
Internal Audit Methodology: Overstrand Municipality

This document outlines the internal audit methodology for Overstrand Municipality. It defines internal auditing and its purpose to add value and improve operations through independent and objective assurance. The methodology is designed to comply with relevant legislation and standards. It describes the internal audit process which includes risk assessment, audit planning, execution, reporting, follow up and monitoring. The objective is to provide a consistent framework for delivering assurance and consulting services to management.

Uploaded by

Siva Kumar

I 6 / 001

OVERSTRAND MUNICIPALITY

INTERNAL AUDIT
 
METHODOLOGY
 

Approved by Council

29 April 2015

TABLE OF CONTENTS

NO PARAGRAPH

1. INTRODUCTION
1.1 Definition of Internal Audit
1.2 Background
1.3 Purpose of the Internal Audit
1.4 Objective of the Overstrand Municipality Internal Audit Methodology

2. LEGISLATION, GOOD GOVERNANCE AND GUIDANCE
2.1 Local Government: Municipal Systems Act, No 32 of 2000
2.2 Local Government: Municipal Finance Management Act, No 56 of 2003
2.2.1 Chapter 14, Section 165 – Internal Audit Unit
2.2.2 Chapter 14, Section 166 – Audit Committees
2.3 The King III report on Corporate Governance in South Africa
2.3.1 Internal Controls
2.3.2 Audit Committees
2.3.3 Internal Audit
2.4 National Treasury Circular 65
2.4.1 Audit Committee Responsibilities
2.4.2 Internal Audit Responsibilities

3. THE PROFESSION OF INTERNAL AUDITING
3.1 The IIA International Standards
3.2 The IIA Code of Ethics

4. THE SERVICES OF THE INTERNAL AUDIT ACTIVITY
4.1 Services Provided
4.2 Internal Auditors responsibility to Management
4.3 Main Control Environment Focus Areas
4.3.1 Ensure reliability and integrity of information
4.3.2 Ensure compliance with policies, plans, procedures, laws and regulations
4.3.3 Ensure safeguarding of assets
4.3.4 Ensure economical, efficient and effective use of resources
4.3.5 Ensure accomplishment of established objectives and goals for operations and programs
4.3.6 Ensure availability of services to management
4.4 Scope of Work
4.4.1 Assurance Services
4.4.2 Consulting Services
4.4.3 Legal Requirement
4.5 Audit Areas of Specification
4.5.1 Financial Audit / review
4.5.2 Auditing of Performance Measurements (AOPO – Audit of Pre-determined Objectives)
4.5.3 Operating Auditing
4.5.4 Compliance Auditing
4.5.5 Information Systems Audit
4.5.6 Control Self Assessments
4.5.7 Environmental Auditing
4.5.8 Ad hoc Management requests
4.5.9 Forensic Auditing
4.6 Specialized skills – Assurance and Consulting Assistance

5. AUDIT METHODOLOGY / PROCESS
5.1 Risk Assessment
5.1.1 Establish and agree on risk rating criteria
5.1.2 Agree approach to risk assessments and facilitate discussions
5.1.3 Identify and assess risk
5.1.4 Identify key business processes
5.1.5 Perform control environment review
5.1.6 Document issues and validate with client

6. INTERNAL AUDIT PLAN (RISK-BASED)

7. INTERNAL AUDIT EXECUTION
7.1 Process analysis
7.2 Create Internal Audit Program
7.3 Execute Program
7.4 Document Evidence and Report issues

8. REPORTING
8.1 Reporting to management
8.2 Reporting to the audit committee
8.3 Fraud Reporting

9. FOLLOW UP AND MONITORING

10. THE PARTNERING RELATIONSHIP

11. CONCLUSION

12. APPROVAL


1. INTRODUCTION

1.1 Definition of Internal Audit


Internal auditing is an independent, objective assurance and consulting activity designed to add
value and improve an organization's operations. It helps an organization accomplish its
objectives by bringing a systematic, disciplined approach to evaluate and improve the
effectiveness of risk management, control, and governance processes - Institute of Internal
Auditors (IIA)

1.2 Background
The overall objective of the internal audit activity is to provide all levels of management with an
independent assessment of the quality of the internal controls, administrative processes and the
extent to which they are assisting the municipality in achieving its strategic objectives in terms of
the Integrated Development Plan (IDP).
The internal auditing profession exists within an organisation to serve both management and the
organisation in providing recommendations and suggestions for continuous improvements.
The progress and understanding of internal auditing has evolved from an “error” style audit
approach, with an emphasis on negative reporting, to a pro-active approach aimed at adding
value through performance improvements and thus becoming a useful management tool.
It is expected that internal audit coverage extends beyond merely internal controls, to include
assisting in providing a systematic and disciplined approach to risk management and corporate
governance.
It is recognized that internal audit must focus on providing value to the organization. Overstrand
Municipality internal audit methodology encompasses many of the leading practices in internal
audit and is designed to take IIA standards into consideration.

1.3 Purpose of the Internal Audit


Internal audit is a systematic, objective appraisal of the diverse operations and controls within
an organisation to ensure the:
• Reliability and integrity of information;
• Compliance with policies and procedures;
• Safeguarding of assets;
• Economical and efficient use of resources; and
• Accomplishment of established objectives and goals for operations or programs.

1.4 Objective of the Overstrand Municipality Internal Audit Methodology


The purpose of the Internal Audit Methodology is to provide a consistent basis for the delivery of
internal audit services. The Internal Audit Methodology is written as a reference document that
provides guidance on the key phases and activities applied in an internal audit engagement.
The Internal Audit Methodology further aims to:
• Detail the legislative framework in which Internal Audit operates;
• Specify the codes of practice and standards to which the Internal Audit Activity adheres;
• Document the scope of activities and objectives of the Internal Audit Activity; and
• Provide guidelines and procedures for the Internal Audit Activity within the Overstrand Municipality and assist members of the municipality in the effective discharge of their responsibilities.

NOTE: Although the Internal Auditor's judgment will be required in applying this information to
specific audit assignments, the Internal Audit Methodology should provide guidance, and should
not inhibit professional judgment and objectivity.

2. LEGISLATION, GOOD GOVERNANCE AND GUIDANCE

The role and purpose of Internal Audit, like that of most professions, is governed by legislation,
and from time to time guidelines and best practices are issued and formulated in an effort to
regulate and govern the activities of Internal Audit. The following legislation and guidelines are
applicable to internal auditing:

2.1 Local Government: Municipal Systems Act, No 32 of 2000


The Municipal Systems Act requires that the results of performance measurements in terms of
section 41(1)(c) of the Act, must be audited –
(a) as part of the municipality’s internal auditing processes; and
(b) annually by the Auditor-General.

2.2 Local Government: Municipal Finance Management Act, No 56 of 2003


The MFMA requires the establishment of an internal audit unit and audit committee.

2.2.1 Chapter 14, Section 165 – Internal Audit Unit


(1) Each municipality and each municipal entity must have an internal audit unit, subject to subsection (3).
(2) The internal audit unit of a municipality or municipal entity must –
  (a) Prepare a risk-based audit plan and an internal audit program for each financial year;
  (b) Advise the accounting officer and report to the audit committee on the implementation of the internal audit plan and matters relating to –
    (i) Internal audit;
    (ii) Internal controls;
    (iii) Accounting procedures and practices;
    (iv) Risk and risk management;
    (v) Performance management;
    (vi) Loss control; and
    (vii) Compliance with this Act, the annual Division of Revenue Act and any other applicable legislation; and
  (c) Perform such other duties as may be assigned to it by the accounting officer.
(3) The internal audit function referred to in subsection (2) may be outsourced if the municipality or municipal entity requires assistance to develop its internal capacity and the council of the municipality or the board of directors of the entity has determined that this is feasible or cost effective.

2.2.2 Chapter 14, Section 166 – Audit Committees


(1) Each municipality and each municipal entity must have an audit committee, subject to subsection (6).
(2) An audit committee is an independent advisory body which must –
  (a) Advise the municipal council, the political office-bearers, the accounting officer and the management staff of the municipality, or the board of directors, the accounting officer and the management staff of the municipal entity, on matters relating to –
    (i) Internal financial control and internal audits;
    (ii) Risk management;
    (iii) Accounting policies;
    (iv) The adequacy, reliability and accuracy of the financial reporting and information;
    (v) Performance management;
    (vi) Effective governance;
    (vii) Compliance with this Act, the annual Division of Revenue Act and any other applicable legislation;
    (viii) Performance evaluation; and
    (ix) Any other issues referred to it by the municipality or municipal entity.
  (b) Review the annual financial statements to provide the council of the municipality or, in the case of a municipal entity, the council of the parent municipality and the board of directors of the entity, with an authoritative and credible view of the financial position of the municipality or municipal entity, its efficiency and effectiveness and its overall level of compliance with this Act, the annual Division of Revenue Act and any other applicable legislation;
  (c) Respond to the council on any issues raised by the Auditor-General in the audit report;
  (d) Carry out such investigations into the financial affairs of the municipality or municipal entity as the council of the municipality, or in the case of a municipal entity, the council of the parent municipality or the board of directors of the entity, may request; and
  (e) Perform such other functions as may be prescribed.
(3) In performing its functions, an audit committee –
  (a) Has access to the financial records and other relevant information of the municipality or municipal entity; and
  (b) Must liaise with –
    (i) The internal audit unit of the municipality; and
    (ii) The person designated by the Auditor-General to audit the financial statements of the municipality or municipal entity.
(4) An audit committee must –
  (a) Consist of at least three persons with appropriate experience, of whom the majority may not be in the employ of the municipality or municipal entity, as the case may be; and
  (b) Meet as often as is required to perform its functions, but at least four times a year.
(5) The members of an audit committee must be appointed by the council of the municipality or, in the case of a municipal entity, by the council of the parent municipality. One of the members who is not in the employ of the municipality or municipal entity must be appointed as the chairperson of the committee. No councillor may be a member of an audit committee.
(6) A single audit committee may be established for –
  (a) a district municipality and the local municipalities within that district municipality; and
  (b) a municipality and municipal entities under its sole control.

2.3 The King III report on Corporate Governance in South Africa


The King III Report recommends the minimum practices that should be adopted by any
organization in relation to their corporate governance practices.
The King III Report is a non-legislated code that is applicable to:
• Companies listed on the Johannesburg Stock Exchange;
• Corporations falling in the South African Financial Services sector; and
• Enterprises that perform public functions (inclusive of those regulated by the Public Finance Management Act and the Municipal Finance Management Act).

2.3.1 Internal Controls


The King III Report recommends that all affected organizations establish an Internal Audit
Activity, reporting at the highest level of authority, enabling it to achieve its function in terms of
an appropriate charter (Internal Audit Charter).
An effective Internal Audit Activity is an independent, objective assurance and consulting activity
that adds value and improves the organization's operations.

2.3.2 Audit Committees


Organisations to which the King III Report applies should have an audit committee. The
interaction between such committees and the external auditors is an essential part of corporate
governance.
The audit committee should have its own charter and be chaired by a non-executive member
(not a Council member), and preferably a majority of its members should be non-executive
(external persons not involved in the organisation) with sufficient experience and financial
literacy.
The audit committee must be able to communicate freely with the chair of the board / Council,
who should not be a member of the audit committee.
The audit committee’s primary functions in respect of internal auditing include:
• Approval of the appointment / dismissal of the chief audit executive;
• Approval of the internal audit plan;
• Monitoring of the achievement of the internal audit plan;
• Review of the risk management processes;
• Performance monitoring of audit engagements;
• Monitoring of internal audit professional development; and
• Ensuring that the activity remains professional, relevant and of value.

2.3.3 Internal Audit


Internal audit should provide:
• Assurance that the management processes are adequate to identify and monitor significant risks;
• Confirmation of the effective operations of the established internal control systems;
• Credible processes for feedback on risk management and assurance;
• Objective confirmation that the board receives the right quality of assurance and reliable information from management; and
• Preparation of a risk based internal audit plan linking to the risk assessment.

2.4 National Treasury Circular 65

2.4.1 Audit Committee Responsibilities


Internal Audit
The audit committee must in relation to internal audit:
• Ensure that the charter, independence and activities of the internal audit function are clearly understood and respond to the objectives of the municipality and the legal framework;
• Regularly review the functional and administrative reporting lines of the internal auditor to ensure that the organizational structure is consistent with the principles of independence and accountability;
• Review and approve the internal audit charter, including internal audit strategic plan;
• Confirm that the annual audit plan makes provision for critical risk areas in the municipality and its entities;
• Advise the municipality on resources allocated to give effect to the work outputs of the internal audit function;
• Ensure that there is support for the internal audit unit and external auditors from senior management;
• Confirm with management that internal audit findings are submitted to the audit committee on a quarterly basis;
• Confirm actions taken by management in relation to the audit plan;
• Consider and review reports relating to difficulties encountered during the course of the audit engagement, including any scope limitation or access to information reported to the accounting officer that remain unresolved;
• Evaluate the performance of internal audit activity in terms of the agreed goals and objectives as captured in the audit plan;
• Ensure that the head of internal audit has reasonable access to the chairperson of the audit committee;
• Conduct a high-level review of internal audit on an annual basis, to ascertain whether the internal audit unit complies with the International Standards for the Professional Practice of Internal Auditing;
• Concur with any appointment and termination of the services of the chief audit executive.

The internal audit unit is accountable to the audit committee as follows:
• Maintain open and effective communication with the audit committee;
• Develop a flexible annual audit plan using a risk based methodology, addressing any weaknesses in risks or controls identified;
• Submit the audit plan to the audit committee for review and approval;
• Report on the implementation and results of the annual audit plan including special tasks requested by management and the audit committee;
• Assist in drafting the agenda and documentation, and facilitate the distribution thereof to the audit committee in advance of meetings.

External Audit
The audit committee must in relation to external audit:
• Take cognizance of the scope of work undertaken by the external auditor and the extent of co-ordination with the internal audit unit;
• Review annual external audit plans, audit fees and other compensation;
• Review reports and monitor management’s implementation of audit recommendations and municipal council resolutions in the new financial year;
• Review the report on the financial statements and matters raised therein for reasonability and accuracy;
• Review any interim reports issued in order to take cognizance of the issues raised in determining the follow up work of the internal audit;
• Conduct a review of the extent to which previously reported findings by the external auditor have been addressed by the municipal council;
• Provide advice to the accounting officer on actions taken relating to significant matters raised in external audit reports;
• Liaise with the external auditors on any matter that the audit committee considers appropriate to raise with the external auditor;
• Ensure that the external auditors have reasonable access to the management and chairperson of the audit committee;
• Address any potential restrictions or limitations with the accounting officer and council;
• Address outstanding matters raised by the external auditors and ensure that any findings are dealt with conclusively in an expeditious manner.

Annual Financial Statements


The accounting officer must prepare Annual Financial Statements (AFS) of the municipality.
These financial statements should have been reviewed by the audit committee two weeks
before submission to the Auditor-General. The audit committee must review the annual financial
statements of the municipality by:

• Confirming if the municipal audit file is prepared in line with the applicable standards and guidance contained in MFMA Circular 50, or as updated;
• Reviewing the unaudited annual financial statements of the municipality to ensure that the quality, integrity and content is consistent with applicable standards and compliant with the legal framework;
• Evaluating the annual financial statement of the municipality and its entities for reasonableness, completeness and accuracy, and providing comment thereon, on a timely basis;
• Considering the Auditor-General’s opinion on the quality and appropriateness of the municipality’s accounting policies and that of its entities; and
• Reviewing efficiency and effectiveness of internal controls over AFS preparation and reporting.

Specifically with regards to Annual Financial Statements, the Audit Committee should:
• Review and challenge where necessary:
  - Arithmetical accuracy and consistency;
  - Consistency of, and any changes to, accounting policies, comparing to prior years;
  - Methods used to account for significant or unusual transactions where different approaches are possible;
  - Whether the Municipality has followed appropriate accounting standards and made appropriate estimates and judgments, taking into account previous audit outcomes;
  - The quality of disclosure in the Municipality’s financial reports and the context in which statements are made;
  - All material information presented with the financial statements, such as the operating and financial review and the corporate governance statement (insofar as it relates to the audit and risk management);
  - Whether all material issues in prior reports by the AGSA have been appropriately accounted for, resulting in fair presentation;
• Conduct analysis of trends and other financial ratio calculations, e.g. year-on-year comparisons and composition of primary group, e.g. salaries as a component of operations, whether operations are undertaken on a sustainable basis, operations at surplus or deficit, efficiency and solvency ratios, etc.

Risk Management Activities


The accounting officer is responsible for the establishment of effective risk management within
the municipality. It is expected that the committee will provide an independent and objective
view of the effectiveness of the municipality’s risk management. It must also provide feedback to
the accounting officer and municipal council on the adequacy and effectiveness of risk
management in the municipality and its entities.

Control Environment
The audit committee members need to have a good understanding of the control environment.
In fulfilling this responsibility the committee should:
• Ensure that management follows a sound process to draw conclusions on the adequacy and effectiveness of the system of internal control;
• Establish whether management has relevant policies and procedures in place and that these are adequate, effective and regularly updated;
• Determine whether appropriate processes are followed and complied with on a regular basis;
• Consider measures applied on any required changes to the design or implementation of internal controls;
• Assess steps taken by management to encourage ethical and lawful behavior, financial discipline and accountability for use of public resources.

Performance Management
Audit Committee members need to have a good understanding of the performance of the
municipality and its entities. These include:
• Review and comment on compliance with statutory requirements and performance management best practices and standards;
• Review and comment on the alignment of the Integrated Development Plan, the Budget, Service Delivery and Budget Implementation Plan and performance agreements;
• Review and comment on relevance of indicators to ensure they are measurable and relate to services performed by the municipality and its entities;
• Review compliance with in-year reporting requirements;
• Review the quarterly performance reports submitted by internal audit;
• Review and comment on the municipality’s and entities’ annual financial statements and timely submission to the Auditor-General by 31 August, each year;
• Review and comment on the municipality’s and entities’ annual reports within the stipulated timeframes; and
• Review and comment on the municipality's performance management system and make recommendations for its improvement.

Information Technology (IT) Governance
The audit committee also needs to provide advice on IT governance, controls, access, and
safeguarding of information in the municipality and its entities. Specific expertise may be
required from within or outside the municipality from time to time, to assist the internal audit unit
and audit committee to formulate recommendations on systems and controls. The committee
may have to advise on the appropriateness of disaster recovery and continuity plans supporting
IT risks, regular testing and evaluation of plans, systems and processes.

2.4.2 Internal Audit Responsibilities

Circular 65 states that Internal Audit Activity should:
• Develop a risk-based audit plan;
• Understand the control environment of the organization;
• Include the following types of audits:
  1) Risk based audits,
  2) Cyclical audits, and
  3) Ad hoc audit requests.

In addition, Internal Audit Activity should ensure that the following is in place:

• Quality Assurance and Improvement
The activities of the internal audit must be guided, monitored and supervised at each level of
operation to ensure that they are consistently performed in accordance with the International
Standards for the Professional Practice of Internal Auditing. The quality assurance and
improvement programme should include periodic internal assessments within a short time prior
to an external assessment which can facilitate and reduce the cost of the external assessment.

• Internal Assessments
The Chief Audit Executive must ensure that internal assessments are performed. Internal
assessments should include ongoing reviews of the performance of the internal audit activity.
These should be performed through self-assessment or by other persons within the municipality
with knowledge of internal audit practices and the IIA Standards. The chief audit executive, at
least annually, must report on the results of internal assessments. Internal assessments should
appraise, among others, compliance with the legislative framework, definition of internal auditing,
standards, internal audit charter, code of ethics and methodology.

• External Assessments
The internal audit must be subjected to an external assessment at least once every five years,
the results of which should be communicated to the audit committee and accounting officer. An
external assessment must be conducted by a qualified reviewer or review team from outside the
municipality. On completion of the external assessment, the review team should issue a formal
report containing an opinion. The chief audit executive in consultation with the accounting officer
should prepare a written action plan in response to comments and recommendations in the
report.

• Coordination of efforts with other assurance providers
Internal audit should share information and co-ordinate its activities with other assurance
providers within the municipality or municipal entity. This is done to ensure appropriate
coverage of risk areas and minimise duplication of efforts. There should be access to each
other’s audit plans and audit reports. There should be periodic meetings held between internal
audit and external audit. At these meetings key risks, audit scope and audit findings should be
discussed and priorities should be emphasized.

3. THE PROFESSION OF INTERNAL AUDITING

The profession of internal auditing requires affiliation with a professional body, for example the
Institute of Internal Auditors, which is an international body.
The environments and organisations in which internal audit activities are performed throughout
the world are highly diverse. Moreover, these activities may be in-sourced or outsourced. This
diversity affects the practice of internal auditing in each environment and organisation.
Nevertheless, compliance with the International IIA Standards is mandatory for individuals and
entities providing internal auditing services. However, to accommodate the diversity of practice,
the language of the International Standards is broadly inclusive, and more specific guidance is
left to other pronouncements.

3.1 The IIA International Standards

According to the IIA, the International Standards are intended to:
• State basic principles for the practice of internal auditing.
• Provide a framework for performing and promoting value-added internal audit activities.
• Establish the basis for evaluating internal audit performance.
• Improve organisational processes and operations.

The International Standards consist of Attribute Standards (currently 1000 – 1340),
Performance Standards (currently 2000 – 2600), and Implementation Standards (integrated with
other Standards).
• Attribute Standards concern the traits of Internal Audit Activities and individuals providing internal auditing services.
• Performance Standards describe internal audit activities and criteria for evaluation of their performance.
• Attribute and Performance Standards furnish guidance for all internal auditing services (assurance, consulting and other).

3.2 The IIA Code of Ethics


The Code of Ethics was adopted by the Institute of Internal Auditors, with a purpose of
promoting an ethical culture in the profession of internal auditing.
The Institute's Code of Ethics extends beyond the definition of internal auditing to include two
essential components:
• Principles that are relevant to the profession and practice of internal auditing; and
• Rules of conduct that describe behavior norms expected of internal auditors. These rules are an aid to interpreting the principles into practical applications and are intended to guide the ethical conduct of internal auditors. The rules of conduct are divided into:
  - Integrity;
  - Objectivity;
  - Confidentiality; and
  - Competency.

4. THE SERVICES OF THE INTERNAL AUDIT ACTIVITY

The Internal Audit Activity is a line function and reports to the Accounting Officer
(administratively) and to the Audit Committee & Performance Audit Committee (functionally).

4.1 Services Provided

Services provided by the Internal Audit Activity include inter alia:
• Provide consulting services, including counsel, advice, facilitation and training;
• Provide audit assurance;
• Communicate audit knowledge and best practices (experiences);
• Draw and share comparisons in terms of best practice and industry norms;
• Provide advice and guidance to the Accounting Officer, Management and Audit & Performance Committee;
• Review the adequacy, effectiveness and efficiency of systems of internal control.

4.2 Internal Auditors' Responsibility to Management

Each Directorate will have different business risks or concerns upon which management may
request feedback from the internal auditors. These may vary according to factors such as size,
industry, geographical location, regulatory requirements, management style and culture, and the
availability of feedback from other sources. The table below provides some examples of typical
risks and the related internal audit engagements.

| RISKS | POTENTIAL INTERNAL AUDIT ENGAGEMENTS |
|---|---|
| Non-compliance with laws and regulations | Control self assessment review; Compliance review; “Health checks” |
| Financial management | Control system review; Fraud prevention / detection review |
| Reliability and integrity of information | Security review; Control self assessment review |
| Fraud / Misrepresentation | Investigations; Preliminary assessments |
| Reliability of financial and other management information | Systems review; Analysis review; Information Systems review |
| IT systems | Systems development life cycle review; Pre assessment review; Process re-engineering |
| Efficiency of service delivery | Post system implementation reviews; Value for money or operational review; Cost vs. benefit (feasibility); Performance management review |

4.3 Main Control Environment Focus Areas


Listed below are the main control environment focus areas of the Internal Audit Activity when
reviewing a business process:

4.3.1 Ensure reliability and integrity of information

• Review the control measures (access levels, storage, etc.) around the safeguarding of data
and information.
• Review the accuracy and completeness of information and data.
• Review the need for information and data in the existing format.

4.3.2 Compliance with policies, plans, procedures, laws and regulations

• Determine the regulated and approved legislation applicable to the given business process.
• Assess the application of the legislation by the business unit.
• Bring the lack of compliance with statutory / mandatory requirements to the attention of the
Municipal Manager and relevant Management for remedial action.

4.3.3 Ensure safeguarding of assets


• Review register / listings of assets / inventory to ensure that it is complete and accurate.
• Determine if assets are marked and assigned to the applicable responsible business unit.
• Review the disclosure of assets in respect of Financial Reporting.

4.3.4 Ensure economical, efficient and effective use of resources


• Determine if standard operating procedures / process flow diagrams exist.
• Ensure that job function / task / description and Key Performance Indicators (KPIs) are
being met by individuals.
• Advise Management and the Municipal Manager of shortcomings in the resource
performance.

4.3.5 Ensure accomplishment of established objectives and goals for operations and programs

• Obtain the IDP and KPIs and objectives of the Municipality and the business unit processes
under review.
• Evaluate the goals and objectives to determine if they are specific, measurable, relevant,
achievable and time based for the business process.
• Raise attention to shortcomings in the achievement of goals and objectives.

4.3.6 Ensure availability of services to management


• Ensure that personnel remain abreast of professional development by means of periodicals,
seminars, courses and membership of professional bodies.
• Promote the consulting and assurance activities of Internal Audit.
• Plan ahead and include time for these ad hoc services in the audit plan, for approval of the
Audit Committee.

4.4 Scope of Work


4.4.1 Assurance Services
The Internal Audit Activity provides an independent assessment on the risk management,
control, and governance processes for the organisation. Examples include financial,
performance, compliance, systems auditing, and control self assessment reviews.

4.4.2 Consulting Services


Relates to advisory and related client service activities which are intended to add value and
improve the organisation's governance, risk management and control processes. Examples
include counsel, advice, facilitation and training.

4.4.3 Legal Requirement


The internal audit activity in local government is required to have or obtain skills and
competencies to examine and evaluate:
• Internal controls;
• Accounting procedures and practices;
• Risk management;
• Loss control; and
• Compliance reviews.

4.5 Audit Areas of Specification


There are many types of audits; the Internal Audit Activity will determine which kind of audit
process (or a combination) to perform based on a formal risk assessment process. Listed
below are a few examples of the audits that could be performed by the Internal Audit Activity:

4.5.1 Financial Audit/ review


A financial audit reviews the recording and reporting of financial transactions. The purpose of
this type of audit is to provide management with assurance that financial information is complete
and accurately recorded in the municipality's financial records and that these records support
the information shown in the financial reports.

4.5.2 Auditing of Performance Measurements (AOPO – Audit of Pre-determined Objectives)

The audit/ review of the municipal performance management system (PMS) and performance
measurement in terms of compliance with legislation, functionality of the system and assurance
on the effectiveness of the system.

4.5.3 Operating Auditing


This type of audit examines an operating process to determine whether resources are being
used effectively, efficiently and economically in the pursuit of the Council’s corporate vision. The
process / system is documented (process analyses documents) where after the process /
system is reviewed for weaknesses. Internal Audit then provides practical solutions for the
control weaknesses identified, preventing the weaknesses from recurring.
Activities such as human resources, cash handling, procurement, and inventories are generally
subject to this type of audit.

4.5.4 Compliance Auditing


A compliance audit evaluates the municipality’s adherence to laws, regulations, and internal and
external policies governing the business process under review. The business unit should be
applying the guidelines to ensure the successful operation of its activities and this assessment
is a form of “health” check.

4.5.5 Information Systems Audit


An information systems audit is a review of the internal control environment within the systems
used by the municipality. It also addresses the Information Technology governance processes.

4.5.6 Control Self Assessments


This is also known as a facilitation process to internal auditing. The process is used to work with
management in a workshop environment to assess the control environment of the business unit
under review. A control model is usually utilised together with a set format, process and
objectives. The information gathered in the workshop is summarised. The risks from the
exercise are then reported with recommendations for management action.

4.5.7 Environmental Auditing


The environmental audits will be performed similarly to compliance auditing as environmental
requirements are documented and therefore need to be complied with. The audit approach can
also include a combination of the operating and financial auditing approach as well as control
self assessments.

4.5.8 Ad hoc Management Requests


These are requests made by management to the Chief Audit Executive who in turn prioritizes
and distributes the assignments to the relevant internal audit personnel for action. These
requests must be made in writing by management and must be included in the Internal Audit
Plan.

4.5.9 Forensic Auditing


This specialized type of auditing involves fraud investigations and related functions. The
ultimate goal is to implement deterrent controls, which are geared towards prevention as
opposed to detection in order to discourage fraudulent activity.
Loss control can be included / encompassed in here in terms of assessing control measures to
ensure they are appropriately highlighting losses at the earliest opportunity. Often loss control
measures expose fraudulent activities that have taken place.

4.6 Specialized Skills – Assurance and Consulting Assistance


The Internal Audit Activity should be in a position to provide assurance and consulting advice to
management. Where these skills, knowledge and competencies are lacking, the appropriate
budgetary provision within the internal audit budget should exist to source in assistance as and
when necessary.
The necessary supply chain management principles are to be applied when procuring
consulting assistance.

5 AUDIT METHODOLOGY/ PROCESS


Internal Audit Engagement Cycle

5.1 Risk Assessment


The purpose of the risk assessment is to:
• Gain an understanding of the risks that threaten the organization’s achievement of strategic
objectives;
• Develop foundations that will assist in identifying the client’s key business processes that
mitigate strategic risks and to focus process-level assessment; and
• Develop the basis for the internal audit plan (single or multi-year).

The extent to which risk assessment activities are performed depends on the management.
Management’s involvement/ownership/buy-in is crucial to the success of the risk assessment.
Management should determine and agree on the risk rating criteria to be used in assessing
risks and plays a key role in the identification and analysis of risks throughout the process.
Internal Audit’s role is limited to facilitating the process and providing observations and
recommendations on the management’s assessments, but not making the assessments for
them.
The inputs for risk assessment include:

• Discussions with senior management, the board (Mayoral Committee), and the audit
committee through interviews and/or facilitated discussions;
• Business Understanding Document;
• Previous internal audit and risk assessment information, when available; and
• Other industry knowledge.

The activities to complete the risk assessment include:


• Establish and agree on risk rating criteria;
• Agree approach to risk assessments and facilitate discussions;
• Identify and assess risks;
• Identify key business processes;
• Perform control environment review; and
• Document issues and validate with client.

The risk assessment activities are explained in more detail below.

5.1.1 Establish and agree on risk rating criteria


The significance of the risks identified can be determined by considering three factors:

• The risk appetite and risk capacity of the organization;
Risk appetite is defined as the level of risk that management is prepared to accept (tolerate) to
achieve the organization’s objectives. Risk appetite is determined by considering the
relationship between risk and return.
Risk capacity is the level of risk the client is not prepared to exceed. This can be done by
management by estimating the maximum loss that they believe they can endure in one year
without endangering the survival of the company.

• The magnitude of the impact of the risks;
Risk impact can be defined using a five-point scale as follows:
  • Low or Insignificant (1)
  • Low to Moderate or Minor (2)
  • Moderate (3)
  • Moderate to High or Major (4)
  • High or Catastrophic (5)

The following table illustrates detailed impact descriptors that might be chosen:

Impact on business

| Level | Descriptor | Example of detail descriptor |
|---|---|---|
| 1 | Low or Insignificant | Issue can be delegated to junior management and staff to resolve |
| | | No or insignificant impact on service delivery |
| | | No impact on internal business |
| | | Insignificant impact on available budget |
| | | Insignificant impact on reputation |
| | | No injuries |
| 2 | Low to Moderate or Minor | Issue can be delegated to middle management to resolve |
| | | Low to moderate impact on service delivery |
| | | Low to moderate impact on internal business |
| | | Low to moderate impact on available budget |
| | | Low to moderate impact on reputation |
| | | Light injuries – first aid required |
| 3 | Moderate | Issue can be delegated to senior management to resolve |
| | | Moderate impact on service delivery |
| | | Moderate impact on internal business |
| | | Moderate impact on available budget |
| | | Moderate impact on reputation |
| | | Light injuries – medical treatment required |
| 4 | Moderate to High or Major | Issue can be delegated to Council to resolve |
| | | Moderate to high impact on service delivery – may impact the ability to deliver service |
| | | Moderate to High impact on internal business – may stop internal business |
| | | Moderate to High impact on available budget – requires significant portion of budget |
| | | Moderate to High impact on reputation |
| | | Serious injuries – possibly life threatening |
| 5 | High or Catastrophic | Delegate to Provincial Government to resolve |
| | | High or Catastrophic impact on service delivery – unable to deliver services |
| | | High or Catastrophic impact on internal business – internal business stops |
| | | High or Catastrophic impact on available budget – organization placed under administration |
| | | High or Catastrophic impact on reputation |
| | | Life threatening |

• The likelihood that the risks will occur.

Before determining the likelihood/possibility of a risk materializing, a time frame should be
determined; in most cases the time period used is one year. It is important that the time period
and the descriptors be agreed with management.
When determining likelihood for an identified risk during the risk assessment process, it is
important to consider the number of occurrences related to the process or event in question. For
example, certain transactions such as acquisitions may only occur once, whereas placing
orders for supplies might occur daily.

Likelihood of occurring

| Level | Descriptor | Example of detail descriptor |
|---|---|---|
| 1 | Rare | May only occur in exceptional circumstances. |
| 2 | Unlikely | Low probability of occurring but could occur. |
| 3 | Possible | Moderate probability of occurring. |
| 4 | Likely | Will probably occur in most instances. |
| 5 | Almost certain | Is expected to occur in most instances. |

The relationship between the impact of the risk and the likelihood of occurrence is illustrated by
the following table:
[Risk matrix figure: Likelihood (Rare, Unlikely, Possible, Likely, Almost certain) on the vertical
axis; Impact (Insignificant, Minor, Moderate, Major, Catastrophic) on the horizontal axis.]

5.1.2 Agree approach to risk assessments and facilitate discussions
The technique used to perform the risk assessment will depend on management’s preferences.
The following are two examples of approaches to risk assessments:
• Involving the Mayoral Committee and senior management in facilitated workshops; or
• Obtaining relevant information through individual interviews and questionnaires.

Regardless of the approach employed, Internal Audit’s role during the risk assessment and
facilitated discussions is to:
• Establish a process that builds on the client’s knowledge and experience;
• Encourage open discussion and exploration of issues;
• Help participants identify, prioritize, and consolidate issues into common themes; and
• In the case of workshops, help participants reach a common understanding on issues.

5.1.3 Identify and assess risk


Internal Audit’s main objective during risk assessment is to help the client identify and
understand the risks that can threaten the achievement of business objectives.
Different definitions of the term “risk” exist and for the purposes of the methodology, the terms
are defined as follows:
• Risk: Risk is the possibility that events/circumstances will impact the achievement of DM
strategic objectives negatively.
• Gross risk: The possibility that events or circumstances will prevent the client from achieving
its objectives, not taking into account the effects of controls; also known as “inherent
risk.”
• Residual risk: The remaining risk after considering the effect of internal controls
implemented by client management.
The objective of risk analysis is to help the management determine the significance of the risks
identified by considering the relationship between the potential impact of a risk and the
likelihood of its occurrence. The relationship between impact and likelihood is visually depicted
on the enterprise risk matrix. Although engagement teams may opt for other means of
describing risk categories, one way it may be described is using a scale with the following
categories:
• C: critical risk, immediate action required
• H: high risk, senior management attention needed
• M: moderate risk, management responsibility must be specified
• L: low risk, manage by routine procedures

Example: The relationship can be depicted graphically in the risk matrix.

| Likelihood \ Impact | Insignificant | Minor | Moderate | Major | Catastrophic |
|---|---|---|---|---|---|
| Almost certain | H | H | C | C | C |
| Likely | M | H | H | C | C |
| Possible | L | M | H | C | C |
| Unlikely | L | L | M | H | H |
| Rare | L | L | M | H | H |

Once the significance of the risks has been determined, management may be asked to rank the
risks in order of significance. The risks deemed above the organization’s risk appetite, especially
those in the upper right-hand quadrant, would be ranked as most significant.

5.1.4 Identify key business processes


A key business process is defined as a process associated with a strategic risk. This
association may arise in two ways:
• The process contains internal controls that address or manage the strategic risk.
• The process creates the risk or generates aspects of the risk.

5.1.5 Perform control environment review


The objective of a Control Environment Review (CER) is to assist management in obtaining
an overall understanding of the general and underlying control environment supporting the
business operations. This assessment can be a key aid to the Internal Audit Department in
understanding the high-level structures and controls within the organization.

The business control environment consists of activities covering and integrating the
municipality’s strategy and operations. It forms the context within which management makes
choices about controls and other activities.
Management maintains a balance between driving for high performance and helping to ensure
that its personnel do not go beyond the bounds of acceptable risk or business practice. This
means creating a business control environment to support the municipality’s business objectives
and strategies. Without a reasonable control environment, performance may not be optimized
and organization-wide (strategic) risks could emerge.
The CER can help enable the municipality to identify significant risks.

5.1.6 Document issues and validate with client


Issues can potentially be identified during the risk assessment. It is important to document these
issues or performance improvement opportunities. Following documentation, present these
items to management for verification. This process is critical to maintaining the relationship as
well as notifying management of any “new” risks or strategic issues that were noted during this
process.
The document outputs for the risk assessment can include a combination of the following:
• Risk Rating Criteria.
• Risk Categories.
• Risk Matrix.
• Risk Register.
• Control Environment Review.

6 INTERNAL AUDIT PLAN (RISK-BASED)

The risk based internal audit plan (IAP) sets out the scope of work to be undertaken by the
Overstrand Municipality’s Internal Audit unit. The plan is directed, agreed and adopted by the
municipality’s audit committee and is developed in conjunction with the risk assessment.
The inputs to the risk based Internal Audit Plan include:
• Outputs of an enterprise risk assessment, including identified risk focus areas for the
municipality’s key business processes and information on specific process-level risk factors
and internal controls within those business processes;
• Executive management/audit committee requests;
• Additional information about the industry;
• Information resulting from the external audits and regulatory examinations; and
• Historical internal audit activities, including those activities performed by other service
providers.
There are a number of different types of internal audit projects that may be included in the risk
based Internal Audit Plan. These can include the following:
• Tests of Business Process and/or Internal Control Design;
• Tests of Internal Control Effectiveness;
• Follow-up reviews on issues identified during previous internal audits;
• Management requests/agreed-upon procedures; and
• Internal audit function administration.
The proposed risk based Internal Audit Plan should be presented to the audit committee for
consideration and adoption, usually with, at a minimum, a proposed timeline for execution of the
plan and descriptions of each audit project.
The output of the Internal Audit Plan phase is a one-year internal audit plan and/or 3 year rolling
internal audit plan (multi-year internal audit plan) depending on the needs and discretion of the
Overstrand Municipality Internal Audit Unit, Audit Committee and Executive Management.

7 INTERNAL AUDIT EXECUTION

Internal audit execution is performed after approval of the Internal Audit Plan. Internal audit
execution formalizes the activities to be performed as a result of our understanding gained
through risk assessment and internal audit planning.
The inputs for internal audit execution are:
• Approved internal audit plan;
• Information from strategic analysis and risk assessment; and
• Discussion(s) with management and/ or request(s) from management – usually via the
Accounting Officer.
During the internal audit execution process the following activities are conducted:
• Process Analysis / System description;
• Create Internal Audit Program;
• Execute Program; and
• Document Evidence and Report.

The activities performed during internal audit execution may allow Internal Audit to identify
operational weaknesses and cost-saving recommendations which are key to adding tangible
value to the organization.
The Internal Audit Execution activities are explained in more detail below.

7.1 Process analysis


The process description should be documented in narrative form and/or through the use of
flowcharts, where deemed appropriate. Once the process is documented, the process owner
should confirm our understanding of that process by signing the Process Documentation
Analysis (PAD) working paper since this will serve as the foundation for the scope of the internal
audit.
Internal audit would look at the process and how it is managed and compare it against some
standard or benchmark, where available and appropriate, to help the management/process
owner assess the reasonableness of the process and controls and how they are managed.

In undertaking any comparison against practices exhibited elsewhere, it is important that this
practice be generally recognized as a highly effective or efficient way of doing things.

7.2 Create Internal Audit Program


To create the internal audit work program, Internal Audit personnel should be able to identify
process level risks and internal controls for testing of design and effectiveness.
Information gained from a number of sources, including risk assessment and process analysis,
will drive the areas of emphasis in an internal audit program. The strategic and process level
risks identified and the priority of those risks will focus the internal audit program on the internal
controls that should be tested.
Such decisions (which controls should be tested) are based on the assumption that the internal
controls are operating effectively, which directly impacts the creation of the internal audit
program. If an internal control is known by the process owner to not be operating effectively or if
it has been determined and agreed to by the client that a control is not designed properly, then
agreement must be reached with the client on whether it is appropriate to perform testing of
those controls. In many instances, it may not be beneficial to the process owner to test internal
controls if they are known to have substantial issues in either design or effectiveness.
The internal audit program sets out the procedures to be undertaken to help the process owner
assess the existence and effectiveness of identified controls. There may be regulatory
compliance issues that also require testing. These issues should be documented in the
program.
In designing the internal audit procedures to include in the program, it is important that the
program allows flexibility for team members to use judgment, but provides sufficient guidance
so that the fieldwork achieves its objectives. Internal Audit professionals should design internal
audit procedures in a manner that will result in the most efficient evidence on whether an
internal control is operating effectively.

7.3 Execute Program


Testing procedures should be structured to provide the strongest evidence for the least effort
sufficient to satisfy the testing objectives. Each test objective will have one or more procedures
that are performed to effectively meet that objective. Further, each planned test procedure is
linked to a specific test objective to determine that the test procedures are relevant and link
back to the specific scope of the assignment.
The extent of procedures may range from observation, inquiry and process walkthroughs to
detailed controls assessment and testing. In executing internal audit procedures, Internal Audit
should attempt to be as concise as possible in their documentation. To this end, conciseness
and relevance are key in developing working papers.

7.4 Document Evidence and Report issues


Audit evidence can be physical, testimonial, documentary, or analytical. The type and source of
test evidence obtained and used to complete testing are documented in a relevant working
paper. This enables an independent reviewer to arrive at the same findings and
recommendations by reviewing the working papers. Each test procedure should link back to the
specific scope of our internal audit project. Upon completion of the test work, the test program
may be referenced to the relevant working papers, signed, and dated by the staff member who
performed the procedure or test.
It is acceptable to prepare exception-based documentation, whereby for a given test of internal
control, only those items with noted exceptions are included in the work papers. If no exception
is noted for the given test, then the engagement team includes a photocopy of a complete set of
supporting documentation for one of the items tested for that control to document an example of
what was reviewed by the engagement team.
It is important to note that, when preparing exception-based documentation, sufficient
information must be maintained in the working paper so that the test could be re-performed.
Alternatively, photocopies could be kept of all evidential matter supporting the test, whether
exceptions were found or not.
During our work, we may identify additional internal control issues that require resolution but are
not specifically within the scope of the internal audit project. These issues should be raised as
soon as possible with the Chief Audit Executive.
A finding is noted when the results of internal control testing denote that the control is either
missing or not working as expected, and could be documented on the Finding sheets.
Accordingly, a substantial residual risk remains even after the related internal controls have
been reviewed and tested.
All findings included in the internal audit report should tie back to the finding sheets, which in
turn should tie directly back to the supporting test documentation or other relevant work papers.
In contrast, a performance improvement observation (PIO) is defined as an area for
improvement that does not involve a control weakness or involves an area outside of the scope
of the internal audit project and is documented on the finding sheets or a separate Performance
Improvement Observation document.
Based on the results of our internal audit procedures, we document the following information for
both findings and PIOs:
• Basis for our observation;
• Root cause;
• Impact on the organization;
• Recommended actions; and
• Management responses.

When recommending actions it is important for Internal Audit to analyze the root cause of the
finding. Once this information is documented, the assigned Auditor, together with the Chief Audit
Executive will decide which findings and/ or issues will be carried through to the draft report
versus only being reported to the client verbally.
The outputs for internal audit execution include a combination of the following:

• Background information / Process Analysis. Document / summary of our understanding of
the business process, which strategic risks the process is associated with, and our overall
understanding of process level risks and associated internal controls.
• System description / Process Workflow. Process map graphically depicting the flow of the
business process along with key participants and internal controls.
• Process Risk Register. This document provides a summary of the outcome of the conducted
risk assessment at the process level. It usually contains a detailed listing and description of
each risk along with individual ratings for impact and probability.
• Internal Audit Program. The audit program sets out the procedures to be undertaken; these
procedures enable us to assess the existence and effectiveness of documented controls.
• Internal Audit Working papers. These working papers provide an indication of the work
performed during the internal audit project and are cross-referenced to the internal audit
program and the internal audit report for easy reference. This includes overall conclusions
reached by the assigned auditor in relation to the individual audit objectives tested.

8 REPORTING

The primary objective of reporting is to effectively communicate the results of the internal audit
work, thereby helping to drive changes that contribute to the achievement of organizational
objectives. Reporting occurs through formal documentation and respective meetings with the
process owner, senior management, audit committee and other stakeholders of the audit
process.
All of the work and documents previously prepared provide input to the reporting process;
however, the following documents are drawn from in preparing reports to management and the
audit committee.
• Audit committee charter;
• Internal audit charter;
• Risk register;
• Internal Audit Plan;
• Process analysis documentation;
• Process risk register;
• Audit working papers;
• Audit evidence obtained; and
• Audit reports from individual projects.

8.1 Reporting to management


During the course of performance of the engagement, regardless of the phase the Internal Audit
team is in, it is imperative that the Internal Audit team communicate as often as practically
possible with the process owner and/ or senior manager concerned. The timing and nature of
the communication is generally agreed upon with the management in advance, during the
planning meetings.

Status reporting should include, but not be limited to, communication of:
• Significant issues or findings;
• Potential scope changes;
• Project progress and milestones; and
• Items that may affect project timing.
Continual management communication helps management and Internal Audit to agree on the
significant aspects of the audit. Visibility of Internal Audit work and work product helps to
avoid surprises, which can potentially have a detrimental effect on the working relationship.
For the reporting process to be effective the following should be adhered to at all times:
 No findings are to be included in the management reports that have not previously been
discussed with the process owner and/or senior manager. This is a matter of courtesy and
sound business practice.
 The findings are associated with a business process and strategic risk(s). This emphasizes
the risk-based internal audit approach and demonstrates the impact on the internal control
environment.
 Agreement is reached regarding the factual correctness of the audit findings and root
causes. If any disagreement exists in relation to the audit finding(s) and/or root causes,
concerted efforts must be made to resolve it. If agreement still cannot be
reached between Internal Audit and the relevant process owner/senior manager, this should
be noted in the Audit report (Draft of final audit report).

Disagreements: There are certain instances where there will be disagreement between the
audited process owner and Internal Audit. Where agreement cannot be reached, the audited
process owner has the opportunity to have its written comments “verbatim” included in the
report. The comments will be recorded in the management response portion of the internal
audit report. Management’s views should clearly identify:
 The reasons for disagreement with the recommendations;
 The alternative course of action that management plans to follow (if any);
 Justification for preferring the alternative course of action; and
 The name and designation of the person(s) whose views are expressed.

 Do not regard the recommendations made by internal audit as the only alternative that will
acceptably improve a deficiency and also be cost-effective. This point should be clear in the
tone of our comments in the report and in our informal discussions with the organization’s
personnel. It should be noted that Internal Audit’s recommendations remain Internal Audit’s
recommendations, based on our assessment and professional judgment, and that the risk
and the treatment (mitigation) thereof remain the responsibility of management.
 Management must be directly involved in the formulation of the recommendations. It is
easier for management to accept recommendations if they were directly involved and
consulted in their formulation. It is also more likely that the recommendation will be
implemented, as management will more readily take ownership of the corrective action.


 Internal Audit, in conjunction with management, must develop an effective action plan that
will address the issues identified. In agreeing and jointly developing the actions required,
organizational objectives as well as the improvement of the control environment are
taken into account.
 The agreed action takes the 3 E’s into account, i.e., Economy, Efficiency, and Effectiveness.
The cost of implementing and maintaining the control is normally weighed against the
possible benefits to be derived from it.

8.2 Reporting to the audit committee


The internal audit function ultimately reports and is accountable to the Audit Committee of the
municipality. The audit committee must therefore be considered the ultimate Internal Audit
customer. An audit committee typically meets four times a year and will normally include internal
audit activities and performance as a standard item on its agenda.
Prior to the meeting, Internal Audit must prepare internal audit reports for the projects performed
during the audit cycle and distribute them to the members of the audit committee and other
related parties. Distributing the reports with sufficient lead time before the audit committee
meeting allows the committee to examine and consider the issues effectively.
While all information should be available to the Audit Committee, internal audit should not
overwhelm the committee with excessive detail. Summaries are appropriate and should be
supported by detail as requested by the audit committee. In addition, we should also address
the details of previous report follow-up and status of management’s implementation of corrective
actions.
The Chief Audit Executive must attend each audit committee meeting.
The following factors are critical to our involvement with the Audit Committee:
 Internal Audit should have the respect, support, and cooperation of both senior management
and the audit committee;
 Internal Audit should always have an open line of communication and unrestricted access to
members of the Audit Committee, the Accounting Officer, the Executive Mayor, the Speaker
and mayoral committee members of the municipal council;
 In order to discharge its functions and responsibility to the Audit Committee, Accounting
Officer, Management and Council, Internal Audit must have unrestricted access to personnel
and/or information in the performance of its duties; and
 Internal Audit’s involvement with the audit committee is focused on the most strategic and
significant issues, making the best use of their time.

The benefits of our interaction with the audit committee are:


 The audit committee is kept informed of our observations regarding the effectiveness of the
organization’s risk management, internal control environment, and governance processes,
assisting them in discharging their governance, “due professional care” and due diligence
responsibilities.
 It enables regular contact with management at the highest level — key decision makers in
the municipality and potentially those outside.


 Through its unrestricted access to the audit committee, Internal Audit may influence the
scope and extent of the services provided to the municipality.

Progress is reported on the delivery of the internal audit plan that was submitted to and approved
by the audit committee at the beginning of the financial year.
The outputs for internal audit reporting include:
 Internal Audit Report. The internal audit report provides a comprehensive presentation of the
business processes and internal controls assessed during the internal audit project. It
provides findings and performance improvement opportunities as well as summary
information on the internal audit process.
 Periodic & Annual Audit Committee Reporting. As discussed, the audit committee will
receive updates of the Internal Audit progress with respect to the execution of the Internal
Audit plan as well as the related results for the reviews conducted.

8.3 Fraud Reporting


Any fraud identified during any audit will be reported upon in the final audit report and will
be communicated to the Accounting Officer for further processing.

9 FOLLOW UP AND MONITORING

The follow-up process monitors the progress of agreed-upon management action plans and
reports this progress to senior management and the audit committee.
The following inputs are required for follow-up, monitoring and tracking:
 Internal audit report(s); management action plans, implementation timelines, and persons
responsible; and
 Management response on action plan status and revised implementation dates, where applicable.

The method and timing of follow-up and roles and responsibilities should be formally agreed
upon with the management. Typically, timing will be tied to the agreed-upon completion date if
the issue is significant or to the audit committee’s meeting cycle.
Internal audit should determine whether corrective action was taken and is achieving the
desired results, or that senior management or the board has assumed the risk of not
implementing the agreed-upon corrective action. In the event that a corrective action has not
been taken, written confirmation from management stating that senior management or the board
has assumed the risk of not implementing the agreed-upon corrective action should be sought.
To effectively perform these tasks the assigned auditor or Chief Audit Executive should
coordinate or direct the following activities:
 Determine which findings should be followed up;
 Confirm that the reported management response actually occurred;
 Evaluate the reasonableness of management response on actions;
 Assess whether the implemented action addressed the original finding;


 Collate responses and update status of actions; and
 Summarize and report as appropriate.

These activities can be performed in conjunction with a scheduled internal audit per the internal
audit plan or as a separate review. It is important to assess the status of these action plans and
the related internal audit test work, as they may affect audits in the current plan.
The Internal Audit Services team is involved in reviewing and reporting results of follow-up
activities to senior management and the audit committee often coinciding with the audit
committee’s meeting schedule.

10 THE PARTNERING RELATIONSHIP

Internal Audit provides a service to management by examining and evaluating the effectiveness
of controls put in place by Management. A key responsibility of Internal Audit is to identify
weaknesses and to provide practical solutions / recommendations; however, the responsibility
for the prevention and detection of irregularities and fraud rests with management of the
business unit under review.
The Internal Audit Activity seeks to:
 Involve management to a greater extent in the audit planning process;
 Be fair on audit objectives, purpose and outcomes; and
 Be constructive and demonstrate added value for the client.

Internal Audit makes use of exit meetings to ensure that the business unit and its management
are aware of the deficiencies / weaknesses in their systems before sending the report to the
Accounting Officer and the rest of the Executive Management Team. These exit meetings will
allow the management the opportunity to comment on the practicality of the audit
recommendations. Furthermore, at the exit meeting Internal Audit will provide the relevant
process owner/senior manager with an “Auditee’s Assessment Questionnaire” to complete. The aim
of the assessment is to ensure that Internal Audit continues to play a critical role in adding
value when conducting internal audits.

11 CONCLUSION

The overall objective of the Internal Audit activity is to provide all levels of management with an
independent assessment of the quality of the internal controls, governance and risk
management processes, and to provide recommendations and suggestions for continuous
improvement. If deficiencies are eliminated, controls are enforced and fraud is prevented and
deterred, the municipality is managed more efficiently and effectively.
The content of the Internal Audit Methodology seeks to provide the relevant role players and
readers with an understanding of the role of the Internal Audit Activity of Overstrand
Municipality.


12 APPROVAL

This Internal Audit Methodology has been compiled by the Chief Audit Executive and its
contents are supported, recommended and approved by the Accounting Officer and Audit
Committee as set out below, effective from the date of approval.

CHIEF AUDIT EXECUTIVE DATE

ACCOUNTING OFFICER DATE

AUDIT COMMITTEE DATE

Policy Section Internal Audit Services


Current update
Previous review
Previous review
Approval by Council 29 April 2015
