The purpose of IA is to provide independent, objective assurance and consulting activity designed to add value and improve operations. The mission of internal audit is to enhance and protect organisational value by providing risk-based and objective assurance, advice, and insight. The internal audit service helps Cardiff University accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of governance, risk management, and control processes.
The Charter is published on the intranet and the external facing website containing public information. A requirement for internal auditors to declare any conflicts is included within the planning of each audit assignment via the RIPE. All staff are required to make any declarations of interest within the corporate system Core HR.
The probation and performance development reviews are used to document training needs, aligned to the annual IA programme. External firms are engaged to undertake areas of work which fill a skills gap or where technical expertise is required, such as IT resource. Internal Audit have devised an Incident Assessment Form to allow a risk-based decision to be made and evidenced at the institution. Should specialist counter-fraud expertise be required for complex frauds, professional services firms are utilised.
All procedures have been tested during live incidents. Through planned audit work, the RIPE form used at the planning stage has a section that requires an assessment of fraud risks. The IT programme is delivered by an external provider. There is budget available to allow key risks to be covered in a rolling programme of work. Consistency of IA approach and use of IT and audit tools e. All audit files are held electronically, which facilitates the agility of the team, whether working in the office or home working.
Each audit holds a unique reference number e. The process of version control is captured in a separate document. The use of data analytics and other tools is severely limited by the maturity of data quality across the institution. Further details of required qualifications, experience and skills are detailed within the job description. Professional due care is exercised by the IA function experience, objectivity, training and judgement. File review of each audit assignment is the predominant control over the due professional care exercised by the IA function.
All reviews are evidenced, which are held within the relevant audit assignment folder on the shared drive. Knowledge of the sector and ways of achieving this are given as objectives within probation and PDR reviews. All staff are professionally qualified and are required to maintain CPD to retain professional membership. IA appetite for innovation and new working practices to enhance service provision.
The HIA actively keeps abreast of current developments in the audit profession and considers application to service delivery. Working practices and templates are considered annually, at team audit planning session and in advance of the new academic year. Internal review is completed for all work undertaken as part of day to day supervision prior to report release, as noted on the PAD and all published reports. The HEFCW Financial Management Code details requirements for appointment, removal, or resignation of internal and external auditors, where governing bodies are responsible for the appointment and removal of both internal and external auditors.
The risk register is laid over the Audit Universe and there is a direct line of sight from the higher-level risks through to the Audit Programme for the year. KPIs are included within the progress report, which notes any limitations. A level of contingency days is built into the plan to enable the service to respond to emerging risks. Processes to ensure IA are kept informed of institutional changes impacting the risk environment.
In addition, meetings are held with the Vice-Chancellor and Pro Vice-Chancellors a minimum of twice per annum. The audit universe incorporates associated activities of the university, including the Student Union, joint ventures and subsidiary companies. Time is built into the Audit Plan to accomplish an overview of alternative assurance providers.
The co-ordination of activities remains ad hoc at present; there is a low level of institutional maturity of assurance frameworks. In advance of this the Annual Report is passed to University Executive Board for discussion and comment.
In accordance with the HEFCW Financial Management Code, the Annual Report provides an opinion on governance, risk management, internal controls, data quality and value for money, as regards adequacy and effectiveness.
The annual report draws together emerging governance themes in the root cause analysis of themes. The annual report draws together emerging risk management themes in the root cause analysis of themes.
The follow-up report will list the actions taken by the audited entity to resolve the original report findings. Unresolved findings will also appear in the report and will include a brief description of the finding, audit recommendation, client response, current condition, and the continued exposure to ABC Company.
In addition to the original report recipients and other officials as deemed appropriate, the follow-up review results will also be included in the Internal Audit Annual Report to the Board of Directors. Recommend and develop internal auditing policies, standards of performance, procedures, and programs. Make recommendations for improved fiscal management systems. Monitor, verify, and reconcile expenditure of budgeted funds. Determine the direction and extent of audits. Continue to develop expertise in specialised areas to advise other auditors or ABC Company units.
Determine level of compliance with institutional policies and procedures, laws and contractual obligations regarding privacy and security in data processing areas. Provide support to internal auditors in the development of computer-assisted audit techniques. Four years experience as an EDP auditor, two years experience as a financial auditor, and knowledge of computer environment similar to the one at ABC Company.
Ensure that adequate controls are established and installed to meet management objectives 2. Verify that users and computer operations staff have been trained in the system functions and controls 3.
Determine whether level of security is appropriate 4. Based on a review and evaluation of current internal controls, assess potential risk, and exposure to ABC Company, and prepare detailed audit program describing tests to be performed. Obtain sufficient competent and relevant evidential matter, analyse and summarise data to support an objective informed opinion on the adequacy and effectiveness of internal controls, the accuracy of institutional data, and the level of compliance with ABC Company policies.
Draft written reports expressing opinions on the adequacy and effectiveness of system controls, the accuracy of institutional data, and the level of compliance with relevant policies and procedures. Recommend changes in policies and procedures to enhance controls or correct deficiencies.
Review working papers and conduct performance appraisals so that standards are complied with and evaluations can be accurately completed. Analyse evidential data as a basis for an informed, objective opinion. Prepare comprehensive reports addressed to campus and ABC Company administration and external agencies. Determine whether areas reviewed are performing their planning, accounting, custodial, and control activities in compliance with managerial guidelines, applicable statements of policy and procedures, and in a manner consistent with both ABC Company objectives and high standards of administrative practice.
Obtain and analyse data to provide an objective, informed opinion on the accuracy and fairness of financial statements. This includes performing advanced and complex analytical procedures and recommending material adjustments i.
Survey functions and activities of units to evaluate nature of operations and existence and adequacy of internal controls. Monitor performance of staff and evaluate performance of supervised staff.
Arrive at independent decisions concerning recommendations for administration. Prepare the program and establish procedures, which may include statistical sampling and electronic data processing. Prepare and evaluate working papers supporting opinions presented in the report to administration and external agencies. Use specialised knowledge to retrieve information from ABC Company mainframe computers.
Plan and prepare formal written reports addressed to managers or external agencies. This requires a general understanding of departmental activities in relation to computerised information systems under review. This entails analysing evidential data as a basis for an informed, objective opinion and preparing comprehensive reports addressed to ABC Company administration.
Prepare working papers containing sufficient, competent, and relevant evidence to support findings and opinions in audit reports. Draft audit reports containing the results of the audit, including findings, recommendations, opinions. Perform post-audit reviews to determine the extent to which audit recommendations have been implemented.
Appraise the adequacy of replies to final audit reports, and perform post-audit reviews to determine the extent to which audit recommendations have been implemented.
Where appropriate, recommend changes in policies and procedures to enhance controls or correct deficiencies. Provide in-house information systems audit and technical training for internal audit staff. One year of related work experience in information systems auditing or related field e. Excellent planning, organisation, research, analysis, writing, and interpersonal skills.
This includes performing analytical procedures and recommending adjustments to ABC Company financial statements. Prepare the program and establish procedures which may include statistical. Prepare working papers supporting opinions presented in the report to administration and external agencies. This requires a conceptual understanding of the departmental activities in relation to computerised information systems under review.
Plan and prepare formal written reports addressed to department managers or external agencies. First, it will be used for employee development. The feedback that employees receive from the appraisal process should provide them with information they can use to improve job performance.
Second, performance appraisal provides bottom-line evaluations of employees that can be used for administrative decisions such as promotion, salary evaluation, recommendation for training, or remedial action. Performance Evaluation Policy All Internal Audit full-time appointed employees will have an evaluation of their work performance at least every semester and once a fiscal year.
The results of these evaluations will be the primary means for administrative decisions. Performance Evaluation Process The evaluation process will be a twofold approach interim evaluation and annual evaluation. These evaluations will be performed in September and March respectively. Total Chargeable Hours at department standard 2. Audit Completed Timely 3.
Audit Within Budget hours 4. Working papers Technically Correct Dept Standards 5. Audits Performed according to standards. Competent in required job skills and knowledge 2. Exhibits ability to learn and apply new skills 3. Exhibits sound and accurate judgment 4. Requires minimal supervision 5. Keeps current on ABC Company systems 3. Participates in available Continuing Education 4. Balances team and individual responsibilities 2. Exhibits objectivity and openness to others' views 3.
Gives and welcomes feedback 4. Contributes to building a positive team spirit 5. Writes clearly, precisely and informatively 2. Edits work for spelling, grammar, and format 3. Varies writing style to meet needs 4. Follows standards for presenting elements of findings 5. Speaks clearly and persuasively 2.
Listens and gets clarification 3. Responds well to questions 4. Demonstrates group presentation skills 5. Participates in meetings 6. Displays original thinking and creativity 2. Meets challenges with resourcefulness 3. Generates suggestions for improving work 4. Adapts to changes in the work environment 2. Manages competing demands 3. Accepts criticism and feedback 4. Synthesises complex or diverse information 2.
Collects and researches data 3. Uses intuition and experience to complement data 4. Identifies data relationships and dependencies 5. Schedules time off in advance 2. Begins working on time 3. Keeps absences within guidelines 4.
Ensures work responsibilities are covered when absent 5. Establishes and maintains effective relations 2. Exhibits tact and consideration 3. Displays positive outlook and pleasant manner 4. Offers assistance and support to co-workers 5. Works cooperatively in group situations 6. Works within approved budget 2. Conserves organisational resources 3. Develops and implements cost saving measures 4. Displays courtesy and sensitivity 2. Manages difficult or emotional customer situations 3. Meets commitments 4.
Responds promptly to customer needs 5. Follows instructions 3. Responds to management direction 4. Takes responsibility for own actions 5. Commits to doing the best job possible 6. Keeps commitments 7. Volunteers readily 2. Undertakes self-development activities 3. Seeks increased responsibilities 4. Takes independent actions and calculated risks 5. Looks for and takes advantage of opportunities 6. Displays willingness to make decisions 2.
Includes appropriate people in decision making process 3. Exhibits confidence in self and others 2. Inspires respect and trust 3. Reacts well under pressure 4. Shows courage to take action 5.
Provides direction and gains compliance 2. Includes subordinates in planning 3. Takes responsibility for subordinates' activities 4. Makes self available to subordinates 5. Provides regular performance feedback 6.
Follows policies and procedures 2. Completes administrative tasks correctly and on time 3. Supports organisation's goals and values 4. Benefits organisation through outside activities 5. Prioritises and plans work activities 2. Uses time efficiently 3. Plans for additional resources 4. Integrates changes smoothly 5. Sets goals and objectives 6. Identifies problems in a timely manner 2. Gathers and analyses information skilfully 3. Develops alternative solutions 4. Resolves problems in early stages 5.
Develops project plans 2. Coordinates projects 3. Communicates changes and progress 4. Completes projects on time and budget 5. Demonstrates accuracy and thoroughness 2. Displays commitment to excellence 3. Looks for ways to improve and promote quality 4. Applies feedback to improve performance 5. Meets productivity standards 2.
Completes work in timely manner 3. Strives to increase productivity 4. Works quickly 5. Observes safety and security procedures 2. Determines appropriate action beyond guidelines 3. Uses equipment and materials properly 4. Achieves sales goals 2. Overcomes objections with persuasion and persistence 3. Initiates new contacts 4. Maintains customer satisfaction 5.
To increase the professionalism and credibility of the audit staff, the department supports employees' efforts in achieving certification through obtaining study aids and providing reimbursement for sitting for exams. Support is also given by making study time available during working hours and allowing time off to sit for exams. Professional certification is a factor used in the department's annual employee performance appraisal.
Professional development through certification, membership, and participation in professional organisations is encouraged. Internal Audit Department funds may be available and budgeted to support this activity. Continuing Education Internal Audit has a responsibility to provide for the most effective use of available continuing education funds in supporting staff member requests for professional training. Therefore, it is paramount that we have a process that will provide the information necessary to effectively manage this resource.
The departmental standard for the hours staff are expected to charge to projects each year is 1, hours. Auditors shall perform fieldwork at the audited entity location whenever possible. All staff members will submit a weekly progress report, using the electronic Audit Reporting and Management System (ARMS), detailing the hours spent on assigned projects. Progress reports must be completed by Friday p. The comments field will be used to provide a brief description of the work performed or, if no work was performed, an explanation of why.
The comments field should also include a statement of how many hours were spent performing fieldwork at the audited entity location. Any audit work or other activity that is material e. Electronic Working Papers To assure standardisation of working papers and reports, standardised reports, programs and working papers have been developed as Word templates.
In addition, there is an Audit Macros toolbar that will enable you to input your information in a form that will automatically add the information to the new Word document. The working papers shall be purged once a year after the Directors' approval. The exception to this policy is when we are required to retain working papers longer by law or by agreement.
Computer Software Only computer software that the department or ABC Company owns the rights to should be installed on department computers. If you wish to install other software on a department computer, you must receive prior approval from the Director and provide evidence that you own the rights to the software.
When out of the office, material in work areas should be straightened. Care is to be exercised to avoid exposure of confidential or potentially sensitive documents. Please review the audit schedule with your management team to ensure the timing is coordinated with them.
Our audit will be conducted in accordance with generally accepted auditing standards and, accordingly, will include such tests of the accounting records and other auditing procedures as we consider necessary to accomplish our audit objectives.
We will follow-up on previously raised audit issues, review internal controls, the human resource function, operating efficiencies, computer systems, year status, and other audit procedures considered necessary based on the circumstances encountered.
We appreciate your support and the cooperation of your staff as we work together on this engagement. If you would like to discuss the audit, areas that need special audit attention or this schedule, please call me at This information will help to foster future improvements in the Internal Audit function. We request that you, or the staff member most familiar with our recent work, complete and submit the questionnaire.
Please feel free to expand on any areas that you wish to clarify in the comments area. We sincerely appreciate your assistance. Questions Please Select 1. During the initial conference, the audit team explained the objectives, timing, and audit process and solicited your questions and concerns. The audit team was cooperative in attempting to minimise interruptions to your operations and schedule.
The audit team demonstrated technical proficiency in audit areas and knowledge of company policies. The audit team demonstrated courtesy, professionalism, and a constructive and positive approach.
You or your key staff members were adequately informed of the audit status, major issues, and final results on a timely basis. You had the opportunity to provide explanations or responses to audit findings as they developed during the audit process.
During the exit conference, all findings were adequately discussed and all issues of fact were resolved. The final report was accurate and clearly communicated the audit results. The audit recommendations were constructive, relevant, and actionable. On a scale of 0 (no value) to 10 (high value), how much value do you feel this audit added to your unit? Please use the comment box below to let us know what specific changes we can make to improve our audit process.
This valuable information can be in the form of consultation, advice, written communications, or through other products. Adequate Control: Present if management has planned and organised (designed) their operations in a manner that provides reasonable assurance that the Company's risks have been managed effectively and that its goals and objectives will be achieved efficiently and economically. Analytical Review: The examination of ratios, trends and changes in balances and other values between periods to obtain a broad understanding of the Company's financial or operational position and identify areas that may require further or closer investigation.
Assurance Services: An objective examination of evidence for the purpose of providing an assessment on risk management, control, or governance processes for the Company. Examples may include financial, performance, compliance. Audit Committee: Committee of the Company that has no operational responsibilities for any of the activities undertaken by the Company. Their primary function is to help ABC Company fulfil its stewardship role by reviewing the systems of risk management, governance and internal control.
The Company's Audit Committee meets three times a year. Audit Scope: Refers to the activities covered by an internal audit. Audit scope often includes: Audit objectives: Nature and extent of auditing procedures performed Time period audited: Related non-audit activities that delineate the boundaries of the audit When planning audit assignments at the Company, we always agree the scope of our reviews with the unit managers before starting the audit.
Audit Working Papers: Record the information obtained, the analyses made, and the conclusions reached during an audit. Audit working papers support the bases for the findings and recommendations to be reported. Audit working papers are a key part of the evidence used by us in arriving at our conclusions and recommendations. Auditable Activities: Consist of those subjects, units, or systems, which are capable of being defined and evaluated.
Auditable activities may include: We have adopted a risk-based approach in recent years as an approach that uses the Company's Risk Register as a means of identifying our audit universe. Audit Universe: An inventory of audit areas that is compiled and maintained to identify areas for audit during the audit planning process.
Traditionally, the list included all financial and key operational systems audited as part of the overall cycle of planned work. The audit universe serves as the source from which the five-year audit plan and the annual audit schedule are prepared. Developments in the approach to auditing and audit planning have meant that the audit universe is determined by risk i. The universe will be periodically revised to reflect changes in the overall risk profile.
An inventory of audit areas, or audit universe, will be compiled and maintained. Authorisation: Implies that the authorising authority has verified and validated that the activity or transaction conforms to established policies and procedures. Authorising: Includes initiating or granting permission to perform activities or transactions.
C Charter: The charter of the internal audit activity is a formal written document that defines the activity's purpose, authority, and responsibility. Compliance: The ability to reasonably ensure conformity and adherence to Company's policies, plans, procedures, laws, regulations, contracts, ordinances and statutes.
Conclusions: Our evaluation of the effects of the findings on the activities reviewed. Conclusions usually put the findings in perspective based upon their overall implications, particularly in a risk-based audit approach which will provide an audit viewpoint in relation to the aims and objectives of the Company. Conflict of Interest: Any relationship that is or appears to be not in the best interest of the Company. A conflict of interest would prejudice an individual's ability to perform his or her duties and responsibilities objectively.
Consequence: The outcome of an event expressed qualitatively or quantitatively, being a loss, injury, disadvantage or gain. Management plans, organises, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.
See internal control also. Control Environment: The attitude and actions of the members and management regarding the significance of control within the organisation. The control environment provides the discipline and structure for the achievement of the primary objectives of the system of internal control. The control environment includes the following elements:. Control Framework: A recognised system of control categories that covers all internal controls expected in an organisation.
Control Processes: The policies, procedures, and activities that are part of a control framework, designed to ensure that risks are contained within the risk tolerances established by the risk management process. Control Self-Assessment: A class of techniques used in an audit or in place of an audit to assess risk and control strength and weaknesses against a Control Framework.
The "self" assessment refers to the involvement of management and staff in the assessment process, often facilitated by internal auditors. There are many self-assessment techniques in use. At the Company, we operate an annual self-audit system that is a form of self-assessment. D Detection Risk: The probability that an incorrect audit conclusion will be drawn from the results of the examination or that the audit work will fail to detect any serious errors. Detective Controls: Actions taken to detect and correct undesirable events which have occurred.
Directive Controls: Actions taken to cause or encourage a desirable event to occur. Due Professional Care: Calls for the application of the care and skill expected of a reasonably prudent and competent internal auditor in the same or similar circumstances. Due professional care is exercised when internal audits are performed in accordance with Generally Accepted Auditing Standards. The exercise of due professional care requires that:. At ABC Company, we have agreed procedures in place to ensure that we work to recognised professional audit standards.
Effective Control: Present when management directs systems in such a manner as to provide reasonable assurance that the organisation's objectives and goals will be achieved. Error: As it relates to internal audit reports, it is an unintentional misstatement or omission of significant information in a final audit report. External Auditors: Refers to those audit professionals who perform independent annual audits of an organisation's financial statements.
F Findings: Pertinent statements of fact. Audit findings emerge by a process of comparing what should be with what is.
Follow-up: This is a process that we use to determine the adequacy, effectiveness and timeliness of actions taken by management on previous audit findings and recommendations. Fraud: Any illegal acts characterised by deceit, concealment or violation of trust. These acts are not dependent upon the application of threat of violence or of physical force.
Frauds are perpetrated by individuals and organisations to obtain money, property or services; to avoid payment or loss of services; or to secure personal or business advantage. G Goals: Goals are specific objectives of specific systems and may be otherwise referred to as operations or programmes, objectives or goals, operating standards, performance levels, targets or expected results.
Governance Process: The procedures used by the representatives of the Company's stakeholders to provide oversight of risk and control processes administered by management.
Governance is the Company's strategic response to risk, which brings together related components such as strategic planning, risk management, assurance that goals and objectives will be achieved, and internal auditing. Internal Audit: The Company's in-house team that provides independent, objective assurance and consulting services designed to add value and improve the Company's operations.
Internal Control: A process within an organisation designed to provide reasonable assurance regarding the achievement of the following primary objectives:. Irregularities: Refers to the intentional misstatement or omission of significant information in accounting records, financial statements, other reports, documents or records.
L Likelihood: A qualitative description of a probability or frequency. Monitoring: Encompasses supervising, observing and testing activities and appropriately reporting to responsible individuals. Monitoring provides an ongoing verification of progress toward the achievement of objectives and goals. O Objectivity: An unbiased mental attitude that requires internal auditors to perform engagements in such a manner that they have an honest belief in their work product and that.
Objectivity requires internal auditors not to subordinate their judgment on audit matters to that of others. Operations: Refers to the recurring activities of an organisation directed toward producing a product or rendering a service. Such activities may include, but are not limited to, marketing, procurement, personnel, finance and accounting. Opportunity: An uncertain event with a positive probable consequence.
Related to risk, the possibility that one or more individual organisations will experience beneficial consequences from an event or circumstance. P Planning Risk: The risk that the planning process is flawed. In risk assessment, it is the risk that the assessment process is inappropriate or improperly implemented. Preventative Controls: Actions taken to deter undesirable events from occurring. Probability: A measure expressed as a percentage or a ratio of estimation sometimes used as a basis of measuring the likelihood and impact of risks when undertaking risk assessments.
Q Quality Assurance: A programme by which the Head of Internal Audit evaluates operations of the internal auditing service. R Recommendations: Actions we believe are necessary to correct existing conditions or improve operations. Residual Risk: Also known as 'net risk'. This is the level of risk remaining after the relevant controls have been applied by management to the gross or 'absolute' risk.
Residual risk represents the actual level of exposure that the Company faces. Risk Analysis: The assessment of risk, the management of risk, and the process of communicating about risks. A systematic use of available information to determine how often specified events may occur and the magnitude of the consequences.
Risk Assessment: The identification of risk, the measurement of risk, and the process of communicating about risks. The risk assessment process measures risk by the use of two factors: impact and likelihood. Risk-Based Auditing: An approach that focuses upon how an organisation responds to the risks it faces in achieving its goals and objectives; it aims to provide assurance on the management of the identified risks within the context of the Company's corporate plans and aims.
It is an invaluable resource for team members, who can, and should, use it as a reference guide to ensure that they are performing their reviews in compliance with the audit standards. Implementing a manual and process into a team is never easy, particularly where the team has been used to a previous way of working for a long period of time.
This article by Entrepreneur has set out 8 steps which are very much applicable to implementing an audit manual in a team.
The steps are: Create a plan - How are we going to implement the new manual? What are the timeframes for implementation, what training needs to be delivered, what audits are going to be the first 'trial run' under the new methodology, etc. These are all factors to be built into your implementation plan. Understand the end goal - Your end goal will likely be related to quality, efficiency, timeliness, consistency, or a combination of all. Making sure this goal is clear, how the new internal audit manual will address it, and communicating this to your team is essential.
Communicate clearly - In addition to communicating the goal, it's important that the plan and expectations are also clearly communicated. Identify key players - Your managers are critical to ensuring that the new manual is implemented and upheld. They will be responsible for making sure audits are performed in compliance with the new manual, and as such, they should be reminded of this responsibility.
Delegate tasks - Everyone in the team has a role to play. It's the Head of Audit's role to actively communicate the new manual at each team meeting and spruik its benefits. It's the managers' responsibility to ensure it is embedded, and it's the junior auditors' responsibility to adhere to it.
Managers should, as part of their audit review process, recognise and celebrate where team members have adhered to the manual well and share this during team meetings. Set clear objectives - The objectives of implementing the new manual, such as ensuring quality, efficiency, timeliness, consistency, or a combination of all, in our audits, should be communicated and made clear throughout the implementation process.
Manage expectations - Change isn't easy. Some people embrace change more than others, and therefore, it's important that we set expectations which set the standard.