PUBLIC INTERNAL AUDIT MANUAL
INTRODUCTION
This manual has been prepared by Internal Audit
Coordination Board (Board) pursuant to paragraph (1) of Article 10
of By-Law on the Working Procedures and Principles of Internal
Auditors and approved by Board Decision No.5 dated 07.04.2008.
This manual is composed of
two parts. In the first part, general framework including internal
audit process is explained, whereas sections on principles regarding
each internal audit practice are included in the second part.
Internal audit units shall
adopt the methodology included in the first part of this manual for
the subjects in their duty fields, and prepare their own audit
manuals with regard to each internal audit practice in accordance
with the principles included in the second part and send a copy to
the Board. In preparation process of mentioned audit manuals, they
may benefit from generally accepted national and international
practices.
Although the audit manuals are guiding, they do
not limit auditing capabilities of internal auditors and do not
prevent improvement of internal audit practices.
Internal audit units shall review the manuals, to
be prepared in accordance with this manual, once a year considering
whether their audit manuals are efficient and adequate in terms of
planning, programming, realization and management of internal audit
activities and shall notify the Board of the amendments.
Internal audit activity is
composed of compliance, performance, financial, information
technologies and system audits. Each internal audit activity is
composed of the following processes: planning, executing the audit,
reporting and monitoring.
INTERNAL AUDIT PROCESS
With a
view to ensure the expected added value, it is essential that the
internal audit is performed in line with the process below:
I. PLANNING
- Defining the audit universe
- Determining the audit fields
- Defining the risk criteria and grading the risks
- Prioritizing the audit fields
- Allocating the audit resources
- Preparing and approving the plan
- Preparing and approving internal audit program
- Notification to the auditor and the units to be audited
II. PERFORMING THE AUDIT
Preliminary study and individual work plan
1. Working papers and forms
2. Determining the goals of the audit
3. Data collection/preliminary research
4. Opening meeting
5. Identification of Potentially Problematic Areas (risk assessment)
6. Preparation of the individual work plan
Fieldwork
1. Application of audit tests
2. Obtaining findings and developing suggestions
3. Sharing findings with the auditee
4. Closing meeting
III. REPORTING
A. Preparing and Presenting Draft Audit Report
B. Preparing and Presenting Final Audit Report
MONITORING AUDIT RESULTS
A. Monitoring audit results
B. Evaluation of the audit
C. Evaluation of the auditor
Section One
PLANNING
Planning process in internal audit is composed of the
following stages: defining the audit universe, determining the audit
fields, defining the risk criteria and grading the risks,
prioritizing the audit fields, allocating the audit resources,
preparing and approving the plan as well as preparing and approving
the program. Relevant
works and transactions shall be performed in accordance with Manual
for Preparing Public Internal Audit Plan and Program and Manual for
Risk Grading in Public Internal Audit.
Following the preparation and approval of internal audit program,
each internal auditor shall be notified of his/her duty in writing
by internal audit unit (Annex: 1).
After
the internal auditors are assigned, letter of notification shall be
sent to the auditee by the internal audit unit (Annex: 2).
Section Two
PERFORMING THE AUDIT
A. Preliminary Study and Individual Work Plan
Auditing activity starts with preliminary study. The aim of the
mentioned study is to assist the internal auditor with getting
information necessary for his/her individual auditing activity.
Preliminary study is composed of the following stages: determining
the goals of the audit, data collection/preliminary research and
opening meeting. In the light of the information acquired,
individual work plan shall be prepared through finalizing the goals
of the audit, identifying the potentially problematic areas and
determining the scope of the audit.
In addition, an audit checklist shall be prepared during the
preliminary study. The audit checklist (Annex: 3) indicates the way
that the auditor should follow and provides the auditor who is
responsible for supervising the works performed by the auditor with
the current status of the audit. The list shall be filled in
following the completion of each step and filed together with the
working papers.
1. Working Papers and Forms
In
the preparation process of the audit, format and content of working
papers and forms to be used shall be determined.
All works performed during the audit, namely;
preparation for audit, risk and control assessments, tests,
information, evidence and results obtained as a result of these as
well as reporting and monitoring activities shall be documented
through working papers.
Working papers assist the auditor with performing
the audit and support the findings obtained by the auditor.
Standard
working paper sample to be used in the auditing activity, apart from
those whose format and content are specifically set such as risk
control matrix, is provided in the annex (Annex: 4).
Working papers shall be communicated to the internal audit unit to
be kept after completion of audit and provided for use of others,
when necessary.
2. Determining the Goals of the Audit
In
the scope of preliminary study, firstly, internal auditor shall
clearly set the goals that s/he desires to reach at the end of the
audit in line with the objectives envisaged in audit program, and
record them in the working papers.
3. Data Collection/Preliminary Study
Internal auditor, who determines goal of auditing activity, performs
preliminary research through collecting the data s/he may need,
prior to the audit concerned. S/he may meet with the managers of the
auditee or the concerned, if needed in this stage.
This stage is composed of obtaining significant information and
gaining experience in practice regarding the following items:
- Size, scope, goals and objectives of the field to be audited,
- Legislation, policies and procedures regarding the unit to be
  audited,
- Present controls,
- Work flow processes,
- Organization and management structure.
Some references that may be used to get the mentioned information
are as follows:
- Reports and working papers pertaining to the former audits,
- Reports prepared by external audit units and other audit units,
- Work/process flow charts,
- Organograms,
- Definitions of functions, works/duties,
- Accountability reports.
4. Opening Meeting
At the beginning of the audit, internal auditor
shall hold a meeting with the participation of managers of the unit
to be audited and the required staff. Following issues shall be
discussed in the meeting and a memorandum shall be issued at the
end: goals, objectives, scope and expected duration of the audit,
personnel who will provide assistance in auditing activity,
expectations from the personnel in the course of the audit,
expectations of the administration from auditing activity,
assessment of audit findings, reporting the audit results, how the
auditor and the unit will communicate with each other and if
requested from the auditors by the unit, how the consultancy
activities will be performed (Annex: 5).
5. Identification of Potentially Problematic
Areas (Risk Assessment)
At
the end of the risk assessment to be performed using data obtained
following the completion of data collection and preliminary research
stage, internal auditor shall identify the potentially problematic
areas with regard to the processes and the unit to be audited.
The first step to be taken with regard to the identification of the
mentioned areas is the definition of the main processes of the unit
to be audited. To this end, it is necessary to determine the work
processes of the unit, the relations between the processes, the
officials who take part in the processes and their roles as well as
the controls applied.
Work flow charts, which provide a visual point of view, may be used
in this stage. Clarity and simplicity are of utmost importance with
regard to work flow charts. Excessive detail may result in
overlooking the significant points. While preparing the charts,
standard symbols should be used.
After that, the existence of risks in the main processes that have
been defined shall be searched for. Some indicators pointing to the
existence of a risk are as follows:
· No/lack of planning,
· Organizational structure which does not ensure proper
  distribution of duties in terms of subjects, persons and units,
  and violates the principle of segregation of duties,
· Authority allocation which is inadequate with regard to
  establishing effective control on assets, liabilities, credits,
  payments and expenditures,
· Written procedures which are officially envisaged to be applied
  but which are ineffective or unclear and hard to understand, or
  whose cost is higher than their benefit,
· Lack of coordination in the cases where the working/duty field of
  the unit or field which is subject to audit is related to the
  other units or organizations,
· Expenditures, collections or credits at huge amounts,
· Existence of functions, processes, programs, projects and
  activities which have not been subjected to audit before,
· Conflict of interest among the personnel who have positions that
  can affect policies and activities or between the management and
  the mentioned personnel,
· Existence of transactions at an amount close to control and
  authorization limits,
· Complicated processes, programs and activities,
· No/lack of feedback mechanisms that inform the managers about the
  activities of the unit,
· Extraordinary activities and operations,
· New units and activities as well as projects on restructuring,
· Significant changes in organization and human resources.
The auditors may meet with the personnel of the unit which is
subject to audit with a view to ensuring that the current status of
the administration is understood correctly and to getting the
information required while determining the scope of the audit. Such
a meeting provides a significant source of information on possible
problems, sensitive issues and the fields that might be needed in
the course of the audit. Such exchanges of opinion may take place in
the stage of data collection and preliminary research, in the
opening meeting or in the course of fieldwork.
Lastly, present controls with regard to potentially risky areas
identified before shall be evaluated. However, there is no need to
review all of the controls. Since the audit resources are often
limited, it is almost impossible to do so. Thus, auditors shall
identify the controls at utmost importance in this stage and focus
on them.
After potentially problematic areas are identified, a “Risk Control
Matrix” (Annex: 6) shall be prepared with a view to grading them in
terms of their risk levels. The matrix includes the potentially
problematic areas (unit or process), the structural (natural) risks
with regard to the mentioned areas, the present controls against
these risks, the residual risks remaining after these controls and
an explanations section where the final assessments are performed
for each risk.
While preparing each section of the mentioned matrix, the following
instructions shall be complied with:
· As for the potentially problematic areas section, auditable (main
  or sub) units or processes shall be recorded.
· As for the structural risks section, natural risks shall be
  recorded with regard to each sub-unit or process.
· As for the control measures section, controls stated to have been
  applied by the administration with regard to each structural risk
  shall be recorded. However, whether the controls stated to have
  been applied actually exist or not shall be checked by the auditor
  using a limited number of tests, and the control measures section
  shall be revised accordingly.
· As for the residual risks section, the risks which remain after
  the controls applied by the administration with a view to
  eliminating or reducing the structural risks shall be recorded.
· As for the explanations section, the final assessment of the
  auditor with regard to each residual risk and the decision of the
  auditor on whether the relevant field will be included within the
  scope of the audit or not shall be recorded. Strengths of the unit
  or the process are included in the report as well, through
  assessing the adequacy and efficiency of the controls applied by
  the administration so as to eliminate or reduce the structural
  risks.
Audit
tests to be applied to the units or processes within the scope of
the audit field, in stage of preparing the individual working plan,
shall be included in the mentioned matrix. Expected controls may be
included in the matrix.
6. Preparation of Individual Work Plan
So as to achieve the expected goals of the auditing activities, the
internal auditor shall define the scope of the audit that s/he will
perform in a manner that it includes high risk areas, which have
been determined to be included within the scope of the audit under
the explanations section of the risk control matrix, and periods to
be audited with regard to these areas. Then, the tests that aim to
measure the “adequacy and efficiency” of the controls implemented
with regard to the risks in the units or the processes that are
included within the scope of the audit shall be given under the
section titled “tests to be applied” in the Risk Control Matrix.
While
planning the audit, provided that it is in accordance with the audit
period notified in the assignment letter for audit, the internal
auditor shall prepare an audit duration plan showing the main stages
of audit and their durations (Annex: 7).
While
planning the audit or during fieldwork; in case of a need for any
reason, to revise the audit sources or durations determined at the
beginning, the auditor shall prepare a form explaining the reasons
of such revision and present it to the internal audit unit
management (Annex: 8).
Internal auditor shall prepare individual work plan, which includes
goals and objectives of the audit, scope of the audit, methods for
obtaining, analyzing and evaluating the information, audit tests to
be applied to the units or the processes included within the scope
of the audit as well as estimated audit duration, and submit the
mentioned plan to the management of internal audit unit for its
positive opinion within the framework of audit supervision
responsibility (Annex: 9). Management of internal audit unit shall
evaluate adequacy of the mentioned plan, particularly its risk
control matrix and audit tests sections, in terms of achievement of
audit goals. In this regard, internal auditor may request for
correction or additional tests, if necessary.
B. Performing the Audit (Fieldwork)
Fieldwork is composed of the following stages: application of audit
tests, generating findings and developing suggestions, communicating
the findings to the auditee and closing meeting.
1. Application of Audit Tests
The tests stated in the individual work plan are
applied in this stage. Audit is the examination of processes,
records and documents with an aim to find out whether the controls
(stated to exist by the management) regarding the issues, which have
been decided to be included within the scope of the audit, work in
due manner.
Above mentioned works shall be written down and
supported by observations and researches. Use of electronic data
processing methods, which may affect reliability, accuracy or
usefulness of financial or statistical data and reports, shall be
evaluated as well. Mentioned tests, researches and observations as
well as findings shall be recorded in the working papers.
A few research techniques which may be used while applying the audit
tests are as follows:
Recalculation/application: is a kind of check carried out through
recalculating so as to find out whether the same result is obtained.
With this test, the internal auditor forms an opinion on the
reliability of the transactions performed by the auditee personnel.
Observation: The internal auditor, in person, observes and gets
information about the way transactions or activities are performed
in the unit subject to audit. Observation of the physical inventory
of the auditee might be given as an example.
Verification: is confirming the accuracy of the information that the
internal auditor obtains from a source by comparing it with the
information obtained from the same source or another source that is
more reliable.
Interview: The auditor gets information, in person, about the way
the transactions or operations are performed in the auditee through
meeting with the relevant personnel face to face. This method is the
shortest way of getting information on the problems or serious risks
encountered by the auditee. However, the information obtained from a
single source should be verified by other sources.
Evaluation of published reports or studies: means the review of the
studies and reports which have affected the audited unit/process.
Benefiting from the services as a citizen: is the determination of
whether the service provided by the public administration is in
compliance with the announced quality/standards through benefiting
from the mentioned service as a citizen.
Questionnaire: is a set of detailed and comprehensive questions with
an aim to determine the conditions or attitude regarding any
specific issue. A well-designed questionnaire (service evaluation
questionnaire / satisfaction questionnaire / self-assessment
questionnaire) provides useful information on issues such as the
efficiency and success of the process or the service provided.
Analytical examination: means assessment of the data on the basis of
the rational relation in/among the mentioned data. Analytical
examination is composed of researching defined fluctuations and
relations such as inconsistency among the relevant data or
considerable deviation in estimated amounts. Especially in the stage
of reviewing the audit as a whole and risk assessment, the internal
auditor applies analytical examination techniques so as to
understand the activity conditions of the auditee and its external
relations.
The auditor shall choose the most appropriate
method depending on the qualifications of the work. However, s/he
should take into account the costs to be covered while choosing the
method. The auditor should also make considerable effort to find and
use new and more effective methods.
1.1 Sampling
Sampling is defined as the application of audit
procedures to less than 100% of the population to enable the auditor
to evaluate audit evidence about some characteristics of the items
selected in order to form or assist in forming a conclusion
concerning the population, which means all works and operations to
be audited.
It is almost impossible or inefficient to examine
all of the information and documents during fieldwork and it is
possible to get reliable results by using sampling method. Thus, the
internal auditor may use sampling method while forming his/her
opinion on audit.
Besides statistical methods, non-statistical
methods may be used in sampling as well. However, when
non-statistical methods are used it is probable that the selected
sample does not represent the population. For this reason, results
of such study should not be regarded as the results that may be
obtained when applied to the population.
Design of the Sample:
When designing the size and structure of the
audit sample, auditor should consider the concrete audit objectives,
nature of the population as well as sampling and selection methods.
Sampling unit: Determination of the sampling unit will depend on the
purpose of the audit tests to be conducted in the course of
fieldwork. In this framework, the sampling unit is composed of
quantitative and qualitative components of each test subject.
Population: The population is the entire set of data from which the
auditor wishes to sample in order to reach a conclusion on the
population. Therefore the population from which the sample is drawn
has to be appropriate and verified as complete for the specific
audit objective.
Stratification: Stratification is the operation of dividing a
population into sub-populations with similar characteristics
explicitly defined so that each sampling unit can belong to only one
stratum.
Sample size: It refers to the part of the population that the
auditor will use to reach a conclusion on the population. When
determining sample size, the auditor should consider the sampling
risk, the amount of the error that would be acceptable and the scope
of the expected errors.
Sampling risk: Sampling risk arises from the possibility that the
auditor's conclusion may be different from the conclusion that would
be reached if the entire population were subjected to the same audit
procedure. There are two types of sampling risk:
- The risk of incorrect acceptance: Considering that the sample does
  not sufficiently represent the population, it is the risk of
  accepting a faulty case at population level as faultless, which
  arises from selecting an incorrect or inadequate sample.
- The risk of incorrect rejection: is the opposite of the risk of
  incorrect acceptance. Thus, considering that the sample does not
  sufficiently represent the population, it is the risk of accepting
  a faultless case at population level as faulty, which arises from
  selecting an incorrect or inadequate sample.
Tolerable error: It is the maximum error level, where the audit
results are not affected even if it is neglected. The auditor
determines the mentioned error level on the basis of his/her own
experiences considering the significance of the audit for the
administration, resource and cost of the audit as well as its
duration.
Expected error: These are the errors likely to occur in the
population and determined by the auditor considering error levels
identified in previous audits, changes in the organisation's
procedures and results of evaluation of internal control and the
results of analytical examination procedures. When the population is
expected to have an error level higher than the tolerable error
level, the auditor selects a larger sample. In opposite cases,
smaller sample groups may be used.
Determining the Sampling Method:
There are four commonly used sampling methods in two categories:
Statistical sampling methods:
· Random sampling: ensures that all combinations of sampling units
  in the population have an equal chance of selection.
· Systematic sampling: involves selecting sampling units using a
  fixed interval between selections, the first interval having a
  random start.
Non-statistical sampling methods:
· Haphazard sampling: in which the auditor selects the sample
  without following a structured technique, however avoiding any
  prejudices or predictions. Nevertheless, analysis of a haphazard
  sample should not be relied upon to form a conclusion on the
  population.
· Judgemental sampling: in which the auditor places a bias on the
  sample (e.g., all sampling units over a certain value, all
  negatives, all new users, etc.). It should be noted that a
  judgemental sample is not statistically based and results should
  not be extrapolated over the population as the sample is unlikely
  to be representative of the population.
The auditor is expected to select sample items in
such a way that the sample is expected to be representative of the
population in terms of the characteristics being tested. To this
end, all sampling units in the population should have an equal or
known probability of being selected.
Documentation in Sampling:
The working papers should include sufficient
detail to describe clearly the sampling objective and the sampling
process used. The working papers should also include the source of
the population, the sampling method used, sampling parameters, items
selected, details of audit tests performed and conclusions reached.
Evaluation of Sampling results:
Having performed, on each sample item, the audit
procedures which are appropriate to the particular audit objective,
the auditor should examine any possible errors detected in the
sample to determine whether they are actually errors or not. The
auditor should evaluate the qualitative aspects of the errors such
as the nature and cause of the error and possible effect of the
error on the other stages of the audit.
The auditor should consider projecting the
results of the sample to the population with a method of projection
consistent with the method used to select the sampling unit.
The auditor should determine whether errors in
the population might exceed the tolerable error, by comparing the
projected population error to the tolerable error, taking into
account the results of other audit procedures relevant to the audit
objective. If the projected population error exceeds the tolerable
error, the auditor should include this area in the audit scope,
allocate resource for this purpose and consider extending the audit
procedure.
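The sampling steps described above (stratification, systematic selection with a random start, projection of the sample error to the population and comparison with the tolerable error), as an added example that is not part of the manual. The `Item` record, the full examination of the high-value stratum, the ratio projection and all figures are assumptions constructed for illustration.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Item:
    """One sampling unit (hypothetical record layout, not from the manual)."""
    doc_id: int
    book_value: float     # amount recorded by the auditee
    audited_value: float  # amount established by the audit test


def stratify(population, threshold):
    """Divide the population into two strata; each unit belongs to exactly one."""
    high = [it for it in population if it.book_value >= threshold]
    rest = [it for it in population if it.book_value < threshold]
    return high, rest


def systematic_sample(units, sample_size, rng):
    """Select units at a fixed interval, starting at a random point in the first interval."""
    n = len(units)
    if not 0 < sample_size <= n:
        raise ValueError("sample size must be between 1 and the population size")
    interval = n / sample_size       # fractional, so units at the end of the list stay selectable
    start = rng.random() * interval  # random start inside the first interval
    picks = [min(int(start + k * interval), n - 1) for k in range(sample_size)]
    return [units[i] for i in picks]


def project_error(sample, stratum):
    """Ratio projection (an assumed method): the sample's error per unit of
    book value, applied to the book value of the whole stratum."""
    sample_book = sum(it.book_value for it in sample)
    if sample_book == 0:
        return 0.0
    sample_error = sum(it.book_value - it.audited_value for it in sample)
    stratum_book = sum(it.book_value for it in stratum)
    return sample_error / sample_book * stratum_book


def evaluate(population, threshold, sample_size, tolerable_error, seed):
    """Run the procedure and return the figures a working paper would record."""
    rng = random.Random(seed)  # recording the seed lets a reviewer reproduce the selection
    high, rest = stratify(population, threshold)
    # Assumption: the high-value stratum is examined in full, so its error is known.
    known_error = sum(it.book_value - it.audited_value for it in high)
    sample = systematic_sample(rest, sample_size, rng)
    projected = known_error + project_error(sample, rest)
    return {
        "method": "systematic, random start",
        "seed": seed,
        "stratum_sizes": (len(high), len(rest)),
        "selected_ids": [it.doc_id for it in sample],
        "sample_errors": sum(1 for it in sample if it.book_value != it.audited_value),
        "projected_error": projected,
        "tolerable_error": tolerable_error,
        # Projected error above the tolerable error: consider extending the audit procedure.
        "exceeds_tolerable": abs(projected) > tolerable_error,
    }


def constructed_population(n=600, error_rate=0.05, seed=1):
    """Constructed sample data: about 5% of documents are overstated by 10%."""
    rng = random.Random(seed)
    items = []
    for i in range(n):
        book = float(rng.randrange(100, 5000))
        audited = round(book * 0.9, 2) if rng.random() < error_rate else book
        items.append(Item(i, book, audited))
    return items


if __name__ == "__main__":
    result = evaluate(constructed_population(), threshold=4500.0,
                      sample_size=60, tolerable_error=5000.0, seed=2008)
    for key, value in result.items():
        print(f"{key}: {value}")
```

The returned dictionary holds the items the manual asks the working papers to document: the sampling method, its parameters, the items selected and the conclusion reached.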
2. Generating Findings and Developing Suggestions
The
internal auditor supports the findings obtained as the result of
application of audit test with adequate evidence, develops
suggestions to add value to the administration through evaluating
these findings.
The internal auditor shall classify the issues that s/he has
detected during the audit considering their importance and record
them in the findings form. The findings form shall include the
following: detection, reason, risks and effects, criteria,
suggestions (Annex: 10).
Under the findings form:
- the question “what is the fault or deviation?” shall be answered
  in the detection section.
- the reasons section determines the reasons of faults or
  deviations.
- the section of risks and their effects indicates the risks that
  the administration might encounter as a result of faults or
  deviations and probable effects of these risks.
- the criteria section explains due procedure within the framework
  of the relevant legislation, standards and good practices.
- the suggestions section defines the way leading to the desired
  situation.
The auditor shall ground the
findings and his/her opinions with regard to the audit in the
evidence. Audit evidence is composed of the information and
documents which are collected and used to support or prove the audit
findings.
The auditor shall evaluate the evidence s/he has
collected aiming at achieving the goal of audit in three aspects,
namely; relevance, reliability and adequacy.
Appropriate audit evidence is
determined by taking into account that whether a rational relation
exists between the evidence and audit goals and criteria.
So as to understand the
reliability of the audit evidence, the evidence should be evaluated
in terms of its source (internal, external), its nature (written,
oral, visual or electronic) and its reality (original, signature,
stamp etc.).
Considering the reliability of
audit evidence, the following principles are generally accepted:
· Written or documentary evidence is more reliable when compared to
  oral evidence.
· Evidence obtained from independent sources is more reliable than
  that obtained from internal sources.
· The evidence obtained by the auditor is more reliable when
  compared to that provided by the auditee.
· The original documents are more reliable than the photocopies.
If the audit evidence answers the significant questions regarding
the goal and scope of the audit, then it might be regarded as
adequate. If the same results are obtained when the tests regarding
this evidence are applied by a different auditor, then the audit
evidence is considered as objective and adequate.
Audit evidence shall be proportional to the
importance level and risks of audit subject.
Considering their types, audit evidence may be
classified under four titles: physical, oral, documentary and
analytical.
- Physical evidence: is generally obtained by observing the people
  and examining the assets. It should be supported by documenting
  the evidence obtained through observation by using examples or
  supporting additional observations. Supportive observation should
  be performed by another internal auditor and if possible with the
  participation of the representatives of the administrative unit.
  Photographs, maps, audio records and video records may be given as
  relevant examples. Observation results shall be recorded in the
  working paper.
- Oral evidence: is generally composed of the information received
  from internal and external stakeholders of the institution via
  inquiries and interviews. In fact, the mentioned information
  includes the statements of the relevant stakeholders. These
  statements provide important clues not always obtainable through
  using other audit techniques and also facilitate understanding the
  issue much better. However, supporting the oral evidence with
  documents instead of using it directly will ensure achievement of
  the audit goals through using reliable and appropriate evidence.
  While evaluating the reliability and relevance, the auditor should
  take into consideration the position, knowledge, expertise,
  credibility and forthrightness of the person being interviewed.
  If it is considered that the oral evidence will have a noteworthy
  impact on the audit results, a written statement or audio/video
  record that confirms the statements should be obtained.
- Documentary evidence: is the most common form of audit evidence.
  Documentary evidence may take various forms such as agreements,
  contracts, reports, invoices, minutes and letters. Besides, it is
  possible to obtain such evidence from electronic records in due
  manner and with due instruments.
  Reliability and relevance of documentary evidence shall be
  assessed in terms of its source in relation to the goals of the
  audit. Existence of a sound internal control system increases the
  reliability of the evidence obtained within the institution.
- Analytical evidence: is the evidence obtained through examining,
  calculating and comparing the relation between financial and
  non-financial information. Analytical evidence shall be collected
  on the basis of an assumption, which is “similar results are
  obtained under normal conditions”. Although analytical evidence is
  generally digital, there are a few cases where it does not have a
  digital characteristic. Analytical evidence may be obtained by
  performing ratio and trend analysis between the periods and also
  by subdividing the available information.
Under audit supervision responsibility, internal
audit unit management evaluates whether the tests stated in
individual work plan have been applied or not, the evidence
supporting the findings obtained at the end of the mentioned tests
are adequate or not, adequate sampling has been conducted or not and
in this regard whether additional examination is needed or not, and
records thereof.
3. Communicating the Findings to the Auditee
After
generating the findings, the auditor shall send the findings as
annexed to an official letter to the auditee to be deliberated in
the closing meeting.
4. Closing Meeting
The auditor and the auditee shall discuss the audit findings and
relevant suggestions in the closing meeting, and the results of this
meeting are recorded in minutes (Annex: 11).
Section Three
REPORTING
Reporting on the auditing activities shall be executed in accordance
with Public Internal Control Reporting Standards which has been
published by Board. Since preparation and dispatch of draft and
final report are included within the scope of individual audit
process, relevant issues are provided below in brief.
A. Presentation and Dispatch of Draft Audit
Report
The internal auditor shall prepare a draft report
considering the issues discussed between the auditor and the auditee
with regard to the audit findings in the closing meeting.
The auditor shall communicate the draft report to
the chief audit executive as annexed to an official correspondence
to be replied in a certain period of time. Chief audit executive
shall reply to the report, if needed after receiving the opinions of
the personnel and those concerned, and send it to the internal
auditor.
In case of a dispute regarding the level of risks
between the internal auditor and the chief audit executive, the
auditor shall record his/her assessment on this issue in the
report.
If the internal auditor and the chief audit
executive are of the same opinion about the level of risks, they
agree on the establishment of some measures within a reasonable
period of time, and the measures to be taken shall be regulated in
an action plan by the auditee.
B. Preparation and Presentation of Final Audit Report
The internal auditor shall present his/her final
report, which includes responses of the auditee and the evaluations
related thereto, to the head of administration via internal audit
unit. Chief audit executive is responsible for communicating the
final report to the concerned.
The reports, after being evaluated by the head of
administration, shall be sent to the units stated in the report and
to the strategic development units for due action.
The disputes between the internal auditor and the
auditee shall be settled by the head of administration. In case of
any dispute between the internal auditor and the head of
administration, the Board shall be informed about the issue so as to
contribute to the settlement of the dispute.
Section Four
MONITORING AND EVALUATION
A. Monitoring the Audit Results
Monitoring of the audit results is executed within the framework of
Public Internal Control Reporting Standards, which have been
published by the Board. Main principles with regard to monitoring
the audit results, aiming at ensuring the integrity of the audit
process, are as follows.
The corrective actions and advice recommended by
the internal auditor following the internal audit activity shall be
completed by the auditee within the time period indicated in the
relevant report. In cases where a certain period of time is required
to realize corrective action, such situation shall be indicated in
the response to internal audit report and the internal audit unit
shall be notified of the periodical developments in six-month
intervals by the relevant unit.
Head of administration shall follow up whether
the measures stated in the report have been taken or not. The head
of administration may perform the mentioned duty via internal audit
unit.
The actions taken by the auditee in accordance
with the report or reasons for not taking any action shall be sent
to internal audit unit to be communicated to the internal auditor.
The report summary, together with the actions
taken in accordance with the final report, shall be sent to Board by
the head of administration no later than two months as of the date
the mentioned report has been submitted to him/her.
Internal audit reports shall not be taken out of
the auditee, except to the Board, unless permitted by the chief
audit executive.
B. Evaluation of the Audit
Once the audit has been
completed, questionnaires may be conducted under the supervision of
the auditees by the internal audit unit, so as to evaluate the
audit. To this end, questionnaires (Annex: 12) shall be distributed,
and the completed questionnaires shall be sent to the internal audit
unit in a closed envelope by the units that are subject to audit.
The
questionnaires shall be examined and evaluated in detail by internal
audit unit management in terms of increasing efficiency and quality
of auditing activity and improving professional competency of
internal auditors, and necessary measures shall be taken within the
framework of the conclusions thereof.
C. Evaluation of the Auditor
At the end of the audit, performance of the auditor
shall be evaluated in auditor evaluation form (Annex: 13) by
internal audit unit management, and the mentioned form shall be kept
in the individual file of the auditor.
System
shall be audited in line with the methodology specified in “General
Framework” part of the manual. Some factors specific to system audit
are listed below.
A. Definition
System can be defined as a structure constituted
by specific components among which there are specific relations.
While system components can be either too simple or too complex,
there can be some sub-systems that can constitute a system in
themselves.
A system can be analyzed in three main parts:
input, process and output. Inputs are the components that are
brought into the system by an outer source and that result in the
initiation of a process. For instance, raw materials, energy and
other data are inputs. Outputs, on the other hand, are the products
produced by the system and rendered for the users, such as services,
information and reports. Any action triggered by inputs and turning
into output is called a process. For example, production of a
product, preparation of a report and rendering of a service are all
processes.
In the light of the information given above, system
audit can be defined as the evaluation of the adequacy and
efficiency of internal control systems in ensuring achievement of
the objectives by the process of the unit (system) audited. In other
words, system audit refers to analyzing the activities and internal
control system of the audited unit; defining the deficiencies in
these activities and the control system; examining their quality and
compliance; and examining the adequacy of the sources and applied
methods in such a way as to contribute to organizational structure.
As defined in Public Internal Control Standards;
internal control shall be constituted by the components of control
environment, risk assessment, control activities, information and
communication and monitoring.
While
the system audit shall cover analyzing the whole internal control
related with the unit or the process, performance audit shall focus
on the controls on the effective, economic and efficient performance
of the activities and financial audits on the controls on ensuring
the reliability of financial systems and statements.
In system audit, internal audit system established to achieve the
objectives below shall be evaluated as a whole and existence of
internal control components shall be examined:
- To manage the public revenues, expenditures, assets and
  liabilities in an effective, economic and efficient way,
- To ensure that public administrations operate in accordance with
  the laws, basic policy documents and other legislations,
- To ensure regular, timely and reliable reporting and acquisition
  of information for taking decisions and monitoring,
- To prevent irregularities and frauds in all kinds of decisions and
  transactions,
- To prevent the misuse and waste of assets and protect against
  losses.
B. Implementation
In
system audit, one shall focus on evaluating the control system of
the process or the unit to be audited.
1. Defining of Audit Goals
In
the scope of the preliminary study, internal auditor shall firstly
learn the reason why the unit/process s/he will audit is included in
the annual audit program. Defining all the outcomes expected to be
obtained at the end of audit will facilitate defining the goals of
the audit.
2. Collection of Information/Preliminary Study
After audit goals are determined, internal
auditor makes a preliminary study by collecting information about
the system subject to audit. At the end of this study, where the
process to be audited starts and ends and what kind of relations it
has with other systems shall be clearly defined.
Related legislation; accountability reports; regulations prepared
and put into effect by the administration regarding sharing and
transfer of authorities; and interviews with managers and personnel
can be used as source at this phase so as to ensure clear
understanding of the process or the unit to be audited. Inquiry form
that can be used in the interviews to be conducted in the units is
given below.
· What are the current processes and their sub-processes related
  with the services rendered?
· What is the basic priority of the processes? What is the value
  (monetary and non-monetary) of the output produced by the process?
· Regarding functioning of the process;
  o How does the process start functioning? Which demand, action or
    system initiates the process?
  o Does the process function smoothly at the moment? What are the
    major obstacles to the proper functioning of the process?
  o Which sub-units of your unit are assigned duties in this
    process?
  o What are the basic inputs you need in these processes and which
    other units provide these basic inputs?
  o What are the critical points of the information and documents
    received from other units regarding this process?
  o Is there any information technology system used in relation to
    this process?
· Regarding process outputs;
  o What are the outputs produced at the end of the process?
  o Who uses these outputs? Who is dependent on these outputs?
  o Which procedures are followed by the related unit in the cases
    when these outputs are not accepted?
  o Who is the final beneficiary of the process?
  o Is it necessary to produce this output within specific times
    and periods?
  o Does this process have working periods?
· Regarding process documentation;
  o Is there any documentation/technical documents related with the
    process?
  o Are there any reports issued in relation with the process?
· What kind of additional sources and facilities are required to
  successfully achieve the goals?
· What is the most important problem that can come out in relation
  with this process?
· What is the most important problem to have ever come out in
  relation with this process?
· Is there any alternative to ensure functioning of the system in
  times of crises?
3. Defining and Evaluation of the Risks and Controls
The most critical phase of system audit is the
defining and evaluation of the risks and controls. There are various
methods to be applied in evaluating (in terms of adequacy and
efficiency) the controls applied during the audit of the unit or the
process concerned. Some of these methods are listed below:
Workflow Diagrams:
Workflow diagrams, which are also used in system
identification and in determining the limits of the system,
facilitate not only detecting the problematic parts of the system,
the cases where the principle of segregation of duties is not
complied with and control weaknesses such as duplication of the
same work, but also revealing the critical control
activities of the processes.
Explanations about the Controls:
Explanations made by people having detailed
information about the process or the unit are one of the most
important information sources for the internal auditor to evaluate
the internal control system. In addition, people falling out of the
scope of management but in relation with the unit can also provide
useful information about the control weaknesses. However, attention
shall be paid to ensure that the information collected is unbiased
and impartial.
Internal Control Inquiry Form:
Another method to be adopted in evaluating
internal control is to get detailed information from the authorized
personnel by using the internal control inquiry forms prepared in
advance. Inquiry forms shall be prepared in such manner to ensure
that any negative answer reveals possible weaknesses or risks.
An auditor who encounters a negative answer shall check whether
there exists any control against this risk or not. A sample
inquiry form related with the evaluation of control environment,
which is an internal control component, is attached (Annex: 14).
The internal control inquiry form is a tool enabling systematic
conduct of the audit.
Risk and Control Evaluation Matrixes:
This method handles internal control system of the unit or process
in a risk-oriented manner and evaluates the risks together with the
controls applied. Find attached a risk and control matrix related
with the legal consultancy department of an administration (Annex
15).
One or a number of the methods specified above
can be used by the auditor.
Controls can be handled at two separate levels: high and mid/low
level. High level controls are the controls determined and carried
out at administration level. Mid/low level controls are the controls
that are designed and carried out on the basis of units/processes.
I. High-level controls;
· Aims and objectives,
· Plans and procedures,
· Authorization,
· Organization,
· Performance criteria,
· Duties and responsibilities,
· Efficient communication and reporting,
· Adequate human resource,