Each engagement is specifically planned to ensure that the auditors obtain an adequate understanding of the audit area and can determine an appropriate scope and approach for the engagement. The output of this exercise should be agreed terms of reference including the engagement’s objectives, scope, timing and resource allocations, and documented in an Audit Planning Memorandum.
The audit field work comprises assessment and testing of key controls in place to manage the identified risks (e.g. the risks within programmes to deliver objectives such as new services and facilities and fiscal consolidation), or within core systems.
This would typically be undertaken through: discussion with key staff responsible for the relevant processes; review of relevant documentation; physical verifications and independent confirmations; and, testing of controls (which may be on a sample basis) to confirm that they are both designed and operating effectively.
Such controls may be financial, operational or compliance in nature and might range from the segregation of incompatible duties, to the analysis of business cases before strategic plans are implemented, to embedding appropriate cultural attitudes.
Each internal audit engagement culminates in a written report on the adequacy and effectiveness of the risk management, governance and control systems. The draft report is discussed with the management of the Ministry/Department/Agency to obtain their concurrence on its factual accuracy and practicality of the recommendations. The final signed report should include the actions agreed with management to address the internal audit findings, and the timeframe within which the recommendations should be implemented.
Following audit recommendations and identification of actions to improve the Ministry/ Department/ Agency’s framework of governance, risk management and control, internal audit also plays a role in helping ensure such recommendations and actions are implemented. This is achieved through a process of tracking and continuous monitoring to ensure that agreed recommendations have been effectively implemented by management.