AUDIT MANUAL
Table of Contents
FOREWORD
1.0 General Policies & Standards
1.1 Audit Charter
1.2 Auditing Standards
1.2.1 IIA Professional Practices Framework
1.2.2 Other External Standards
1.2.3 General Standards - Summary
1.2.3.1 Qualifications of Audit Staff
1.2.3.2 Reasonable Professional Care
1.2.3.3 Independence
1.2.3.4 Confidentiality
1.2.3.5 Evidence
1.2.3.6 Adequate Documentation
1.2.4 Operating Standards - Summary
1.2.4.1 Planning
1.2.4.2 Supervision
1.2.4.3 Statutory and Regulatory Requirements
1.2.4.4 Internal Controls
1.2.4.5 Reporting
1.2.5 Audit Management Responsibilities
1.2.5.1 Organising
1.2.5.2 Directing
1.2.5.3 Controlling
1.3 Audit and Compliance Committee Charter
2.0 Personnel & Administration
2.1 General Procedures
2.1.1 Commencement of an Audit
2.1.2 Conduct of an Audit
2.2 Personnel
2.2.1 The Auditor
2.2.2 Internal Audit Area - Organisation Structure
2.3 Administration
Page 2 of 57
FOREWORD
The purpose of this manual is to provide Curtin University Audit staff with a source of reference for general
audit procedures and routine, in accordance with the Audit Charter (refer Section 1.1).
Any instruction contained herein which is inconsistent with Curtin University's internal policies and
procedures is void to the extent of that inconsistency.
Code of Ethics
Conformance with the principles set forth in mandatory guidance is required and essential for the
professional practice of internal auditing.
The Internal Audit Charter contains a definition of internal auditing that is in alignment with the
IPPF i.e.
The basic objective of Internal Audit is to provide independent, objective assurance and
consulting services designed to add value and improve the University's operations.
Section 9.2 of the Internal Audit Charter states that the Director Internal Audit will ensure:
compliance with professional standards, as laid down by the Institute of Internal Auditors
(IIA) i.e. the International Standards for the Professional Practice of Internal Auditing;
and
compliance with the IIA Code of Ethics
Knowledge of auditing theory and practice and the education, ability and experience to apply
such knowledge to a variety of auditing assignments.
Specific:
1.2.3.3 Independence
Independence is essential to the effectiveness of Internal Auditing. This independence is obtained
primarily through organisation status and objectivity.
The organisational status of the Internal Auditing function, and the support accorded to it by
management, are the major determinants of its effectiveness. The Director Internal Audit,
therefore, is responsible to the Audit and Compliance Committee whose authority is sufficient to
ensure both a comprehensive range of audit coverage, and the adequate consideration of, and
effective action on, the audit findings and recommendations.
Whilst the auditor may recommend standards of control for systems or review procedures before
they are implemented, the design, installation and operation of systems or drafting of procedures
for systems are not an Audit function. Performing such activities is presumed to impair audit
objectivity and could be seen to be displacing the role of management.
1.2.3.4 Confidentiality
Information acquired by an auditor in the course of audit duties must not be used for purposes
outside the scope of assessment and formation of an opinion and in reporting according to audit
responsibilities.
It is essential that the auditor maintain confidentiality regarding audit matters and information
arising from audit tasks.
1.2.3.5 Evidence
Auditors must obtain all evidence necessary for the effective completion of the audit.
The decision on how much evidence is enough and what type to seek requires the exercise of the
auditor's judgement based on experience, education, reasoning and intuition. A thorough
knowledge of the concepts underlying audit evidence will help the auditor to improve the audit
quality and efficiency.
Evidence needed to support the auditor's findings may be:
Regardless of the type, the evidence involved should meet basic tests of sufficiency, competence
and relevance. The audit working papers should reflect the details of the evidence upon which the
auditor has relied or include copies of papers containing the evidence.
1.2.3.6 Adequate Documentation
Auditors must provide adequate documentation of the audit, including the base and extent of
planning, the work performed and the results and findings of the audit.
Adequate documentation of audit planning, methods, procedures, findings and results is necessary
in order to maintain an acceptable level of auditing service by providing:
The Director Internal Audit with an adequate basis and sufficient evidential material to support
any opinions expressed in the Audit Reports;
Planning procedures;
Information provided by the client or other parties that is significant to the findings or the
recommendations;
Principal procedures and findings to the extent that these are not documented in the final
report;
Client correspondence and reporting, including the final report (NOTE: only the first draft and
final copy of the report need to be kept on file).
Documentation that is not referred to in the working papers or report findings is not to be retained
on file.
1.2.4 Operating Standards - Summary
Operating auditing standards in operation for Internal Audit at Curtin University are in alignment
with the above referred external standards:
1.2.4.1 Planning
An audit plan must be prepared and revised as necessary in the course of an audit to cover all
material areas under examination.
This standard requires sufficient advance planning to provide a basis for effective audits. This is the
first step towards effective and efficient utilisation of staff time.
The audit planner is expected to be thoroughly familiar with the operations of the organisation and
be concerned broadly with medium to long-term horizons to ensure systematic and adequate
coverage of activities over time.
1.2.4.2 Supervision
Where work is assigned to members of an audit team, each member must have sufficient
proficiency and training to carry out assigned tasks. Their work must be carefully supervised and
reviewed.
The most effective way to control quality and to expedite the efficient and effective progress on an
assignment is by supervision from the beginning of preparatory work to the completion of the
report in draft form.
In particular, the Director Internal Audit is required to oversee and assess the audit work program
and audit budget throughout the course of each audit. In addition, it is the Director Internal Audit's
responsibility to approve any change to the audit budget or deviation from the audit work program
on each audit.
1.2.4.3 Statutory and Regulatory Requirements
One specific aspect to be covered is a review of compliance with statutory and regulatory
requirements, organisation plans and policies, directives and procedures.
This standard places an onus on the auditor to advise management of any instances where the
organisation has not complied with pertinent laws and regulations. In reviewing compliance, the
auditor should examine enabling legislation and general regulations as appropriate.
1.2.4.4 Internal Controls
The system of internal control is conceptual in nature. It is the integrated collection of control
mechanisms used to achieve desired results.
A control is any mechanism or practice used to enhance the probability that required results will be
achieved.
Internal auditors must systematically evaluate the nature of the organisation's operations and
systems of internal control to assess the extent to which they may be relied upon to:
Ensure compliance with policies, plans, procedures, standards, laws and regulations; and
Internal controls comprise the plan of organisation and the methods and measures adopted to
safeguard assets, comply with laws and regulations, check the accuracy and reliability of
management data, promote operational efficiency and encourage adherence to prescribed
managerial policies. These controls embrace the policies, procedures and practices established by
management as well as the plan of organisation and other measures intended to promote and
facilitate their implementation.
Internal control is the whole system of control, financial or otherwise, established by management
in order to carry on the business of the organisation in an orderly manner.
The characteristics of a sound system of internal control include:
Sound, formal practices to be followed in the performance of duties and functions of each of
the organisational units;
Management;
Organisation;
Accounting; and
Physical controls.
A complete review of internal controls as a specific requirement would often be prohibitive in terms
of available resources. An examination of all controls would not be efficient (and would not
always add value) because not all are significant; in fact, the importance of controls is directly
linked to the assessment of business risk within an auditable area under review. The auditor should
exercise professional judgement and should concentrate on controls which are important within the
full scope of the system under review, i.e. key controls.
1.2.4.5 Reporting
Each audit report should:
Explain clearly, where applicable, the scope, objectives and limitations of the audit;
Include only factual information and findings and conclusions adequately supported by
evidence;
Reflect the balance between critical comments and recognition of management and initiated
improvements;
Identify and explain issues or questions needing further study and consideration by the auditor
or others;
Highlight any departure from policies, plans, procedures, standards, laws and regulations; and
Recognise the views of management which should be considered for presentation in the final
audit report.
1.2.5.1 Organising
The Director Internal Audit should define and put into effect organisational arrangements
appropriate to provide the quality and level of auditing services required at reasonable cost.
Organising involves the establishment of the organisational structure and includes the division of
work into manageable units and the specification of the span of management. It involves the use of
such tools as organisation charts, position descriptions, flowcharts, procedures, records and reports
to establish the flow of information and the responsibilities and authorities of individuals for
performing activities, establishing information trails, and setting standards of performance.
1.2.5.2 Directing
The Director Internal Audit should provide directives and written policies and procedures to guide
Audit staff.
Directing involves undertaking certain activities to provide additional assurance that plans are
carried out and that systems operate as intended. These activities include issuing instructions to
staff.
The form and content of written policies and procedures should be appropriate to the size and
structure of the Audit unit and the complexity of its work.
1.2.5.3 Controlling
The Director Internal Audit should establish and maintain a system of supervision and control
(including a quality assurance program) to evaluate the operations of the Audit unit and provide
reasonable assurance that required results will be met in an efficient and economical manner.
1.3 Audit and Compliance Committee Charter
The Audit and Compliance Committee Charter provides details of that Committee's membership, purpose
and responsibilities.
The Audit and Compliance Committee Charter may be found on the Curtin University Internal Audit
website.
Approach - Auditors, like their auditees, are all members of the same institution and shouldn't
set themselves apart or appear to be aloof. Audit is a management tool in the overall
organisation of the University and its function is to assist rather than to hinder. Audit officers
are to be friendly and fair in their approach but, at times, need to be firm in exercising their
authority - particularly if other staff members are reluctant to give positive assistance.
Work Knowledge - The whole basis of the auditor's work centres around determining
weaknesses in control and management of risk. In order to be appointed to Internal Audit,
officers must display a certain level of experience and competence. It is the auditor's
responsibility to ensure that he/she refers, as often as is necessary, to the University's policies
and procedures, individual Faculty/School/Department/Area procedures manuals, user guides
and any statutes/regulations which may be applicable.
Audit files, when the auditor is in the field, are suitably housed overnight and not left on desks;
Personal computer equipment and backup thumb drives/CDs are not left unsecured while the
auditor is away from his/her desk;
Any University documents, files, reports or papers of any nature are not taken outside the
building unless in a suitable envelope, parcel or briefcase.
Audit staff who are required to take PC equipment, working papers or reports to their home prior to
commencement of (or during) an audit must ensure that this property is not left in motor vehicles
overnight.
2.3 Administration
2.3.1 Audit Procedures
The Internal Audit area may maintain various Acts and Statutory Regulations, as required. However,
much of this information is now readily available on the web.
The Internal Audit area will maintain the following internal documentation:
Audit Manual (which is stored electronically on the Internal Audit Area J drive and published on
the Internal Audit website). This manual determines the standard expected of auditors in
discharging their audit responsibilities.
This document is stored on the LAN in: J:\ODVC\PQ\AUDIT\OPERATIONAL
MANAGEMENT\Procedures\Internal Audit Manual\2011 Onwards
CCH TeamMate System User Guide for Curtin Auditors (which is stored electronically on the
Internal Audit Area J drive and published on the Internal Audit website). This guide describes
how the Internal Audit Area's audit methodology is to be utilised through the use of the CCH
TeamMate electronic working papers system; see further information below.
This document is stored on the LAN in: J:\ODVC\PQ\AUDIT\OPERATIONAL
MANAGEMENT\Procedures\CCHTeam Mate Manual
Other technical auditor information (which is stored electronically on the LAN in the
appropriate directory e.g. running CAATs).
CAAT software is held on the LAN in: J:\ODVC\PQ\AUDIT\INFORMATION AND
COMMUNICATION TECHNOLOGY\Compliance\CAATS
Amendments to the above documentation are to be authorised by the Director Internal Audit.
2.3.2 Area Expenditure
All drawings made to recoup expenses paid during the course of an Audit, for interstate travel or
external training, are to be compiled personally by the auditor for authorisation by the Director
Internal Audit (or relevant support administrative staff). Copies of all supporting documentation,
including receipts, vouchers etc are to be filed in the relevant administration area of the Office
within which the Internal Audit Area operates.
The minimum unit of time to be recorded is 0.25 hours (15 minutes) in a 7.5 hour working day.
In calculating administration (non-productive time), the auditor should first determine hours spent
on each assigned project and other tasks during a working day; the remaining hours should then be
allocated as administration to make up 7.5 hours in total.
The timesheet is to be updated each day and figures accumulated on a calendar month basis, with
final actuals being carried forward from the previous calendar month. Any necessary totalling of
figures is performed automatically by the spreadsheet software.
The Director Internal Audit is to ensure that, on a monthly basis, totals are transferred from the
computerised timesheets to the Audit Progress spreadsheet (which reports annual budgeted time
against actual hours for scheduled audits).
A Strategic Audit Plan which is the identification and documentation of auditable areas within
an Audit Universe, and the prioritisation of these areas for review based on a predetermined
risk assessment methodology over a period greater than one financial year;
An Annual Audit Work Plan which sets out the planning of individual audit assignments over
one financial year; and
A Field Audit Plan which determines the scope and parameters for each individual audit.
Justification of Resources.
A strategic plan, when accepted, can support Audit management's requests for establishing
staff levels and in determining associated budgets.
Management Participation.
Management overview of the strategic plan will ensure that Audit's assessment of relative
priorities accords with that of management.
Accountability.
A plan allows the comparison of work completed to work scheduled and is an important link in
the accountability chain.
Liaison.
Communication of long-term plans can facilitate working arrangements with all other review
activities, including external audit.
Identification;
While the Audit Charter defines the responsibilities of the Audit function in broad terms, Audit
management should possess sound knowledge of the organisation's activities in order to document
the auditable areas.
3.2.4 Identification of Auditable Areas
The Audit Universe of auditable areas must consider all major University operations, systems and
computer environments. To this end, Audit management must seek relevant information from a
variety of different sources e.g.
Executive management
Line management
Audit staff
The University's Risk Map (covering strategic, operational and project risks)
New risks may be identified or existing risks may change in terms of their probability and/or
impact.
The final Annual Work Plan for the area is submitted to the Audit and Compliance Committee for
review and approval, prior to the commencement of the new financial year.
3.3.2 Considerations for Planning
Not all of the auditable areas identified and risk ranked in the Audit Universe will be covered in the
Annual Audit Work Plan.
The availability, skills and knowledge of available internal audit resources, the ability to outsource or
co-source audits, and the scope and objectives of each audit are factors affecting the selection of
any one audit in the final operational plan.
With regards to scope and objectives, typical examples are:
A 7.5 hour working day will be used in determining duration of audit assignments.
Consideration will have to be given to administration (non-productive) time each working day.
Administration caters for personal breaks, phone calls, Christmas lunches etc.
In assigning audits to staff, the Director Internal Audit shall:
make appropriate allocations of time for two or more auditors to work on the same audit;
ensure auditors are adequately rotated on audits to minimise reliance on key persons and
increase skills and knowledge across the team; and
determine availability of working hours for each employee ONLY after first calculating total
non-worked time e.g. annual leave, long service leave, personal leave, training, study
leave/exams and non-productive administration time.
In addition, the Director Internal Audit will strive to ensure that agreement is reached with
management on the timing of selected audits (where feasible) and their scope and objectives, prior
to the Annual Audit Plan being approved by the Audit and Compliance Committee. A special form
has been developed to facilitate this i.e. the Audit Budgeted Hours Estimate Sheet (see Section 9
Forms and Templates List).
List of CAATs (computer assisted audit techniques) proposed for use; and
System Description of the auditable area, and any other supporting documentation.
Part B of the Field Audit Plan document should also be updated with relevant information upon
completion of the audit and handed to the Director Internal Audit for final sign-off.
The Field Audit Plan and accompanying documents enable Audit management to ensure that work
performed meets accepted standards and audit objectives, and is carried out in the most
economical and effective manner.
Verification;
Reporting; and
Follow-up.
A short explanation of each phase appears below. Note that these stages do not necessarily run
contiguously but may overlap.
4.1.1.2 Planning and Administration
A pre-requisite for an efficient and professional audit is an adequate plan. The amount of work
involved in planning may vary considerably, depending upon whether or not the audit has been
performed before. An integral part of this planning is the entry interview (where the scope and
objectives of the audit are discussed), and the engagement letter (where the outcome of the entry
interview, and other audit planning related matters, are confirmed with the auditee).
4.1.1.3 Review and Evaluation
In this phase, the system or operation is reviewed and documented, risks and associated controls
are identified, and a preliminary evaluation of the adequacy of these controls performed. From
here, an audit program is developed or an existing audit program modified.
4.1.1.4 Verification
During this phase, the audit program is followed and assessments made based upon the results of
further investigation and testing.
4.1.1.5 Reporting
At the end of the Verification phase, findings are documented, together with appropriate audit
recommendations, in report form for later discussion with the Auditee during the exit interview.
A draft copy of the report is sent to the auditee (management) to gain final clearance on matters
raised (via written management comments).
Upon receipt of management comments, the comments are included within the body of the report
and an audit opinion determined and inserted in the Conclusion section, prior to publication.
The final report is issued, and two to three days later, an Audit Client Questionnaire Form (see
Section 9 Forms and Templates List) is issued requesting feedback from the Auditee on the
Auditor's performance.
4.1.1.6 Follow-up
On a six monthly basis, a follow-up report is issued by the Director Internal Audit on all outstanding
matters reported during prior audits. The status of action taken on each item is noted, and items
are carried forward until all action is complete.
The issues reported as being outstanding at the end of the follow-up process are reported to Audit
and Compliance Committee (this occurs twice a year, at the May and November meetings).
4.2 Audit Programs
4.2.1 Introduction
It is Internal Audit policy that, before detailed audit testing is undertaken, an Audit Program should
be prepared (see Section 9 Forms and Templates List). The audit program is in fact the end point
of the Review and Evaluation phase.
Programs may cover more than one auditable area (if these areas are clearly inter-related) but must
be structured so that different auditable areas can be covered separately. In circumstances where a
number of auditable areas are covered in one program, the program must make provision for a
summary assessment covering all included areas.
Note that there are occasions where standard audit programs may be employed e.g. for Business
Unit audits.
The audit program is reassessed and updated during each subsequent performance of the audit.
The program is thus a working document used as a guide to the auditor and subject to amendment
as appropriate.
4.2.2 Structure
The audit program is made up of several sections.
4.2.2.1 Audit Objectives and Scope
This is always the first section of the audit program. It has the following components:
Audit Objectives - the primary (and perhaps secondary) objective for the program as a whole.
Any summary assessment of the audit will be based on the achievement of this objective.
Likelihood of Risk;
Upon completion of the audit testing in any one control section, the auditor will be able to
conclude, based on the results of the testing performed, whether management is achieving/has
achieved the stated control objectives.
4.2.2.3 Standard General Section
Each audit program will have a standard section, at the beginning, titled "General". This section
requires the auditor to do the following:
List the recommendations to major findings from the previous audit in the working papers (and
the most recent management response to each recommendation) and verbally verify, with the
auditee, that the matters have been addressed or are being addressed. Where a particular issue
will, for whatever reason, not be covered during the current audit, sufficient audit testing must
be performed in this step to verify management's response; and
Review all related external audit management letter issues raised in the current and previous
financial year (whether cleared or outstanding), then verbally verify, with the auditee, that the
matters have been addressed or are being addressed. Where a particular issue will, for
whatever reason, not be covered during the current audit, sufficient audit testing must be
performed in this step to verify management's response.
To identify and document deficiency findings, and accumulate evidence needed for determining
the existence and the extent of the deficient conditions.
To help perform the audit in an orderly fashion coinciding with the audit program; to document
what has been done; to indicate what is still to be done and give reasons for what will be left
undone.
To provide support for the audit report. Well-structured working papers make it easy to transfer
the material written during the audit to the pages of the final audit report. The auditor can
develop discipline that moves both the working paper documentation and the audit report on
the same assembly line, minimising any rephrasing and restructuring and ensuring that the
points raised in the report are covered by the working papers. An experienced auditor has the
structure of the final report in mind throughout the entire audit project. It helps keep the work
relevant and pointed in the right direction.
As the basis for supervisory or peer review of the audit progress and accomplishment. Review of
the audit project should be current and continual. The working papers, as evidence of work
done and to be done, are much better indices of accomplishment than unsupported oral
assertions (which may easily become general, distorted or superficial) and can materially
benefit the audit. A review of work progress is seriously diminished in value if it is based only on
conversation with the auditor.
As a basis for appraising the auditor's technical ability, skills and working habits. Audit
proficiency is clearly mirrored in the documentation of work and support for conclusions.
As background and reference data for subsequent reviews. Audit projects may be repeated or
followed up. High quality working papers make the repeat audit much easier and more
economical. The subsequent review may therefore build on the earlier one.
4.3.2 Structure
It is Internal Audit policy that current working papers on each program will be completed and
presented in three sections (one set for each performance of the audit). See Section 9 Forms and
Templates List:
The Initial Email notification of audit commencement briefly informs Executive and
Senior Management of the audit's commencement and the audit objective.
The Field Audit Plan facilitates the planning process at the individual field audit level. The
first page of this form (Part A) is completed before the field work commences, and the
final page (Part B) is completed upon completion of the audit.
The Engagement Letter summarises the scope and objectives of, approach to, and an
estimate of time for completing, a particular audit.
The List of CAATs identifies the proposed computer assisted audit techniques (e.g.
sample data extracts, exception reports) that will be required to support the specified
audit tests, and who will be responsible for running them.
The PANA is completed during the course of the audit and outlines any points that need
to be highlighted at the next audit. It provides a mechanism whereby appropriate follow-up
action can be initiated and, for this reason, the form should be referred to before the
next audit of the auditable area for which it was completed. Examples of points which
may be listed for attention at next audit include selected items which could not be
located for checking at the time of audit and any other matter which could not be
properly dealt with at the time of audit and requires or merits attention at the next audit,
including program steps not performed.
The Audit Budgeted Hours Estimate Sheet provides information obtained on the scope
and objectives of the audit, during the audit planning cycle undertaken in the previous
year.
The Reference File contains static or permanent information in relation to the auditable
area e.g. a system description, design committee minutes, executive submissions, user
guide sections, flowcharts, sample forms, sample reports etc.
The actual test or work performed must be described in narrative/tabular form, with
appropriate references (where necessary) to supporting documentation in the
Appendices e.g. copies of actual forms, documents or report pages used to support
findings. In addition, large tables of tests performed should also be documented and
inserted here to avoid excessive detail in the main narrative.
Each test completed should have, incorporated within it, statements of any conclusions
reached (and the validity of these statements should be self-evident from the
documented findings).
Upon completion of an audit section, the overall conclusion for the section should be
determined and documented immediately after the last program step on the worksheet.
This overall conclusion should be documented as a separate paragraph with its own heading
"CONCLUSION" and should indicate whether the control objectives for the section have
been attained.
Each audit program step documented may have one or more unique reference numbers
created which link to identified Audit Issues (this is usually performed at the completion
of the audit when all of the issues identified during the course of the work can be
considered).
Where audit testing involves drawing conclusions based on samples, then an appropriate
approved sampling methodology will be employed.
All audit documentation produced must be signed off by the auditor when it is complete,
before being reviewed and signed off by the Director Internal Audit (or a delegate).
AUDIT REPORTING comprises Audit Issues identified, Audit Reports and associated
memoranda:
During the course of the audit, Audit Issues may be identified which may eventually find
their way into the draft audit report (as either major issues or minor issues).
Prior to the final report being compiled, the Auditor may develop a set of Audit
Observations which will contain information on observations made during the course of the
audit work, and associated evidence to support observations. These observations may not
necessarily be raised as report findings, but are for discussion with auditees to ensure they
are kept informed of matters arising from the audit that have potential to be reported (and
to eliminate any erroneous or incorrect findings at an early stage). The observations may be
progressively accumulated during the audit, but must be discussed with management
before the final working papers are submitted to the Director for review. As there may be
many changes arising from these matters being brought to the attention of management, it
is not necessary (or even feasible) to align each matter raised in the Audit Observations
sheet with those in the final draft report and working papers.
At the end of the audit, the Audit Report Grade and Conclusion will be determined. At
this point, the Audit Report is ready to be issued to the Executive Manager and his/her
direct reports by the auditor through the Director Internal Audit (see section 4.4 below
for more detail).
Other memos and any extra correspondence received/raised during the course of the audit,
or after final audit report issue, may also be included here.
Audit Report Grade is displayed on the front page of the report by placing a tick graphic against
the relevant audit grade row. Each of the four audit grades:
Satisfactory (Green)
Some Improvement Required (Amber)
Major Improvement Required (Blue)
Unsatisfactory (Red)
Executive Summary provides a summary of the audit performed and includes standard sections
describing the audit objective and scope (which should align with the audit objective and scope
detailed in the Engagement Letter), any positive observations noted during the audit, a list of
issues raised and the final audit conclusion (which provides the high level justification for the
audit grade reported on the first page of the audit report).
Major Audit Issues should each be inserted in a separate table, with the following information:
Major Issue No. - a unique number identifying the issue (in the heading).
Consequence(s) - details the consequence to the University should the underlying risk not
be minimised, treated or eliminated. This links to the Risk Consequence rating below.
Risk Likelihood, Risk Consequence and Risk Rating - provide a quantitative assessment of
the risk arising from the reported finding. These are explained further in the appendix at
the back of the audit report (which is a standard appendix contained in each major audit
report issued).
Audit File Ref. - one or more references to issue nos. raised during the audit (in the CCH
TeamMate system).
Management Action Plans - management's response to Internal Audit's recommendations.
Minor Audit Issues are identified as Low risk and should each be inserted as separate rows in
a section titled MINOR ISSUES at the back of the report but before the standard appendix,
with the following information:
No. - a unique number identifying the issue (commencing from no. 1 onwards).
Audit File Ref. - one or more references to findings located in the working papers.
Note that while these minor matters are discussed at exit interview with the auditee, no
formal management comments are sought.
4.4.3 The Reporting Process
Finally, the Auditor is required to electronically transfer a copy of the final audit report to the
following two LAN subdirectories:
For permanent electronic storage in the Audit Repository (in PDF form) to:
J:\ODVC\PQ\AUDIT\PUBLICATION\Reporting\Internal Audit Report Repository
Interim Reports
During the course of an audit, matters requiring immediate attention may arise.
Rather than wait for the completion of the audit, an interim report (Action Memo) stating the
deficiencies, causes, risks and recommended action (if any) should be issued. The matters so
raised, and their resolution, will still be reported in the final report.
Special Reviews
Internal Audit may be called upon to perform a special review.
The report from such a review should follow a standard format, which may be modified to suit
the circumstances of the review: see Section 9 Forms and Templates List.
The working papers file, including the draft report findings and Scope and Objectives (but not the
Audit Report Grade and Conclusion), is to be handed to the reviewer prior to the exit interview.
Once the review has been completed and queries resolved, all documents are to be filed on the
working paper file.
4.5.2 Procedures
All working papers must be reviewed to ensure that the audit has been adequately conducted and
documented. The reviewer must sign each worksheet (excluding appendix documents) as evidence
of review.
Formal queries raised by the reviewer will be documented as Review or Coaching Notes and
referred to the auditor for answers. No working papers will be considered complete until all
questions have been answered to the reviewer's satisfaction.
The checklist below is an indication of the aspects which the reviewer will examine before exit
interview:
Ensure that audit steps signed off as being "not applicable" are in fact not applicable.
Enquire into audit steps which have not been signed off.
Ensure that the 'Points for Attention at Next Audit' from the previous audit have been
adequately resolved or addressed.
Check that each finding in the working papers has been accurately brought forward to the
report.
The checklist below is an indication of the aspects which the reviewer will examine after
management comments have been received, inserted in the report, and the Audit Report Grade and
Conclusion prepared:
Ensure that each major finding reported has been properly resolved or includes a comment
from relevant management.
Ensure that the draft report has been discussed with the appropriate auditee(s) before the final
report is released.
Confirm that the Report Conclusion written by the auditor properly reflects the outcomes of
the audit.
Check that all Review Notes have been addressed before signing them off along with the
working paper file.
It is important therefore that an appropriate balance between detail and simplicity be established. A
complex flowchart is difficult to understand and update; it is likely to be of little use to anyone other
than its original author.
The use of narrative to clarify charts is encouraged but charts are not an appropriate place for long
descriptions. A flowchart is a graphic representation of relationships, of flows of information or
documents. A single chart should not be made to perform all functions.
4.7 Audit Sampling
4.7.1 General
Audit sampling is a method by which an auditor can draw conclusions about the whole of a group of
items (the "population") by examining some of them ("the sample").
4.7.2 Testing Template
Auditors will use the Internal Audit area's standard Audit Testing Template to determine sample
sizes, based on population and risk, and to draw conclusions as to what is happening in a population
of audited items.
This template is now built into CCH TeamMate (EWP module) and details:
Test performed;
Test conclusion.
NOTE: Where the audit period selected is such that the sample size cannot be achieved, the Auditor
must exercise his/her judgement in determining what to sample and in what period. It may mean
that the whole population in the audit period is selected, plus other transactions outside of the
period in order to achieve a reasonable sample for testing, based on the guideline in the template.
4.7.3 Sample Selection
Once a sample size has been determined, each item to be sampled will be selected on the basis of
the following:
On a completely random basis and in such a manner that each item in the population has an
equal or known chance of being selected; or
However, an audit report should always be issued upon implementation of a project (see Section 9
Forms and Templates List). The format of this report will be non-standard in that the auditor is not
expected to raise new major issues and obtain management recommendations (as such matters
should have been resolved during the course of the project). Instead, the report should outline the
auditor's involvement, the auditor's conclusion, and list any issues that remain outstanding (but
which do not materially affect the project outcomes).
During the course of the audit, it may also be necessary to publish action memos where significant
control deficiencies or other issues require immediate management consideration.
5.3 Major Project Development Audit Working Papers
5.3.1 General
The auditor will maintain a file of documentation arising from, or produced as a result of, audit
involvement on the selected project.
This documentation should be structured in accordance with the Standard Audit Checklist referred
to above i.e. checklist at the front, followed by published audit report and other supporting papers.
It will not be necessary for the auditor to produce written working papers as evidence that the
checklist items have been addressed, however, a working paper file, as described above, should be
maintained (containing memos, correspondence, documents, plans etc).
5.4 System Documentation
5.4.1 Introduction
The system documentation described below may be produced in support of major project
development audits undertaken, where considered necessary.
This documentation will be produced and maintained on the Internal Audit Area's LAN J drive
directories.
This documentation is as follows:
System Description
Management trails.
7.0 Miscellaneous
7.1 LAN Permanent File Naming Standards - Effective 1 May 2003 to 30 June 2012 (now replaced by CCH
TeamMate)
7.1.1 General
During the course of an audit, the auditor may develop permanent documentation (flowcharts,
audit programme, a system description etc) which will need to be retained and updated at the next
audit.
This documentation is to be stored on the LAN to ensure it is available for the auditor the next time
an audit is conducted.
Within the Permanent Files subdirectory are further subdirectories.
Each of these subdirectories is identified by a two character alphabetic code e.g. MG (for
Management and Governance) represents a subsection of the Audit Universe. Therefore, all
auditable areas in the MG section of the Audit Universe will have their permanent information
stored in the MG subdirectory of the Permanent Files subdirectory.
Permanent files will be stored as Word, Excel etc files in subdirectories, using a standard naming
format i.e. XX.YY.FCC, where:
XX = the two character alphabetic code representing the appropriate section of the Audit
Universe e.g. MG, US, GR etc
YY = a unique two digit numeric to identify a separate auditable area within the relevant section
of the Audit Universe e.g. MG.10 represents an audit called Corporate Governance and
Leadership, SM.10 represents an audit called Library and Information Services etc.
CC = two numeric digits, in the range 01 - 99, representing a unique document number.
Multiple successive versions of audit programs will be identified by these two digits.
The audit programme for the audit of the Copyright Act would be stored in the LR
(Legislative/Regulatory Compliance) subdirectory of Permanent Files as LR.10.P01, while the Risks
and Controls would be stored as LR.10.A01
The audit programme for the audit of Expenditure Controls would be stored in the FA (Financial
Activities) subdirectory of Permanent Files as FA.21.P01, while two sets of flowcharts would be
stored as FA.21.F01 and FA.21.F02
Note: With the implementation of the CCH TeamMate electronic working papers system, the above
arrangements will eventually be phased out.
7.2 Important LAN Directories/Files
7.2.1 Subdirectories
All Internal Audit Area LAN data is stored on J drive.
Data is stored in accordance with University recordkeeping standards.
The subdirectories of importance are:
Most requirements for certification are governed by contracts, procedure manuals or legislation
which set out the format and frequency of certifications as well as defining exactly what is being
certified. They can also define who is qualified to sign the certificate.
8.1.2 Preferred External Service Providers
Where such an audit is required, it is standard procedure (from 1 March 2007) that the work should
not be undertaken internally (unless there is a specific requirement for Internal Audit to provide
such an audit opinion).
This type of audit is not covered within the scope of work described in the Internal Audit Charter. In
addition, the provision of audit certificates, particularly to external bodies, may create a legal
liability for the University should the opinion offered later be found to be incorrect or deficient.
The University has access to preferred external suppliers of such services who will provide a quote
for the work to be done (on a fee for service basis). Information concerning these service providers
is available on the Strategic Procurement website.
8.2 Special Investigations
8.2.1 Introduction
Special investigations will be conducted with the urgency and priority established at the time the
investigation is requested or the circumstances determine.
From time to time, the Internal Audit Area may be called upon to perform special investigations.
These, unfortunately, often relate to investigating an incidence of fraud or other type of
misconduct, as described under the Corruption and Crime Commission Act 2003 (WA). In such
cases, the Professional Standards and Conduct Unit may contact Internal Audit and request that an
investigation be done in relation to an allegation of staff misconduct.
However, they may also be urgent investigations of an aspect of operations which do not fit the
"traditional" definitions of compliance audits (e.g. investigating the effectiveness of destruction of
confidential documents) and cannot be scheduled as part of the normal audit program. In these
cases, an Internal Auditor will be contacted to perform the investigation.
In all cases, the Chair of the Audit Committee is to be notified and permission sought for the work to
be done (as per resolution made at the Audit Committee meeting held on 14 November 2003).
9.4.5 Hardcopy Cover Sheet for Official Records File (one page)