Executive Council Office
Audit Services
ECO Online
Audit Process
- Purpose
- How it's done
- Phase 1 – Planning
- Phase 2 - Fieldwork
- Phase 3 - Reporting
- Phase 4 – Follow-up
Programs and services are selected for internal audit using a risk assessment process. This identifies programs with the highest risk and/or greatest potential payback to the government.
- Provide comfort to management that operations are well-managed, efficient, and within the bounds of applicable laws, regulations and policies;
- Detect weaknesses in systems, controls and management practices, and recommend improvements; and,
- Identify opportunities to reduce expenditures, increase revenues and better protect government's assets.
In fulfilling this mandate, the internal audit function determines whether systems, controls and governance processes, as designed and represented by management, are adequate and functioning in the following manner:
- Risks are appropriately identified and managed;
- Programs, plans and objectives are achieved in an efficient and effective manner;
- Reliable, complete and accurate financial and operating information is provided on a timely basis to management for decision-making and accountability;
- Statutory, regulatory or contractual requirements are recognized and addressed appropriately;
- Activities and processes are in compliance with directives, policies, procedures and applicable laws and regulations; and
- Resources are adequately protected, used economically and effectively applied against stated priorities.
HOW IT’S DONE
An internal audit includes:
- Comparing “what is” (actual performance) against “what should be” (expected performance);
- Analyzing and evaluating differences between actual and expected performance; and
- Reporting gaps between actual and expected performance and making recommendations to support management in minimizing risk exposure.
The planning phase answers three basic questions:
1. What will be looked at during the audit? (the scope)
These are the “things” (activities, systems, business processes, financial affairs, documents, people, and locations) that will be looked at during the course of the audit engagement. For example, the scope may be defined as an examination of all government offices within a department providing direct services to citizens or specific program activities.
2. What questions will be answered? (the objectives)
These identify “what” is to be accomplished by looking at the scope items. For example, as above, an internal audit may look at the government office providing direct services to citizens (the scope) to determine whether the office is accessible to the citizens that it serves (the objective). More often than not, objectives are prefaced with the terms:
- To determine whether…
- To assess whether…
- To provide assurance that...
It is the job of the internal auditor to conclude on the objectives established in the audit.
3. How the objectives will be answered? (the criteria)
Criteria are the “measuring sticks” that an internal auditor will consider in concluding on performance relative to an audit objective. For example, in concluding on the objective noted above, criteria may include:
- The office is located within 20 minutes travel time for 80% of the clients who use the office.
- The majority of clients served by the office feel it is conveniently located.
- Office hours of operation are appropriate to meet the needs of the clients.
- The office is accessible to physically impaired people.
By responding to all the criteria underlying an objective, an internal auditor is able to reach an objective, factual and fair conclusion to the question posed by the audit objective.
To ensure success of the internal audit, it is important that the organization being audited participates in the planning process. Organizational input into the development of the audit criteria is key.
At the conclusion of the planning process, Government Audit Services develops a Planning Memorandum. This document sets the terms of reference for the audit engagement including the overall purpose, scope, objectives, resources and scheduling of the audit. The Planning Memorandum is reviewed and approved by the department or manager within the organization being audited.
During the fieldwork phase, sufficient, relevant and reliable evidence of actual performance is gathered and compared to expected performance. Rather than finding fault, the intent of internal auditing is to identifying gaps between actual and expected performance. While all differences are noted, only significant differences are identified in the reporting phase.
For example, if the expected performance is that sensitive documents are kept in a locked safe, and the actual performance, based upon fieldwork, shows that sensitive documents are kept in an unlocked desk drawer, the auditor would note this difference.
In determining the significance of the difference between actual and expected performance, the internal auditor will consider a number of factors. In drawing a conclusion, the internal auditor will rely upon their independence from the process being examined, their objectivity as a person disinterested in the outcome of the audit, and on the professional judgment gained through training and experience.
Internal auditors may conduct interviews, surveys, run focus groups, review documentation, analyze reports, prepare calculations, consult experts, and employ any number of other techniques that help them to obtain sufficient, relevant and reliable information.
The conclusions reached by Government Audit Services are professional opinions, based on the evidence collected and the analysis performed, as to how closely actual performance compares to expected outcomes.
Internal audit recommendations are intended to assist management in improving actual performance to more closely reflect expected performance.
Phase 3 - Reporting
Although an end product of any internal audit is the report to management, the management reporting process starts at the beginning of the audit assignment, and continues throughout the course of the audit.
The contents and structure of the report are considered during the planning phase and modified as necessary during fieldwork. Like the planning and fieldwork phases, the internal audit report continues to evolve and change over the course of the audit as new information and new perspectives are revealed.
Progress reports are provided to management throughout the internal audit. By working closely with the management and staff of the organization being audited, Government Audit Services can ensure that the report that is prepared contains no surprises. All significant issues and the related recommendations will have been fully discussed with the organization prior to the issuance of the final audit report.
A first draft of the report is issued to management in order to achieve agreement on the accuracy of the information contained in the report, the suitability of the recommendations and the validity of the conclusions.
A second draft report is issued to management, at which time an action plan is developed by management that addresses the audit issues. The recommendations contained in an audit report suggest what needs to be done. How the recommendation is implemented, however, remains the responsibility of management. A final report, including the action plan, is issued to the Deputy Minister and the Audit Committee.
Phase 4 – Follow-up
With the release of the final audit report, there is an expectation that management will follow-up and report on the actions in the action plan. To encourage that outcome, Government Audit Services follows up on the status of the recommendations and may decide to conduct a follow-up audit. During the follow-up audit, internal auditors assess the extent to which management actions have been implemented.