MANUAL FOR PREPARING
PUBLIC INTERNAL AUDIT PLAN AND PROGRAM
I.
INTRODUCTION
This manual is prepared by the Internal
Audit Coordination Board as per Article 40 of By-Law on Working
Procedures and Principles of Internal Auditors in order to
determine the basic principles for preparing the internal audit
plan and program.
It is essential that internal auditing
activity is executed on a risk based basis. Through continuous
measurement and the assessment of the risks that public
administrations may be exposed to, areas of high risk shall be
determined and accordingly the internal audit plan and program
shall be prepared. The internal auditing activity shall be
executed in compliance with this plan and program.
Taking the internal audit strategy document
(plan) prepared by the Board into consideration, the internal
audit plan shall be prepared for three-year periods by
discussing with the head of public administration as well as the
unit managers and shall include the scope of audit, areas and
topics to be audited, the workforce needed and other resources
and the training activities in order to ensure effective,
economical and efficient performance of internal audit activity.
This plan shall be reviewed every year according to the results
of risk assessment and changed when necessary.
Through prioritizing most risky
areas and topics and taking into account the cost of audit, an
internal audit program that is in line with the internal audit
plan and in such a way that it shall not exceed one year, shall
be prepared by meeting with the head of public administration,
managers and when necessary, with other employees. New units and
activities with high risks, restructuring projects, significant
changes in the organization and human resources shall be given
the priority in the audit program. In the internal audit
programs, the areas and topics to be audited are set out in a
time schedule by indicating the names of internal auditors.
Audit plan and program
should be consistent with the internal audit unit charter and
the objectives of the administration.
During the preparation of the
audit plan and program, studies and reports produced by Turkish
Court of Accounts and other audit bodies can be taken into
account.
II. INTERNAL AUDIT PLAN
Internal audit plan shall
be prepared by the internal audit unit and submitted to the head
of public administration one month prior to the planning period.
Basic principles to be
applied to the preparation of the audit plan are as follows:
·
During the
preparation of the plan; internal audit strategy document,
opinions of the head of public administration and the results of
the previous audits are taken into account.
·
Plan
includes activities pertaining to the next three-year period.
·
Resource
allocation in the plan shall be made according to the criteria
mentioned below:
o
Audit
management activities: It covers preparation of internal audit
plans and programs, coordination of auditing activities,
examination of audit reports, audit follow-up activities and the
administrative procedures included in this scope.
o
Auditing
activities: It covers planned auditing of priority areas
determined with the help of risk assessments made.
o
Consultancy
activities: It covers planned consultancy activities in the
scope of the services requested.
o
Training
activities: It covers the trainings to be given to/by internal
auditors, taking into consideration the provisions of related
legislations.
o
Audit
resource allocated for extraordinary cases: It covers auditing
and consultancy services not envisaged in the preparation phase
of the Project.
·
The audit
plan shall be effective upon the approval of the head of
administration.
·
The audit
plan shall be reviewed annually and amendments shall be made
when deemed necessary. The amendments shall be effective upon
the approval of the head of administration.
The
audit plan shall be taken into consideration in two parts;
namely the audit activities and other activities.
1.
Planning of the Auditing Activities
Planning of the auditing activities shall be performed in two
stages, namely the identification and analysis of risky areas
and the allocation of audit resources in this direction.
1.1
Identification and analysis of risky areas
Risk identification is the
process of identifying the possible situations that will prevent
or may prevent the organization from achieving its goals and
objectives.
All
activities of the organizations are subjected to a comprehensive
risk analysis by the internal audit units according to the risk
evaluation manual issued by the Board. The results of these
analyses are evaluated and the risks that may affect the
services of public organizations are listed by weighing them
according to their risk level and significance.
According to the results of this evaluation, internal audit plan
shall be prepared by starting from highest risk areas and
topics. In the preparation of audit programs; together with the
issues that the head of public administration regards as risky
and requests priority, by considering the number of internal
auditors, working period and facilities, the maximum efficiency
is targeted by prioritizing highest risk areas and topics.
Following steps are taken during the process of the
identification and analysis of the risky areas:
1.1.1 Identification of audit universe
The first
step of risk weighing process is the identification of audit
universe. Audit universe refers to the whole of the auditable
areas. As a general principle audit universe covers all
activities of a unit within the organization. However the audit
universe can be limited taking into account several factors such
as;
-
Whether the auditable area makes
significant contribution to the realization of the goals and
objectives of the organization,
-
Whether the auditable area has a
considerable size capable of creating significant effect on
the organization,
Whether the auditable
area is significant enough to justify the cost of the controls
and the audit.
1.1.2 Determination of Auditable Area
In order to
ensure flexibility in audit and to limit the audit project with
a manageable area, sub auditable units may be defined.
Through
assessing the unit, activity, process, project of the audit
universe or more than one of these simultaneously, sub auditable
units are determined by dividing the activities of the
organization into auditable sections.
1.1.3
Defining Risk Criteria and the Weighing the Risks
Defining risk
criteria and weighing the risks shall be performed in accordance
with the risk assessment manual issued by the Board.
1.1.4
Prioritizing the Auditable Areas
Auditable
areas are prioritized according to the results of the risk
weighing activity starting from the area with the highest risk.
Results of numerical analysis are re-assessed in the light of
professional experience and the prioritization order may be
changed when necessary stating the justifications of it. The
opinion of the organization on this matter should also be taken
into account.
1.2. Allocation of Audit Resources
In internal auditing activities, it is
essential that the resources are used in the most efficient
manner. The criterion to be taken as
basis for establishing such approach may be the risk ratings of
auditable areas. Within this scope the
audit resources shall be allocated starting mainly and before
all else from the most risky areas.
For example, while, it is possible to make a sampling of 10% in
areas with lower risk rating, in areas of higher risk instead of
sampling, a scanning may be required. Henceforth, more personnel
and time should be allocated.
On the other hand, the adequacy of the audit
resources and the risk ratings of auditable areas shall also be
taken into consideration. For example, for areas with high risks
a planning which foresees audits to be performed every year
shall be made whereas for areas with medium risk a planning
which foresees audits to be performed every two years, for areas
with low risks a planning which foresees audits to be performed
every three years shall be made.
It may be useful to leave some of the audit
resource for extraordinary duties that may arise afterwards.
2. Planning of Other Activities
Other
activities include; audit management activities, consultancy
activities, other auditing and consultancy activities which are
out of the program and the training activities.
Planning of the other activities shall be made in the light of
the experience on internal auditing taking into account the cost
of the activities and discussing with the head of public
administration and unit managers.
3.
Approval of the Plan
Audit plan prepared by
the internal audit unit shall be approved by the head of
administration and enter into force prior to the beginning of
the planning period.
4.
Preparation of a Sample Audit Plan
Following points
have been considered during the preparation of sample internal
audit plan (Annex:1) prepared on a three-year basis for
2008-2010 period;
·
That
it is 2007,
·
That
the internal audit unit consists of five internal auditors one
of whom is the chief audit executive,
·
That
200 workdays per year shall be applied for each internal auditor
as working time taking into account the public holidays, annual
leave and leave on excuse (sickness etc),
·
That
the risk assessment studies are conducted and auditable areas
are prioritized
Taking
into consideration the existing workforce and budget facilities,
as a result of the risk assessment activities it is decided that
areas with high risks shall be taken to the scope of audit
program every year whereas areas with moderate risks shall be
taken to the scope of the audit program every two years and
finally areas with low risks shall be taken to the scope of
audit program every three years.
III. INTERNAL AUDIT PROGRAM
Internal audit program
shall be prepared by internal audit unit and be presented to the
head of administration one month prior to program period.
Basic principles to be
taken as basis in the preparation of audit program are as
follows:
·
Three-year
internal audit plan prepared, opinions from the head of
administration and the heads of unit and the results of earlier
audits shall be considered in the preparation of the program.
·
The program
shall include the activities pertaining to maximum one year
period.
·
Resource
allocation by the program shall be made on the basis of
following activities:
o
Audit
management activities: It covers preparation of internal audit
plans and programs, coordination of auditing activities,
examination of audit reports, audit follow-up activities and the
administrative procedures included in this scope.
o
Auditing
activities: It covers planned auditing of priority areas
determined with the help of risk assessments made.
o
Consultancy
activities: It covers planned consultancy activities in the
scope of the services demanded.
o
Training
activities: It covers the trainings to be given to/by internal
auditors, taking into consideration the provisions of related
legislations.
o
Audit
resource allocated for extraordinary cases: It covers auditing
and consultancy services not envisaged in the preparation phase
of the Project.
·
The program
shall enter into force upon the approval of the head of
administration.
Audit program shall be
evaluated under two titles: “auditing activities” and “other
activities”. Principles listed in planning section shall be
considered during the programming studies related with these
activities.
Audit program to be
prepared by internal audit unit shall enter into force upon
approval of the head of administration, before the commencement
of the program period.
Preparation of Sample
Audit Program
Following issues are envisaged in the preparation of sample
internal audit program for 2008 (Ek:2);
·
That three-year internal audit plan pertaining to 2008-2010 period
is prepared,
·
That
the internal audit unit consists of five internal auditors one
of whom is the chief audit executive,
·
That
200 workdays per year shall be applied for each internal auditor
as working time taking into account the public holidays, annual
leave and leave on excuse (sickness etc),
·
That
the risk assessment studies are conducted and auditable areas
are prioritized.
ANNEX: 1/A
2008-2010 INTERNAL AUDIT PLAN
OF INTERNAL AUDIT UNIT X
I. INTRODUCTION
The period covered by the plan,
legislation explaining the reason behind the preparation of the
plan and other issues shall be briefly defined.
II. INFORMATION ON THE ADMINISTRATION
General information about the
administration shall be provided and auditable areas shall be
briefly explained.
III. STRATEGIC GOALS
The strategy to be pursued by the
internal audit unit during the plan period in line with the
audit strategy of IACB and related goals shall be defined.
IV. PRINCIPLES TO BE ABIDED BY DURING THE
IMPLEMENTATION OF THE PLAN
What to do in case of any deviation from the
project expectations in terms of institutional structure,
activities, resources of internal audit unit and other issues
and the general principles to be complied with during the
implementation of the plan shall be defined.
V. RISK ASSESSMENT ACTIVITIES
Risk analysis made within the
framework of the strategic goals and objectives of the
administration and the results obtained at the end of such
analysis shall be presented.
VI. AUDIT RESOURCES
Audit resources (auditors,
bureau, budget, etc) expected to be owned in the plan period
shall be defined.
VII. PLANNED INTERNAL AUDIT ACTIVITIES
In line with the activities
performed to this point, internal audit activities planned to be
conducted on a yearly basis shall be given on the basis of the
sample chart given in ANNEX: 1/B.
ANNEX: 1/B
|
CHART ANNEXED TO 2008-2010 INTERNAL AUDIT PLAN |
|
INTERNAL AUDITING ACTIVITIES |
Risk Priority |
Years |
|
2008 |
2009 |
2010 |
|
Audit Management Activities |
200 |
200 |
200 |
|
Auditing Activities |
|
|
|
|
|
Auditable Areas |
|
|
|
|
European Union BBB Project Activities |
1 |
30 |
30 |
30 |
|
World Bank AAA Project Activities |
3 |
|
60 |
|
|
Recruitment Process |
1 |
60 |
60 |
60 |
|
Purchasing Process |
2 |
30 |
|
45 |
|
Procurement Process |
1 |
60 |
45 |
30 |
|
Inventory Procedures |
2 |
30 |
30 |
|
|
Archining Procedures |
3 |
|
30 |
|
|
Financial Reporting Process |
3 |
|
30 |
|
|
Network Security |
1 |
60 |
45 |
30 |
|
Data Security |
1 |
60 |
60 |
45 |
|
Information Collection Services |
3 |
|
|
30 |
|
Process of Salary Payments to Staff |
1 |
45 |
45 |
30 |
|
Investment Expenditures |
1 |
90 |
60 |
45 |
|
Representation and Accomodation Expenditures |
1 |
45 |
30 |
45 |
|
Treatment Expenditures |
2 |
45 |
|
60 |
|
Domestic Travel Expenses |
2 |
30 |
|
60 |
|
|
785 |
725 |
710 |
|
Consultancy Activities |
75 |
45 |
75 |
|
Training Activities |
35 |
35 |
35 |
|
Audit Resource Allocated for Revenues |
105 |
195 |
180 |
|
|
Out-of-Program Activities |
|
|
|
|
Out-of-Program Consultancy Activities |
|
|
|
|
|
215 |
275 |
290 |
|
Total Audit Resource (man/day) |
1000 |
1000 |
1000 |
ANNEX: 2/A
2008 INTERNAL AUDIT PROGRAM
OF INTERNAL AUDIT UNIT X
I. INTRODUCTION
Audit plan related with the program,
legislation explaining the reason behind its preparation and
other issues shall be briefly defined.
II. GOALS AND OBJECTIVES
Program goals and objectives shall be
explained in the scope of the internal audit activities to be
undertaken.
III. PRINCIPLES TO BE ABIDED BY DURING THE
IMPLEMENTATION OF THE PROGRAM
What to do in case of any deviation from the
program expectations in terms of institutional structure,
activities, resources of internal audit unit and other issues
and the general principles to be complied with during the
implementation of the program shall be defined.
IV. RISK ASSESSMENT ACTIVITIES
Risk analysis of the related year and the
results of such analysis shall be presented within the framework
of the risk assessment activities included in the internal audit
plan.
V. AUDIT RESOURCES
Audit resources (auditors,
bureau, budget, etc) expected to be owned in the program period
shall be defined.
VI. PLANNED INTERNAL AUDIT ACTIVITIES
In line with the activities
performed to this point, internal auditing activities to be
conducted on the basis of the sample chart given in ANNEX: 2/B
shall be presented.
VII. TASK RESULTS AND
REPORTING
Procedures to be followed for
reporting to audit unit and related authorities of the task
results to be obtained at the end of activities to be conducted
in the scope of the program shall be listed.
Türkçe 
English
