Part 2 Model Internal Audit Charter

13 Dec 2013 (3 years and 6 months ago)

Model Internal Audit Charter

Heads of Internal Audit, and external audit service providers where relevant, are
encouraged to review, in consultation with the Chief Executive/Board and the Audit
Committee, their existing charters against this model. In doing so it is important that each
entity carefully consider its particular circumstances, especially the range of responsibilities
outlined in Chapter 2 of this guide.

Introduction

The [Chief Executive/Board] has established the [name of internal audit unit] as a key
component of [entity’s] governance framework.

This charter provides the framework for the conduct of the internal audit function in the [entity]
and has been approved by the [Chief Executive/Board] on the advice of the Audit Committee.

Purpose of internal audit

Internal audit provides an independent and objective review and advisory service to:

• provide assurance to the [Chief Executive/Board] that [the entity’s] financial and operational
  controls designed to manage the organisation’s risks and achieve the entity’s objectives are
  operating in an efficient, effective and ethical manner, and
• assist management in improving the entity’s business performance.

Independence

Independence is essential to the effectiveness of the internal audit function.

Internal audit has no direct authority or responsibility for the activities it reviews. The internal
audit function has no responsibility for developing or implementing procedures or systems and
does not prepare records or engage in original line processing functions or activities [except as
noted below¹].

Internal Audit reports functionally to the Audit Committee. The Head of Internal Audit is
accountable to the [Chief Executive² or Board³] for the efficient and effective operation of the
internal audit function.

The Head of Internal Audit has direct access to the [Chief Executive/Chair of the Board], and
the Chair and other members of the Audit Committee. Periodic ‘in camera’ meetings will be
held between the Head of Internal Audit and the Audit Committee.

Authority and confidentiality

Subject to compliance with [entity] security policies, internal auditors are authorised to have full,
free and unrestricted access to all functions, premises, assets, personnel, records, and other
documentation and information that the Head of Internal Audit considers necessary to enable
internal audit to meet its responsibilities.




¹ Delete if not applicable.
² For FMA Act entities.
³ For CAC Act entities.

All records, documentation and information accessed in the course of undertaking internal audit
activities are to be used solely for the conduct of these activities. The Head of Internal Audit and
individual internal audit staff are responsible and accountable for maintaining the confidentiality
of the information they receive during the course of their work.

Under its legislation, the Australian National Audit Office has access to all relevant [entity]
documents including internal audit reports.

Inter-agency arrangements with other entities also provide for consultation and disclosure of
audit matters affecting other entity programmes and other circumstances⁴.

Roles and responsibilities⁵

Internal audit’s responsibilities will be influenced by the governance arrangements established
by the entity and the existence of other separate functions with specific responsibility for some
of these matters. For example, many entities have separate organisational units responsible for
risk management and/or fraud control.

In the conduct of its activities, internal audit will play an active role in:

• developing and maintaining a culture of accountability and integrity
• facilitating the integration of risk management into day-to-day business activities and processes,
  and
• promoting a culture of cost-consciousness, self-assessment and adherence to high ethical
  standards.

Internal audit activities will encompass the following areas:

Audit activities

including audits with the following orientation:

Compliance

• compliance with legislative requirements, Australian Government and [entity] policies and
  procedures including assurance in respect of the Certificate of Compliance
• the adequacy and effectiveness of internal financial and operational controls including IT
  system controls
• the recording, control and use of entity assets, and

Performance improvement

• the efficiency, effectiveness, and ethical conduct of the entity’s business systems and
  processes.

Advisory services⁶

Internal audit can advise [entity] management on a range of matters including:

New programmes, systems and processes

• providing advice on the development of new programmes and processes and/or significant
  changes to existing programmes and processes including the design of appropriate controls.




⁴ Amend as applicable.
⁵ Internal audit’s responsibilities will be influenced by the governance arrangements established by the entity and the
  existence of other separate functions with specific responsibility for some of these matters. For example, many entities
  have separate organisational units responsible for risk management and/or fraud control. As a consequence, the roles
  and responsibilities listed are illustrative only.
⁶ In providing advisory services, internal audit needs to maintain operational independence. It is the responsibility of
  entity management to accept or reject advice provided by internal audit, to implement the advice where considered
  appropriate and be accountable for decisions taken.

Risk management

• assisting management to identify risks and develop risk mitigation and monitoring strategies
  as part of the risk management framework
• co-ordinating the annual [entity] Risk Management Plan
• monitoring and reporting on the implementation of risk mitigation strategies

Fraud control

• assisting management to identify the risks of fraud and develop fraud prevention and
  monitoring strategies
• co-ordinating the [entity] Fraud Control Plan

Audit support activities

Internal audit is also responsible for:

• assisting the Audit Committee to discharge its responsibilities
• providing secretarial support to the Audit Committee
• monitoring the implementation of agreed recommendations⁷
• disseminating across the entity better practice and lessons learnt arising from its audit
  activities, and
• managing the audit function.

Non-audit activities⁸

Internal audit has management responsibility for the following areas:

[insert non-audit responsibilities if any]

Scope of internal audit activity

Internal audit reviews cover all programmes and activities of the [entity] together with associated
entities as provided for in relevant business agreements, memorandum of understanding or
contracts. Internal audit activity encompasses the review of all financial and non-financial
policies and operations.

Standards

Internal audit activities will be conducted in accordance with the Australian Public Service and
supporting [entity] values, policies and procedures.

Audit activities will also be conducted in accordance with relevant professional standards
including⁹:

• Standards for the Professional Practice of Internal Auditing issued by the Institute of
  Internal Auditors
• Standards relevant to internal audit issued by the Australian Society of Certified Practising
  Accountants and the Institute of Chartered Accountants in Australia
• The Statement on Information Systems Auditing Standards issued by the Information
  Systems and Control Association, and
• Standards issued by Standards Australia and the International Standards Organisation.

⁷ Arising from internal and external audit reports, Parliamentary Committee reports and other external bodies such as
  the Management Advisory Committee, the Australian Public Service Commission and the Ombudsman.
⁸ Delete if not applicable.
⁹ Specify applicable Standards.

In the conduct of internal audit work, internal audit staff will:

• comply with relevant professional standards of conduct
• possess the knowledge, skills and technical proficiency relevant to the performance of their
  duties
• be skilled in dealing with people and communicating audit, risk management and related
  issues effectively
• maintain their technical competence through a programme of professional development, and
• exercise due professional care in performing their duties.

Relationship with external audit

Internal and external audit activities will be coordinated to help ensure the adequacy of overall
audit coverage and to minimise duplication of effort.

Periodic meetings and contact between internal and external audit shall be held to discuss
matters of mutual interest.

External audit will have full and free access to all internal audit plans, working papers and
reports.

Planning

The Head of Internal Audit will prepare, for the Audit Committee’s consideration, an internal
audit strategic business plan and an internal audit annual audit work plan in a form agreed with
the Committee.

Reporting

The Head of Internal Audit will report to each meeting of the Audit Committee on:

• audits completed
• progress in implementing the strategic business plan and audit work plan, and
• the status of the implementation of agreed internal and external audit, Parliamentary
  Committee and other relevant external body recommendations.

Internal audit will also report to the Audit Committee at least once annually on the overall state
of internal controls in the [entity] and any systemic issues requiring management attention
based on the work of internal audit [and other assurance providers¹⁰].

Administrative arrangements

Any change to the position of the Head of Internal Audit, or an external service provider, will
be approved by the [Chief Executive or Board¹¹]. The Audit Committee will be consulted as part
of the process.

The Head of Internal Audit will arrange for a periodic, independent review of the efficiency and
effectiveness of the operations of the internal audit function at least every five years.

¹⁰ Amend as appropriate.
¹¹ Amend as applicable.

Review of the charter

This charter will be reviewed at least annually by the Audit Committee. Any substantive changes
will be formally approved by the [Chief Executive or Board¹²] on the recommendation of the
Audit Committee.

¹² Amend as applicable.

Part 3

Toolkit


Part 3 Contents

Example internal audit strategic business plan and annual work plan
Example list of contents - internal audit manual
Example internal audit protocol
Pro-forma internal audit annual work plan progress report
Pro-forma Implementation of recommendations progress report
Example key performance indicators
Example client survey questionnaire
Example Audit Committee internal audit questionnaire
Example internal audit self-review questionnaire


Example internal audit strategic business plan and annual work plan

The format and content of internal audit’s strategic business plan and annual work plan is a
matter for agreement between the Audit Committee and the Head of Internal Audit. This
example contains the major elements that could be expected in a comprehensive strategic
business plan and audit work plan.

It is intended as a guide only and entities should consider their own circumstances in
developing their strategic business plan and annual work plan that best suits their own
environment and governance arrangements.

Introduction

Part A of this business plan outlines the strategic direction of [Entity’s] internal audit function
over a three year period [insert date] to [insert date].

It describes in broad terms the operations, programmes and business units that will be given
priority for audit coverage and the types of audits that will be conducted in those areas.

Part A also describes the management strategies that will be implemented over the period
covered by the plan, aimed at enabling internal audit to achieve its objectives.

Part B contains the [Entity] internal audit annual work plan for [insert date] and details the
specific audit activity that will be undertaken in [insert date].

This strategic business plan is available on the [Entity’s] intranet at [insert intranet address].

PART A: Strategic Directions

Internal audit objectives

This section will provide a statement of the broad business objectives and directions for internal
audit over the period of the plan. It will focus on both audit and management goals and be
consistent with the internal audit charter.

Methodology

This section will briefly outline the approach followed in developing the plan and the key
stakeholders consulted.

Entity strategic environment

This section will summarise the goals, objectives and major initiatives of the entity. This will
be derived from a review of key strategic and other planning documents and discussions with the
Chief Executive, members of the Audit Committee and senior managers.

The aim of this section is to demonstrate that internal audit has a good understanding of the
entity’s business, what is planned for the future and how the work undertaken by internal audit
assists the entity to achieve its objectives.

Entity key business risks

This section will describe the major high level risks identified as part of the entity’s risk
management framework and discussions with key stakeholders. Where there is a less than
mature risk management framework, it will be necessary for internal audit to conduct its own
risk analysis.

The aim of this section is to identify those risks that arise out of the entity’s environment and
future direction that may be addressed by internal audit and to provide a link between the
proposed direction and priorities of internal audit and the risks of the entity.

Examples of risks could include:

• being unable to deliver core services and maintain key financial and operational controls in
  a period of rapid change
• an inability to generate sufficient revenue
• difficulties in recruiting and retaining sufficient numbers of skilled staff to deliver entity
  programmes in a time of strong labour market conditions
• a lack of co-ordination of service delivery with other government entities at the Australian,
  state and local government levels and non-government organisations
• delays and cost blow-outs in major projects, and
• security and business continuity.

For ease of presentation the risks could be consolidated into strategic audit themes and audits
that address the theme grouped together.

External environment

This section will identify issues and trends relevant to the entity that arise from the external
environment that may impact on the achievement of the entity’s objectives. Such issues could
come from a number of sources including:

• parliamentary and government accountability requirements
• regulatory changes
• governance trends, and
• professional internal and external audit and accounting trends.

Other assurance and review providers

This section maps the identified business risks to the various assurance processes and
providers such as management monitoring, internal quality assurance, regulators, external audit
as well as internal audit. The aim of this mapping is to identify, for the benefit of the Chief
Executive and the Audit Committee, any risks that are not being addressed by either internal
audit or another assurance or review activity or function, or risks where assurance is being
provided by one or more such activities.

The following example illustrates one version of an assurance map.

Table columns: Business Risk | Management Monitoring | Quality Assurance | External audit | Evaluations/reviews | Regulators | Internal Audit programme
(the six columns after Business Risk are grouped under "Assurance and review activities")
Table rows: A | B | C | D | E | F

Key: indicates adequate coverage of risk

Details can be provided of the specific coverage provided by each of the assurance and review
providers against the relevant business risk.

Internal audit work strategies and priorities

This section will describe the major focus of audit activities including advisory services, audit
support and any non-audit activity over the life of the plan and any changes that are required to
help ensure that the audit plan and other activities remain relevant to the strategic direction of
the entity. The purpose of the section is to broadly demonstrate how the proposed work of
internal audit will assist the entity to manage its current and emerging strategic, operational and
financial risks.

The section could usefully discuss issues such as:

• what audit topics will be undertaken over the period of the plan and how they address the
  risks facing the entity, including risks that might otherwise remain undetected
• any rebalancing of the proportion of the different types of audit, or
• the proposed introduction of any new audit advisory or audit support activities.

Audit Coverage

This section will describe where the major audit effort will be concentrated and the areas that
will receive little, or no, audit attention. It could describe not only the subject matter that will be
addressed but also the types of audits and the business units and/or geographical location of
audit coverage. The aim of the section is to be able to demonstrate that the planned audit
programme is relevant to the identified risks, and to identify where gaps exist. In the light of this
information the Audit Committee is then in a position to make an informed decision on the
proposed audit coverage.

For ease of presentation, the proposed audit coverage could be summarised as shown in the
following example. It shows which audits are proposed to be conducted over a three year
period:

• audit theme
• audit title
• area responsible
• type of audit
• priority.


Table columns: Audit theme* | Year 1 | Year 2 | Year 3
(each year is subdivided into Audit Title, Area Responsible, Priority and Type of audit)
Table rows: Cyclical¹³ | Governance | Programme performance | Strategy/planning | Human resources | Financial

* These themes should be aligned with the entity’s main business risks.

¹³ Cyclical audits are reviews that are primarily of a compliance nature and are conducted as part of a regular annual cycle to
   examine key risks such as financial, human resource, legal, contractual and project management risks.

Previous audits and planned audits

To assist the Audit Committee and other stakeholders to place the planned audit coverage in
context, this section lists the audits completed over, for example, the last two years as well
as those planned over the life of the plan. An example of how this might be presented is
illustrated below.

Table columns: Audit Title | Year -2 | Year -1 | Year 1 | Year 2 | Year 3
Table rows: A | B | C | D | E | F | G

Key: indicates extent of internal audit coverage

Allocation of resources

This section details the relative allocation of internal audit resources between audit, including
advisory, audit support and any non-audit activities.

Other options include showing the allocation of resources between the different types of audit,
business units and/or geographical locations. Details can be provided in tabular or graphic form.
The following examples illustrate graphic representations of the allocation of resources.



Audit resources

This section details the financial and human resource budgets for audit activities over the life of
the plan including the previous year for comparative purposes.

Budget | Year -1 $ | Year 1 $ | Year 2 $ | Year 3 $
Staff (including overheads)
Travel & Accommodation
External Service Provider
Total

Human resources | Year -1 Days | Year 1 Days | Year 2 Days | Year 3 Days
Available days:
  In-house staff
  External service provider(s)
Total available days
Less days applied to non-audit activities¹⁴
Total available internal audit days
Internal audit support activities
  Development of the internal audit strategic business plan and annual work plan
  Monitor audit and other report recommendations
  Prepare annual assessment report
  Service the Audit Committee
  Manage audit programme
  Staff recruitment/training
  External auditor liaison
  Other internal audit support activities
Total internal audit support activity days
Total available for annual work plan

Internal audit management strategies

This section will describe the management strategies that will be adopted to achieve the internal
audit goals and deliver the broad audit programme described earlier.

Examples of management strategies might include:

• changes in work practices and enhancement of audit methodologies to assist in ensuring
  that internal audit meets the needs of stakeholders and delivers value for money
• review of the internal audit professional development programme
• introduction of new audit technology
• benchmarking exercises or external reviews, and
• the introduction of secondment programmes aimed at ensuring internal audit has the
  necessary skilled and experienced staffing resources to deliver the internal audit annual
  work plan.

¹⁴ If specified in the internal audit chapter.

Risks to the Internal Audit Strategy

This section will describe the major risks that may prevent internal audit from achieving
its objectives and the strategies that will be implemented to mitigate such risks.

The following example illustrates possible risks and mitigation strategies.

Risk event: The expiration of the external provider contract in 15 months' time
Description of Risk: This has the potential to result in delays in the audit programme if there
is a change in audit service provider. There is also the risk of increased costs, in line with
market changes over the last three years.
Mitigation Strategy: Immediate review of service delivery options followed by early
commencement of the tendering process.

Risk event: Increase in staff turnover
Description of Risk: Turnover of in-house audit staff is a significant risk over the next 12-18
months as senior staff approach retirement age.
Mitigation Strategy: Allowance has been made for managing staff retention and recruitment
activities and the introduction of a secondment programme.

Risk event: Management requests additional audits
Description of Risk: Internal audit unable to respond in a timely way to requests for additional
audits that have not been included in the audit work programme.
Mitigation Strategy: Programme includes allowance for urgent and unforeseen tasks subject to
approval by Chief Executive/Board or Audit Committee.


Performance measures

This section will list the performance measures that will be used to measure the performance of
internal audit and any changes in measures or targets over time.

Review of plan

This section will describe the timeframe and arrangements to be made for the review and
update of the plan. It would normally cover a three year rolling period and be reviewed at least
annually. It would be developed by the Head of Internal Audit for approval by either the
Chief Executive/Board or the Audit Committee.


Part B: Internal audit annual work plan for [year]

Table columns: Audit theme* | Area Responsible | Audit orientation | Audit description | Potential benefit/rationale | Priority | Estimated duration^ | Estimated start date | Audit title | Sponsor | Provider | Date of consideration by Audit Committee

Table rows (audit titles grouped by audit theme):

Governance
• Cyclical compliance check
• Certificate of Compliance
• Governance and reporting of related business partners
• IT security environment

Programme performance
• Programme grants to client organisations

Strategy/planning
• Implementation of strategic changes and organisational restructure
• Selection of a new financial management system

Human resources
• Personnel security clearances

Financial
• Asset management
• Corporate Taxation

Contingency for unforeseen audits

Total

* These themes should be aligned with the entity’s main business risks.

^ The plan could also include the cost of individual audits.

Reserve topics

Table columns: Audit theme* | Area responsible | Audit orientation | Audit description | Potential benefit/rationale | Estimated duration | Audit title

Table rows (audit titles grouped by audit theme):

Programme performance
• Achievement of funding objectives

Strategy/planning
• IT project planning

High ranking topics not included in annual work plan

Table columns: Audit title | Area responsible | Audit orientation | Audit description
Table rows: Environmental management | Insurance arrangements

Resource allocation

There are a number of options that can be used to illustrate the allocation of internal audit
resources in the internal audit annual work plan. Some of these are illustrated below.




Example list of contents - internal audit manual

An internal audit manual documents the policies and procedures for conducting audits and
for managing the internal audit function. It is an important aid in assisting internal audit to
produce high quality audit reports that meet the expectations of stakeholders.

The audit manual should be tailored to the individual needs of entities but Heads of Internal
Audit are encouraged to review their audit manuals against this example list of contents.

Introduction

Purpose of internal audit

Purpose of the manual

Application to in-house staff and external providers

Review of audit manual

Overview of entity internal audit

Internal audit charter

Audit Committee charter

Structure of entity internal audit

Roles and responsibilities of in-house and external provider positions

Internal audit protocol(s):

• entity management
• external auditor
• business partners

Internal audit professional standards

Auditing frameworks

Strategic planning

Major tasks in developing the internal audit strategic business plan

Timing of tasks

Responsibilities for tasks

Development of the annual work plan

Major tasks in developing the annual work plan

Timing of tasks

Responsibilities for tasks

Overview of the audit process

Preliminary research

Audit proposal

Audit assignment planning

Preliminary research

Preparing the assignment plan

• Objectives
• Scope
• Methodology/test programme
• Timing
• Resources

Entry interview

Fieldwork

Undertaking fieldwork

Techniques for collecting evidence and testing controls

Mid-point review

Support tools available

Supervision arrangement

Reporting

First draft report

Exit interview

Final draft report

Obtaining management response

Completing the final audit report

Audit findings and recommendations rating system

Report format

Document styles/templates

Post-audit events

Audit evaluation by sponsor

Evaluation and debrief of auditor/external provider

Disseminating better practice and lessons learnt

Quality assurance review

Recommendation monitoring and reporting

Monitoring implementation of audit and other report recommendations

Reporting progress to the Audit Committee

Appendices

Internal audit protocols

Managing external service providers

Policy and guidance

Servicing the Audit Committee

Committee papers

Internal audit management reports

Assessing internal audit performance

Key performance indicators

Records management

Registry files

Audit working papers

Audit records retention and disposal rules

Security procedures

Confidentiality

Data and document security

Asset security


Example internal audit protocol

The format and content of the internal audit protocol is a matter for the Head of Internal
Audit in consultation with entity management. This example includes the key points found in
a better practice internal audit protocol.

Entities are encouraged to review their existing protocol against this better practice
example.

Introduction

This protocol outlines the respective roles and responsibilities of internal audit and management
in the course of an audit and the opportunities for consultation during the audit process.

Purpose of internal audit¹⁵

Internal audit provides an independent and objective review and advisory service to:

• provide assurance to the Chief Executive [and/or Board] that [the entity’s] financial and
  operational controls designed to manage the organisation’s risks and achieve the
  organisation’s objectives are operating in an efficient, effective and ethical manner, and
• assist management in improving the entity’s business performance.

Independence

Internal audit has no direct authority or responsibility for the activities it reviews. Internal audit
has no responsibility for developing or implementing procedures or systems and does not
prepare records or engage in original line processing functions or activities.

Internal Audit reports functionally to the Audit Committee. The Head of Internal Audit is
accountable to the Chief Executive [or Board].

Authority and confidentiality

Subject to compliance with [entity] security policies, internal auditors are authorised to have full,
free and unrestricted access to all functions, premises, assets, personnel, records, and other
documentation and information that the Head of Internal Audit considers necessary to enable
internal audit to meet its responsibilities.

All records, documentation and information accessed in the course of audits are used solely for
auditing purposes. Under its legislation, the Australian National Audit Office has access to all
relevant [entity] documents including internal audit reports.

Agreements with purchasing departments also provide for consultation and disclosure of audit
matters affecting purchasing department programmes and other circumstances¹⁶.




¹⁵ For more information on the roles and responsibilities of internal audit see the internal audit charter available on the
   [entity’s] intranet.
¹⁶ Include where applicable.

Standards¹⁷ and values

Audit activities are also conducted in accordance with relevant professional standards including:

• Standards for the Professional Practice of Internal Auditing issued by the Institute of
  Internal Auditors
• Standards relevant to internal audit issued by the Australian Society of Certified Practising
  Accountants and the Institute of Chartered Accountants in Australia, and
• The Statement on Information Systems Auditing Standards issued by the Information
  Systems and Control Association.

Internal audit activities are conducted in accordance with the Australian Public Service and
[entity] values, policies and procedures.

Planning and consultation

Internal audit prepares a strategic business plan and annual work plan in consultation with the
Chief Executive, [the Board,] the Audit Committee and senior management. The business plan
and audit work plan are based on the risks facing [entity] and the business improvement
opportunities available to [entity].

The strategic business plan and the audit annual work plan are approved by the Chief
Executive/Board/Audit Committee¹⁸. The audit work plan is available on the [entity] intranet.

In addition, audits not on the audit work plan can be commissioned by the Chief Executive,
the Audit Committee or management¹⁹.

Audi
t process

The various stages in the audit process are outlined below.

Preliminary consultation

Prior to commencing the audit, internal audit will consult with the relevant senior manager on
the:

• objectives and scope of the audit

• likely commencement date and duration

• locations to be visited, and

• nomination of an audit sponsor.

Opening interview

An opening interview will be conducted shortly before the start of the audit with management of
the area to be reviewed. The purpose of the opening interview is to:

• enable the audit team to meet key staff of the area being reviewed

• clarify the objectives, scope and timing of the audit

• provide an opportunity for staff of the area being reviewed to present their views and perspectives on the matters subject to audit

• finalise the plan for conducting the audit in terms of timing, duration, staff involvement, and

• arrange access to buildings, personnel, files, systems and data in order to commence fieldwork.

¹⁷ Specify applicable standards.

¹⁸ Amend as applicable.

¹⁹ Audits commissioned by management and not included in the audit work plan require the agreement of the Audit Committee.

Fieldwork

Internal audit is committed to a ‘no surprises’ approach and on-going discussions will be held
with management as findings emerge and conclusions are developed. At the mid point of the
audit, a formal meeting will be sought with the sponsor to discuss the audit programme and
any emerging issues.

If necessary, internal audit will communicate significant matters of concern to the Chief
Executive and/or the Audit Committee prior to the completion of the final report.

Exit interview

At the conclusion of the fieldwork, internal audit will prepare a first draft report to be used as the
basis for discussion at an exit interview.

The purpose of the exit interview is to:

• advise management about the provisional findings, conclusions and recommendations

• afford management the opportunity to correct any misunderstandings or misinterpretations

• discuss findings and conclusions and obtain management’s views, and

• discuss the practicality of recommendations and timeframes for any remedial action.

Draft report

Internal audit will issue a final draft audit report promptly following the exit interview, generally
within 10 working days.

Management comments

On receipt of the final draft report, the sponsor and management of the work area under
review should:

• consider the findings and recommendations in the draft report

• formally advise internal audit whether management agrees or disagrees with the recommendations in the draft report

• where management agrees with a recommendation, management should prepare an action plan to address the recommendation, set a timeframe for implementing the action plan and nominate the individual responsible for implementation, and

• where management disagrees with a recommendation, the reason for the disagreement should be provided²⁰.

Management comments are required within 10 working days of the receipt of the
draft report.




²⁰ While management agreement is not always necessary, it would be expected that discussions would be held with the
sponsor with the aim of reaching agreement. The reasons for any disagreement will be included in the final audit report
together with any internal audit response.

Final report

Within 5 working days of the receipt of management comments, internal audit will issue a
final report to:

• the Chief Executive

• the Chair and members of the audit committee

• the sponsor, and

• the sponsor’s supervisor.

Where appropriate, lessons learnt and examples of better practice will be disseminated to a
wider audience in [entity].

A client satisfaction questionnaire will be sent with the final report. The sponsor should complete
the client satisfaction questionnaire and return it to the Head of Internal Audit. The Head of
Internal Audit will follow up any feedback indicating possible shortcomings in internal audit
performance.

Monitoring the implementation of agreed recommendations

The Audit Committee is responsible for examining all internal audit reports. Internal audit assists
the Audit Committee in monitoring progress in implementing agreed recommendations. Internal
audit will, therefore, periodically seek advice from management regarding progress in
implementing agreed recommendations.


Pro-forma internal audit annual work plan progress report

Status of [year] internal audit plan as at [date]

Audit title | Progress status²¹ | Original date for consideration by Audit Committee | Revised date for consideration by Audit Committee | Percentage of estimated days used | Last milestone achieved²² | Status comment²³

Progress status legend

• Red: Significant delays

• Orange: Some delays

• Green: On track

Milestones

• Assignment planning commenced

• Entry interview

• Fieldwork commenced

• Fieldwork completed

• Exit interview completed

• Draft report issued

• Management comments received

• Report considered by Audit Committee

²¹ Internal audit’s assessment of audit progress represented by ‘traffic lights’.

²² Selected from list of milestones.

²³ Internal audit’s commentary on audit progress. An opportunity also exists to advise the Audit Committee of the significance of any findings that are emerging from audits in progress.


Pro-forma Implementation of recommendations progress report

Status of the implementation of internal audit and other report²⁴ recommendations as at [date]

Report title and date considered by audit committee²⁵ | Recommendation/ issue²⁶ | Progress status²⁷ | Category/ priority of recommendation | Manager responsible for implementation | Original completion date | Revised completion date | Comment²⁸

Progress status legend

• Red: Significant delays

• Orange: Some delays

• Green: On track

²⁴ Including external audit and recommendations of Parliamentary Committees and other relevant bodies.

²⁵ Or date issued, if not considered by the Audit Committee.

²⁶ Summary of recommendation or issue.

²⁷ Internal audit’s assessment of progress represented by appropriate coloured ‘traffic lights’.

²⁸ Internal audit’s commentary on the adequacy of progress, as required.

Example key performance indicators

Measuring performance over time using a number of key performance indicators (KPIs)
linked to internal audit objectives, and acting on the results, is important for an effective
internal audit function.

The most appropriate KPIs will vary according to the objectives and structure of the internal
audit function, but entities are encouraged to review their existing key performance
indicators against the following example indicators.



Performance indicator | Target | Actual | Percentage variation

Performance against plan
Number of audits completed |  |  |
Number of audits delivered by due date |  |  |
Cost of audit plan |  |  |

Stakeholders
Audit Committee assessment of overall contribution of internal audit (from committee survey questionnaire) |  |  |
Client assessment of overall satisfaction (from client survey questionnaire) |  |  |
Number of requests for ad-hoc advice/assistance from management | Not applicable |  | Not applicable

Staff
Staff satisfaction (from staff survey) |  |  |
Training days per staff member |  |  |
% staff turnover |  |  |

Overall contribution
Audit Committee assessment of the extent audits identified key issues (from committee survey questionnaire) |  |  |
Audit Committee assessment of the contribution internal audits made to greater assurance and/or improvements in performance (from Audit Committee survey questionnaire) |  |  |
Clients’ assessment of benefits resulting from internal audits (from client survey questionnaire) |  |  |

Example client survey questionnaire

To assist in maintaining the efficiency of the audit process and the quality of the audit report
it is important to seek the views of management immediately after an audit has been
finalised.

This example client survey questionnaire is designed to assist the Head of Internal Audit to
collect the views of management regarding the audit. Where there are significant areas of
disagreement the Head of Internal Audit should explore the matters further.

Entities are encouraged to review their existing client survey questionnaire against this
example.

Rating scale

Importance:

1 = Low importance

2 = Medium importance

3 = High importance

Performance:

1 = Strongly Disagree

2 = Disagree

3 = Agree

4 = Strongly Agree


The timing of the audit was appropriate.
Importance: 1 2 3    Performance: 1 2 3 4

My staff and I were given the opportunity to provide input, including any concerns and our perspectives, to the planning process.
Importance: 1 2 3    Performance: 1 2 3 4

The audit focused on issues that were important.
Importance: 1 2 3    Performance: 1 2 3 4

The internal auditor(s) kept me informed throughout the process on a timely basis and there were ‘no surprises’.
Importance: 1 2 3    Performance: 1 2 3 4

The internal auditor(s) demonstrated a good knowledge of the subject matter.
Importance: 1 2 3    Performance: 1 2 3 4

The internal auditor(s) demonstrated professionalism and an objective approach.
Importance: 1 2 3    Performance: 1 2 3 4

There was no undue disruption to my workplace during the audit and our work environment was respected, e.g. safeguarding of documents and access to facilities.
Importance: 1 2 3    Performance: 1 2 3 4

I was given the opportunity to provide input on the findings and conclusions, and on the recommendations made to address them.
Importance: 1 2 3    Performance: 1 2 3 4

Conclusions reached were adequately supported by relevant facts and thorough analysis.
Importance: 1 2 3    Performance: 1 2 3 4

The audit was completed on a timely basis.
Importance: 1 2 3    Performance: 1 2 3 4

The audit report was balanced and constructive.
Importance: 1 2 3    Performance: 1 2 3 4

Recommendations were useful, realistic, and cost-effective.
Importance: 1 2 3    Performance: 1 2 3 4

The audit was of benefit in providing me with assurance that there were no major weaknesses and/or helped me to manage my business better.
Importance: 1 2 3    Performance: 1 2 3 4

Overall, I was satisfied with the audit.
Importance: 1 2 3    Performance: 1 2 3 4

Please use the space below to explain any specific ratings, to provide additional comments, or
to offer suggestions to improve future internal audits.

Comments:

Example Audit Committee internal audit questionnaire

The views of the Audit Committee on the performance of internal audit should be sought
periodically, but at least annually.

This example questionnaire is designed for use by the Audit Committee to provide feedback
to the Head of Internal Audit on the performance of the internal audit function. The
questionnaire would generally be completed by each member of the committee.
Alternatively it can be completed by the committee as a whole.

Entities are encouraged to review their existing Audit Committee internal audit survey
questionnaire against this better practice example.

Rating scale

Importance:

1 = Low importance

2 = Medium importance

3 = High importance

Performance:

1 = Strongly Disagree

2 = Disagree

3 = Agree

4 = Strongly Agree


Audit Committee Papers

Audit Committee papers were distributed in sufficient time prior to the meetings.
Importance: 1 2 3    Performance: 1 2 3 4

Audit papers provided adequate pre-meeting information.
Importance: 1 2 3    Performance: 1 2 3 4

Audit papers were presented in a professional, well-ordered, clear and concise manner.
Importance: 1 2 3    Performance: 1 2 3 4

The information provided in the audit papers assisted the Audit Committee to fulfil its responsibilities under its charter.
Importance: 1 2 3    Performance: 1 2 3 4

Any changes suggested to the audit papers were implemented in a timely manner.
Importance: 1 2 3    Performance: 1 2 3 4

Meetings

Internal audit actively participates in meetings.
Importance: 1 2 3    Performance: 1 2 3 4

Internal audit offers suggestions and solutions to issues during discussions.
Importance: 1 2 3    Performance: 1 2 3 4

Minutes from meetings are accurate, concise and distributed in a timely manner.
Importance: 1 2 3    Performance: 1 2 3 4

Internal audit strategic business plan and internal audit annual work plan

The strategic business plan and annual work plan were appropriately aligned with the entity’s business and operating environment (including key issues and business risks), its strategy and its key priorities.
Importance: 1 2 3    Performance: 1 2 3 4

The internal audit strategic business plan and annual audit plan was developed in consultation with the Chief Executive, the Audit Committee and senior management.
Importance: 1 2 3    Performance: 1 2 3 4

The internal audit strategic business plan and annual audit plan takes into account the work of other sources of assurance and review.
Importance: 1 2 3    Performance: 1 2 3 4

Audit reports

The issues addressed by each audit assignment were appropriate to the business needs of the entity.
Importance: 1 2 3    Performance: 1 2 3 4

Audit assignments were completed in a timely manner.
Importance: 1 2 3    Performance: 1 2 3 4

Reports were well structured and concise.
Importance: 1 2 3    Performance: 1 2 3 4

Reports reflected a realistic understanding of the area under review.
Importance: 1 2 3    Performance: 1 2 3 4

Recommendations were practical and cost-effective to implement.
Importance: 1 2 3    Performance: 1 2 3 4

Better practice suggestions and lessons learnt were disseminated to relevant areas of the entity.
Importance: 1 2 3    Performance: 1 2 3 4

Audits represented good value for money.
Importance: 1 2 3    Performance: 1 2 3 4

Audits identified key issues.
Importance: 1 2 3    Performance: 1 2 3 4

Audits contributed to greater assurance and/or improvements in performance.
Importance: 1 2 3    Performance: 1 2 3 4

Overall contribution

Overall, internal audit has made a valuable contribution to the achievement of the entity’s objectives.
Importance: 1 2 3    Performance: 1 2 3 4


Please use the space below to explain any specific ratings, to provide additional comments, or
to offer suggestions for improvement.

Comments:

Example internal audit self-review questionnaire

This self-review questionnaire is designed to assist the Head of Internal Audit to assess if
the key elements of a better practice internal audit function are in place.

Rating scale


Ratings:

1 = Strongly Disagree

2 = Disagree

3 = Agree

4 = Strongly Agree


You have the confidence and support of:

• the Chief Executive
Rating: 1 2 3 4

• the Board (where applicable)
Rating: 1 2 3 4

• the Audit Committee
Rating: 1 2 3 4

• senior management, and
Rating: 1 2 3 4

• line management.
Rating: 1 2 3 4

You have direct access to the Chief Executive/Chair of the Board and the Chair of the Audit Committee.
Rating: 1 2 3 4

Internal audit is part of an integrated governance framework.
Rating: 1 2 3 4

The internal audit charter is up to date and clearly articulates the roles, responsibilities and accountability lines of the internal audit function.
Rating: 1 2 3 4

Your role is clear and well understood by management and staff in the entity.
Rating: 1 2 3 4

You have access to all entity records, information and staff in the conduct of your work.
Rating: 1 2 3 4

You and your staff know the entity’s business and the risks it faces.
Rating: 1 2 3 4

There is a strategic internal audit business plan and internal audit annual work plan that is aligned with the entity’s business objectives, risks and major business systems and processes.
Rating: 1 2 3 4

You have access to sufficient skilled and experienced staff and financial resources to meet your responsibilities and the expectations of key stakeholders.
Rating: 1 2 3 4

Internal audit’s working practices are efficient and effective and are supported by an up to date Internal Audit Manual.
Rating: 1 2 3 4

Relevant professional standards are adhered to.
Rating: 1 2 3 4

There is adequate supervision of audit work and review of audit reports.
Rating: 1 2 3 4

Audit reports rate the risk exposure of findings to the entity.
Rating: 1 2 3 4

All audit recommendations are practical, cost-effective to implement and are risk-rated.
Rating: 1 2 3 4

Outstanding agreed internal and external audit, Parliamentary Committee recommendations and those of other relevant bodies, are monitored effectively, and progress in implementing recommendations reported periodically to the Audit Committee.
Rating: 1 2 3 4

Examples of better practice and lessons learnt are disseminated to relevant areas of the entity.
Rating: 1 2 3 4

An annual report that assesses the effectiveness of the entity’s internal controls and identifies systemic issues is provided to the Audit Committee.
Rating: 1 2 3 4

The key performance indicators provide effective accountability and drive performance improvement.
Rating: 1 2 3 4

The internal audit function is reviewed periodically.
Rating: 1 2 3 4