University of Eswatini / Internal Audit
The Internal Auditor’s Office website is meant to serve as a resource for the University community to promote effective and efficient administration in support of the University’s academic mission. The site also hopes to clarify what the role of the Internal Audit Office is within the University by describing the responsibilities, services and processes of the Office. We encourage the University community to explore the Frequently Asked Questions and if additional information is required, you are welcome to contact the Office staff.
The vision of the Internal Audit office is to be valued, effective and continually improving for the benefit of the University of Swaziland.
The mission of the Internal Audit Office is to help the University accomplish its overall objectives. This will be accomplished through:
• Improving internal control system and culture
• Enhancing management of risks
• Enhancing governance processes.
• Ensuring that assets are adequately safeguarded.
• Ensuring value for money is achieved in all operations.
Internal Audit staff are responsible for conducting themselves so that their good faith and integrity are not open to question. The profession of auditing is founded on the trust placed in its objective assurance about risk management, control, and governance. The Internal Audit Office staff has adopted the Code of Ethics issued by the Institute of Internal Auditors. Staff shall realize that individual judgment is required in the application of these standards.
Institute of Internal Auditors’ Code of Ethics
(adopted by the Internal Audit Office)
Internal auditors are expected to apply and uphold the following principles:
The integrity of internal auditors establishes trust and thus provides the basis for reliance on their judgment.
Internal auditors exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors make a balanced assessment of all the relevant circumstances and are not unduly influenced by their own interests or by others in forming judgments.
Internal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so.
Internal auditors apply the knowledge, skills, and experience needed in the performance of internal audit services.
Rules of Conduct
1.1. Shall perform their work with honesty, diligence, and responsibility.
1.2. Shall observe the law and make disclosures expected by the law and the profession.
1.3. Shall not knowingly be a party to any illegal activity, or engage in acts that are discreditable to the profession of internal auditing or to the organization.
1.4. Shall respect and contribute to the legitimate and ethical objectives of the organization.
2.1. Shall not participate in any activity or relationship that may impair or be presumed to impair their unbiased assessment. This participation includes those activities or relationships that may be in conflict with the interests of the organization.
2.2. Shall not accept anything that may impair or be presumed to impair their professional judgment.
2.3. Shall disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under review.
3.1. Shall be prudent in the use and protection of information acquired in the course of their duties.
3.2. Shall not use information for any personal gain or in any manner that would be contrary to the law or detrimental to the legitimate and ethical objectives of the organization.
4.1. Shall engage only in those services for which they have the necessary knowledge, skills, and experience.
4.2. Shall perform internal audit services in accordance with the International Standards for the Professional Practice of Internal Auditing.
4.3. Shall continually improve their proficiency and the effectiveness and quality of their services.
The Internal Audit Office has the authority to audit all parts of the University and is granted full and complete access to any records (in any form), physical properties, and personnel relevant to a review. This authority is contained in the Internal Audit Charter. In performing their work, the Internal Auditor and other auditors have neither direct authority over, nor responsibility for, any of the activities reviewed.
• What is internal auditing?
• What happens during an audit?
• Who receives Internal Audit reports?
• What are the benefits of being audited?
• How often do we audit departments /selection of areas to be audited?
• Is the Internal Audit Office part of the Bursary?
• What is the difference between Internal and External Audit?
• What kind of audits do we do?
• How long do audits take?
• I have a question, can internal audit help me?
• How far back do we look during an audit?
What is internal auditing?
The Institute of Internal Auditors offers the following definition of internal auditing:
“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps the organization to accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes”.
The above definition might appear lengthy and a bit technical; but in simple terms the role of internal audit includes the following:
• To ensure that policies and procedures, external laws and regulations are complied with.
• To ensure that University resources are used effectively and economically.
• To ensure that University assets are adequately safeguarded.
• To ensure that information given to management is accurate and reliable.
The aim of internal audit is to assist management and departments with information about the establishment and maintenance of internal control and ensure that these activities can be carried out efficiently and effectively. This is achieved by evaluating financial, managerial and operating information and making recommendations for improvement of controls.
This description shows that internal audit is more about improving internal control, reducing risk exposures, ensuring compliance with laid-down policies and procedures, economic and efficient use of resources, etc. Contrary to common perception, fraud is not the main focus of internal audit. Fraud can be reduced with good and effective controls and positive attitudes of staff and management towards controls.
What happens during the audit?
The audit will generally start with an entrance interview with the department head and other key members of the staff.
Additional in-depth interviews will likely follow. Then an examination of departmental records, equipment, and compliance with UNISWA policies and procedures will be performed. The scope of the work performed will be controlled to a great degree by the auditor’s perceived risks of the audited area.
A successful audit requires active participation between internal audit and the department being audited. As in any special project, an audit results in a certain amount of time being diverted from the department’s usual routine. All attempts are made by the auditors to be unobtrusive and not to interfere with department operations.
Each audit has a defined scope and objectives. An auditor requesting information from a department will explain where necessary the audit’s purpose and objectives so the department’s representative can understand the reasons for the questions being asked or requests being made.
Department heads responsible for areas under review have the opportunity to discuss the report with the Internal Auditor and the Internal Audit Officer. The Internal Audit Office aims to develop and issue factual and accurate final reports; however, there may be instances where department heads do not agree with the assessment or recommendations the Internal Audit Office has made. Each report will be discussed at a draft stage with the process owner and then the department head/dean/director to ensure its accuracy and that the recommendations, language and tone are appropriate to achieve the University’s objectives. This does not mean that recommendations must always be agreed upon, and it is important that the Internal Audit Office delivers an independent view of the process or area being audited. In some cases this will contain a different perspective from that of the department. This is both appropriate and healthy. Each report provides a section for a response to allow department heads to articulate their consideration of the recommendations and findings of the report and state what action will be taken as a result.
All recommendations are then agreed with department heads and a timetable for implementing recommendations is then agreed.
Who receives the Internal Audit reports?
The Internal Audit reports, including the auditee’s responses to any recommendations that are made, are routinely routed to the responsible Department Head or Director, the Dean (if appropriate), the Vice Chancellor, Administrative Management Committee and the University Audit Committee.
We perform follow-up audits approximately six months after each audit to discuss the auditee’s success at implementing the recommendations. Results of follow-up audits are submitted to the Vice Chancellor, Administrative Management Committee and the Audit Committee. The above shows that the department staff has the responsibility to implement agreed-upon recommendations while management has the overall responsibility to ensure that all audit findings have been addressed.
What are the benefits of being audited?
An audit of each area/department will bring the following benefits:
• Help to identify potential areas of weaknesses or inefficiency within the system, process or department.
• Provide an independent review of risks and issues facing the department heads and directors.
• Help to maximize the overall effectiveness of the system, process or department’s activities.
• Provide practical, imaginative and challenging observations and recommendations for consideration.
• The audit report provides an action plan so that any program of improvements can be effectively monitored and managed.
• Helps department heads to demonstrate confident and open leadership and commitment to process improvement in their areas.
How often do we audit departments/selection of areas to be audited?
There is no hard and fast answer to this question because the Internal Audit Office uses a risk-based approach to develop an annual audit work plan. The result is that some departments are audited more frequently than others. This risk-based approach includes an annual, University-wide risk assessment that considers such factors as the time since the last audit and significance of findings that resulted, size of the annual budget and revenue streams, complexity of operations, emphasis on internal controls, and external compliance requirements. In general, the higher the degree of identified risks, the more often a department will be audited. Occasionally, departments may also be selected for an audit by special request of the department head or a senior University official.
In addition to planned audits, the Internal Audit Office responds to reports on fraudulent activities, irregularities, or mishandling of University funds.
Is the Internal Audit office part of the Bursary?
No. The Internal Audit Office is a separate department from the Bursary Department and Accounts with direct reporting to the Vice Chancellor and the Audit Committee.
What is the difference between Internal Audit and External Audit at Uniswa?
The Internal Audit Office is the University’s independent assurance function that reports to the Audit Committee and the Vice Chancellor on the systems of control and governance, risk management and the value for money. The work of the Internal Audit covers both financial and non-financial aspects of the University’s operations. The role of the external auditors, on the other hand, is to provide an independent opinion on the truth and fairness of the University’s financial statements. The External Auditors report to the University Council. KPMG are the current external auditors of the University.
What kinds of audits do you do?
The Internal Audit Department offers the following services to the University:
• Regular audits – these are scheduled as part of an annual audit schedule, but may come up during the year.
• Follow up audits – these are also scheduled as part of an annual schedule. They are performed to ensure that reported concerns are adequately addressed by management within reasonable time.
• Consultation reviews – these are requests from interested parties. Requests can be scheduled as part of an annual audit schedule or come up during the year. Reviews will depend on the magnitude of risk exposure.
• Special investigations – these come up during the year when interested parties contact the Internal Auditor where irregularities or inappropriate conduct is identified.
• Requests for advice – these also come up during the year when interested parties contact the Internal Auditor with questions or for advice on internal control and risk management issues.
• Policies and procedures – the department assists in drafting and evaluating financial and operational policies and procedures of all activities of the University.
How long do audits take?
There is no easy answer to this question as each audit’s length will depend on the nature and scope of the review. Small audits might last 20 hours while more complex reviews can last several months.
I have a policy question, can Internal Audit help me?
Absolutely, if you have questions on policies, procedures, or best practices we will be glad to help. In some cases we will know the answer to your question, but if we don’t we will be glad to research the answer to your question.
How far back do we look during an audit?
The general scope period for departmental reviews includes account activity during the most recent six to twelve months. The scope period is determined with the objective of providing results that are relevant and timely. However, it is often necessary to extend the scope period for specific accounts or transactions to facilitate a reasonable and objective examination of activities and provide results that are informed and accurate. This is done where appropriate to review infrequent but recurring transactions, assess annual budgeting practices, identify patterns, etc.
The scope period for special reviews is flexible and depends on the objectives of a given review and the depth of examination required to satisfy these objectives.
– What are internal controls?
– What is the purpose of internal controls?
– Are there different types of internal controls?
– Are internal auditors responsible for internal controls?
– How can I be sure that my department has sufficient internal controls?
– What is segregation of duties?
What are internal controls?
A control is any policy, procedure, practice, or mechanism designed to provide reasonable assurance that the organization’s objectives will be achieved. This includes controls designed to safeguard assets, ensure the timeliness, accuracy and reliability of financial and management reporting and to promote operational efficiency, effectiveness and compliance with all applicable laws, regulations, policies and procedures.
Controls can generally be classified as preventive, detective, compensating or steering. Preventive controls are designed to avoid errors or irregularities. Detective controls are designed to identify errors or irregularities after they have occurred so corrective action can be taken. Compensating controls are designed to provide reasonable assurance where resource limitations preclude the implementation of more direct controls. Steering controls (i.e. policies) are designed to guide actions towards the desired objectives.
Control activities are designed to meet specific risk-reduction objectives and generally fit within the following categories:
Documentation – All policies and procedures should be formally documented to ensure they are applied consistently by all staff and that the unit will not suffer unnecessarily by the departure of knowledgeable employees. Management decisions and financial transactions should be documented to provide reasonable assurance that University assets are adequately controlled and transactions are correctly recorded. Documentation should be retained in accordance with University policies.
Authorization – Approval authority should be commensurate with the nature and significance of the transactions and in compliance with University policy. Approval should only be given following a thorough review of supporting information to verify the propriety, accuracy and validity of transactions. Authorizations and delegations of signing authority should be documented in writing.
Reconciliations and Reviews – These should be performed at regular intervals by senior department personnel to ensure that controls are operating effectively and to uncover any errors or irregularities. Department heads and should reconcile and review Budget control reports at least monthly for accuracy, correct account classification, compliance with applicable policies/procedures and propriety. Principal Investigators/ Project coordinators should perform the same function using Budget control Reports.
Personnel – Competence and integrity should be stressed for all employees. They should be adequately trained and supervised and receive written position descriptions to document their assigned authority and responsibility.
Access Restrictions – Access to physical assets and records should be physically restricted to only those who are authorized and require access. Access to electronic information and processes should be further restricted by the appropriate use of passwords and restricted user account profiles. These measures limit the risk of asset misappropriation, tampering or other misuse.
Segregation of Duties – At a minimum, to prevent errors and irregularities individuals should not have responsibility for more than one of the three components of a transaction: initiation, processing and reconciliation. Where staffing levels permit, it is preferable to segregate all three components.
Designing an Effective Control Environment
Control procedures should be established for every business process to minimize the potential risks to the achievement of unit objectives.
It is the responsibility of management to ensure that appropriate controls are implemented and functioning to support achievement of unit objectives. When determining which controls should be implemented, the cost of the control should not exceed the expected benefit of having it in place. In some cases, it may be necessary to implement compensating controls to address inherent limitations within the unit (e.g. where staffing levels are inadequate for a full segregation of incompatible duties, a unit may establish a compensating periodic trend analysis to identify unusual activity).
It is the responsibility of the Internal Audit Office to provide independent evaluations of the adequacy and effectiveness of key controls during the course of audit reviews and to report the results, including recommendations for improvement, to the unit head(s), their direct report(s), the Audit Committee of the University Council and other parties as appropriate.
What is the purpose of internal controls?
As noted above, the primary purpose is to help us achieve our objectives. Typically internal controls are noted for having four primary purposes:
• to protect the University’s assets,
• to ensure records are accurate,
• to promote operational efficiency, and
• to encourage adherence to policies and procedures.
Are there different types of internal controls?
Yes, generally speaking there are three types: preventative, detective and compensating or steering controls.
Preventative Controls are designed to discourage errors or irregularities from occurring. (Example: processing vouchers only after approval signatures have been obtained.)
Detective Controls are designed to find errors or irregularities after they have occurred. (Example: reconciling monthly account statements.)
Compensating Controls are designed to provide reasonable assurance where resource limitations preclude the implementation of more direct controls. (Example: monthly review of transactions by an independent person where segregation of duties is impossible.) Steering controls (i.e. policies) are designed to guide actions towards the desired objectives.
Are internal auditors responsible for internal controls?
No. We play a role in our system of internal controls by performing evaluations and making recommendations for improved controls. However, the system of internal control is the responsibility of management. We believe every employee plays a role in either strengthening or weakening our institution’s internal control system.
How can I be sure that my department has sufficient internal controls?
• Perform a self-assessment of your controls. Contact Internal Audit for assistance in this process.
• Request an internal audit. We budget several hours each year for administrative requests. If you have concerns or would like an independent assessment, contact the Internal Auditor.
• Request an internal control training session. Internal Auditing performs training on internal controls and what we believe are minimum requirements. Contact the Internal Auditor if you would like us to present on this topic to your unit. You can review several prior presentations on our departmental web site.
What is segregation of duties?
Segregation of incompatible duties is a control element designed to prevent errors and irregularities. At a minimum, individuals should not have responsibility for all three components of a transaction cycle: initiation, processing and reconciliation/review. Where staffing levels permit, it is preferable to segregate all three components.
What is Fraud?
The University has a Theft, Fraud and Corrupt Conduct policy.
The policy includes the following definition of theft, fraud and corrupt conduct.
Fraud includes theft, criminal deception; making false representations to gain an unjust advantage; and abuse of University property or time.
Theft is the dishonest appropriation of the University’s property with intent to deprive the University of it permanently.
Corrupt conduct includes improper use of influence or position and/or improper use of information or other improper acts or omissions of a similar nature.
Examples of some activities covered under these definitions are:
• taking inducements to mark a student assessment more favourably or award a contract for the provision of goods or services;
• misuse of one’s position to gain an unfair or unjust advantage;
• misuse or abuse of telephone, fax, computers, and other equipment to run a private business, whether for profit or not-for-profit;
• operation of a private business using University facilities and time;
• misuse of corporate credit card;
• misuse of petty cash;
• unauthorised removal of equipment, parts, software, and office supplies from University premises;
• submission of fraudulent purchase orders;
• submission of fraudulent applications for reimbursement;
• submission of exaggerated or wholly fictitious accident, harassment or injury claims;
• misuse of sick or family leave;
• using University-paid travel, ostensibly for business, but, in fact, where the principal purpose is private;
• falsification of time records; and
• damage, destruction or falsification of documents.
Hints on Creating a Low Fraud Environment
Nobody wants to come to work and worry about what can go wrong. We don’t want to doubt our co-workers and their honesty. The fact is most people will not commit an offence related to theft, fraud and corrupt conduct. But we must accept the concept, the reality, that a fraud is possible. If you do not believe fraud is possible, you will not identify it, even if it is clearly evident. Very often fraud symptoms are viewed as administrative errors because individuals cannot conceive of the existence of fraud, particularly where there is a long-time affiliation with co-workers.
Procedures can (and should) be instituted to help reduce the risk of impropriety. The following procedures will help.
Identify assets for which you have responsibility. Examples include department expenditures, i.e. major and minor equipment purchases, personal computers and laptops, software, petty cash, and amounts collected as revenue.
Identify the risks associated with safeguarding these assets. Ask yourself:
1. How could these assets be misused or improperly used?
2. If these assets were misused or misappropriated, how would I know?
3. What controls exist to prevent or detect inappropriate use or loss of assets?
4. What additional controls are necessary to ensure that assets are adequately protected from loss? and
5. Is the cost of additional controls reasonable in relation to the risk involved?
Establish a positive control environment in your department. It is important to demonstrate control consciousness. A genuine interest and concern for internal control should be conveyed to all staff members.
The following is a set of guidelines which should be in place to ensure an adequate system of internal control exists:
1. separation of duties;
2. physical safeguards over assets;
3. proper documentation;
4. proper approvals;
5. adequate supervision;
6. physical inventories; and
7. independent validation of transaction accuracy.
Hire honest employees. Check references of all pending employees.
Ensure that all staff members are familiar with the University’s policies and procedures. Copies of the aforementioned policies should be issued to department members and questions should be addressed by department management.
If you have any questions please contact us and we will be happy to help (if we can).
Activity Reports of the internal auditing department highlight significant audit findings and recommendations and inform senior management and the board of any significant deviations from approved audit work schedules, staffing plans, and financial budgets, and the reasons for them. (110.01.6)
Adequate Control is present if management has planned and organized (designed) in a manner which provides reasonable assurance that the organization’s objectives and goals will be achieved efficiently and economically. (300.02.4)
Analytical Auditing Procedures are performed by studying and comparing relationships among both financial and non-financial information. The application of analytical auditing procedures is based on the premise that, in the absence of known conditions to the contrary, relationships among information may reasonably be expected to exist and continue. Examples of contrary conditions include unusual or nonrecurring transactions or events; accounting, organizational, operational, environmental, and technological changes; inefficiencies; ineffectiveness; errors; irregularities, or illegal acts. (420.01.1 b and c)
Appreciation means the ability to recognize the existence of problems or potential problems and to determine the further research to be undertaken or the assistance to be obtained. (250.01.4)
Audit Objectives are broad statements developed by internal auditors and define intended audit accomplishments. (410.01.1a)
Audit Procedures are the tasks the internal auditor undertakes for collecting, analyzing, interpreting, and documenting information during an audit. Audit procedures are the means to attain audit objectives. (410.01.1a)
Audit Program is a document which lists the audit procedures to be followed during an audit. The audit program also states the objectives of the audit. (410.01.6a)
Audit Report is a signed, written document which presents the purpose, scope, and results of the audit. Results of the audit may include findings, conclusions (opinions), and recommendations. (430.01, 430.04 and 430.04.5)
Audit Scope refers to the activities covered by an internal audit. Audit scope includes, where appropriate:
• Audit objectives
• Nature and extent of auditing procedures performed
• Time period audited
• Related activities not audited in order to delineate the boundaries of the audit (430.04.4)
Audit Work Schedules include (a) what activities are to be audited; (b) when they will be audited; and (c) the estimated time required, taking into account the scope of the audit work planned and the nature and extent of audit work performed by others. (520.04)
Audit Working Papers record the information obtained, the analyses made, and conclusions reached during an audit. Audit working papers support the bases for the findings and recommendations to be reported. (420.01.5 and 420.01.5c)
Auditable Activities consist of those subjects, units, or systems which are capable of being defined and evaluated. Auditable activities may include:
• Policies, procedures, and practices
• Cost centers, profit centers, and investment centers
• General ledger account balances
• Information systems (manual and computerized)
• Major contracts and programs
• Organization units such as product or service lines
• Functions such as electronic data processing, purchasing, marketing, production, finance, accounting, and human resources
• Financial statements
• Laws and regulations (520.04.5)
Auditee includes any individual, unit, or activity of the organization that is audited.
Authorization implies that the authorizing authority has verified and validated that the activity or transaction conforms with established policies and procedures. (300.03.2a)
Authorizing includes initiating or granting permission to perform activities or transactions. (300.03.2a)
Board includes boards of directors, audit committees of such boards, heads of agencies or legislative bodies to whom internal auditors report, boards of governors or trustees of nonprofit organizations, and any other designated governing bodies of organizations.
Cause is the reason for the difference between the expected and actual conditions (why the difference exists). (430.04.7c)
Charter of the internal auditing department is a formal written document which defines the department’s purpose, authority, and responsibility. The charter should (a) establish the department’s position within the organization; (b) authorize access to records, personnel, and physical properties relevant to the performance of audits; and (c) define the scope of internal auditing activities. (110.01.4)
Code of Ethics of The Institute of Internal Auditors (IIA) sets forth standards of conduct for Members of The IIA and Certified Internal Auditors to effectively discharge their responsibilities. The Code of Ethics calls for high standards of honesty, objectivity, diligence, and loyalty. (240.01)
Conclusions (Opinions) are the internal auditor’s evaluations of the effects of the findings on the activities reviewed. Conclusions usually put the findings in perspective based upon their overall implications. (430.04.8)
Condition is the factual evidence which the internal auditor found in the course of the examination (what does exist). (430.04.7b)
Conflicts of Interest refers to any relationship which is or appears to be not in the best interest of the organization. A conflict of interest would prejudice an individual’s ability to carry out their duties and responsibilities objectively. (280.01)
Control is any action taken by management to enhance the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved. Thus, control is the result of proper planning, organizing, and directing by management. (300.06)
Control Environment refers to the attitude and actions of the board and management regarding the significance of control within the organization. The control environment provides the discipline and structure for the achievement of the primary objectives of the system of internal control.
The control environment includes the following elements:
• Integrity and ethical values
• Management’s philosophy and operating style
• Organizational structure
• Assignment of authority and responsibility
• Human resource policies and practices
• Competence of personnel (300.07.4)
Cost-Benefit Relationship means that the potential loss associated with any exposure or risk is weighed against the cost to control it. (300.02.5)
Criteria are the standards, measures, or expectations used in making an evaluation and/or verification (what should exist). (430.04.7a)
Detective Controls are actions taken to detect and correct undesirable events which have occurred. (300.06.1)
Directing involves, in addition to accomplishing objectives and planned activities, authorizing and monitoring performance, periodically comparing actual with planned performance, and documenting these activities to provide additional assurance that systems operate as planned. (300.03.2)
Directive Controls are actions taken to cause or encourage a desirable event to occur. (300.06.1)
Director of Internal Auditing and Director identify the top position in an internal auditing department. The term also includes such titles as General Auditor, Chief Internal Auditor, Chief Audit Executive, and Inspector General.
Due Professional Care calls for the application of the care and skill expected of a reasonably prudent and competent internal auditor in the same or similar circumstances. Due professional care is exercised when internal audits are performed in accordance with the Standards for the Professional Practice of Internal Auditing. The exercise of due professional care requires that:
• Internal auditors be independent of the activities they audit
• Internal audits be performed by those persons who collectively possess the necessary knowledge, skills, and disciplines to conduct the audit properly
• Audit work be planned and supervised
• Audit reports be objective, clear, concise, constructive, and timely
• Internal auditors follow up on reported audit findings to ascertain that appropriate action was taken (280.01)
Economical Performance accomplishes objectives and goals at a cost commensurate with the risk. (300.02.7)
Effect is the risk or exposure the auditee organization and/or others encounter because the condition is not the same as the criteria (the impact of the difference). (430.04.7d)
Effective Control is present when management directs systems in such a manner as to provide reasonable assurance that the organization’s objectives and goals will be achieved. (300.03.1)
Efficient Performance accomplishes objectives and goals in an accurate and timely fashion with minimal use of resources. (300.02.6)
Error as it relates to internal audit reports is an unintentional misstatement or omission of significant information in a final audit report. (430.03.1b)
External Auditors refers to those audit professionals who perform independent annual audits of an organization’s financial statements.
External Reviews of the internal auditing department are performed to appraise the quality of the department’s operations. External reviews should be performed by qualified persons who are independent of the organizations and who do not have either a real or apparent conflict of interest. (560.04)
Findings are pertinent statements of fact. Audit findings emerge by a process of comparing what should be with what is. (430.04.6 and .7)
Flowchart is a representation, primarily through the use of symbols, of the sequence of activities in a system (process, operation, function, or activity). (420.01.5d)
Follow-up by internal auditors is defined as a process by which they determine the adequacy, effectiveness, and timeliness of actions taken by management on reported audit findings. Such findings also include relevant findings made by external auditors and others. (440.01.1)
Formal Internal Reviews are periodic self-assessments of the internal auditing department to appraise the quality of the audit work performed. These reviews generally are performed by a team or an individual selected by the director of internal auditing. (560.03.1)
Fraud encompasses an array of irregularities and illegal acts characterized by intentional deception. (280.01.1)
Goals are specific objectives of specific systems and may be otherwise referred to as operating or program objectives or goals, operating standards, performance levels, targets, or expected results. (300.02.2)
Guidelines are suitable means of meeting the General and Specific Standards for the Professional Practice of Internal Auditing. (Introduction)
Illegal Acts refers to violations of laws and governmental regulations. (280.01.1)
Independence allows internal auditors to carry out their work freely and objectively. This concept requires that internal auditors be independent of the activities they audit. Independence is achieved through organizational status and objectivity. (100.01)
Information is data the internal auditor obtains during an audit to provide a sound basis for audit findings and recommendations. Information should be sufficient, competent, relevant, and useful. (420.01.2)
Internal Auditing is an independent appraisal function established within an organization to examine and evaluate its activities as a service to the organization. The objective of internal auditing is to assist members of the organization in the effective discharge of their responsibilities. To this end, internal auditing furnishes them with analyses, appraisals, recommendations, counsel, and information concerning the activities reviewed. The audit objective includes promoting effective control at reasonable cost. (Introduction)
Internal Auditing Department includes any unit or activity within an organization which performs internal auditing functions.
Internal Auditor is an individual within an organization’s internal auditing department who is assigned the responsibility of performing internal auditing functions.
Internal Control is a process within an organization designed to provide reasonable assurance regarding the achievement of the following primary objectives:
• The reliability and integrity of information
• Compliance with policies, plans, procedures, laws, and regulations
• The safeguarding of assets
• The economical and efficient use of resources
• The accomplishment of established objectives and goals for operations or programs (300.05)
Irregularity refers to the intentional misstatement or omission of significant information in accounting records, financial statements, other reports, documents or records. Irregularities include (a) fraudulent financial reporting which renders financial statements misleading and (b) misappropriation of assets. Irregularities involve:
• Falsification or alteration of accounting or other records and supporting documents
• Intentional misapplication of accounting principles
• Misrepresentation or intentional omission of events, transactions, or other significant information (280.01.1)
Management includes those individuals with responsibilities for setting and/or achieving the organization’s objectives.
Monitoring encompasses supervising, observing, and testing activities and appropriately reporting to responsible individuals. Monitoring provides an ongoing verification of progress toward achievement of objectives and goals. (300.03.2b)
Objectives are the broadest statements of what the organization chooses to accomplish. (300.02.1)
Objectivity is an independent mental attitude which requires internal auditors to perform audits in such a manner that they have an honest belief in their work product and that no significant quality compromises are made. Objectivity requires internal auditors not to subordinate their judgment on audit matters to that of others. (120.01 and .02)
Operations refers to the recurring activities of an organization directed toward producing a product or rendering a service. Such activities may include, but are not limited to, marketing, sales, production, purchasing, human resources, finance and accounting, and governmental assistance. (350.01.1)
Preventive Controls are actions taken to deter undesirable events from occurring. (300.06.1)
Proficiency means the ability to apply knowledge to situations likely to be encountered and to deal with them without extensive recourse to technical research and assistance. (250.01.1)
Programs refers to special purpose activities of an organization. Such activities include, but are not limited to, the raising of capital, sale of a facility, fund-raising campaigns, new product or service introduction campaigns, capital expenditures, and special purpose government grants. (350.01.2)
Purpose Statements in audit reports describe the audit objectives and may, where necessary, inform the reader why the audit was conducted and what it was expected to achieve. (430.04.3)
Quality Assurance is a program by which the director of internal auditing evaluates the operations of the internal auditing department. The purpose of the quality assurance program is to provide reasonable assurance that internal auditing work conforms with the Standards for the Professional Practice of Internal Auditing, the internal auditing department’s charter, and other applicable standards. The quality assurance program should include the following elements:
• Internal reviews
• External reviews (560.01)
Ratio Analysis is the study of financial condition and performance through ratios derived from items in the financial statements or from other financial or non-financial information. (420.01.1h)
Reasonableness Test is a comparison of an estimated amount, calculated by the use of relevant financial and non-financial information, with a recorded amount. (420.01.1h)
Recommendations are actions the internal auditor believes necessary to correct existing conditions or improve operations. (430.05.1)
Regression Analysis is a mathematical procedure which is used to determine and measure the predictive relationship between one variable (dependent variable) and one or more other variables (independent variables). (420.01.1h)
Risk is the probability that an event or action may adversely affect the organization or activity under audit. (410.01.1b and 520.04.2)
Risk Assessment is a systematic process for assessing and integrating professional judgments about probable adverse conditions and/or events. The risk assessment process should provide a means of organizing and integrating professional judgments for development of the audit work schedule. (520.04.10)
Risk Factors are the criteria used to identify the relative significance of, and likelihood that, conditions and/or events may occur that could adversely affect the organization. (520.04.6)
Scope Limitation is a restriction placed upon the internal auditing department that precludes the department from accomplishing its objectives and plans. Among other things, a scope limitation may restrict the:
• Scope defined in the charter
• Department’s access to records, personnel, and physical properties relevant to the performance of audits
• Approved audit work schedule
• Performance of necessary auditing procedures
• Approved staffing plan and financial budget (110.01.5b)
Senior Management refers to those individuals to whom the director of internal auditing is responsible.
Significant is the level of importance or magnitude assigned to an item, event, information, or problem by the internal auditor.
Significant Audit Findings are those conditions which, in the judgment of the director of internal auditing, could adversely affect the organization. Significant audit findings may include conditions dealing with irregularities, illegal acts, errors, inefficiency, waste, ineffectiveness, conflicts of interest, and control weaknesses. (110.01.6b)
Standards for the Professional Practice of Internal Auditing (the Standards) are the criteria by which the operations of an internal auditing department are evaluated and measured. They are intended to represent the practice of internal auditing as it should be.
Statement of Responsibilities of Internal Auditing is a document which presents in summary form the:
• Objective and scope of internal auditing
• Responsibility and authority of the internal auditing department
• Independence of internal auditors
Supervision is a continuing process, beginning with planning and ending with the conclusion of the audit assignment. Supervision includes:
• Providing suitable instructions to subordinates at the outset of the audit and approving the audit program
• Seeing that the approved audit program is carried out unless deviations are both justified and authorized
• Determining that audit working papers adequately support the audit findings, conclusions, and reports
• Making sure that audit reports are accurate, objective, clear, concise, constructive, and timely
• Determining that audit objectives are being met (230.01 and .02)
Survey is a process for gathering information, without detailed verification, on the activity being examined. The main purposes are to:
• Understand the activity under review
• Identify significant areas warranting special emphasis
• Obtain information for use in performing the audit
• Determine whether further auditing is necessary (410.01.5a)
System (process, operation, function, or activity) is an arrangement, a set, or a collection of concepts, parts, activities, and/or people that are connected or interrelated to achieve objectives and goals. (This definition applies to both manual and automated systems.) A system may also be a collection of subsystems operating together for a common objective or goal. (300.02.3)
Trend Analysis is the analysis of the changes in a given item of information over a period of time. (420.01.1h)
Understanding means the ability to apply broad knowledge to situations likely to be encountered, to recognize significant deviations, and to be able to carry out the research necessary to arrive at reasonable solutions. (250.01.3)