ARD OPERATIONAL PROCEDURE 6.- Audit Reporting

Size: px

Start display at page:

Download "ARD OPERATIONAL PROCEDURE 6.- Audit Reporting"

Bertram Blair
6 years ago
Views:

1. Purpose The purpose of this procedure is to provide guidance and authority to internal auditors in the reporting of their work and to ensure consistency and completeness of the reporting function.

1 1. Purpose The purpose of this procedure is to provide guidance and authority to internal auditors in the reporting of their work and to ensure consistency and completeness of the reporting function. 2. Business Assurance 2.1 Initial Report The Lead Auditor is responsible for the preparation of initial report within 10 working days after the completion of the fieldwork. In preparing the report, the Lead Auditor must: Review the Working Papers Normally the Lead Auditor (or nominated auditor) will have the week following the fieldwork visit scheduled for report writing and will begin by: a. ensuring there is sufficient documented evidence to support the audit findings and control ratings recorded in the audit program in accordance with the following guidelines: The gathered information should be sufficient, competent, and relevant, and it should be able to withstand challenge. It must be representative of the total population or system under review or, if an isolated instance, be a significant defect. There may be disagreement with an auditor's interpretation, but if the condition is properly identified, there will be no reasonable basis to disagree with the facts that the auditor has gathered. b. seeking clarification from the field auditor if there is insufficient evidence to support the control rating or the findings are unclear; c. reviewing the audit summaries drafted in the audit program by the field auditors for completeness; d. reviewing the audit comment or recommendation for propriety and effectiveness in accordance with the following guidelines: Recommendations describe the course of action management should take to correct the audit-identified condition. Recommendations are most constructive when they are directed as resolving the cause of identified problems, are action oriented and specific, are addressed to parties that have the authority to act, are feasible, and to the extent practical, are cost-effective. e. reviewing and finalising the cross referencing of the test papers and supporting documentation to the relevant audit step in the audit program; f. reviewing the audit program for completeness; and g. ensuring all of the working papers are appropriately referenced and collated and stored on TRIM in accordance with the TRIM audit file naming convention. Electronic Audit File The Lead Auditor must maintain the electronic (TRIM) audit file, which is created when planning the audit project, during the course of the audit. Report Template - All business assurance reports will be prepared using the business assurance report template and renamed in accordance with the following naming conventions: a. save the template into the TRIM folder set up during the audit planning; b. rename the document using the audit File Name shown in the Annual Audit Plan; and

2 c. use the prefix RPT and the suffix V0.01 in the audit report file name. Audit Findings and Recommendation When finalising the audit findings and recommendations for the audit report the auditor will address the elements set out in Audit Findings and Recommendation Guidelines and complete the appropriate sections in the audit report template. Executive Summary The Lead Auditor will prepare an Executive Summary for the audit report which is generally no longer than one page in length. The summary should state the overall control rating and briefly report on the following: a. Significant Risks - areas identified as needing immediate corrective action; b. High Risks - Should be addressed in the short term- control weakness which has the potential to compromise the system of internal control and/or operational efficiency; c. Medium Risks - Should be addressed in the medium term control weakness which could undermine the system of internal control and/or operational efficiency; d. Better practice methodologies that were in place; and e. Acknowledgement of staff assistance during the audit. 2.2 Supervisory Review The supervisor will review the initial report and the audit file and provide feedback to the Audit Team within 5 working days of receipt of the file. When submitting the initial report for supervisory review, the report together with a printed copy of the completed audit program and collated work papers must be placed on the TRIM audit file. Evidence of supervisory review will be documented by completing Sections 1 and 2 of the Supervisory Review Checklist which must be initialed and signed by both the auditor (usually the Lead Auditor) and the supervisor (usually the Director or Associate Director) and placing it on the TRIM audit file. In accordance with the Internal Quality Assurance Program, an independent quality review may be undertaken and will be documented on the Supervisory Review Checklist. 2.3 Audit Report Once the supervisor has signed off on the initial report, the Lead Auditor will: make necessary corrections to the report; populate the Implementation Plan (Section 4 of the audit report) with the approved recommendations; rename the electronic file with the suffix V1.0 populate the Evaluation Form; prepare the Business Assurance Audit Report Memo using the standard template; and distribute the initial report and the Memorandum to the responsible officer (Cost Centre manager) and to all direct line managers up to the level of DVCR, PVC, COO and LCEDG. 2.4 Management Response The Lead Auditor must contact the responsible officer if the response to the audit report has not been received within 20 working days of issuance. the response time may be extended up to another 10 working days without approval from the Director Audit and Risk;

3 if the response has not been received within 30 working days of issuance, the matter must be referred to the Director Audit and Risk for resolution; and for responses received, the Lead Auditor must ensure that: a. agreement or disagreement with the audit findings and recommendations has been indicated; b. a date that the recommendation will be implemented has been indicated and is within a reasonable timeframe (within 12 months of the end of the field visit and in accordance with Follow up of Audit Issues Policy) ; and c. additional comments are relevant and brief in nature (lengthy responses may be included in an appendix to the report). 2.5 Resolving Disagreements and Late Responses If management disagrees with the audit findings or recommendations the Lead Auditor must: contact the responsible officer and try to clarify any error or omission in the audit findings; request an alternative corrective action that achieves the control objective; seek advice from the Director Audit and Risk if disagreements cannot be resolved; if required, seek approval from the Director Audit and Risk in writing to withdraw the recommendation and place the written approval on the audit file; where there are material errors or omissions, make corrections to the audit report and resubmit the report to the supervisor for review; rename the report using the next version control suffix; and redistribute the audit report for management responses if required. 2.6 Audit Issues Register Details from the Management Response must be entered into the Audit Issues Register and monitored in accordance with the Follow Up of Audit Issues Policy. 2.7 Final Version The Management Responses must be saved into the last version of the audit report and saved with the suffix V Corporate File To comply with UNE s corporate recordkeeping policies, the Lead Auditor must ensure the final report is recorded within the TRIM recordkeeping system. 2.9 Audit and Risk Committee The final report will be tabled at the next scheduled Audit and Risk Committee (ARC) meeting that occurs after the receipt of the management response. The Lead Auditor must save an electronic copy of the final audit report and management response into the Reports folder for the next ARC meeting and advise the Director Audit and Risk Final Sign-off The Lead Auditor must complete Section 3 of the Supervisory Review Checklist and print it, sign it and place it on the lllllllllllllllllllllllllllllllllllllllllllllllllllltrim audit file.

4 3. Operational and Information Systems 3.1 Draft Audit Report The Lead Auditor is responsible for the preparation of draft audit report within 10 working days after the completion of the field work. In preparing the audit report, the Lead Auditor must: Review the Working Papers Normally the Lead Auditor (or nominated auditor) will begin the preparation of the draft report by: a. reviewing the work of the audit team members; b. ensuring there is sufficient documented evidence to support the audit findings and risk ratings; c. seeking written clarification from the auditor where there is insufficient evidence, making appropriate notation in the audit work papers and placing this clarification on the audit file; d. cross referencing of the test papers and supporting documentation to the relevant audit finding; e. reviewing the audit working papers for completeness; and f. ensuring the working papers are in the TRIM audit file. Electronic Audit File The Lead Auditor must maintain the electronic audit file which is created when audit planning is approved. Report Template - Audit reports will be prepared using the one of the standard templates: Table based or Narrative. a. rename the document using the audit name and the prefix RPT and the suffix V0.01; and b. save the template into the TRIM audit file set up during the audit planning. Executive Summary The Lead Auditor will prepare an Executive Summary for the audit report which includes: a. Conclusion - the overall risk rating for the audit; b. Key strengths - positive statements about operational results and staff abilities c. Areas for improvement - summary listing of risks (audit findings) identified as: Significant: Requires immediate attention significant weakness which will compromise the system of internal control and/or operational efficiency if not addressed immediately. High: Should be addressed in the short term - control weakness which has the potential to compromise the system of internal control and/or operational efficiency. Medium: Should be addressed in the medium term control weakness which could undermine the system of internal control and/or operational efficiency. d. Observations (Low Risk Items) Represents an opportunity for improvement a weakness which does not seriously detract from the system of internal control and/or operation efficiency; e. Acknowledgement of cooperation and assistance and mention of any better practice methodologies that were in place; and f. Key to findings standard disclosure about audit risk rating; and g. Action Required standard paragraph about response to the audit report.

5 Background The Background is usually the same narrative used in the Audit Proposal Sections 1-4 (Introduction, Audit Objective, Scope and Methodology and the Audit Resources). Make sure that the verbs are present or past tense rather that the future tense used in the Proposal. Detailed Audit Findings Record the detailed findings, the risk implications and any audit recommendations in report template. Attachments Attachments (A-Z) include the Risk Rating document and any other analyses or documentation prepared by Audit that support the audit findings and conclusion. Appendices Appendices (1-X0) are additional information or clarifications provided to Audit that provide better understanding of the risks identified. Note that excessive use of appendices will increase report size and may hinder electronic distribution of the report. On a six monthly basis, usually during June and December, the Director Audit and Risk will review all of the outstanding recommendations and consult with the responsible Lead Auditor on those recommendations that have not been satisfactorily implemented on a timely basis. Action must be taken on recommendations that have been outstanding over or are approaching 12 months since the issuance of the final report and documentation placed on the file. 3.2 Follow Up Audits A follow up will be undertaken for any audit that has resulted in an unsatisfactory control (UC) rating. This follow up will be scheduled within 6-12 months of the issuance of the UC rated report and will focus on the high and medium risk findings. The follow up audit will: be conducted in accordance with the procedures for Audit Planning and Audit Fieldwork; have a report issued in accordance with the procedures for Audit Reporting using the Follow Up Report template; include an Implementation Plan for any outstanding high or medium risk recommendations; and include follow up actions in accordance with these procedures. 4. Administration Data Document Type: Protocol Document Owner: Audit & Risk Directorate TRIM reference: D12/ Date approved: 14/02/2013 Due for review: 2 years from approval Responsible party for review: Director, Audit & Risk Directorate Approved by: Mr Brendan Peet University Secretary For and on behalf of the UNE Council signature Help Contact Director, Audit & Risk Directorate

6 Related policies or other documents: TPP Internal Audit and Risk Management Policy for the NSW Public Sector International Standards for the Professional Practice of Internal Audit Follow-up of Issues Raised in Audits/Reviews Policy

COMPLIANCE WITH THIS PUBICATION IS MANDATORY

BY ORDER OF THE COMMANDER AIR FORCE AUDIT AGENCY AIR FORCE AUDIT AGENCY INSTRUCTION 65-105 19 NOVEMBER 2010 Financial Management INTERNAL QUALITY CONTROL PROGRAM COMPLIANCE WITH THIS PUBICATION IS MANDATORY