensuring effective performing the audit at high quality. In addition, the head of internal audit entity shall perform program implementation monitoring and amendment thereof, for the purpose of taking into consideration the changes in the rapidly developing profession of the internal audit. Effectiveness and efficiency of internal audit shall be evaluated, as well as opportunities for improvements shall be identified and used. Quality assurance program, which shall be developed in each entity of internal audit, shall provide for review of the audits performed by the staff members of internal audit entity, what implies