Best Practices For Internal Audit in Government Departments
1. Introduction
Traditionally, people understand internal audit as an activity of self-imposed internal check
and audit, which also supposedly involved going around telling people what they were doing
wrong. However, even seen in this narrow sense, the contribution of internal audit is
potentially of major importance, as an effective internal audit system leads to improved
accountability, ethical and professional practices, effective risk management and improved
quality of output, and supports decision making and performance tracking.
Historically, it was always held that internal auditing is confined to merely ensuring that the
accounting and allied records have been properly maintained, that the asset management system
is in place in order to safeguard the assets, and that policies and procedures are
in place and are duly being complied with. With changing times this concept has undergone a
sea change with regard to its definition and scope of coverage. The modern approach suggests that
it should not be restricted to financial issues alone but should also cover issues such as cost benefit
analysis, resource utilisation and deployment, matters of propriety, effectiveness of the
management, etc.
The Institute of Internal Auditors of UK and Ireland defines Internal Audit as:
“Internal Auditing is an independent, objective assurance and consulting activity designed to
add value and improve an organisation's operations. It helps an organisation accomplish its
objectives by bringing a systematic, disciplined approach to evaluate and improve the
effectiveness of risk management, control, and governance processes.”
The Institute of Internal Auditors New York defines Internal Audit as:
“Internal audit is an independent, appraisal activity within an organisation for the review of
accounting, financial and other operations as a basis of service to the
organisation. It is a managerial control which functions by measuring and evaluating the
effectiveness of other controls”.
The above definitions of internal audit call for internal audit to be an independent function
within an organisation, placing greater emphasis on its objectivity. Thus internal auditing
primarily provides an independent objective opinion to the Head of the Government
Department/Office.
An independent, focused internal audit function also brings to the fore findings and
recommendations, which act as a tool for officers in a department to take suitable
corrective action and help plug loopholes that would otherwise go undetected for
a considerable period of time.
It is the management's responsibility primarily to manage the project and they should
therefore make the decisions, but internal audit could act as a facilitator within this process.
For example, management should identify the risks associated with the project and decide
how to deal with them, with internal audit acting as a consultant on risk and control matters.
The golden principles stated in the Code of Ethics for Internal Auditors in Government are
Integrity, Objectivity, Competency, Confidentiality and Independence.
a. Integrity: Integrity is expected in aspects of the internal audit work. The principles of
honesty and fairness are to be observed. The basic point is that the auditor's
report should carry an air of trust, reliance and fairness.
The scope of internal auditing should encompass the examination and evaluation of the
adequacy and effectiveness of the organisation's system of internal control and the quality of
performance in carrying out assigned responsibilities.
1. Determine whether the existing system of controls is in harmony with the structure of
the organisation. As far as possible keeping the controls within the operating
functions acts as a cost effective measure;
2. Review each control and analyse them in terms of costs and benefits;
3. Review the reliability and integrity of financial and operating information and the
means used to identify, measure, classify, and report such information;
4. Review the systems established to ensure compliance with those policies, plans,
procedures, laws, and regulations which could have a significant impact on operations
and reports, and should determine whether the organisation is in compliance;
5. Review the means of safeguarding assets and, as appropriate, verify the existence of
such assets. The objective of the management is to ensure that assets are reasonably
and adequately protected against loss and that they are properly managed and
accounted for. The safeguarding of assets should not be restricted to pilferage alone but
should also cover physical threats like fire, water, electricity, etc.;
6. Appraise the economy and efficiency with which resources are employed;
The internal auditing department is an integral part of the organisation and functions under the
policies established by management or board. The purpose, authority and responsibility of the
internal auditing department need to be defined in a formal written document duly approved
by management or the board. The document should spell out in clear terms, the intended
purposes of the internal auditing department, scope of its work, and a declaration that auditors
have no authority/responsibility for the activities they audit.
Throughout the world, internal auditing is performed in diverse environments and within
organisations which vary in purpose, size, and structure. In addition, the laws and customs
within various countries/states differ from one another. These differences may affect the
practice of internal auditing in each environment. Hence the need to be compliant with
prevalent and prescribed standards and best practices becomes all the more essential.
Auditors must take reasonable professional care in specifying evidence required, in gathering
and evaluating that evidence, and in reporting findings. This requires auditors to be alert for
instances that could indicate errors, fraud, improper or illegal expenditure, unauthorised
operation, waste and inefficiency.
In determining which audit tests and procedures achieve reasonable professional care, the
internal auditor should consider the following items:
• The requirements to meet audit objectives;
• The relative materiality of matters to be investigated;
• The effectiveness of systems of accounting and administrative internal
control;
• The estimates of costs of implementing audit test plans in relation to likely
benefits to be derived.
4. Independence
Internal auditors should be independent of the activities they audit. Internal auditors are
independent when they can carry out their work freely and objectively. Independence permits
internal auditors to render the impartial and unbiased judgments essential to the proper
conduct of audits. It is achieved through organisational status and objectivity. Independence
stands for an internal auditor being able to take a stand and report on materiality issues,
uninfluenced by any favor or coercion or undue influence.
The organisational status of the internal auditing department should be sufficient to permit the
accomplishment of its audit responsibilities. The head of the internal auditing department
should be responsible to the management/board in the organisation with sufficient authority to
promote independence and to ensure broad audit coverage, adequate consideration of audit
reports, and appropriate action on audit recommendations.
Auditors should inform their supervisor if they consider that personal or external
circumstances are likely to impede their ability to form independent and objective judgments.
5. Steps
5.1 Planning
Adequate planning is necessary for every audit. All material areas bearing on the reliability of
the accounts and records must be covered. The audit working papers provide the documentary
evidence of audit planning in the form of an audit plan, setting out the objectives and scope of
the audit and the techniques and resources to be used by the auditor. The planning process
must include the development of an in-depth, well-conceived, overall strategic plan that
clearly defines the desired future state of the internal audit function. In addition, it is essential
to create detailed tactical plans that support the overarching strategy, and to clearly describe
the specific initiatives required to achieve the transformation. Too often we see internal audit
functions diving straight into tactical planning - especially regarding the deployment of
technology - without first comprehending how their overall strategic plans and tactical plans
fit together.
Planning may be revised as may be deemed necessary in the course of the audit in the light of
newer findings or situations.
Internal Auditors must have sufficient proficiency and training to carry out the tasks assigned
to them. The auditor's work must be carefully directed, supervised and reviewed. The amount
of supervision required corresponds to the experience and skill of the auditor. The supervisory
role includes:
Any significant internal audit transformation will involve a large number of specific tasks
linked to a fairly complex timeline to ensure that everything comes together to produce the
desired result in a timely fashion. It is important to bear in mind that this is more than just a
simple scheduling exercise. Therefore, it is recommended that internal audit functions utilise
some of the numerous, highly effective project management techniques that can help ensure
the successful, timely conclusion of an internal transformation process.
The principles of change management typically are a centrepiece of any successful internal
audit transformation. In fact, the more significant the transformation, the more important
change management techniques become. Among the change management techniques that
have proven particularly successful to transformation initiatives are the deployment of a
project management office, the utilisation of project management tools and the development
of detailed communication plans. These types of techniques must be built into any internal
transformation process right from the start.
Building up a balanced pool of resources is critical to an effective internal audit function. The
competencies of internal audit staff must take into account the skills and knowledge base laid
down by the profession. This includes personal qualities, standards of education, sound
judgement, innovation and operational and auditing/evaluation experience.
The skill requirements for internal audit should be aligned to the nature of the organisation's
business, its risk profile and the associated needs of management. The changing role and
focus of internal audit activity means there must be a broader range of competencies than
required for traditional internal auditing. It needs also to address the composition of its audit
teams if it is to undertake a range of activities.
Internal auditors must systematically evaluate the nature of the operation and system of
internal control in the section being audited, to assess the reliance that can be placed on
controls. The assessment determines the nature, extent and timing of the audit procedures.
Internal controls of an organisation comprise the plan of organisation and methods adopted to
safeguard assets, comply with laws and regulations, ensure the completeness and correctness
of accounting data, promote efficiency and encourage adherence to management policies.
It is important that a review of an internal control system be directed primarily toward the
controls that have an important bearing on the reliability of that system, i.e., key controls, to
ensure efficient use of resources.
5.4 Evidence
An auditor must obtain all of the evidence considered necessary for the expression of an
informed opinion. The evidence required will vary and professional judgment is required to
determine the amount and nature of the evidence required. The auditor should consider:
5.5 Working papers
The standard for working papers and all documentation relating to an audit is very important
as the purpose for the working papers can include any one or all of the following:
Where the results of an evaluation are not satisfactory, the reviewer will discuss appropriate
corrective action with the auditor. That action is to be recorded on paper and referred back to
the auditor.
The review process can involve peer reviews by audit staff. These reviews have the dual
effect of improving the standard of work performed and enabling auditors to learn from their
peers.
It is generally accepted that, to be effective, the internal audit function must have the full
support of the organisation's senior management. The support of line management is also
critical. The attitude of management towards internal audit can have a significant influence on
the behaviour of an organisation’s staff - similarly the attitude of management towards
internal audit can either strengthen or hamper its role.
The planning of the internal audit section should reflect the organisation’s business planning
and align the audit effort with the key business objectives and the critical business risks.
Internal audit's focus should be on critical business processes and areas of high risk; be
relevant; and give due weight to the needs and expectations.
Internal audit's processes should be subject to ongoing monitoring, review and evaluation.
The concept of continuous improvement requires internal audit not just to measure its current
performance but also to assess it against some standard or target.
It demands the development of balanced indicators of performance, preferably with input
from the Audit Committee and line management. By promoting continuous improvement
internal audit can also be a powerful sponsor or aid to improving processes within the
organisation.
Internal audit has to be subject to performance management review, as do other parts of the
activity. This can be undertaken by the audit committee with internal and/or external
assistance. This process can be facilitated by regular performance reports including
appropriate performance measures. Internal audit needs to be pro-active in this respect both to
set an example and to indicate better practice. This approach will both enhance its credibility
and provide greater assurance to its stakeholders.
Therefore, from the above the following conclusions can be drawn for officials in the
government departments on internal audit:
The internal auditor, along with the audit staff, is expected to take the help of an Internal
Controls Questionnaire. An internal control questionnaire (ICQ) is a series of ‘yes’ or ‘no’
questions about the internal control structure. A ‘yes’ answer indicates that a needed control
or policy is in place, but it is to be accepted only after confirmation and testing to
establish that the control exists. A ‘no’ answer indicates the absence of a control, which either
increases risk or may not be relevant to the business; it too requires confirmation to judge
its impact.
Most internal auditors use ICQ for undertaking audits. These questionnaires are designed
specifically for the department/office being audited. Answering this series of ‘yes’ or ‘no’
questions helps in the assessment of internal controls.
1. Does your department have an up-to-date copy of the department’s policy and
procedure manual?
2. Are written policies and procedures maintained for all departmental functions?
3. Are these policies and procedures reviewed and updated annually?
4. Does your department have an organisational chart that clearly defines lines of
authority and responsibility?
5. Are current job descriptions on file for each employee in the department?
Cash Receipts
3. Are cash receipts kept in secure storage until deposited?
4. Are deposits made daily to the cashier's office?
5. Are cash receipts deposited intact with no expenditures made from collections?
6. Is cash that has been received and deposited reconciled monthly?
7. Are cash receipts recorded and used only for the purpose for which they were
received?
8. Are cash handling responsibilities rotated among two or more employees when
possible?
9. Are numerically controlled receipt slips used for all cash receipts received in the
department?
10. Are numerically controlled cash-receipt slips accounted for and reconciled on a
regular basis?
Petty Cash
Travel
1. Is all travel reviewed for benefit to the department versus its cost prior to trip
approval being given?
2. Are travel plans made sufficiently in advance to obtain the most favorable
transportation rates?
3. Are travelers required to provide original receipts for all travel expenses?
4. Are direct advance payments and use of credit cards encouraged over cash travel
advances?
5. Are travel expense reports reviewed in detail prior to being approved for
reimbursement?
6. Are travel expense reports required to be completed in the time frames specified by
policy?
7. Are unauthorised personal expenses excluded from travel expense reports?
8. Are travelers required to review the travel policy prior to traveling?
Purchasing/Online Requisitioning
Payroll
1. Are all staff time records reviewed and electronically authorised by the department
administrator?
2. Are copies of timekeeping screens printed and retained on file for agreement to labor
reports?
3. Are overtime hours reported verified for reasonableness and proper approval?
4. Are pay checks distributed by someone other than the timekeeper?
5. Are undistributed pay checks returned to the Treasurer's Office after three working
days?
6. Are staff distribution and vacation/sick accrual reports reviewed at each pay period by
the department administrator for reasonableness?
7. Are staff time cards periodically compared to time keeping screen copies by the
department administrator to assure that actual hours are being recorded accurately?
Fraud Indicators
The role of internal audit has been ignored in all discussions on governance. The reasons for
this need detailed examination. Is it lack of independence of the audit function? Is it that the
audit is conducted by staff members who do not understand modern concepts of auditing?
The quality of audit work is directly correlated with independence and importance accorded
to the internal audit function in an organisation. The poor status of the internal auditor is the
main reason why competent staff are reluctant to take up this work. As a result, most
departments do not have an efficient and effective internal audit department.
The head of internal audit needs to be elevated in the hierarchy to a level consistent with that
of the Chief Accounts Officer or more to minimise discounting of internal audit inputs, and
enhance the quality of audit.
Internal auditors also have a special responsibility since no precise set of guidelines exists for
best practices in ‘Governance’. A few suggested concepts in this regard are:
1. Internal auditors must identify forces that impact governance. They must constantly
fine tune their knowledge of these influences; and they must articulate, and
recommend to management and audit committee, actions that will help the
organisation against both traditional and emerging risks;
4. Internal auditors must be creative and aggressive as they seek strategies to add
value, safeguard assets, and promote effective governance.
The internal auditor needs to keep continuously up to date with changing times and
technologies and sharpen his skills. By applying skills to the most critical points, building
personal and professional credibility and recognising and responding to the needs, internal
auditors can become indispensable, speeding good governance.
However, recognising the need to sharpen focus for bringing change is the easier part;
implementing strategic change and measuring the results is by far the greater challenge. Too
often internal audit change initiatives fail, and the desired outcomes are never realised. By
incorporating proven change management and project management techniques throughout the
transformation process, internal audit functions can implement change initiatives quickly and
effectively.
One part of internal audit's consultancy work would be to work with the management to
improve systems, processes and methods of working. With regard to using Information
Technology (IT) tools to simplify processes, internal audit could identify control weaknesses
prior to the system going live. Identifying loopholes and strengthening the system during its
development is desirable, as it is more cost effective than trying to change the system
at a later date; this will allow the controls to be fully tested and will not delay the
implementation of the project.
Internal audit may be able to offer a proactive approach, providing advice on a
framework for risk management on the project and facilitating risk identification, assessment
and mitigation through the implementation of controls.
Conclusion
By using best practices, internal audit functions can significantly enhance the probability of a
successful transformation. In addition, many of the tools and strategic approaches used in the
transformation process (such as detailed communications plans, teambuilding and change
management techniques) have applications that go beyond the transformation process, and
can be used to enhance basic internal audit strategies. We have seen the value of using these
best practices to ensure the most effective transformation possible, and it is well worth the
additional time and effort they require.
Appendix 1
(Case study: Government Treasuries, Education and Health Departments)
Current scenario:
The role of internal audit is to evaluate and report on the effectiveness of the internal control
system, highlighting any deficiencies and the risks they pose for the achievement of the
organisation’s objectives.
Internal audit is a relatively new phenomenon in state governments in India. The various
codes and manuals, quoting various government orders on the functions and duties of
personnel, require the establishment of an internal audit function in each government
directorate. It is the placement by the Directorate of Treasuries and Accounts (DTA) of a Chief
Accounts Officer (CAO) in each of these Directorates which enables internal audit to be
undertaken. The CAO supervises the internal audits and reports to the Head of Department
(HoD).
A specific evaluation would reveal that significant weaknesses exist in the internal audit
arrangements of departments/projects. It is understood that many, if not all, departments
share these weaknesses. Indeed, the features of the internal audit functions are such that the
internal audit might be better described as departmental inspection. The figure below sets
out these key features, highlighting the weaknesses.
Departmental internal audit
• Their accounts duties will habitually lead them to work with district and field accounts
staff and undertake accounts work;
• The staff in the name of internal audit would end up only answering AG audit
observations on behalf of the department.
Objectivity and independence of management of internal audit: As laid down by the
various GOs and Manuals, internal audit is the responsibility of the CAO. The overall audit
function thus lacks the required independence, as the CAO is also responsible for the accounts
and thus financial control.
• The various codes and manuals set down the role of internal audit as being “to conduct
internal audit of all monetary transactions in the department”;
• Internal audit reports often start with a statement that the auditors have conducted an audit
of the accounts;
• Internal audit reports normally state that they cover a number of years, i.e. the period
from, e.g., 1997-2002. This defeats the objective of internal audit, which is not to cover
transactions (and therefore, could cover several years) but to evaluate and report on the
effectiveness of internal controls. While controls can be evaluated for their effectiveness
over time, this period would not normally exceed one year.
Audit approach: The audit teams use an internal audit questionnaire which is normally
outdated and generally cannot be followed. Hence, there would be
no audit trail of results and conclusions on which to base the audit reports. This raises
considerable risks.
Sufficiency and proficiency: Internal audit holds the last priority on the list of works to be
done and the staff are usually cobbled together, which means they are not deployed on internal
audit full time. This deployment is thus inadequate. The auditors are usually graduates who
have passed the accounts tests of the Treasuries and Accounts Department, but they have
neither specific internal audit qualifications nor training.
Inadequate coverage and timeliness: Coverage and timeliness of audits are generally
inadequate, as set out below.
• The Directorates generally cover four district offices per year on a general check. Thus,
each District office is only audited every 5 years approximately. Units below the district
offices are visited much less often of course; some have not been audited for a decade.
Clearly, the huge number of units below the district offices will make regular audits of
them difficult, but the same cannot be said for district offices. The irregularity of the
visits undermines the validity of the audit substantially. It will be difficult to determine
which rules were in place at the time of the transaction or event, to gather required
documentation, and to hold officers accountable.
• Inadequate responsiveness to internal audit: Departmental responsiveness to
internal audits is generally poor. Even the significantly more valuable internal audits
undertaken by certain directorates do not generally generate any responses from district
offices. This is due to a number of factors, but the fact that there are no internal audit
committees at the district level may also play a role.
In conclusion, therefore, although the work is known as “internal audit” in many ways it is
more akin to inspection visits. Furthermore, its effectiveness has been low.
Internal audit has the potential to substantially reduce fiduciary risk; it is imperative that
effective internal audit units (staffed by professionals with proven records of integrity) are
established across Government, reporting to the HoD to build his accountability for internal
controls, and that this initiative receives the requisite resources.
General weaknesses in Government departments that need to be targeted by the Internal
Auditors include:
• Absence of receipt books in cases where receipts of monies existed;
• Absence of control registers to ensure receipt of Utilisation Certificates;
• Absence of commitment and arrears control means that transactions cannot be traced from
their inception;
• Internal controls systems, and responsibility for them, are insufficiently well defined;
• Key codes and manuals are generally not updated and not in tune with changing times;
• Asset registers do not contain details of their cost nor the payment transactions, thus
preventing assets being traced back to their original purchase documentation;
• Key registers and documents are available for inspection on site. However, supporting
documentation and responses are generally tardy, suggesting that supporting
documentation was not readily available;
One area that is particularly weak is records management, which together with accounting, is
in the process of being computerised in many departments. It is essential that arrangements
are in place to back up data and ensure that records can be maintained or recreated to ensure
data security and the availability of financial information. However, the following were noticed:
• Absence of policies regarding maintenance, backup, movement of data, hardware and
software in each department;
• Inadequate back up arrangements, i.e., some offices take backups on hard, floppy and
compact discs, and they are stored in the same room as the main data source;
• No Disaster Recovery Plan (DRP) or arrangements for alternative activity continuity
facilities have been made;
• Furthermore, staff members do not have necessary training in order to be confident in
using technology. This enhances the risk of error in data entry;
• Outdated Internal Control Questionnaires and audit checklists.