NSW TREASURY CLUSTER Internal Audit Manual March 2014

Transcription

1 NSW TREASURY CLUSTER Internal Audit Manual March 2014 NSW Treasury Cluster Audit Manual 1

2 CONTENTS 1.0 INTRODUCTION BACKGROUND PURPOSE SCOPE AUTHORITY GENERAL POLICIES AND STANDARDS INTERNAL AUDIT CHARTER AUDIT STANDARDS AND GUIDING PRINCIPLES AUDIT & RISK COMMITTEE CHARTERS LONG SERVICE CORPORATION COMMITTEE CHARTER PERSONNEL AUDIT & RISK COMMITTEE CHIEF AUDIT EXECUTIVE (CAE) AN OUTSOURCED SERVICE PROVIDER MODEL Proficiency and Due Professional Care RESOURCE USE PLANNING THE INTERNAL AUDIT PROGRAM STRATEGIC AUDIT PLANNING ANNUAL AUDIT PLAN FIELD AUDIT PLAN (DETAILED SCOPE) AUDIT METHODOLOGY THE AUDIT CYCLE - SUMMARY ENGAGEMENT PLANNING (DETAILED SCOPING) Project Approval Project Brief Planning Meeting Audit Criteria Detailed Scope (Terms of Engagement) UNDERTAKING THE AUDIT Opening ( Kick-off ) Meeting Risk Assessment (Risk and Control Matrix) Control Analysis (Risk and Control Matrix) Audit Programs (Field Audit Program) Audit Evidence Working Papers Conclusion and Evaluation Working Paper Review Current Working Papers Exit Interviews (End of Fieldwork Meetings) AUDIT REPORTS Basic Components of an Internal Audit Report Report Writing Style DRAFT REPORTS EXIT MEETING CLOSE-OUT MEETING FINAL REPORT AUDIT & RISK COMMITTEE REPORTING CLOSING OUT THE AUDIT EXTERNAL AUDIT LINKING INTERNAL WITH EXTERNAL AUDIT THE ANNUAL AUDIT PROCESS: STATUTORY RULES Agencies

3 6.2.2 Crown Total State Sector Accounts (TSSA): PRACTICAL ARRANGEMENTS CLIENT SERVICE PLANS (CSPS) (EARLY MAY) Drafting and Finalising the CSP CSP Due Date Role of Audit Committee: AO COMMENT ON EARLY CLOSE PROCEDURES (LATE MAY) CLIENT SERVICE REPORT (MID SEPTEMBER) MANAGEMENT REPRESENTATION LETTER (LATE SEPTEMBER) STATEMENT OF ASSURANCE ACCOMPANYING FINANCIAL STATEMENTS CHANGES TO THE FINANCIAL STATEMENTS AFTER SUBMISSION FOR AUDIT INDEPENDENT AUDITOR S REPORT (LATE SEPTEMBER) STATUTORY AUDIT REPORT (LATE SEPTEMBER) MANAGEMENT LETTER (MID LATE OCTOBER) AUDITOR-GENERAL S REPORT TO PARLIAMENT (DRAFT PROVIDED OCTOBER) RELATIONSHIP BETWEEN EXTERNAL AUDIT AND THE AUDIT & RISK COMMITTEE EXTERNAL AUDIT ROLE IN INTERNAL AUDIT PLANNING ENGAGEMENT EVALUATIONS & PERFORMANCE REVIEWS QUALITY ASSURANCE AND IMPROVEMENT PROGRAM Internal Assessments External Assessments Reporting on the Quality Assurance and Improvement Program ANNEXURE A ASAE 3000 COMPLIANCE QUALITY ASSURANCE IMPROVEMENT CHECKLIST DELIVERABLES CHECKLIST (PROVIDER) ANNEXURE B INTERNAL AUDIT PROVIDER SELECTION Appointment and Contract ANNEXURE C Audit Sampling When to Use Statistical Sampling When to Use Non-Statistical Sampling

4 1.0 INTRODUCTION 1.1 Background Treasury Circular NSW TC 09/08 implements policy and guidelines paper TPP 09-05, the Internal Audit and Risk Management Policy. The policy draws on the practice of exemplar organisations in the public and private sectors. The policy aims to ensure that NSW agencies maintain organisational arrangements that provide additional assurance, independent of operational management, on internal audit and risk management. To achieve consistent application across the sector, the policy mandates a set of core requirements that agencies (i.e.both departments and statutory bodies) must implement. The six core requirements are: Core Requirement 1: Internal Audit Function - the requirement to establish and maintain an Internal Audit function Core Requirement 2: Audit & Risk Committee - the requirement to establish and maintain an Audit & Risk Committee Core Requirement 3: Independent Chairs and Members - Committee composition, and the requirement to appoint an independent chair and a majority of independent members Core Requirement 4: Model Charter and Committee Operations the requirement to maintain governance arrangements that ensure (a) the real and perceived independence of the Committee and (b) the rigour and quality of its oversight and monitoring role Core Requirement 5: Risk Management Standards - the requirement to implement a risk management process that is appropriate to the needs of the agency and consistent with the current risk standard, i.e. AS/NZS ISO 31000: Risk Management Principles and Guidelines Core Requirement 6: Internal Audit Standards - the requirement to ensure that operation of the Internal Audit function is consistent with the relevant standard, i.e. Institute of Internal Auditors (IIA) International Standards for the Professional Practice of Internal Auditing and any additional practice requirements set by the Policy. Consistent with better practice corporate governance principles, the policy requires department heads and governing boards of statutory bodies to attest compliance with the core requirements annually, and to provide this information in a new annual report disclosure. TPP provides agencies with the procedures they need to implement the core requirements. Its Section 6.7 requires the development and maintenance of a manual for the internal audit function. 4

5 This NSW Treasury Cluster Internal Audit Manual complies with that requirement. 1.2 Purpose The purpose of this Manual is to: delineate principles that guide the practice of internal auditing within the Treasury Cluster provide a framework for performing and promoting value-added internal auditing establish the basis for the evaluation of internal audit performance foster improved organisational processes and operations. 1.3 Scope This Manual applies across the entire Treasury Cluster, with the exception of the Treasury Corporation (TCorp), which has its own arrangements. Unless otherwise specified, Treasury should be taken to mean any or all cluster entities except TCorp. Refer to Annexures 1 and 2 of the Internal Audit Function Charter for the list of entities covered by Treasury internal audit. This Audit Manual addresses both assurance services and consulting services provided by the Internal Audit function. These two types of internal audit services have been defined by the IIA as follows: Assurance Services an objective examination of evidence for the purpose of providing an independent assessment of risk management, control or governance processes for the organisation. Consulting Services advisory and related client activities, the nature and scope of which are agreed upon with the client and which are intended to add value and improve an organisation s operations. In Treasury these services are used primarily for exercises such as the review and redevelopment of our Risk Register or for reviews of best practice in areas important to risk management. 1.4 Authority This document is consistent with the professional practices set out in the Institute of Internal Auditors (IIA) Standards The first Treasury Internal Audit Manual was endorsed by Treasury s Audit & Risk Committee on 27 July This complete revision was endorsed by the Committee on 4 December

6 2.0 GENERAL POLICIES AND STANDARDS Treasury s internal audit function complies with TPP and the Institute of Internal Auditors International Standards for the Professional Practice of Internal Auditing and International Professional Practices Framework. 2.1 Internal Audit Charter Treasury s Internal Audit Charter can be found here. 2.2 Audit Standards and Guiding Principles Internal audit activities will be conducted in accordance with relevant professional standards. (Refer Section 7 of the Internal Audit Charter) 2.3 Audit & Risk Committee Charters Treasury s Audit & Risk Committee Charter can be found here, and its Shared Arrangement Charter here. 2.4 Long Service Corporation Committee Charter The NSW Long Service Corporation has a separate Audit & Risk Committee, but it shares Treasury s Chief Audit Executive and outsourced internal auditors. Its Committee Charter can be found here (link to be confirmed). 6

7 3.0 PERSONNEL Treasury has outsourced its internal audit function by contracting the services of an external audit provider. The Chief Audit Executive and the Audit & Risk Committee oversee internal audit on behalf of the CEO 1. The service provider is responsible for undertaking internal audits on their behalf and in line with this Manual. 3.1 Audit & Risk Committee The roles and responsibilities of the Treasury Audit & Risk Committee are outlined in its principal department and shared arrangements Charters (see previous page for links). 3.2 Chief Audit Executive (CAE) The Chief Audit Executive is responsible, in consultation with the Audit & Risk Committee, for: developing and regularly reviewing an Internal Audit Charter and the Charters for the Committee developing and maintaining a Treasury Risk Register, based on a regular full and proper assessment of Treasury s risks and on Treasury s Risk Framework developing and implementing 3-year and more detailed 1-year Audit Plans, prioritised according to the needs identified in the Risk Register selecting an audit provider to carry out duties as described in 3.3 below implementing a risk based audit methodology for assessing and responding to audit findings, with risk ratings aligning with the rating system used in the Risk Framework and Risk Register. ensuring a course of action is recommended for every significant audit finding, and ensuring that these actions are referred to operational management for formal response monitoring Treasury s progress in implementing endorsed management responses to audit recommendations providing input which assists the Audit & Risk Committee to be in a position to assure the Chief Financial Officer (CFO) and the Secretary (as well as the other CEOs) that adequate controls are in place around all of the annual financial statements which must be approved, including the Total State Sector Accounts. The Chief Audit Executive is also responsible for developing and maintaining an annual meeting schedule for the Committee to ensure it 1 CEO in this Manual will usually mean the Secretary, Treasury Cluster, but it may also or alternatively refer to the General Manager, RBMC, and/or the Directors of the Ports Lessor Companies, who act as CEOs in relation to those cluster entities. 7

8 can meet all its commitments, and for providing the Committee s secretariat support functions. 3.3 An Outsourced Service Provider Model Treasury uses an outsourced service provider model for the conduct of its internal audit program. Whether they are contracted for a single audit or for a period of time, service providers are responsible for: conducting risk-based audits and other projects, as directed by the CAE and conformant with this Audit Manual providing advice on their work to the CAE and the Audit & Risk Committee, and to the Secretary as required Proficiency and Due Professional Care Internal Audit engagements must be performed with proficiency and due professional care. (a) Proficiency The internal audit function collectively must possess or obtain the knowledge, skills and other competencies needed to perform its responsibilities effectively. Internal audit providers are expected to be able to demonstrate their proficiency through appropriate professional certifications and qualifications, such as the Certified Internal Auditor designation and other designations offered by The Institute of Internal Auditors and other appropriate professional organisations. Proficiency includes the capacity to evaluate the risk of fraud and/or corruption and the manner in which the risks are managed in Treasury; and sufficient knowledge of information technology risks and controls to perform their assigned work. (Specialists will be engaged for IT systems audits.) If an internal service provider lacks the knowledge, skills, or other competencies needed to perform all or part of the engagement, s/he must decline a consulting engagement, or obtain competent advice and assistance, or advise the Chief Audit Executive to do so. The Chief Audit Executive must obtain competent advice and assistance. S/he may terminate the original engagement if the internal audit providers lack the knowledge, skills, or other competencies needed to perform all or part of it. (b) Due Professional Care Providers must apply the care and skill expected of a reasonably prudent and competent internal auditor. Internal audit providers must exercise due professional care by considering: Any real or perceived conflicts of interest that may arise as part of the engagement. 8

9 The extent of work needed to achieve the engagement's objectives The relative complexity, materiality, or significance of matters to which assurance procedures are applied The adequacy and effectiveness of governance, risk management and control processes The probability of significant errors, fraud, or non-compliance that might affect objectives, operations or resources The cost of assurance in relation to potential benefits In exercising due professional care, internal audit providers must consider the use of technology-based audit and other data analysis techniques. (c) Continuing Professional Development Internal audit providers must enhance their knowledge, skills and other competencies through continuing professional development. (d) Code of Ethics Internal audit providers are expected to read and abide by the codes of ethics and conduct set out in the International Professional Practices Framework. The Code centres on the principles of: Integrity Objectivity Confidentiality Competency Internal audit providers should also be aware of Treasury s own codes and policies in areas such as conduct, ethics and fraud prevention, as they may be relevant to audit methodology or findings. 3.4 Resource Use The budgeted hours and price for each assurance and consulting engagement are agreed with the Chief Audit Executive prior to the commencement of the engagement. Internal audit providers are then accountable for time spent. They will be monitored by an Audit Program manager using appropriate contract management procedures, and will be required to report on the progress of the Audit Program at Audit & Risk Committee meetings. Variations to the budgeted hours or price of any project must be requested in writing and negotiated with the Chief Audit Executive as soon as is practicable and before the budgeted hours of the project are exceeded. The Chief Audit Executive may authorise or refuse any variation at his or her discretion. 9

10 4.0 PLANNING THE INTERNAL AUDIT PROGRAM Planning out the Audit Program on an at-least annual basis is essential to ensure that internal audit effort is directed to areas that will provide the most benefit and value to Treasury. It also helps ensure that internal audits will not overburden the areas under review by clashing with external audits or with peak business periods. The total audit planning process involves the establishment of: A Strategic Audit Plan which is the identification and documentation of auditable areas within the Treasury Cluster, and the prioritisation of these areas for review based on a predetermined risk assessment methodology over a period of three years; An Annual Audit Plan which sets out the planning of individual audit assignments over one financial year; and A Field Audit Plan, or Scope, which determines the scope and parameters for each individual audit. 4.1 Strategic Audit Planning In consultation with the Audit & Risk Committee, the Chief Audit Executive should establish long-term, strategic, risk-based plans to determine the priorities of the internal audit function and how they are linked to Treasury s objectives. The Chief Audit Executive is responsible for providing to the Audit & Risk Committee a three-year Strategic Audit Plan, the purpose of which is to ensure that there is reasonable internal audit coverage of all relevant risk areas and key internal control systems over time. The Plan should prioritise the areas within Treasury for review, based on the risk assessment methodology set out in the Treasury Risk Management Framework, available here, and on Treasury s Risk Register. The three-year Strategic Audit Plan should be reviewed by the Executive team and provided to the Audit & Risk Committee annually. The Committee will commend it to the Secretary for endorsement prior to the approval of the Annual Audit Plan. 4.2 Annual Audit Plan The Annual Audit Plan, which sets out the Audit Program for the coming year, should be based on documented risk assessment and revised at least annually. The Plan should be in draft form by the end of March for the forward financial year. There should be consultation with the NSW Audit Office to 10

11 ensure the proposed internal and external audit plans are not duplicated, that the same area of Treasury is not subjected to internal and external audit at the same time, and that any efficiencies can be realised. The input of senior management and the Secretary (as well as the other CEOs) is vital in the development of an Annual Audit Plan for the cluster. Also vital is a newly revised Risk Register. This should incorporate the legislative and regulatory compliance framework and identified fraud and corruption risks and controls. If it does not, these should also be taken into account in developing the Annual Audit Plan, as should the findings of any audit post-dating revision of the Risk Register. The Audit & Risk Committee will review the Annual Audit Plan each year after they have considered the Strategic Audit Plan. The Annual Plan will be submitted for the approval of the Secretary and other CEOs following the endorsement of the Committee. Once the Annual Audit Plan has been approved, the Chief Audit Executive and the internal audit provider s senior management must meet with the Treasury senior managers who will be impacted by the Annual Program to agree the timing of each audit. This should be consulted with the Audit Office at the time, to ensure internal and external audit timing is synchronised. It is important that both managers and service providers comply with the timetable once it is set, and provide proactive notice of delays or problems. All stakeholders who will be impacted should be notified of the timetable at the start of the year. It is considered due professional care that stakeholders are notified by the service provider again throughout the year and at least four weeks prior to commencement of fieldwork. The Chief Audit Executive must communicate to the Audit & Risk Committee and the Secretary the impact any resource limitations are projected to have on the effectiveness of the internal audit program. It is important to note that: The Strategic and Annual Internal Audit Plans will be weighted towards areas of higher risk to Treasury. All areas and all risk types should be covered over a 3-5 year period, but higher risk areas will be considered more frequently and have more time allocated to them. The extent of the strategic and annual internal audit programs will be limited by the available resources and by the scope of external audit work. The Audit & Risk Committee will report periodically on the status of the Internal Audit Program via the Chief Audit Executive and the ARC Minutes, which are submitted to the Secretary and to the other CEOs where relevant. 11

12 The members may discuss any concerns about the plans or the Program directly with the Secretary at any time. 4.3 Field Audit Plan (Detailed Scope) The Field Audit Plan determines the scope and parameters for each individual audit. In Treasury this is included in the Detailed Scope (Terms of Engagement). See below 12

13 5.0 AUDIT METHODOLOGY NSW Treasury currently engages with a single service provider for internal audit services (multiple reviews/audits under a three year contract). The following flowchart summarises the process of each internal audit project. (See overleaf for process of selecting an audit provider where an audit provider is engaged outside of this contract) Internal audit approved by the Secretary as part of the Treasury Annual Internal Audit Plan. Planning/Scoping meeting is held between CAE and audit provider to discuss scope and objectives of project. Where appropriate, the representatives from the audited area will attend this meeting. Normally a project brief will be drafted and circulated for discussion at this meeting. Audit provider prepares Detailed Scope (Terms of Engagement). Detailed Scope must be approved by the CAE and signed as reviewed by senior management from the area to be audited. The service provider will conduct a kick off meeting to signal the start of fieldwork. The meeting will be attended by the CAE, Project Manager, senior management from audited area and any other relevant Treasury officers. The audit provider should hold exit interviews with all Treasury officers who have responsibility over an area where exceptions have been noted. This is to ensure that (a) the audit provider has a full understanding of the processes they are reporting on (b) Treasury officers are aware of findings and recommendations that relate to them. Fieldwork: The service provider will liaise with the Treasury Project Manager regularly and at least weekly on progress of review. Where delays are expected or significant issues are identified they should be brought to the Project Manager s attention as soon as practicable. Any issues identified with an Extreme risk rating should be brought to the Secretary s attention as soon as practicable. The audit provider will create a Risk and Control Matrix as the basis for defining the audit procedures to be tested. The audit provider will circulate a draft report to the CAE and stakeholders of the audited area for discussion at the exit meeting. Report to be issued at least two days prior to meeting. The audit provider will conduct an exit meeting with stakeholders from the audited area and the CAE to check the draft report is factually correct and agree wording. The audit provider will issue a formal draft audit report to the director of the audited area to who will provide management responses. Under normal circumstances management will be given 10 working days to provide responses. Audit provider working papers will be subject to a detailed and primary review by the relevant manager and partner within the audit provider respectively. Working papers will then be provided to Treasury for its records. The Project Manager will check them for reasonableness and completeness. The audit provider will conduct a close-out meeting with the CAE, Project Manager, director of the audited area and project reference group (and area staff as appropriate). The purpose of this meeting is to discuss and agree on management responses and the timeframes for their completion. Evaluation Surveys are sent to all stakeholders by the Program Manager The Finalisation of Internal Audit Checklist is completed and the final report is put on file and registered in Objective When the final report is approved by the Secretary the recommendations are entered into the Register of Internal Audit Recommendations by the program manager, to be monitored by the ARC. On ARC recommendation the report will be submitted to the Secretary for endorsement and sign off. Should the Secretary or ARC request further changes, the report will be returned to the service provider to make amendments. The audit provider will attend the next Audit and Risk Committee meeting to present the report. The service provider will finalise the audit report and issue to the NSW Treasury ARC (care of the CAE). Once a report has been finalised, only the service provider will be entitled to edit the report (in response to ARC or Secretary s comments). For assurance engagements the program manager completes the ASAE compliance checklist. NSW Treasury Cluster Audit Manual 13

14 The following flowchart summarises the process of engaging an audit provider for a single project outside the current internal audit contract (e.g. because of a conflict of interest or need for a technical specialist) Internal audit is approved by the Secretary as part of the Treasury Annual Internal Audit Plan. Interested service providers are issued with a Request for Proposal, project brief and Standard Form of Agreement (i.e. Contract). Audit provider selected in line with Treasury procurement policy. Selection approved and contract signed by CAE if contract less than $50,000 and by the Secretary if greater than $50,000. Program manager prepares project brief in consultation with senior management from the Treasury area to be audited/reviewed. Project brief approved by CAE and Project Liaison Executive/Director of audited area (whichever is appropriate). Three to six Audit service providers are selected from the Department of Finance and Services prequalification list and contacted. Once the audit provider is selected, follow audit methodology set out in the flow chart on the previous page. NSW Treasury Cluster Audit Manual 14

15 5.1 The Audit Cycle - Summary Implement change (monitored by ARC) Identify risks, appetite and current controls d Plan necessary Change (recommendations + mgt responses) Develop 3 year Strategic Audit Plan and 1 year detailed Audit Plan Collect data on current practices Select provider and commence the next audit on the Plan * * See flowcharts on pages 13 and 14 15

16 5.2 Engagement Planning (Detailed scoping) Project Approval The Secretary must give his approval to all internal audit projects. In most cases this will occur when he endorses the Annual Internal Audit Plan. Requests for any projects to be undertaken outside the approved Plan will be put to the Audit & Risk Committee for evaluation and to the Secretary for approval Project Brief For each planned audit, Treasury will provide a Project Brief which sets out issues and risks of which it is already aware in relation to the area to be audited and its preliminary views about what should be in and out of scope. The Brief will usually give the service provider guidance on the amount of resourcing envisaged for the audit. This may be subject to negotiation during the scoping phase. The client for each audit in the Internal Audit Program is the Chief Audit Executive Planning Meeting The purpose of the planning meeting is to give the internal audit provider the opportunity to meet relevant managers, gain an overview and understanding of the audited area and agree timing. The internal audit provider must establish an understanding with senior management within the area to be audited regarding objectives, scope, audit criteria, respective responsibilities and other client expectations. These points should be discussed at a planning meeting between the audit provider, Treasury CAE (client), the project sponsor and project reference group. These points will then be documented in the Detailed Scope Audit Criteria The audit provider should clarify the specific explicit and implicit criteria against which evidence collected will be evaluated. Criteria are explicit when they are clearly set out in policies, manuals, standard operating procedures, standards, laws and/or regulations. Where management has not yet established goals and objectives or determined the controls needed in a particular area, it may be necessary to develop implicit criteria based on industry best practice or what management considers to be satisfactory performance standards. The accuracy of implicit criteria should always be confirmed with the audited area. 16

17 Some examples might include: Treasury s internal policies, procedures and management directives; better practice guidance or industry benchmarks; legislation or regulation; or accounting or ISO Standards. If no specific criteria can be identified, the audit opinion should describe the benefits of implementing the recommendations. Conducting an audit without agreeing the criteria may result in wasted audit effort and fruitless argument, when conclusions and recommendations are not accepted by management. The audit criteria should be referred to in the audit opinion and in the Independent Auditor s Report Detailed Scope (Terms of Engagement) The Detailed Scope will normally include: A title/subtitle for the audit which clearly indicates the topic of the audit, the areas of the Treasury Cluster to which it will apply, the type of assurance the audit will offer (e.g. reasonable assurance) and the Standard with which it will comply (if applicable) An overview of the area to be audited Background on why the audit is taking place The objectives of the audit A preliminary risk assessment A list of stakeholders and stakeholders expectations for the audit The audit criteria The scope of the audit i.e. the processes the audit will include and exclude The audit standards that will be followed including the type of engagement The audit approach to be taken The key deliverables of the project The resources that will be used on the audit and the cost, and The timetable for delivery of milestones. The Detailed Scope must be approved and signed by both the Treasury Chief Audit Executive and the audit provider s Engagement Partner before the commencement of field work. The Detailed Scope is also signed by the most senior member of the project reference group to indicate s/he has reviewed it. 17

18 5.3 Undertaking the Audit Opening ( Kick-off ) Meeting The purposes of the kick off meeting are: to ensure all relevant staff of the audited area are aware that the audit is taking place and know who the auditors are; to confirm the project timetable; and signal the commencement of fieldwork. The kick-off meeting will be attended by the Chief Audit Executive, project manager, the project reference group, senior management (and often all staff) from the area to be audited. It will be chaired by the audit service provider Risk Assessment (Risk and Control Matrix) As part of scoping an audit, a risk assessment is conducted at the activity level to identify and evaluate risk exposures and determine audit objectives. It involves considering business process risks, quality of management and individual performance in different situations. As part of the planning activities, the risks that threaten the objectives of each process to be audited should be identified and classified. The audit will concentrate on those processes which are assessed as moderate or higher risk. The risk categories of these processes indicate the types of objectives that should be included in the audit project plan. For example where residual compliance risks are rated as moderate or high, the audit objectives should include a review of compliance with the procedures/policies related to the activity. If residual operational risks are high, the objectives should include a review of the efficiency and effectiveness of the procedures and policies. The processes identified should also be a determinant of the type of audit to be conducted (performance, financial, IT, etc) Control Analysis (Risk and Control Matrix) All audits, regardless of their nature, involve providing assurance on the design and effectiveness of a system of internal control. After obtaining an understanding of the internal control system by way of interviews, documents and records, questionnaires, systems documentation, walk-throughs and/or performing some initial analytical procedures or data analysis, audit providers should make a preliminary assessment of the internal control system to determine whether identified controls are designed to meet the control objectives and mitigate risks. 18

19 5.3.4 Audit Programs (Field Audit Program) The audit program establishes the procedures necessary to complete an efficient and effective audit. It includes a detailed plan of the work to be performed as well as the steps required to achieve the audit objectives. The structure of the audit program should be made up of the following sections: Audit Objective - the primary (and perhaps secondary) objective for the audit as a whole. Any summary assessment of the audit will be based on the achievement of this objective. Audit Scope - the scope of activities to be included or excluded. Risk and Control Analysis/Matrix (RACA or RACM) - This is the outcome of the analysis explained under and Audit Criteria see section above. Previous Audit Recommendations in cases where previous audits are relevant, this section requires the audit provider to list the relevant recommendations relating to significant (or higher) rated findings from both previous internal audits and Audit Office management letters. The audit provider will then verify that the matters have been addressed or are being addressed. For audit sampling see Annex C Audit Evidence Audit evidence is obtained through procedures such as observing conditions, interviewing people, examining records and analysing data. Provided the methodology is documented, sampling approaches and other means of selecting information may be used if useful conclusions can be drawn by those means. Audit evidence is cumulative in nature and is usually persuasive rather than conclusive. Audit inferences are drawn from the body of evidence collected. Audit evidence refers to all the information used by the audit provider in arriving at the recommendations. It should be sufficient, competent, relevant and useful. a. Sufficient information is factual, adequate, and convincing so that a prudent, informed person would reach the same conclusions as the audit provider 2. There should be enough of it to support the audit provider s findings. In determining the sufficiency of evidence it may be helpful to ask such questions as: Is there enough evidence to persuade a reasonable person of the validity of the findings? When should appropriate statistical sampling methods be used to establish sufficiency? b. Competent information is reliable and is the best attainable through the use of appropriate engagement techniques 3 such as statistical sampling and analytical audit procedures. Information is more competent if it is (i) obtained from an independent source, (ii) corroborated by other 2 IIA Practice Advisory Ibid. 19

20 information, (iii) obtained directly by the audit provider, such as through personal observation, (iv) documented, and (v) an original document rather than a copy. c. Relevant information supports engagement observations and recommendations and is consistent with the objectives for the engagement 4. Relevant information should have a logical, sensible relationship with the key risk/s and the associated audit finding. d. Useful information will help Treasury meet its goals 5. Evidence collected by audit providers should possess all of these qualities. For example, it is not enough merely to interview staff members without using other sources to corroborate any important information obtained. Sample sizes should be representative i.e. sufficient that conclusions reached may be validly extrapolated from the data. Evidence may be categorised as physical, documentary, testimonial or analytical and is obtained by using various procedures: a. Physical evidence Physical evidence is obtained by direct inspection or observation of people, property or events. Inspection of tangible assets provides reliable audit evidence about their existence, but not necessarily about their ownership or value. Observation consists of watching a process or procedure being performed by others, for example, physically counting inventory and making observations. Observation of certain procedures is important, particularly those that do not leave an audit trail. b. Documentary evidence Documentary evidence consists of information that exists in some permanent form such as letters, contracts, accounting records, invoices and management information on performance. It is the most common form of evidence; it may be internal, external or a combination of both. The source of documentary evidence affects its reliability, as may its context. c. Testimonial evidence Testimonial evidence is obtained through inquiries, interviews, or questionnaires. Inquiry and confirmation consist of seeking information from knowledgeable persons inside or outside Treasury. Responses to inquiries may provide audit providers with new information or with corroborative audit evidence. Testimonial evidence should be supported by other forms of information where possible and not regarded as conclusive by itself. d. Analytical evidence Analytical evidence arises from the application of analytical procedures, which produce information in the form of inferences or conclusions based on examining data for inconsistencies, anomalies, cause-effect relationships and so on. 4 Ibid. 5 Ibid. 20

21 5.3.6 Working Papers Working papers that document the engagement should be prepared by the internal audit provider and reviewed by management within the internal audit provider and by the Treasury internal audit function. This section of the manual contains characteristics of well-organised and documented working papers and should be used in evaluating the adequacy of working papers. Proper working papers document the work that was done from the preliminary scoping stages through to the final report. Audit working papers show whether due professional care was exercised and illustrate compliance with professional auditing standards. Careful documentation of work performed is necessary to support the findings, recommendations and opinions contained in the final audit report. Generally working papers should provide: documentation of information obtained about the area being audited; support for findings and recommendations contained in the audit report; a summary of documents reviewed; details of persons interviewed; detail of any control failures or exceptions noted; a means of evaluation - both in performance reviews and quality assurance reviews; evidence of consistency to the audit process; a guide for subsequent audits; and communication with the audited area during the course of field work, the auditor will query all exceptions that have been noted and other matters of significance to the audited area. Where satisfactory responses are provided by management these should be recorded in the working papers with justification as to why the matter can be closed. Supporting evidence should be retained. Working papers should include the following: notes of meetings; correspondence (including s); planning memos; testing documentation; and draft reports and final report. In preparing working papers, the following guidelines apply: each working paper should identify the engagement and describe the contents or purpose of the working paper 21

22 each working paper should be signed (or initialled) and dated by the internal audit provider/s performing and reviewing the work each working paper should contain an index or reference number, part of which should identify the audit audit verification symbols (tick marks) should be explained sources of data should be clearly identified information should be provided regarding how information that contradicts or is inconsistent with the final conclusion was addressed conclusions reached should be stated, along with the basis for them an informed reviewer should be able to replicate any test mentioned and obtain the same result. General requirements for the preparation of working papers are: Completeness and Accuracy working papers should be complete, accurate, and support observations, testing, conclusions, and recommendations. They should also show the nature and scope of the work performed; Clarity and Understanding - working papers should be clear and understandable without supplementary oral explanations. With the information the working papers reveal, a reviewer should be readily able to determine their purpose, the nature and scope of the work done and the preparer's conclusions; Pertinence - Information contained in working papers should be limited to matters that are important and necessary to support the objectives and scope established for the audit; Logical Arrangement - working papers should follow a logical order; Legibility and Neatness - working papers should be legible and as neat as practicable. Sloppy working papers may lose their worth as evidence. For handwritten papers, crowding and writing between lines should be avoided by anticipating space needs before writing Conclusion and Evaluation Evaluation is a means of arriving at a professional judgment. As audit providers compare circumstances observed against relevant audit criteria, they evaluate the significance of any variance and determine whether corrective action is necessary. The analysis and evaluation of evidence obtained should give rise to issues (positive and negative), which internal audit may report to management. Internal audit providers should draw conclusions ie logical inferences from the findings - for each audit objective. Conclusions should be specified and not left to be inferred by readers. 22

23 The strength of a conclusion depends on the persuasiveness of the evidence supporting the findings, and how convincing the logic is which was used to formulate the conclusions. It should be free from personal biases or prejudices, and be objective. The conclusion reached by an internal audit provider should be the same as would have been reached by a similar experienced professional reviewing the same evidence Working Paper Review Working papers are reviewed by the audit provider s management to ensure that: there is sufficient and appropriate evidence to support conclusions; issues identified in working papers have been solved and/or reported on; there is a clear trail from the terms of engagement (detailed scope) to the risk & controls analysis and testing summary, to the detailed work, and to the report; and all queries have been cleared; There are generally three types of review that should be performed by the internal audit provider on the working papers: Detailed Review Primary Review Overriding Review Detailed review should be performed by someone at least one level above the preparer and who is independent of performing the work. Primary review should be performed by a Manager/Director or equivalent. The reviewer must review the entire audit provider working paper file prior to the draft report being issued. This is a quality review, the purpose of which is to ensure that the report is appropriately worded, the conclusion/opinion is correct and in line with findings, it is correctly dated and complies with policy Current Working Papers As required by Treasury Circular NSWTC 07/14 Ownership of Internal Audit Documentation, all internal audit documentation is to remain the property of the audited department or statutory body, including where the internal audit services are performed by an external third party provider. Working papers are therefore the property of Treasury, but will generally be retained by the internal audit provider, who will provide them to the Chief Audit Executive at issuing of the draft audit report. (Copies are acceptable) Treasury management may request access to engagement working papers. Such access may be necessary to substantiate or explain engagement observations and recommendations or to utilise engagement documentation for other business purposes. These requests for access are subject to the approval of the Chief Audit Executive. 23

24 In some circumstances internal and external auditors may request access to each other s audit working papers. The Chief Audit Executive should be notified of any such requests. The Chief Audit Executive will control access to engagement records. The Chief Audit Executive should apply NSW State Records retention requirements for engagement records, regardless of the medium in which each record is stored. These retention requirements shall be consistent with Treasury s Records Management Policy. The Chief Audit Executive should apply due diligence in governing the custody and retention of audit records, as well as their release to internal and external parties. These policies must be consistent with Treasury's guidelines and any pertinent regulatory or other requirements Exit Interviews (End of Fieldwork Meetings) The purpose of exit interviews is to confirm the facts and to allow the management and (usually) staff of the audited area to hear and comment on the auditor s interpretation. The exit interview may also provide the auditor with input on proposed (or new) options for corrective action. During the course of audit work, the auditor will communicate matters of significance with the audited area to minimise the possibility of "surprises" at the end of the audit. This may be done informally (e.g. s, discussions) or via formal meetings. 5.4 Audit Reports This section sets out the basic components of a report and report writing, as well the consultation processes to be followed in completing reports. Reports should: meet the purpose and objectives set out in the Terms of Engagement (Detailed Scope) comply with appropriate Professional Standards and with the standards of accuracy, clarity and ethics reflected in this Manual clearly communicate their findings to management and the Audit & Risk Committee add value by alerting management to matters requiring attention, including advice on best practice in such matters, and by giving assurance regarding those controls which are functioning well Basic Components of an Internal Audit Report The basic components of a Treasury internal audit report are: a. Executive Summary, including Summary Statement; b. Independent Auditor s Assurance Report; c. Introduction; d. Scope and Objectives; e. Risk Assessment; f. Summary of Recommendations; g. Audit Opinion/Conclusion; 24

25 h. Observations / Issues (optional); i. Detailed Findings, with a risk rating for each; j. Recommendations; and k. Management responses. a. Executive Summary The Executive Summary is intended to provide an overview of the report to the Chief Audit Executive, Audit & Risk Committee, senior management and Secretary. The reader should gain a general understanding of the audited area as well as the objectives, key issues, risk implications and recommendations of the audit. The Executive Summary should draw attention to positive findings as well as improvement opportunities (e.g. examples of better practice, controls in place and actions in progress). Individual findings more relevant to operational management should be explained in detail in the body of the report. The Summary Statement should be of no more than two sentences and is used to describe the overall risk landscape of the area reviewed by an internal audit. b. Introduction The introduction provides any background information and acknowledgments the audit provider considers relevant. It may include contextual information about the audited area and/or the type of audit undertaken. The introduction also states the reason for the audit, for example making reference to the risk register or the audit plan. c. Scope and Objectives Components normally include: Objectives; Scope; Exclusions; Approach - methodology and procedures followed; and Details of testing. For the most part, this section should align with the Terms of Engagement (Detailed Scope) agreed and signed prior to commencement of the audit. Any variations to the Scope should have been made and signed off by the CAE and Engagement Partner during the audit, and should be outlined in the Final Report. The Detailed Scope will normally be appended to the Final Report. d. Risk Assessment The risk section describes how the risks have been assessed and usually includes a copy of the Treasury risk matrix. The key risks identified during 25

26 scoping and then during fieldwork will be outlined and given inherent and residual risk ratings. Where possible these risks will refer back to the Treasury, Long Service Corporation or Branch risk registers. If there is a recommendation made in the report relating to a risk the link will be clear. The risk assessment will show how each risk rating was calculated i.e. the value assigned to consequence and likelihood. e. Summary of Recommendations This section provides a table summarising each issue identified in the detailed findings section and its associated risk. f. Audit Opinion/Conclusion The audit opinion should make clear the criteria against which the subject was evaluated or assessed. (The key criteria should have been agreed in the Detailed Scope.) For assurance engagements see (j) Independent Assurance Report g. (Other) Observations/Issues This section presents the audit provider s key observations, identified during the course of their fieldwork. This section is different from the Detailed Findings section, which presents findings and recommendations based on the audit criteria agreed at scoping stage. Observations may represent key themes that the audit provider has identified and believes important to bring to senior management s attention, particularly where the observation was not explicit in the scope of the audit. This section may be omitted if the service provider considers that the findings speak for themselves. Alternatively it may be emphasised - for example, where a cultural problem is perceived which appears greater than the sum of the findings. h. Detailed findings, with risk rating for each Findings are specific observations which relate to each recommendation. Ideally, the format would be: Risk Rating Observation Root Cause Implication/Impact Recommendation Management Response The risk rating should include the scoring used to ascertain the rating i.e. the likelihood and consequence rating. The following is an example of the expected layout: 26