IA Manual

Ver. No. 1.
00 Release Date: Internal Audit Manual

Rev. No. 0 Revision Date: Page 4 of 51
1. Document Information
Document Internal Audit Manual
Version Version 1.00
Department Internal Audit
Status
Approved By
Approval Date
Effective Date
Distribution
Controlled Copy. Do Not Duplicate For Internal Use Only

Ver. No. 1.00 Release Date: Internal Audit Manual
2. Revision History
Description of
Date Version Name Designation
Change

3. Introduction
Purpose of the Manual
3.1 The purpose of the Internal Audit Manual (the Manual) of Internal Audit Department
(IAD) is to set out internal audit policies and procedures and to provide essential
guidelines to the internal audit staff in performing the internal auditing activities at
Program Management and Implementation Unit (PMIU). The Manual will ensure the
conformance of IAD with the International Standards for the Professional Practice of
Internal Auditing (Standards) issued by the Institute of Internal Auditors (IIA).
3.2 The Manual is intended to achieve the following objectives:
 To establish policies and standards for the planning, performance, and reporting of
audit work to meet the IIA standards.
 To establish procedures and guidelines to assist staff members in adhering to these
standards.
 To help achieve consistency in internal auditing activities and internal audit project
execution.
 To support the on-boarding and training of new internal audit staff.
Responsibility for Implementation
3.3 The Internal Auditor shall have the overall responsibility for the implementation of the
Manual.
Custody and Confidentiality
3.4 The Manual shall remain in the custody of the Internal Auditor and Assistant IA. This is
a confidential document and shall be kept secured by each of the recipient. The right
for copy and its distribution is reserved with the Internal Auditor.
3.5 No recipient of the Manual is allowed to make a copy without obtaining formal approval
from Internal Auditor. Access to the Manual is not allowed to any external party except
with the prior approval of the Internal Auditor.
Distribution
3.6 It is the responsibility of the Internal Auditor to ensure that the copy of the Manual has
been provided to Assistant IA and other staff of IAD (if any).
Revision of the Manual
3.7 The Manual is a live document and will be updated on a periodic basis. It will be
amended as and when any changes occur that make it essential for its revision.
3.8 The review and updating of the Manual shall be an on-going process to ensure
continuous alignment with PMIU’s functions and SBEP’s strategies and objectives. The
responsibility for keeping the Manual up-to-date remains that of the Internal Auditor.
He shall initiate all revisions to the Manual and ensure that the revised pages showing
authorized changes have been circulated to all recipients of the Manual.

Version Control
3.9 The Version of the Manual is mentioned at the top of each page. All the revised pages
will show the version number in accordance with number of revisions made as illustrated
below as this will help maintain record of all changes made in the manual subsequently.
3.10 Version number consists of two parts – the number before the decimal point denotes
the version number of the entire Manual (Version No. 1.00) whereas the number after
the decimal point represents revision of sections and pages (Version No. 1.00).
3.11 Any minor amendment shall be issued as revision and only affected pages shall be
replaced. Version number(s) is in continuous increments of .00 (Ver. No. 1.01).
Sequential control is maintained through revision history and control sheet.
3.12 A new version shall be issued in circumstances where cumulative revisions exceed
approximately 30% of pages of procedural sections.
3.13 The Revision number after decimal is reset to “00” with issuance of each new version
(e.g. Version No. 2.00).
Charter of Internal Audit and Audit Committee
3.14 Charter of Internal Audit and Audit Committee has been separately developed and
approved by Audit Committee of PMIU.

4. Organizational Structure
Structure of IAD
Program Steering
Committee
Audit Committee
Program Director
Internal Auditor (IA)
Assistant Internal Auditor

5. Internal Audit Risk Assessment

5.1 On an annual basis, IAD shall conduct a formal risk assessment of PMIU to understand
and document the risk environment and to develop the Internal Audit Plan (IAP). IA
shall lead the annual risk assessment process and Assistant IA shall participate in the
process.
Developing the Audit Universe
5.2 It is vital to develop the Audit Universe of PMIU and ensure its completeness before
initializing the risk assessment process. An Audit Universe represents the potential
range of all audit activities that can be audited by the IAD.
5.3 The Audit Universe shall cover all processes, entities, technology platforms, and
systems. IAD shall use the following types of information to develop, understand and
maintain the Audit Universe:
 Organizational structure including departmental charts/organograms

 Geographical locations
 Financial Reports
 IT systems, platforms, applications
 Information from management discussions
 Regulatory requirements
 Policies and SOPs of PMIU
 Previous audit work
5.4 IAD shall assess the above information to develop/re-confirm the Audit Universe. As a
minimum, this shall be done at least annually; however, IAD shall also take into account
any material changes in the PMIU continually throughout the year.
Ownership and Maintenance of the Audit Universe
5.5 IA shall ensure the completion and updating of Audit Universe with the help of the
Assistant IA. He shall discuss the Audit Universe with the Program Director and obtain
his/her concurrence on its completeness and accuracy. Audit Committee shall also
review the Audit Universe at the time of approval of the IAP.
Risk Assessment of Audit Universe
5.6 IAD’s risk assessment methodology consists of three phases with the overall objective
of developing an integrated, risk based and focused IAP. Below are the three phases
and corresponding activities for each of them:
Phase I: Planning
 Develop list of key management personnel to be interviewed

 Meet with the Program Director to understand the current priority risks and focus
areas, obtain updated PMIU-wide risk assessment documentation as necessary to
support the planning process, and assist with preparation for management
interviews
 Obtain and review prior year risk assessment documentation and results.
 Schedule interviews with various functional heads

Phase II: Conduct Risk Assessment Interviews
 Conduct risk assessment discussions with the management

 Obtain the following information during interview sessions with functional heads and
process owners:
o An updated overview of the function area identifying the notable changes
therein
o Primary risks related to their area of activity and
o Areas where they would recommend an internal audit
 Compile risk assessment interview summaries and analyze results
Phase III: Analyze and Score Risks
 Based on the risk assessment, assign a numeric rating for each audit activity based
on various risk factors
 Rate each audit activity into High, Medium, and Low, based on the risk scores
Risk scoring methodology is given in Annexure A.

6. Development of Internal Audit Plan (IAP)

6.1. IAD shall prepare an IAP based on risk assessment carried out in accordance with the
guidance provided in the previous chapter. The objective of the IAP is to provide a scope
of audit activities to be covered by the IAD in the Audit Universe and to ensure that critical
activities of PMIU having high risk are given more audit frequency relatively to medium
and low risk activities.
6.2. IA shall ensure that adequate understanding of the PMIU’s functions and general
activities, applicable laws and regulations, and controls designed by management
thereon has been obtained.
Contents of IAP
6.3. IAP generally includes the following information:
Audit Calendar
Audit Calendar is a break-down of Audit Universe which identifies timeline and

frequency of each audit activity. The frequency of each audit activity is determined
according to risk rating assigned to it during the phase of risk assessment.
Human Resource Budget
IAP shall also ensure that resources of IAD are allocated to important auditable areas
and audits are completed expeditiously. For this, it is important to include a human
resource budget in the IAP. It identifies the man-hours required by the IAD to complete
each audit engagement in the IAP economically, effectively and efficiently. When
developing human resource budget, IA shall consider the following:
 Skills and qualifications of Assistant IA to carry out audits as per IAP

 Involvement of external consultants, if any
 Time allocation for training and development of Assistant IA
 Time allocation for carrying out other administrative tasks
 Time allocation of any surprise audit/special requirement of USAID or GoS
Review of IAP by IA
6.4. On completion, IA shall review the IAP and ensure that:
 Auditable activities/processes are justified, based on the risk assessment

 The selection of requested engagements is appropriate
 The work plan is achievable and IAD has competencies required to conduct the audit
 Priority is given to higher risk areas
Sharing of Draft IAP with Program Director
6.5. When IA is satisfied that the IAP has been properly compiled, he shall submit a draft
version of IAP to the PD for their input. IA shall make required changes in the IAP (if
any) based on input received from PD.

Approval of Audit Committee & Monitoring of IAP
6.6. IA shall submit the IAP to the Audit Committee for its input and approval. IA shall also
update the Audit Committee on the status of implementation of the IAP on regular
basis.
Engagements Requested by Audit Committee
6.7. The IAP is primarily based on risk assessment of Audit Universe but IA may consider
inclusion of audit engagements in IAP that are not initially covered, on recommendation
of Audit Committee.
IA shall document reasons for the selection of such audit engagements which inter alia,
may include:
 Request from Audit Committee

 Emerging issues
 Insufficient past oversight coverage
 High monetary value
 Follow-up audit (on high risk recommendations).
6.8. A template of IAP is attached in Annexure B.

7. Internal Audit Engagement Plan

7.1. IA shall be responsible for planning and conducting the individual audit assignments
with appropriate supervisory review and reporting. The responsibilities for planning,
execution of work, supervision, review and reporting are clearly described in
engagement plans prior to the commencement of the fieldwork.
7.2. The development of engagement plan consists of following steps:
 Preliminary assessment
 Preparation of engagement plan
 Approval of engagement plan
Preliminary Assessment
7.3. Before preparing an engagement plan, the audit team shall meet and make a
preliminary assessment of audit activity for identifying its critical risks, which need to
be covered in the audit in order to achieve the audit objectives. Preliminary assessment
helps in identifying the key areas and in planning the audit procedures.
7.4. The objective of this exercise will be gathering an initial understanding of the
procedures, the size, the objectives and scope, and existing controls at PMIU thereon.
Audit team shall consider following information to gain understanding about the audit
activity:
 Policies & procedures manual

 Planning documents
 Management reports
 Laws and regulations
 Organizational structure
 Audit programs & prior year audit working papers
Preparation of Engagement Plan
7.5. Based on the understanding of audit activity achieved through preliminary assessment,
AIA shall prepare an Engagement Plan before any fieldwork is started. The purpose of
Engagement Plan is to provide information regarding the activity, its audit objectives,
scope of work, areas of audit concentration, any special concerns or considerations,
name of audit team and time budget.
7.6. While preparing an Engagement Plan, elements of materiality and relative risk shall be
considered. IA shall focus on those areas where significant problems and deficiencies
are identified in the first phase.
7.7. Main contents of Engagement Plan are described in the following paragraphs:
 Name of the audit activity

 Comparative analysis of Key financial information
 Staff strength of audit activity with name of the key staff, their position with
designation and the date since they are working in PMIU

 Audit objectives and scope of work - Audit objectives are broad statements which
defines the intended audit accomplishment. They define the scope of the audit
staff’s work. They should address the risks associated with the activity under audit
and its assessment
 Critical risks/focus areas of audit activity
 Names of the audit team members and allocated tasks
 Other requirements of the audit, such as the audit period covered and estimated
completion dates, should be determined.
Template of Engagement Plan is given in Annexure C.
Approval of the Engagement Plan
7.8. IA shall review and approve Engagement Plan prior to the commencement of audit
fieldwork.

8. Execution of Audit Fieldwork

Communication of Commencement of Audit
8.1. Prior to commencement of audit, IA shall send an announcement memo/email to the

process owner. For information to be specified in the memo, refer template attached in
Annexure D
Kick-off Meeting with the Process Owner
8.2. Prior to commencing the audit fieldwork (or during the planning and assessment phase
if deemed necessary by IA for audit planning), audit team shall conduct kick-off meeting
with key process owners. Following areas shall be discussed during the meeting:
 Scope and objectives of the audit

 Broad level understanding of the system / function and established controls
 Organizational/departmental structure and management
 Audit approach
 Responsibilities and roles of process owners and audit team
 Focus areas
 Risks, challenges and constraints to be faced
 Engagement timelines
8.3. Minutes of the meeting shall be prepared by Assistant IA and retained in audit working
papers after review by IA. Template of minutes of Kick-off Meeting is attached in
Annexure E.
Understanding and Documentation of Processes to be audited
8.4. IAD staff shall obtain detailed understanding of the processes from the process owner
in order to identify risky areas in the process. It helps in identifying existing controls
designed and implemented in the process and to find out control weaknesses that are
required to be catered by designing additional controls.
8.5. IAD staff shall document understanding of the processes and sub processes obtained in
a narrative form which serves as a repository for future reference. Repository of well
documented system notes saves time of IAD staff as they are not always required to
read detailed SOPs of audit activity in case of change in team member or same audit is
being carried out in different periods, etc.
8.6. Assistant IA shall ensure that system notes are adequately prepared and filed in audit
working papers.
8.7. Following are guidelines for writing a system note:

Guidelines for Writing a High Quality System Note
Audit team is encouraged to follow below mentioned guidelines when drafting a system
note:
 Information to include:
o Who
o What
o When
o Where
o Why
 How to organize the document
o Chronologically go through the process.
o Use section headings when necessary.
o Be clear and concise.
o Use paragraphs and bullet points.
 Document facts only
 Document the process using designations/titles
 Name specific reports and systems to avoid any ambiguity.
Developing Audit Programs
8.8. An audit program is a detailed plan for the work to be performed during the audit. A
well-constructed program is essential to completing the audit in an efficient manner.
An audit program shall guide the audit team about the procedures to:
 Confirm the adequacy of the indicated design of controls

 Confirm the continued effectiveness of the operation of controls
 Evaluate the effects or potential effects of inadequately designed or missing controls
in order to develop recommendations for improvement
 Gather missing information needed to evaluate risks and their related controls and
the overall control environment
Contents of Audit Program
8.9. For each segment of the audit, the audit program shall at least contain the following
contents:
 Name of the audit activity

 Audit period – period covered in audit
 Control objective – aim, purpose or reason which management desires to achieve
 Control activity – internal controls designed by management to ensure achievement
of control objective
 Risk – the possibility that an event will occur and adversely affect the achievement
of control objectives

 Test steps – work steps required to test the design and effectiveness of control
activity
 Documentation – actual work done by the audit team i.e. performance of test steps
 Conclusion – results drawn by the audit team after testing internal controls
 Working paper reference – cross reference to audit work papers
 Initials – space for sign-off by preparer and reviewer of audit program
A template of audit program is attached in the Annexure F.
8.10. Assistant IA shall get the Audit program for each audit activity approved by IA.
8.11. IA shall reassess the risks and customize audit program when using a prior audit
program as a reference document in developing an audit program or adapting an audit
program from another similar audit. Using the same audit program without diligent
reconsideration may lead to overlook:
 Changes that have occurred in the functions/controls, and

 Opportunities to improve the internal audit process
Data Requisition
8.12. Based on initial understanding of the department/function and its systems and controls,
audit team shall identify list of required data/documents and send data requisition to
the process owner specifying the time by which such information should be provided.
These document/data serves as the basis of detailed working and verification of
different assertions and compliance checks.
Selecting Items for Testing to Gather Audit Evidence
8.13. When designing audit procedures, the audit team shall determine appropriate means of
selecting items for testing. The means available to the audit team are:
 Selecting all items (100 % examination) and

 Audit sampling
8.14. The decision as to which approach to use will depend on the IA’s judgment in the
particular circumstances after giving consideration to audit risk involved and audit
efficiency.
Selecting all items
8.15. Audit team may decide that it is most appropriate to examine the entire population. For
example, a 100% examination may be appropriate when the population constitutes a
small number of large value items, or when the repetitive nature of a calculation or
other process performed by a computer information system makes a 100% examination
cost effective.
Audit Sampling
8.16. Audit sampling involves the application of audit procedures to less than 100% of items
within a population so that all sampling units have a chance of selection. This will enable
the audit team to obtain and evaluate audit evidence about some characteristic of the
items selected in order to form or assist in forming a conclusion concerning the

population from which the sample is drawn. Audit sampling can use either a statistical
or a non-statistical approach.
8.17. There are several types of sampling methods that can be employed, on the basis of IA’s
judgment, to support corroborative inquiry as outlined below:
Sampling
Explanation Example
Method
The sampling units in the If the total numbers within population
Systematic population are divided by the are 100 and the sample size is chosen
selection sample size to give a sample to be 20 the resulting sample interval
interval will be 5.
The sample is selected without
using any structured technique. In the case of payments, the 15th
Random However, the IA should avoid any date and last date of each month are
selection bias and must ensure that all the selected. Then vouchers are selected
items of the population have an randomly without any bias.
equal chance of selection.
This method is based on the
auditor's sound judgment to select
Judgmental samples based on specific factors
sampling (i.e., value, age, relative risk,
representative characteristics of
the population)
Audit Testing
8.18. The audit team shall perform audit procedures known as ‘audit tests’ in order to get
audit evidence.
8.19. Audit team can perform following types of audit procedures:
Analytical Procedures
Analytical procedures mean the analysis of significant ratios, trends, fluctuations and
relationships that are inconsistent with other relevant information or deviate from
predicted amounts.
Analytical procedures include comparisons of the PMIU’s financial information with, for
example:
 Comparable information for prior periods

 Anticipated results such as budgets or forecasts
Analytical procedures also include consideration of relationships, for example, between

financial information and relevant non-financial information such as payroll costs to
number of employees.
Analytical procedures are useful in identifying, among other things:
 Differences that are not expected

 Potential errors
 Potential irregularities or illegal acts
 Other unusual or non-recurring transactions or events

Analytical procedures may be performed using monetary amounts, physical quantities,

ratios, or percentages.
Additional Audit Procedures
When analytical procedures identify unexpected results or relationships, the audit team
shall examine and evaluate such results or relationships by inquiring management and
applying other audit procedures until the audit team is satisfied that the results or
relationships are sufficiently explained.
Following other audit procedures can be performed for gathering audit evidence:
Inspection involves examining records or documents, whether internal

Inspection or external, in paper form, electronic form, or other media, or a
physical examination of an asset.
Observation consists of looking at a process or procedure being

Observation
performed by others
Inquiry consists of seeking information from knowledgeable persons

inside or outside PMIU, evaluating responses to those inquiries, and
Inquiry
corroborating those responses with the audit team’s knowledge of the
audit areas and other evidence obtained during the course of the audit.
An external confirmation represents audit evidence obtained by the

External audit team as a direct written response from a third party (For
Confirmation example, engineers involved in construction of schools or lawyers etc.),
in paper form or electronic medium.
Recalculation consists of checking the mathematical accuracy of

Recalculation documents or records. Recalculation may be performed manually or
electronically.
Developing Issue Sheet
8.20. After conclusion of audit testing, IA shall:
 Discuss all aspects of a potential audit finding with the process owners in order to
seek their input on potential solution
 Fully develop all audit findings using the Issue Sheet. (A template is attached in the
Annexure G)
 Work with process owner, where possible, to jointly develop improvement actions
to address the finding for incorporation in the recommendation. Discuss any items
requiring follow-up and document the process owner’s response to the finding.
8.21. The objective of the above is to confirm the accuracy of facts supporting the finding,
enhance the quality of the proposed improvement action, prevent any surprises in the
exit meeting, and thereby contribute to the success and sustainability of the
improvement action.

Attributes of Audit Findings
8.22. When drafting a finding, audit team should have clear understanding of the attributes
of a finding and their relationship. Each of these must come together to make a cohesive
and persuasive set of facts that merit the process owner’s attention.
Following are the attributes of well-developed audit findings:
Criteria
The legitimacy of finding increases if a criterion is identified, that is, "By what standards
was the finding judged? “It can be PMIU’s policies, procedures, guidelines, applicable
laws and regulations. It is important for audit team to research the criteria thoroughly
to ensure they are applicable. Audit team should simplify the language as much as
possible and refer precisely to relevant laws, regulations, and policies.
Condition
Condition often answers the question: "What is wrong?" IA shall compare the results
with appropriate evaluation criteria to form accurate “condition” and shall ensure that
the condition is concise, focused, adheres to the facts and refers to supporting evidence.
An example of an acceptable condition statement is: “Of the 25 sampled contracts

valuing over Rs. “x” million, 13 were not approved by PSC and were approved instead
by the Program Director."
Cause
This attribute identifies "Why did it happen?” meaning the reason for the factors
responsible for the difference between the situation that exists (condition) and the
required state (criteria).
Identification of the cause is a prerequisite to making meaningful recommendation(s)

for corrective action. The cause statement must address the root cause. Moreover, the
statement should be based on facts, not speculation.
If, for example, the audit team states the cause is lack of training or orientation, they
must be prepared to substantiate the statement with evidence.
Effect
This attribute identifies the real or potential impact of the condition and answers the
question: "What effect did/could it have?” These are frequently expressed in
quantitative terms; e.g. value, quantities of material, number of transactions, or
elapsed time.
Accurate evaluation of the real or potential effect is crucial in determining the effort,
resources or control that should be applied to improve the situation, as well as in getting
management’s buy-in on the issue.
While audit team may merely state that the process owner is not complying with a
particular law, regulation, or policy, it is advisable to specify the actual or potential
effect of the non-compliance.
For example:
 Fines and penalties
 Possibilities of lawsuits

 Loss or exposure to fraud and collusion.
An example of an effect statement is: “If the PMIU’s contracts continue to sign without
appropriate authorization, the risk increases that PMIU could be subject to obligations
beyond its ability to meet or that the purchases are not aligned with Program’s needs
or objectives."
Recommendation
This final attribute identifies "What should be done?” i.e. suggested improvement
action. The relationship between the audit recommendation and the underlying cause
should be clear and logical.
The quality and sustainability of the improvement action will be significantly enhanced
if the process owner is brought into the discussion and takes part with internal audit in
jointly developing the solution.
More generalized recommendations (e.g., greater attention be given, controls be

reemphasized, a study be made, or consideration be given) should be avoided, although
they are sometimes appropriate in summary reports to direct top management's
attention to specific areas.
Unless benefits of taking the recommended action are very obvious, they should be
stated. Whenever possible, the benefits should be quantified in terms of lower costs,
or enhanced effectiveness or efficiency. The cost of implementing and maintaining
recommendation should always be compared to risk.
Close-out Meeting with Process Owner
8.23. IA shall be responsible for scheduling the close-out meeting with the process owner on
the last day of fieldwork. The goals of this meeting are to share audit findings with
process owner, reach final agreement on findings and finalize planned improvement
actions. Process owner can also update on any actions already taken.
8.24. IA shall review the audit objectives, scope, and reporting process with the process
owner before discussing the audit findings.
8.25. Assistant IA shall document all discussion during the meeting and prepare minutes of
meeting including Summary sheet for each finding discussed during the meeting. These
minutes shall also be retained in audit working papers.
Template of minutes of exit meeting is provided in the Annexure H.

9. Internal Audit Report

9.1. Internal audit reports are the IAD's opportunity to get management's undivided
attention. Each internal audit report shall be circulated to the process owner, Program
Director and Chairman of the Audit Committee and Program Steering Committee.
9.2. The purpose of this chapter is to provide guidance to IAD staff regarding the contents
of the internal audit reports and its distribution to key stakeholders.
Contents of the Internal Audit Report
9.3. An internal audit report shall include all of the following sections:
Content Description
It identifies the scope and objectives of audit engagement,
Introduction areas and period covered and approach used for testing of
internal controls.
A brief description of audit activities and processes involved
Audit Activity is given to provide overview of the processes to reader of the
report.
Executive It provides high level summary of findings/recommendations
Summary and conclusion reached from audit.
Detailed findings,
This section provides detailed findings with risk,
Risks and
recommendations and action plan provided by management.
Recommendations
This section includes:
 Detailed analysis, calculations and instances to support
Appendices detailed observations.
 Criteria for rating of internal audit report
 Criteria for risk rating of individual findings
Criteria for Rating of Internal Audit Report
9.4. IAD shall assign each internal report, one of the following rating to facilitate comparison
between reports:
Rating Definition
The majority of expected controls are in place and operating

effectively. Represents an assessment of a control environment
Satisfactory
that is appropriate and supports management’s objectives for
the process subject to review.
Medium priority for management to address. Represents an

Needs assessment of a control environment that broadly supports
Improvement management’s objectives but has further opportunities for
improvement.
High priority for management to address. A high number of

individually significant control deficiencies exist where the
Unsatisfactory potential financial, operational or reputation risk exposure within
the context of the specific audit area is significant. Management
should develop an urgent action plan to address these issues.

Criteria for Risk Rating of Individual Findings
9.5. IAD shall also assign each audit issue, a priority rating based on following criteria to
establish its criticality:
Rating Definition
 Matters that are fundamental to the system of internal controls

 These may cause a Program’s objective not to be met or leave a risk
High
unmitigated
 Such matters need to be addressed as a matter of urgency
 Matters that have an important effect on controls but do not require

immediate action
Medium  Program’s objective may still be met in full or in part or a risk
adequately mitigated but the weakness represents a significant
deficiency in the system.
 Issues that, if corrected, would improve internal control in general but

are not vital to the overall system of internal control
Low
 Such issues focus on improvement in efficiency of processes as well
as management & control of risk
9.6. A template of Internal Audit Report is attached in Annexure I.
Draft Sharing with Process Owner
9.7. Assistant IA shall prepare a draft report based on the findings discussed with process
owner in the close-out meeting. IA shall carry out preliminary review of the draft report
before sending it to process owner for comments and action plan.
Finalization of Action Plan
9.8. IA shall ensure that the process owner provides justified comments and action plans
against each of the findings in the draft report.
9.9. If process owner disagrees with any of the finding or Assistant IA is not satisfied with
the provided responses, he shall discuss it with the IA for appropriate action.
9.10. IA, after evaluating the responses, may request the process owner to send their revise
responses for inclusion in the final report. If the process owner refuses to do so, IA may
still include the finding in the final report after including justification in the form of
“Auditor’s Response to Management Comments” accordingly. These findings shall
be separately discussed in the Audit Committee for appropriate action plan.
9.11. In case the process owner does not provide management comments and action plan
within 10 working days of issuing the draft report, IA shall issue the final report after
sending an email to the process owner.
9.12. IA shall review the final internal audit report before its distribution.
Report Distribution
9.13. Final reports shall be distributed to the process owner with direct responsibility for the
facility, function, or department audited with a copy to Program Director and Chairman
of the Audit Committee and Program Steering Committee.

Follow-Up of Previous Findings
9.14. In order to determine that the process owner has taken corrective action on
recommendations, a log of findings with their target implementation dates shall be
maintained.
9.15. Assistant IA shall carry out follow-up of all open audit findings of prior period with
overdue target implementation dates. IA shall communicate the status of all audit
findings to respective process owners on monthly basis.
9.16. IA shall ensure that open findings are closed after obtaining sufficient appropriate
evidence from the process owner confirming the same. Status of all closed findings shall
be circulated to the Program Director and process owner.
9.17. A summary follow-up report shall be prepared by IAD which reflects all prior period
findings with their status. IA shall submit such follow-up report to the Audit Committee
on regular basis.
A template of follow-up report is attached in the Annexure J.

10. Audit Working Papers

10.1. Internal audit work papers should be prepared in a professional manner and should
meet acceptable standards. Internal auditing performs many different types of internal
audits having different objectives. The inherent variety of internal audit work performed
requires some flexibility in the content and format of work papers. However, the
minimum standards contained herein will help ensure that all work papers prepared by
IAD will meet acceptable standards in the following areas:
• Content;
• Uniformity;
• Neatness;
• Accuracy; and
• Documentation.
Purpose
10.2. The purpose of work papers is to compile and document all information related to the
objectives of the internal audit. Work papers aid the IAD in the conduct of internal audit
work by:
 Providing a basis to adequately plan and control the internal audit effort;
 Providing a means to logically organize and analyze evidence gathered; and
 Facilitating the preparation of the Internal Audit Report.
Organization
10.3. Work papers should generally be organized into a permanent file (see discussion of
permanent files below) and a current file. Permanent files maintain ongoing information
which is relevant to more than just the current audit. Current files contain work papers
which support the current audit being performed.
Permanent Files
10.4. Permanent Files contain information that is relevant and of interest to the IAD on a
continuing basis. The file should contain data that need not be recreated during each
audit. For each new audit, the information should be acknowledged as containing no
change, or be updated for change. Accordingly, a Permanent File should be an effective
audit tool which, once prepared, allows the audit to progress in an efficient and
organized manner.
Examples of items that should be included in a Permanent File are:
 Organization/Departmental Chart - showing the personnel responsible for the
system of internal accounting control and the existing lines of authority.
 Flow Chart/System Understanding - explaining the document function and flow
of each significant process.
 Previous Internal Audit Reports - documenting previous audit findings.
 Copies of Department Documents - schedules, charts, etc.
 Control Copies - of the audit programs pertaining to the given audit area.
 Any other information that is considered to be of continuing nature
A standard filing convention to be used for common work papers found in permanent
files.

Current Files
10.5. Working papers will be produced for each internal audit performed. These papers will
clearly display all activities related to a particular internal audit including planning
procedures, testing performed, findings which resulted from this testing, and disposition
of these findings.
The work papers should follow a standard format to increase audit efficiency by reducing
preparation and review time. Depending upon the type of internal audit project, the
format of the work papers may vary substantially.
Included in the “detailed work papers” is the testing performed, process narratives,
schedules and any other documentation the IA believes is necessary to adequately
support any conclusions or comments.
Additionally, the work papers should document the completion of all procedures outlined
in the AP. Each work paper should include, at a minimum, the following information:
 Purpose - the reason the work paper is included in the file;

 Source - where the work paper or information was obtained;
 Scope - the extent of the testing performed, number of items tested, etc.;
 Conclusion - represents the evaluation of the test results or analysis within the
work paper;
 Testing performed;
 Signature of the preparer the work paper and the completion date; and
 Heading which describes the contents of the work paper
Documentation of the Preparation/ Review
10.6. Every work paper should be signed off by the preparer, upon completion of all audit
work. All work papers should be initialed and dated by IAD’s management upon their
review. This signoff will indicate that management has reviewed and approved all work
presented on that particular work paper.
The IA must review all working papers. Review of working papers will be indicated by
the reviewer's initial and date (month, day and year) of review in the upper right-hand
corner of each working paper.
Working papers for a particular section of an audit program will be reviewed at the
completion of that section by IA in a Status Meeting. In addition to this review, the
department head should be contacted and the observations shall be discussed with him
/ her.
The reviewer should examine the working papers for both form and content and
document the review. The reviewer should write appropriate notes on review sheets to
address any questions, changes or additional work needed.
The preparer must address the review notes to the reviewer's satisfaction before the
working paper package is finalized.

Annexures
Annexure A - Risk Model
Each audit activity shall be rated on below mention various elements of risk (explained below)
and each element shall be assigned a numeric rating of 1 to 3 indicating:
1 = probably not a problem

2 = possibly a problem
3 = probably a problem
Risk assessment of each identified auditable process/activity shall be done on the basis of
following factors:
S. No Risk Factor Brief Definition

This factor represents the materiality of an audit
1. Scope of PMIU’s Activities
process for the purpose of the audit.
The number and/or significance of the control
2. Prior Audit Findings
deficiencies identified in the previous audit.
This represents an assessment of the inherent risk of
3. Inherent Risk
auditable process i.e. what potentially can go wrong.
The control environment represents the policies &
4. Control Environment procedures, physical safeguards, employees in place
and tone at the top.
It represents changes within the audit entity including
Changes in
5. re-organizations, growth, new systems or new
People/Systems
regulations etc.
This risk factor reflects the potential for errors or
6. Complexity misappropriation to go undetected because of a
complicated environment.
Risk Scoring Table

Inherent Risk
Environment
Total
Prior Year’s
Complexity
Changes in
People or
activities
Scope of
Findings
System
Control
PMIU's
Audit
Low 6-9
Auditable Activities
Med 10-13
3 – High to 1 – Low High 14-18

Annexure B –Internal Audit Plan
1. Introduction
1.1 The mission of the Internal Audit (“IA”) function is to help PMIU manage business risk
and to provide the Audit Committee of the Program Steering Committee (PSC)
(hereinafter called “Audit Committee”) and all levels of management with information
to assist them in the establishment and maintenance of an effective system of internal
control. The purpose of IA is to assist members of the PMIU in the effective management
of their responsibilities by furnishing independent and objective analyses, appraisals,
recommendations, counsel and information concerning the activities reviewed and the
adequacy of the PMIU’s overall control environment.
1.2 The objective of developing IAP is to compile a schedule/program of work that

establishes the cycle for recurring internal audits and determines, at a high-level,
individual scope of work for all internal audits to be undertaken in a given period.
1.3 IAP has been developed in compliance with the requirements of the International
Standards for the Professional Practice of Internal Auditing issued by the Institute of
Internal Auditors (IIA), which requires internal auditors to plan the audit activities based
on the assessment of program-wide risks
1.4 Through IAP, areas of risk have been incorporated into the risk-based internal audit
plan. By performing internal audits, Internal Audit Department of PMIU will provide
assurance to Audit Committee and the Program Steering Committee (PSC) on the
design and operation of controls, validate that whether reliance on existing controls is
acceptable, and recommend control improvements.
1.5 The broad objectives of internal audit encompass the following:
 Review of the effectiveness and efficiency of PMIU’s operations to ascertain whether

the operations are being carried out as intended and the results are consistent with
established plans and objectives of GoS and USAID.
 Review of the systems established by PMIU to ensure compliance with requirements

of applicable laws, regulations, internal policies and plans that could have a
significant impact on PMIU’s operations and reports, and determine whether PMIU
is in strict compliance.
 Communicate to the Audit Committee the impact of resource limitations and

significant interim changes and the plan will be developed based on a prioritization
of the audit universe using a risk-based methodology, including input of the Audit
Committee

2. Audit Universe and Risk Assessment

Audit Universe
2.1. Based on broad understanding of PMIU’s activities, following auditable areas have been
identified:
1) Entity Features
2) Information Technology
3) Human Resources
4) Procure to Pay
5) Financial Management
6) Monitoring and Evaluation
Risk Assessment Methodology
2.2. Each audit activity shall be rated on below mention various elements of risk (explained
below in para 2.3) and each element shall be assigned a numeric rating of 1 to 3
indicating:
1 = probably not a problem

2 = possibly a problem
3 = probably a problem
2.3. Risk assessment of each identified auditable process/activity shall be done on the basis
of following factors:
S.
Risk Factor Brief Definition
No
Scope of PMIU’s This factor represents the materiality of an audit

1
Activities process for the purpose of the audit.
The number and/or significance of the control

2 Prior Audit Findings
deficiencies identified in the previous audit.
This represents an assessment of the inherent risk
3 Inherent Risk of auditable process i.e. what potentially can go
wrong.
The control environment represents the policies &
4 Control Environment procedures, physical safeguards, employees in
place and tone at the top.
It represents changes within the audit entity
Changes in
5 including re-organizations, growth, new systems
People/Systems
or new regulations etc.
This risk factor reflects the potential for errors or
6 Complexity misappropriation to go undetected because of a
complicated environment.
Risk Scoring Table
2.4. The table below represents the score (as mentioned in para 2.2) against each process
based on which the risk levels i.e. High, Medium and Low have been determined for
each activity.

Total
Audit Findings
Inherent Risk
Environment
Prior Year’s
Complexity
Changes in
People or
activities
Scope of
System
Control
PMIU's
Low 6-9
Auditable Risk
Activities Med 10-13 Level
3 – High to 1 – Low High 14-18

3. Internal Audit Plan [Year]

3.1. Based on risk levels determined in Section 2, frequency of audit is scheduled as
follows:
Year 2xxx
S. Risk
Auditable activity Quarter Quarter Quarter Quarter
No. Level
1 2 3 4
1
2
3
4
5
6
7
8
Further, the risk levels so determined may be revised on the basis of any
information/evidence obtained during the course of our audit activity.
Risk levels shall be categorized as High, Medium and Low and highlighted as follows:
High
Medium
Low

4. Audit Resource Plan

Plan
4.1. Estimated time required to achieve internal audit plan:
IAD Human Resource

S. Risk
Auditable activity IA AIA ….. Total
No. Level
Man-days
Quarter 1
1
2
3
4
…
Subtotal
Quarter 2
6
7
8
…
Subtotal
…
…
Total

Annexure C - Engagement Plan
Audit Activity:
Period Covered: WP Ref:
Date:
Relevant Financial Information
Corresponding Period
Current Year to Date Inc. / Dec
Particulars Last Year
a b C=a-b
Key Management Personnel
Name Designation
Audit objectives
Audit Scope
Major Risks Involved
Audit Team
Name Designation Budgeted Time Allocated Tasks

Audit Time Table
Particulars Date
Start of Audit
Close Out Meeting
Issue of Draft Report
Issue of Final Report
Sign off
Name Signature
Prepared By
Reviewed By

Annexure D – Audit Announcement Memo or Email
To Process owner Date :

From Internal Auditor
Subject Commencement of Audit of (mention name of Auditable Activity)
IAD has planned to commence the audit of (Audit Activity) as per the Audit
Committee’s approved Audit Plan.
Audit Period
The audit covers the period from (……) till (……)
Audit Scope
The scope of our audit includes following areas:
a) ……………
b) ……………
c) ……………
Audit Team
Name Designation
Audit Time Table

Particulars Date
Start of Audit
Close Out Meeting
Issue of Draft Report
Issue of Final Report
We would like to see you for a kick-off meeting to discuss the focus areas of auditable
activities on audit commencement date i.e. [enter date]. Kindly, communicate the
commencement of internal audit to relevant personnel.
At the completion of field work, the audit results will be shared and discussed with you
and other concerned personnel before submission of the draft report for management
comments. The report will be finalized after obtaining management comments and
action plan along with the target implementation date in writing.
We look forward to a smooth audit with your assistance and co-operation.

Annexure E – Minutes of Kick-off Meeting
Audit Activity:
Period Covered WP Ref
Venue:
Prepared By Date
Agenda:
Scope & Objectives of the Engagement:
Expectation of Process owner and Focus Areas:
Roles & Responsibilities of Process owner:
Participants:
Name Signature
IAD Staff
Process Owner

Annexure F - Audit Program
Audit Activity:
Period Covered:
Prepared By: Date:
Reviewed By: Date:
Control Control Audit

Risk Test Steps Conclusion W/P Ref
Activity Objective Documentation

Annexure G – Issue Sheet
Audit Activity:
Prepared By Date
Reviewed By Date
Issue Issue Title:

No.
Criteria
Condition
Cause
Effect
Recommendation

Annexure H – Minutes of Exit Meeting
Audit Activity:
Venue:
Prepared By Date
Agenda:
Pending Data (If any):
Findings & Comments of the Process owner

Comments of
Audit Findings Recommendation W/P Ref:
Process owner
Participants:
Name Signature
IAD Staff
Process Owner

Annexure I – Internal Audit Report
Program Management and

Implementation Unit
Internal Audit Report on
_______
[Month of Issue]

Header: (To-be repeated on each page)
[ Logo] [Name of Report]
Contents
1. Introduction [pg.]
2. Description of In-Scope Processes [pg.]
3. Executive summary [pg.]
4. Detailed findings, risks and recommendations [pg.]
5. Appendices [pg.]
Footer: (To-be repeated on each page)
[Page # of #]

1. Introduction
This section identifies the scope and objectives of audit engagement, areas and period
covered and approach used for testing of internal controls.
For e.g.
This report is prepared based on the internal audit of “Name of Audit Activity” of Program
Management and Implementation Unit (hereafter to be referred as PMIU) carried out in
accordance with the approved Internal Audit Plan.
The previous internal audit report of “Name of Same Audit Activity” was issued in [Month]
Year 20XX and was rated as “Satisfactory”. The current audit covered a period of [No of
months] months from [Month] 20XX to [Month] 20XX.
Audit objective
The broad objective of the audit was to assess the internal control system surrounding
selected processes with a view to achieve the following:
 Effectiveness and efficiency of PMIU’s functions;

 Reliability of financial information; and
 Compliance with laws and regulations applicable to the PMIU and other internal policies.
Extent of Verification
The audit was performed on test basis, using one of the sampling approach; therefore,
issues highlighted in this report are those that came to our attention during our review and
do not necessarily present a comprehensive view of all the weaknesses/improvement areas
that may exist. Management should assess our recommendations from the perspective of
Program’s objectives before they take actions for implementation.
Areas Covered
Following areas were covered during the audit:
Audit Activity 1
Audit Activity 2
Audit Activity 3

2. Description of In-scope Processes

This sections contains a brief description of audit activities and processes involved to
provide overview of the processes to reader of the report. Information on following areas
may be provided here:
 Structure and Composition of the Division / Function
 Core responsibilities of the Department
 Brief description about the process flow
 Major Reports and documents prepared
 Key financial information

3. Executive Summary
Summary of findings and recommendations
A brief of findings and recommendations resulted from our internal audit are provided
as under:
Sr. Ref Priority

Findings and recommendations
No. # Rating
1.
2.
3.
4.
5.
Please refer Appendix I of the report for the description of Priority Ratings.
Overall audit rating
Based on the assessment of internal control systems surrounding, the audited activity is
rated as “______”. Please refer Appendix II for the description of term “Satisfactory”,
“Requires Improvement” and “Unsatisfactory”.

4. Detailed findings, risks and recommendations
Priority
4.1 [Issue title describing crux of finding] Rating
[ ]
Finding
In this section describe three attributes of finding in paragraph form. The major content
of finding will be obtained from issue sheet / exception log discussed with the process
owner.
 Criteria
 Condition
 Cause
The finding must be in narrative form and should not contain heading Criteria,
Condition and Cause.
Risk / Impact
Describe risk of the finding in this section, quantifying its impact as well wherever
possible.
Recommendation
“What should be done” to rectify the issue, should be provided here.
Management Comments and Action Plan
Process owner’s feedback and action plan on the issue is provided here.
Responsible person Targeted implementation date

5. Appendices
Appendix I
Internal Audit Report Classifications
Based on the review of the content of each report one of the following classifications are
assigned to facilitate comparison between reports.
Satisfactory
The majority of expected controls are in place and operating effectively. Represents an
assessment of a control environment that is appropriate and supports management’s
objectives for the process subject to review.
Needs Improvement
Medium priority for management to address. Represents an assessment of a control

environment that broadly supports management’s objectives but has further opportunities
for improvement.
Unsatisfactory
High priority for management to address. A high number of individually significant control
deficiencies or issues exist where the potential financial, operational or reputation risk
exposure within the context of the specific review is significant. Management should
develop an urgent action plan to address these issues.

Appendix II
Risk Rating for Individual Findings
High
Issues arising referring to important matters that are fundamental to the system of internal
control. We believe that the matters observed might cause PMIU’s objectives not to be met
or leave a risk unmitigated and need to be addressed as a matter of urgency.
Medium
Issues arising referring mainly to matters that have an important effect on controls but do
not require immediate action. PMIU’s objectives may still be met in full or in part or a risk
adequately mitigated but the weakness represents a significant deficiency in the system.
Low
Issues arising that would, if corrected, improve internal control in general but are not vital
to the overall system of internal control. Low priority issues will also focus on opportunities
to improve efficiency of processes as well as the management and control of risk.

Annexure J – Follow up Report
Program Management and

Implementation Unit
Follow-up of Internal Audit Reports for the
Half Year Ended on _______
[Month of Issue]

Header: (To-be repeated on each page)
[ Logo] [Name of Report]
1. Executive Summary
Introduction
We are pleased to submit Follow-up Report on Name of “Audit Activity”. The original report was submitted on…………………….. We
only checked implementation status of recommendations given in the said report through performance of follow up procedures.
Following table provides an overview of current implementation status:
Internal Audit Partially Not

Total Findings Implemented In Process
Report on Implemented Implemented
Report name 1
Report name 2
Report name 3
Summary of Open Findings
A summary of open findings is given below:
Target Revised
S. Person
Findings /Recommendation Implementation Implementation
No. Responsible
Date Date

Footer: (To-be repeated on each page)
[Page # of #]

2. Follow-up on Audit Observations
Target Follow-up Revised Target
Finding / Management Current Follow-up
Implementation Management Implementation
Recommendation Comments Status Audit Remarks
Date Comments Date

IA Manual

Uploaded by

Copyright:

Available Formats

IA Manual

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

IA Manual

Uploaded by

Copyright:

Available Formats

Ver. No. 1.

00 Release Date: Internal Audit Manual

Controlled Copy. Do Not Duplicate For Internal Use Only

Controlled Copy. Do Not Duplicate For Internal Use Only

3.2 The Manual is intended to achieve the following objectives:

Responsibility for Implementation

Custody and Confidentiality

Revision of the Manual

Controlled Copy. Do Not Duplicate For Internal Use Only

Charter of Internal Audit and Audit Committee

Controlled Copy. Do Not Duplicate For Internal Use Only

Internal Auditor (IA)

Assistant Internal Auditor

Controlled Copy. Do Not Duplicate For Internal Use Only

5. Internal Audit Risk Assessment

Developing the Audit Universe

 Organizational structure including departmental charts/organograms

Ownership and Maintenance of the Audit Universe

Risk Assessment of Audit Universe

 Develop list of key management personnel to be interviewed

Controlled Copy. Do Not Duplicate For Internal Use Only

Phase II: Conduct Risk Assessment Interviews

 Conduct risk assessment discussions with the management

Phase III: Analyze and Score Risks

Risk scoring methodology is given in Annexure A.

Controlled Copy. Do Not Duplicate For Internal Use Only

6. Development of Internal Audit Plan (IAP)

6.3. IAP generally includes the following information:

Audit Calendar is a break-down of Audit Universe which identifies timeline and

Human Resource Budget

 Skills and qualifications of Assistant IA to carry out audits as per IAP

6.4. On completion, IA shall review the IAP and ensure that:

 Auditable activities/processes are justified, based on the risk assessment

Sharing of Draft IAP with Program Director

Controlled Copy. Do Not Duplicate For Internal Use Only

Approval of Audit Committee & Monitoring of IAP

Engagements Requested by Audit Committee

 Request from Audit Committee

6.8. A template of IAP is attached in Annexure B.

Controlled Copy. Do Not Duplicate For Internal Use Only

7. Internal Audit Engagement Plan

7.2. The development of engagement plan consists of following steps:

 Policies & procedures manual

Preparation of Engagement Plan

 Name of the audit activity

Controlled Copy. Do Not Duplicate For Internal Use Only

Template of Engagement Plan is given in Annexure C.

Approval of the Engagement Plan

Controlled Copy. Do Not Duplicate For Internal Use Only

8. Execution of Audit Fieldwork

8.1. Prior to commencement of audit, IA shall send an announcement memo/email to the

Kick-off Meeting with the Process Owner

 Scope and objectives of the audit

Understanding and Documentation of Processes to be audited

8.7. Following are guidelines for writing a system note:

Controlled Copy. Do Not Duplicate For Internal Use Only

Guidelines for Writing a High Quality System Note

Developing Audit Programs

 Confirm the adequacy of the indicated design of controls

Contents of Audit Program