The role of Internal Audit
The Institute of Internal Auditors defines internal auditing as:
“An independent, objective assurance and consulting activity designed to add value and improve an organisation's operations. It helps an organisation accomplish its objective by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.”
The internal audit activity should therefore evaluate and contribute to the improvement of risk management, control and governance systems of the organisation. Typical input/responsibilities of the internal audit activity should include, amongst others:
The Internal Audit Activity should assist management in achieving the goals of the Municipality by evaluating the process through which:
• Goals and values are established and communicated.
• The accomplishment of goals is monitored.
• Accountability is ensured and corporate values are preserved.
Internal Audit should evaluate whether the controls, which management relies on to manage the risks down to acceptable levels, are appropriate and functioning as intended (i.e. are they effective yet efficient) and propose recommendations for enhancement or improvement.
The Internal Audit unit will conduct audits in accordance with the “Code of Ethics” and “Standards for the Professional Practice of Internal Auditing” of The Institute of Internal Auditors, as well as other corporate governance regulations.
Internal Audit Strategic/Coverage Plan
The “Standards for the Professional Practice of Internal Auditing”, as issued by the Institute of Internal Auditors, require that: “The internal audit activity’s plan of engagements should be based on a risk assessment, undertaken at least annually. The inputs of senior management should be considered in this process.”
The critical success factors for an effective Internal Audit Plan are that it:
• Is aligned with strategic objectives of the organisation.
• Covers the strategic risk areas facing the organisation.
• Is risk based – addresses the key risk areas/concerns of management.
• Is prepared in consultation with management, the audit committee and external auditors.
• Matches assurance needs with available resources.
The Internal Audit Plan will be aligned with the strategic risks identified and could encompass risk-based, compliance, financial discipline and cyclical reviews.
The output of the risk assessment process at the Municipality will, amongst others, be used to develop the Internal Audit plan by:
• Identifying and allocating a priority ranking to the respective audit areas.
• Based on experience, establishing the need and appropriateness for specific types of audits/reviews.
• Assessing the level of audit skills and estimating resources required for each type of audit/review.
• Determining a proposed timetable for the respective audits/reviews.
The planned audit activities will be focussed at strategic, process and component level as appropriate.
The plan for each year will be determined by the priority ranking (based on the risk assessment) of identified audit areas and the expertise and resources available to Internal Audit.
Internal Audit reports via the Accounting Officer to the Municipal Audit Committee and has unrestricted access to the Chairperson of the Audit Committee, the Accounting Officer and Senior Management.
Internal Audit is authorised to:
• Have unrestricted access to all relevant functions, records, property and personnel.
• Have full and uninhibited access to the Audit Committee and the Accounting Officer.
• Allocate its own resources; determine frequencies, subjects, scope of work to be performed; and apply the techniques required to accomplish its audit objectives.
• Obtain the necessary assistance of personnel in the various departments, sections and units of the Municipality where they perform internal audit reviews, as well as other specialised services from within or outside the organisation.
Internal Audit is not authorised to:
• Perform any operational duties for the Municipality.
• Initiate or approve accounting transactions external to the Internal Audit Activity.
• Direct the activities of any Municipality employee except to the extent that such employees have been appropriately assigned to the internal auditing teams or to otherwise assist the internal auditors in carrying out investigations.
Types of audits
Below is an overview of the various interventions that are planned to address the identified audit areas. The nature of work will depend on the areas subjected to review.
Management and Performance Audits
Management audits entail the review and evaluation of the adequacy of the application of Generally Recognised Accounting Practice (GRAP) in achieving desired objectives of the Municipality. The audit approach may include the following, as appropriate:
• Obtain information regarding overall Department objectives and goals – assess alignment with Municipal strategic objectives and values.
• Gather details regarding the management planning process of the component. The management planning process consists of a series of distinct steps preceded by an input from the strategic planning process and ending with an output in the form of short-term financial plans or budgets.
• Obtain information relating to the directing of the plan and evaluate the adequacy of these management actions – consider, inter alia:
– Delegation of authority & institutional arrangements.
– Policies and procedures.
– Social commitment.
– Communication and information.
• Obtain information relating to the controlling of the execution of the plan – consider, inter alia:
– Monitoring of relevant performance indicators.
– Management information systems.
– Income and expenditure analysis.
– Staffing levels and movements.
– Human Resource Management.
– Asset Management.
• Evaluate actual circumstances against accepted norms and practices.
• Identify emerging issues and provide management with the assurance that the relevant matters are properly attended to.
Management audits involve, inter alia, the preparation of high-level process analysis documents, the review of relevant information, discussions with management and staff, audit fieldwork (primarily walk-through tests, enquiry and observation techniques) and interrogation of data files.
Performance audits are generally based on the methodology used by the Auditor-General and are used to evaluate the process by which the Municipality achieves its strategic and operational objectives. Internal Audit (in conjunction with management) would typically identify a focus area (a specific component of the entity) and investigate it with a view to recommending actions to improve the economy, efficiency and effectiveness of its operations.
Risk based, compliance and financial discipline reviews
The objective of these types of reviews is to evaluate the adequacy and effectiveness of controls in respect of key business processes and related risks (linked to the strategic objectives / risk of the Municipality).
The review process should at least include the following general activities:
• Prepare / update the Process Understanding Documents (PUDs) to extend the understanding of the process. This includes the identification of process-level objectives, risks and controls.
• Evaluate the methods of safeguarding assets.
• Evaluate the process in place to ensure the complete, accurate and timely recording of transactions.
• Evaluate and test the adherence to current policies, procedures, laws and regulations.
• Evaluate the adequacy of the current controls in place – in terms of reducing risk and promoting achievement of objectives.
• Evaluate the effectiveness of current internal controls in place for the period of review.
• Formulate recommendations for reducing risks, improving controls and increasing adherence to policies, procedures, laws and regulations.
• Confirm the findings with management and obtain agreed management actions with target dates and designated responsible officials.
IT Reviews include the evaluation of risks and internal controls within the computer information system environment to ensure the validity, reliability and security of information. Furthermore, it includes the assessment of the efficiency and effectiveness of the computer information system environment.