Operational Manual for Internal Audit (Central Ministries) — Study Notes
Study Notes · Internal Audit · O/o CGA

Operational Manual for Internal Audit in Central Ministries

Issued by the Internal Audit Division of the Controller General of Accounts (Ministry of Finance, Dept of Expenditure). A practical companion to the Internal Audit Handbook — it lays out how Internal Audit Wings are structured, how the audit cycle is planned and performed, the tools used, how results are reported, and how quality and special audits are conducted.

7 Chapters 23 Checklists 8 Exhibits 5-C Reporting Framework
INTRO · PART A

What This Manual Is

The document in one breath
This is the Operational Manual for Internal Audit issued by the Internal Audit Division of the Controller General of Accounts (Ministry of Finance, Department of Expenditure). It is the working companion to the Handbook on Internal Audit in Central Civil Ministries/Departments — where the Handbook lays down policy and guidelines, this Manual supplies the step-by-step process, ready-to-use checklists, and worked exhibits an Internal Audit Wing (IAW) actually runs on.
How the manual is built

Seven chapters trace internal audit from setting up the wingplanningchoosing toolsperforming the engagementreporting & follow-upquality controlspecial audits. Threaded through them are 23 numbered checklists, and eight detailed Exhibits at the back (sample risk registers, self-assessment forms, IT-audit templates).

§1

Who's Who — The CAE and the Key Bodies

The boss of the wing
CAE — Chief Audit Executive

The Pr. CCA / CCA / CA acting as head of the Internal Audit Wing. Plans the audit, approves plans, manages resources, sets policies, coordinates with senior management, and owns quality assurance.

The wing itself
IAW — Internal Audit Wing

The team in each Central Civil Ministry that carries out the audits — at least five officials under the CAE.

The oversight body
Audit Committee

Receives the CAE's quarterly reports, the Annual Audit Plan, and unresolved high-risk issues. The body to which internal audit is accountable.

The apex coordinator
IAD in O/o CGA

The Internal Audit Division in the Office of the CGA — issues this manual, shares findings across wings, and compiles the annual review of all IAWs.

§2

Key Acronyms You Must Know

AcronymExpansion
CAEChief Audit Executive (refers to Pr. CCA / CCA / CA)
IAW / IADInternal Audit Wing (at a Ministry) / Internal Audit Division (in O/o CGA)
ATRAction Taken Report
CAATComputer Assisted Audit Techniques
RBIARisk Based Internal Audit
RAURisk and Audit Universe
KPI / KRIKey Performance Indicator / Key Risk Indicator
QAIPQuality Assurance and Improvement Program
IPPFInternational Professional Practices Framework (of the IIA)
IIAInstitute of Internal Auditors
COSOCommittee of Sponsoring Organizations
ERMEnterprise-wide Risk Management
IDEA / ACLGeneral-purpose audit software (Interactive Data Extraction & Analysis / Audit Command Language)
PPSProgrammes, Projects and Schemes
DDO / PAODrawing & Disbursing Officer / Pay & Accounts Officer
C&AG / CVCComptroller & Auditor General / Central Vigilance Commission
§3

The Four-Phase Cycle — the Spine of the Manual

Every internal audit engagement moves through four phases. Chapters 2–5 map onto them directly:

1
Planning & Preparing  (Chapter 2)

Engagement planning, risk-based selection, Annual Plan and 3-Year Programme, work program.

2
Performing the Engagement  (Chapter 4)

Intimation, entry conference, field work, evidence, working papers, exit meeting.

3
Reporting on the Engagement  (Chapter 5)

Communicating results, drafting via the 5-C framework, grouping findings by risk.

4
Follow-up Action  (Chapter 5)

Tracking Action Taken Reports, monitoring implementation, escalating unresolved issues.

⭐ Why this matters
The manual's mission line is worth memorising: internal audit exists "to enhance and protect organizational value by providing risk-based and objective assurance, advice and insight." Every checklist and tool in the document serves that single purpose.
⚡ Intro — Quick Recap
ConceptKey Fact
Issued byInternal Audit Division, O/o CGA, M/o Finance (Dept of Expenditure)
Companion documentHandbook on Internal Audit in Central Civil Ministries/Departments
CAE meansPr. CCA / CCA / CA as head of the IAW
Minimum team size5 officials
Numbered checklists23
Exhibits at the back8 (I to VIII)
Four phasesPlan → Perform → Report → Follow-up
Mission of internal auditEnhance & protect organisational value via risk-based assurance, advice & insight
CH 1 · PART A

Structure & Management of Internal Audit Wings

What this chapter does
Chapter 1 sets up the wing before any audit begins. It fixes the mission, the role of the CAE, the composition of the team, and the detailed job descriptions of the CAE, the Team Head, and the Team Members.
Mission of Internal Audit

Each IAW articulates its own mission statement. The model wording offered: "To enhance and protect organizational value at the Ministry by providing risk-based and objective assurance, advice and insight."

§1

Role of the CAE

The Pr. CCA / CCA / CA, in their capacity as CAE, perform all activities of the head of the wing:

  • 📋Planning the internal audit.
  • Communication and approval of the plans.
  • 🤝Resource management for the wing.
  • 📝Laying down policies and procedures for the IAW.
  • 📤Coordination and reporting to senior management and the Audit Committee.
  • 🎯Quality assurance across the wing.
§2

The CAE's Reporting Calendar

Four hard reporting obligations sit on the CAE — three quarterly, one annual:

Quarterly
Status to Audit Committee

At least once a quarter on internal-audit status: progress against plan, limitations to independence/objectivity, and challenges faced by the team.

Quarterly
KPIs & KRIs

Report actual performance against KPIs and give a written assessment on KRIs for each significant risk — both every quarter.

By 15th January
Annual Audit Plan

Submit the risk-based Annual Audit Plan to the Audit Committee — consistent with Ministry goals.

By 1st March
Present Plan + 3-Year Programme

Present the Annual Plan and 3-year rolling programme to the Committee, with the impact of resource limitations.

§3

Composition of the Internal Audit Team

An Internal Audit Team headed by the CAE should comprise at least five officials:

👨‍💼
1
A.O. / Sr. A.O.
👥
2
A.A.O.
📋
2
Accountants / Sr.
🔢
5
Minimum Total
Team size is flexible

The number may vary by assignment, scaled to six factors: organizational structure; functional activities; financial data (budget, expenditure, funding, receipts, assets); actual staffing; inherent risks in the audit unit's functioning; and scope of the internal audit.

CH 1 · PART B

Roles & Responsibilities — Three Levels

§4

Responsibilities of the Chief Audit Executive

  • 📝Develop and document an audit plan (including RBIA) for each engagement — objective, scope, quantum, timing, resource allocation.
  • Ensure assignments are initiated per the approved plan and established notification, standards, policies and procedures.
  • 🔍Ensure the team obtains all relevant information to fix objective, scope, methodology and resources.
  • 🏢Understand the entity's mandates, risks, structure, internal control and ongoing issues — and brief the team before the assignment.
  • 📊Maintain and update Risk Registers for all audit units, schemes, programmes and projects based on findings and feedback.
  • 🎓Continuously review team performance; provide training on schemes, programmes and audit tools.
  • 📄Finalise standard report templates; maintain records of reports/findings; ensure timely action by audit units.
  • 📤Share important findings with other teams and with the IAD in O/o CGA for cross-Ministry learning.
  • 📅Compile the wing's year-end performance into an annual review report for the Chief Accounting Authority / Audit Committee, then to O/o CGA.
  • 📧Start every assignment with an Audit Memorandum drafted by the wing.
§5

Responsibilities of the Head of the Audit Team

  1. Issue the audit memorandum at least one month before the planned audit, so the entity can prepare.
  2. Discuss the plan with members; finalise audit strategy (objectives, scope, quantum).
  3. Attend the entry conference on day one — introduce the team, discuss issues, learn the entity's functions, status of past findings and high-risk areas.
  4. Guide staff in developing the plan and a checklist of questions; personally audit key activities / risk areas.
  5. Assign each member specific responsibilities in writing; supervise every phase; review and approve working papers and primary observations; ensure sufficient evidence.
  6. Conduct a formal exit conference; brief the entity head on objectives, findings, recommendations; consider the entity's views and additional facts.
  7. Ensure the draft report uses the prescribed template, is presented to the CAE with working papers and evidence on time, and that the approved report is issued within the prescribed timeline.
§6

Responsibilities of Team Members

  • 📝Carry out duties assigned in writing, verified fully per audit methodology.
  • 📖Verify that prescribed records, books and ledgers are accurately maintained, compiled and reconciled; scrutinise sanctioning and purchase procedures for defects.
  • 💰Verify payments are correct per rules, and that deductions and recoveries are timely accounted for.
  • ⚙️Verify general office-management procedures with financial/accounting implications; suggest tightening of controls and streamlining of accounting.
  • 📋Review scheme/programme implementation against notified guidelines; record observations within scope.
  • 📁Maintain working papers, collect relevant evidence, and develop observations under the Team Head's guidance.
⚡ Chapter 1 — Quick Recap
ConceptKey Fact
Head of the wingCAE = Pr. CCA / CCA / CA
CAE's six functionsPlan · approve · resource · policies · coordinate/report · QA
Reporting to Audit CommitteeAt least once per quarter
Annual Audit Plan dueBy 15 January
Present Plan + 3-Year ProgrammeBy 1 March
Minimum team1 A.O./Sr.AO + 2 A.A.O. + 2 Accountants = 5
Team size factorsStructure · activities · financial data · staffing · inherent risk · scope
Memorandum timingAudit memorandum issued ≥ 1 month before audit
Assignments start withAn Audit Memorandum
Three role levelsCAE · Head of Team · Team Members
CH 2 · PART A

The Internal Audit Process

What this chapter does
Chapter 2 covers the first phase — planning and preparing. It defines the four phases of the whole process, then drills into engagement planning, the Annual Audit Plan and 3-Year Rolling Programme, planning for risk-based audit, and the engagement work program. Two checklists anchor it: Checklist 1 (planning) and Checklist 2 (work program).
The four phases (again)

Planning and Preparing → Performing the engagement → Reporting upon the engagement → Follow-up action. This chapter is all about phase one.

§1

Audit & Engagement Planning (Checklist 1)

Checklist 1 makes sure the team has answered the foundational questions before fieldwork. The key planning considerations:

  1. Categorise & risk-rate units. Have audit units been identified by category, with audit plans per category, and a risk rating/register driving selection of units, processes and areas?
  2. Document each engagement. Is there a well-developed, documented plan per engagement including objectives, scope, timing and resource allocation?
  3. Map objectives, controls, risks. Have the program's objectives, the controls ensuring achievement, and the significant risks (to the activity, its objectives, resources and operations) been assessed — including whether governance, risk management and control are adequate and working?
  4. Preliminary survey & risk assessment. Was a preliminary survey conducted and its results used to find areas of emphasis? Was a preliminary risk assessment of the scheme/program done in the planning stage?
  5. Engagement objective covers all risks. Does the engagement objective include every significant risk found in the preliminary risk assessment?
  6. Working-paper file ready. Before fieldwork, does the file contain the Audit Planning Memo (APM), Preliminary Survey findings (with the Risk Assessment Report), Engagement Terms of Reference (TOR), and the Engagement Program?
§2

Annual Audit Plan & 3-Year Rolling Programme

The CAE builds a risk-based Annual Audit Plan on an understanding of the auditable unit's strategies, objectives and risk framework — then supplements it with a 3-Year Rolling Audit Programme. Key features:

Coverage
The Audit Universe

A comprehensive list of auditable units: departmental units, cost centres, schemes, programs, policies, processes, systems, PSUs under the Ministry, financial statements, regulatory compliance.

Frequency by risk
Risk-Driven Coverage

High-risk areas audited once or more per year; low-risk areas only once in 2–3 years. Both assurance and advisory work are weighed.

Deadlines
15 Jan · 15 Feb

Submit plan to the Committee by 15 January; revise for the Finance Bill's impact on Ministry outlay/operations by 15 February.

Living document
Continuous Update

Revise plan and programme for revised risk ratings, outcome budget changes, anticipated 3-year changes, and new Government directives as they arise.

§3

Planning for Risk-Based Internal Audit

When developing the plan, the CAE weighs these factors:

  • ⚠️Inherent risks — identified and assessed?
  • 🛡️Residual risks — identified and assessed (after controls)?
  • 🔗Mitigating controls, contingency plans, monitoring — linked to individual events/risks?
  • 📊Risk registers — systematic, complete and accurate?
  • 📄Documentation — are the risks and activities documented?
💡 The point of RBIA planning
The wing must identify areas of high inherent risk, high residual risk, and the key control systems the Ministry most relies on. Where residual risk is unacceptable, management must be notified so the risk can be addressed. The sample risk registers for RKVY (Ministry of Agriculture) sit in Exhibit I.
§4

Preparing for Audit — The Work Program (Checklist 2)

A documented engagement work program must include:

1
Goals
Audit Objectives

What the engagement sets out to achieve.

2
Targets
Risks & Transactions

The risks, processes and transactions to be examined.

3
Method
Procedures

For identifying, analysing, evaluating and documenting information.

4
Testing
Nature of Testing

The kind of testing required.

Schedule alignment

A tentative schedule for all phases of the audit must be set and aligned with the Audit Calendar of the respective Ministry/Department.

⚡ Chapter 2 — Quick Recap
ConceptKey Fact
Four phasesPlan & Prepare · Perform · Report · Follow-up
Planning checklistChecklist 1 (engagement planning)
Engagement plan containsObjectives, scope, timing, resource allocation
Pre-fieldwork fileAPM · Preliminary Survey (with RAR) · TOR · Engagement Program
Annual Plan due15 January; revise for Finance Bill by 15 February
Rolling programme3-Year Rolling Audit Programme
High vs low risk frequencyHigh: ≥1/yr  |  Low: once in 2–3 yrs
RBIA factorsInherent · residual risk · controls · registers · documentation
Sample risk registersExhibit I — RKVY (M/o Agriculture)
Work program (Checklist 2)Objectives · risks/transactions · procedures · testing
CH 3 · PART A

Audit Tools & Techniques

What this chapter does
Chapter 3 hands the auditor the toolkit: internal control evaluation, risk-based internal auditing as a method, and two heavyweight techniques — audit sampling and Computer Assisted Audit Techniques (CAATs).
§1

Objectives of Sound Internal Controls

A sound internal control framework helps a Ministry meet its compliance, financial-reporting and operational goals, minimise surprises, and deal with change. During evaluation the auditor checks that controls achieve six objectives:

1
Operational Efficiency

Promote operational efficiency and effectiveness.

2
Reliable Information

Provide reliable financial information.

3
Safeguard Assets

Safeguard assets and records.

4
Policy Adherence

Encourage adherence to prescribed policies.

5
Regulatory Compliance

Comply with regulatory agencies.

6
Correct Liabilities

Correctly identify and measure liabilities.

§2

Means of Evaluation & The Review Process

The wing evaluates internal controls through four means — questionnaires/checklists, flow charts/narratives, facilitated workshops, and control self-assessment (Checklist 3 supports this; a sample self-assessment is Exhibit II).

Reviewing effectiveness — the five-step logic (Checklist 4)

Has the Ministry: (1) identified its business objectives; (2) identified and assessed the risks threatening them; (3) designed controls to manage those risks; (4) operated the controls per their design; and (5) monitored the controls to ensure they work? Each "no" is a control gap.

§3

Conducting Risk-Based Internal Audit (RBIA)

Before conducting RBIA, the wing must be able to answer: what is the Ministry's risk maturity? Has risk profiling been done and to what extent can it be relied on for planning? Do individual audits assure that all inherent risks above the risk appetite are managed down to within it?

1
Assess risk maturity

Gauge the Ministry's risk maturity.

2
Set up the Risk & Audit Universe (RAU)

Assign risks to audits and draw up a plan for carrying out audits, usually annual.

3
Carry out audits & feed back

Perform individual risk-based audits and feed the results back into the RAU.

RBIA assurance covers five things

Whether management's processes identify all significant risks; whether risks are correctly scored to prioritise them; whether responses are appropriate and policy-compliant; whether reporting of key risks to senior management is accurate, timely and effective; and whether controls are operational and monitored.

CH 3 · PART B

Audit Sampling

Definition
Audit sampling is applying audit procedures to less than 100% of the items in a class of transactions — letting the auditor evaluate evidence about some characteristic of the selected items and form a conclusion about the whole population.
💡 How auditors choose what to test
Areas where the department exercises discretion are riskier than rule-bound ones. Higher-value transactions are often examined for material impact — but materiality is irrelevant where compliance is required by law. Past audit reports guide selection, and March vouchers are invariably picked because of the well-known "March rush" in expenditure.

Judgemental vs Statistical Sampling

ApproachHow it worksTrade-off
JudgementalItems chosen on the auditor's experience, intuition and judgement.Simple and popular, but no scientific basis — hard to extrapolate findings to the population.
StatisticalEvery unit has an equal chance of selection, eliminating bias.Lets findings be asserted with a known degree of confidence; needs sample-size and technique decisions.
Sample size

Influenced by the purpose of audit, population size and homogeneity, required precision and confidence level. For a small or homogeneous population a small sample suffices; in general, a sample of 10% or more is considered reasonable.

Common statistical sampling techniques

Technique 1
Random Number

Number all items, then use a random-number generator to select the sample.

Technique 2
Interval Sampling

Select items at fixed intervals — e.g. every 10th, 15th or 35th voucher; interval set by population size and sample needed.

Technique 3
Stratified Sampling

Divide the population into discrete homogeneous groups, then pick a pre-decided number from each group.

Technique 4
Attribute Sampling

Select items sharing certain attributes; objective in nature — items chosen by compliance (yes) or non-compliance (no) with standards. Good for evaluating controls over many similar transactions.

§4

Computer Assisted Audit Techniques (CAATs)

As Government operations computerise, huge volumes of electronic data accumulate that are impractical to extract manually. CAATs are computer-based tools that run tests on data or IT systems — especially useful when significant data is electronic.

  • CAATs permit 100% testing of data in a short span, repeated tests on different files, and standardisation of audit activity.
  • 🧮Two broad categories: add-on tools used inside existing programs (Excel, MS Access); and general-purpose audit software built off-the-shelf for auditors.
  • 💻Commonly used general-purpose software: IDEA (Interactive Data Extraction and Analysis) and ACL (Audit Command Language).
  • 🎓Wings should train staff to use these tools in engagements.
📝 The evolution of audit (per the manual's box)
From "tick and check" audits → systems-based audits focused on key controls → CAATs. The principles of taking the client's books to audit them haven't changed — only the practices, now that books are electronic. Auditors who fail to embrace new techniques risk becoming "surplus to requirements." (Source cited: The Internal Auditing Handbook, K. H. Spencer Pickett.)
⚡ Chapter 3 — Quick Recap
ConceptKey Fact
Internal control objectives6: efficiency · reliable info · safeguard assets · policy adherence · regulatory compliance · correct liabilities
Means of evaluationQuestionnaires · flowcharts/narratives · facilitated workshops · control self-assessment
Control review (Checklist 4)Objectives → assess risks → design controls → operate → monitor
RBIA three stagesAssess maturity → set up RAU & plan → audit & feed back
Audit samplingProcedures on <100% of items
Materiality & lawMateriality irrelevant where compliance is legally required
March vouchersInvariably selected ("March rush")
Reasonable sample size10% or more in general
4 statistical techniquesRandom number · interval · stratified · attribute
CAATs enable100% testing, repeated tests, standardisation
General-purpose softwareIDEA & ACL
CH 4 · PART A

Performing the Audit Engagement

What this chapter does
Chapter 4 is the doing phase — the actual conduct of internal audit. It walks four stages from notifying the entity through to the closing meeting, and packs the heaviest cluster of checklists in the manual (Checklists 5–13) covering intimation, entry conference, fieldwork, evidence, working papers, observations and exit.
1
Intimation of Audit

Inform the unit of the audit schedule (Checklist 5).

2
Opening Meeting (Entry Conference)

Set scope and understand the entity (Checklist 6).

3
Performing Field Work

Evidence, working papers, observations (Checklists 7–12).

4
Conducting Exit Meeting

Discuss the draft report with the client (Checklist 13).

§1

Intimation of Audit (Checklist 5)

A Commencement Letter, addressed to the highest individual responsible for the Ministry/Department/Scheme, must include:

  • 🎯Objective of the audit.
  • 📐Scope and the period it covers.
  • ⏱️Estimated duration.
  • 👥Names of auditors — especially the Team Leader.
  • 📅Information on entry and exit conferences.
  • 📄Request for necessary information and documents.
§2

Opening / Entry Conference (Checklist 6)

The engagement normally starts with an entry conference with the Head of Department/Office. Points to cover: proposed objectives and scope; the entity's risk-management practices; areas of special concern; logistics (a nodal officer for space, records, meetings); the principal risks being audited; processes included and excluded; special considerations (C&AG findings, recent frauds, major system changes); the approach and testing plan; the communication/reporting strategy; and the auditee representative who will coordinate management action plans.

⚠ The surprise-audit exception

Audits with an element of surprise do not have any entry conference.

CH 4 · PART B

Performing Field Work & Evidence

§3

Preliminary Field Work (Checklist 7)

Field work begins with an approved Audit Programme and standardised checklists for recurring schemes. The CAE ensures: staff interviews identifying detailed objectives, risks and high-risk areas; an agreed audit scope (reasons, objectives, main stages, staff and time, client contact, timetable with draft/final report dates); sufficient and appropriate evidence; adequate supervision scaled to proficiency and complexity; objective sampling at desired confidence; and minuted meetings kept as working papers.

§4

Reliability of Audit Evidence (Checklist 8)

Evidence must be relevant to the audit objectives, drawn from appropriate sources, and free of unacceptable risk of improper findings, significant limitations, or an inadequate basis. The manual's hierarchy of reliability:

  • 🌐Evidence from external sources is more reliable.
  • Evidence obtained directly by the auditor is more reliable.
  • 📄Original documents are more reliable than copies.
  • 📊Larger samples are more reliable than smaller ones.
  • 🔗Reliability rises when accounting and internal-control systems operate effectively.
When evidence is weak or inconsistent

If limitations or uncertainties are significant, the wing should seek independent corroborating evidence, disclose the limitation in the report, and decide whether to report it as a finding. If sources are inconsistent, the auditor performs additional procedures to resolve the conflict.

§5

Documenting & Testing Processes, Risks, Controls (Checklist 9)

The auditor performs walkthrough tests to confirm processes, surfaces any new risks, and identifies the controls that should operate to manage them plus the monitoring management uses. Tests of control effectiveness are defined and run, with special attention to controls carrying a high control score. The standard: documentation must let an experienced auditor with no prior connection understand the nature, timing, extent and results of procedures, the evidence obtained, its source, and the conclusions reached.

CH 4 · PART C

Working Papers & Observations

Working papers must be indexed, referenced and cross-referenced to the relevant observations. They split into two files:

Checklist 10
Permanent Audit File

Organizational chart; descriptions of schemes/programs/systems/procedures and business plans; corrective action plans; legal & regulatory issues; risk assessment; correspondence of continuing interest; updated audit programmes.

Checklist 11
Current Audit File

Draft & final report copies; significant findings and how resolved; planning documentation; administration/correspondence; follow-up of previous reports; updated programmes; supporting documentation; minutes of entry & exit meetings.

How an audit observation is born
An observation emerges by comparing "what should exist" (the audit criteria) with "what exists" (the evidence). When they differ, the auditor assesses the effect, impact and cause of the variance and documents it. Accumulated observations become the foundation for the engagement's conclusions, recommendations and report. (Checklist 12 governs the field-work steps.)
§6

Conducting the Exit Meeting (Checklist 13)

A formal exit conference concludes field work. With key officials, the team discusses the Draft Audit Report, obtains their views and any additional facts, and records any disagreements with reasons. The exit conference is minuted, the minutes go into the working papers, and a copy is given to the Department.

⚡ Chapter 4 — Quick Recap
ConceptKey Fact
Four stagesIntimation → Entry conference → Field work → Exit meeting
Intimation documentCommencement Letter (Checklist 5)
Surprise auditsNo entry conference
Most reliable evidenceExternal source · auditor-obtained · originals · larger samples
Confirming processesWalkthrough tests (Checklist 9)
Documentation standardUnderstandable to an experienced auditor with no prior connection
Two working-paper filesPermanent (Checklist 10) & Current (Checklist 11)
Observation ="What should exist" vs "what exists" + effect, impact, cause
Exit conferenceDiscuss draft report; minuted; copy to Department (Checklist 13)
Field-work checklistChecklist 12
CH 5 · PART A

Reporting & Follow-up

What this chapter does
Chapter 5 covers phases three and four: communicating results and following up. Its centrepiece is the 5-C framework for drafting observations, supported by Checklist 13 (reporting) and Checklist 14 (follow-up).
§1

Communicating the Results of the Engagement

  • ⏱️Results must be communicated in a timely manner.
  • 📝Final communication must contain an opinion and/or conclusions; an overall opinion must account for the Ministry's expectations and be supported by sufficient, reliable, relevant, useful information.
  • ⚠️The reason for an unfavourable overall opinion must be stated.
What the report must highlight (Checklist 13)

Before drafting, the supervisor reviews all working papers and checks supporting evidence. The report flags: weaknesses in internal-control design/implementation; non-compliance with policies, procedures, rules and regulations; and transactions that fall short of standards of propriety. It incorporates the auditee's response and planned corrective action (or notes the absence of a response), brings out any scope limitation, and acknowledges satisfactory performance and best practices.

Don't wait to report serious findings

Where an observation is so serious that delay could harm achievement of programme/scheme objectives, it must be communicated early — even during the audit. Errors or omissions in an issued report must be corrected and circulated to all earlier recipients.

CH 5 · PART B

The 5-C Framework

Every audit observation is developed with reference to engagement objectives using five C's. They form a logical chain — from what was expected, to what happened, to what should be done:

  1. Criteria — "What should exist?" The benchmarks or expectations audit evidence is compared against (policy, SOP, norm).
  2. Condition — "What exists?" The factual evidence found, stating the nature and extent of the observation — the result of comparing actual evidence with criteria.
  3. Consequence / Effect / Impact — "What effect did it have?" The risk or exposure from the gap between criteria and condition; often expressed quantitatively. The effect must be serious enough to justify the cost of correction.
  4. Cause — "Why did it happen?" The likely reason for the gap. Similar causes across observations may reveal an underlying theme; identifying the cause is a prerequisite to a meaningful recommendation.
  5. Corrective Action / Recommendation — "What should be done?" Actions to correct the situation and prevent recurrence — within the client's scope, addressing the cause not just the symptoms, and at least intuitively viable.
⭐ Memory hook for the 5 C's
Criteria (should) → Condition (is) → Consequence (so what) → Cause (why) → Corrective action (fix). Two states, an impact, a reason, a remedy.
§2

Grouping Findings by Risk Severity

Red
High Risk

Absence of immediate corrective action may have a major negative impact on achievement of objectives.

Orange
Medium Risk

Failure to act could result in significant consequences.

Green
Low Risk

Suggested action would bring greater efficiency or enhanced controls at minimal additional cost.

§3

Reporting & Follow-up (Checklist 14)

Follow-up closes the loop. The CAE conducts follow-up of previous reports and communicates the findings. For the current report there must be a defined time-frame for Action Taken Reports (ATRs), and those timelines must be adhered to.

⚠ Escalation of unresolved issues

The CAE establishes a process to monitor whether management actions are effectively implemented — or that senior management has accepted the risk of not acting (per IIA Standard 2500.A1). Issues the auditee cannot resolve within six months are reported to the Audit Committee and included in the quarterly reporting on risks unacceptable to the Ministry.

⚡ Chapter 5 — Quick Recap
ConceptKey Fact
Final communication must containAn opinion and/or conclusions
Unfavourable opinionReason must be stated
Report flagsControl weaknesses · non-compliance · propriety lapses
Serious findingsCommunicate early — even during audit
The 5 C'sCriteria · Condition · Consequence · Cause · Corrective action
Criteria / Condition"Should exist" / "What exists"
Risk colour codingRed (high) · Orange (medium) · Green (low)
Action trackingAction Taken Reports (ATRs) with timelines
Escalation windowUnresolved in 6 months → Audit Committee
Standard citedIIA Standard 2500.A1 (management accepting risk)
CH 6 · PART A

Performance Evaluation & Quality Control

What this chapter does
Chapter 6 turns the lens on internal audit itself. Like any function, the wing must add value — so the head sets objectives, builds processes to meet them, and reports results. The chapter covers the Quality Assurance and Improvement Program (QAIP), documentation policy, a quality-check of the audit report (Checklist 15), and a wide performance-evaluation checklist (Checklist 16).
§1

What Is a QAIP?

  • 🎯A QAIP evaluates the wing's conformance with the IPPF Standards and whether auditors apply the Code of Ethics.
  • 📈It assesses the efficiency and effectiveness of the activity and identifies improvement opportunities.
  • 📝The CAE must develop and maintain a QAIP covering all aspects of the internal audit activity (IIA Standard 1300), and it must include both internal and external assessments (IIA Standard 1310).
§2

Internal vs External Assessment

Internal — Standard 1311
Two components

Ongoing monitoring — part of day-to-day supervision, review and measurement, built into routine policies to evaluate conformance with the Code and Standards. Plus periodic self-assessments (or by others within the organisation with sufficient knowledge) to evaluate conformance with the Manual and Charter.

External — Independence
No conflict of interest

An independent assessment means no actual or perceived conflict of interest, and not being part of or under the control of the organisation the activity belongs to. The CAE communicates QAIP results to the Audit Committee and the IAD in O/o CGA.

§3

Documentation Policy

The CAE must approve a documentation policy — consistent with organisational guidelines and regulatory requirements — governing custody, retention and release of engagement records. It must cover:

  • 📄Sufficient, reliable, relevant documentation to support engagement results and conclusions.
  • 🔒Controlled access to records — and approval of senior management and/or legal counsel before releasing records to external parties.
  • 🗓️Retention requirements for records (regardless of storage medium), consistent with organisational and regulatory rules.
CH 6 · PART B

Quality Check of the Audit Report (Checklist 15)

Reports are issued in the format prescribed by O/o CGA. To be effective they must be complete, concise, accurate and objective, issued timely, fact-based, free of personal criticism, constructively worded, with recommendations focused on achieving objectives.

The five qualities of a good report

Accurate · Objective · Clear · Concise · Complete. The report structure includes the engagement's objectives, scope, conclusions, recommendations and action plans.

What the quality check verifies

  • 📑Cover page states "Internal Audit Report of ____ for the period ____", plus date of issue.
  • ⚖️Clearly states the responsibility split: management owns internal controls and financial statements; the auditor's job is to express an opinion on the efficiency of internal controls in achieving management objectives.
  • Approved by competent authority, signed by the designated authority, and addressed per the Internal Audit Charter.
  • 📊Supplemented by an Executive Summary (objectives, scope, summary of observations).
  • 🔴Uses colour coding (Red, Orange, Green) for significance/risk; develops observations via the 5-C framework; uses photographs where useful.
  • Acknowledges satisfactory performance and best practices; brings out any scope limitation.
§4

Performance Evaluation of the IAW (Checklist 16)

This checklist lets O/o CGA evaluate a wing's performance. Highlights worth remembering:

Meetings cadence
4 minimum, 6 ideal

Formally report to the Audit Committee at least 4 times a year (once per quarter), with 6 meetings per year as the ideal target.

Capacity maths
210 working days

Plan staffing at 210 working days per auditor, compute man-days required vs available, and decide how to fill the gap (consultants / deputation / outsourcing).

Report contents
Progress vs Plan

Reports include progress vs plan with timelines, limitations to independence/objectivity, challenges, delays in resolving issues, and action on outstanding paragraphs.

Value added
KPIs & Dashboards

Adopt KPIs and dashboards; track risks mitigated, cost-saving opportunities, and financial-recovery opportunities; run a QAIP and gap analysis against the Handbook.

⚡ Chapter 6 — Quick Recap
ConceptKey Fact
QAIP evaluatesConformance with IPPF Standards & Code of Ethics
QAIP must includeBoth internal and external assessments (Std 1310)
Internal assessmentOngoing monitoring + periodic self-assessment (Std 1311)
Independent assessmentNo actual/perceived conflict; outside the organisation's control
QAIP results go toAudit Committee & IAD in O/o CGA
Documentation policy coversSufficiency · controlled access · retention
Report qualitiesAccurate · Objective · Clear · Concise · Complete
Responsibility splitManagement owns controls; auditor opines on their efficiency
Colour codingRed / Orange / Green
Committee meetingsMin 4/yr (quarterly); ideal 6/yr
Capacity assumption210 working days per auditor
CH 7 · PART A

Special Audits

What this chapter does
Chapter 7 covers five specialised engagements beyond the routine audit: Gender Audit, IT Audit, Audit of Governance Activities, and Scheme/Program Audit — plus how to fold these into the work program. Each is undertaken on Terms of Reference given by the Ministry, with the Audit Committee informed afterwards.
§1

Gender Audit

A gender audit examines two sets of dimensions — what the programmes do, and how the organisation is set up.

What to audit — set 1
5 Programmatic Dimensions

Situational analysis (planning & annual plan development) · policy analysis (programme design, scheme guidelines) · budgetary allocations & expenditure · monitoring of implementation progress · evaluation procedures.

What to audit — set 2
4 Organizational Dimensions

Gender policy & staffing (support and gender balance) · capacity building · monitoring systems (gender sensitivity) · resource allocation (how far the budget supports gender equity).

Methodology & tools

Process: set up a gender-audit team → brainstorm to freeze objectives and identify criteria → develop criteria into a checklist → build an Audit Matrix (criteria, questions, verifiable indicators, means of verification) → entry meeting → gather data → analyse → feedback → report. Tools: existing data & schematic guidelines, documentation review, field visits, field surveys, interviews, key-informant interviews, staff questionnaire, and a Gender Audit Score Card.

CH 7 · PART B

Information Technology (IT) Audit

Purpose of IT Audit
IT audits assess controls in IT systems that maintain the CIA triad — Confidentiality, Integrity and Availability of data. They assure that data isn't modified in an unauthorised way, that controls prevent unauthorised access, and that controls prevent service disruption so systems are available when required.
Two types of IT audit

The easiest boundary: Application Control Review Audits (controls relating to Ministry transactions/processes and their internal security settings) and General Control Review Audits. Everything that isn't an application control is treated as a General Computer Control (GCC) — and GCCs are reviewed first because they form the basis of the IT control environment.

§2

The IT Audit Process

1
Prepare the IT Audit Universe

Understand the tech environment — list technologies, the IT processes/controls against them, and interview program & IT staff (Checklist 17). Sample in Exhibit V; vulnerability survey in Exhibit IV.

2
Prepare the Annual IT Audit Plan

List auditable units, identify their risks, prioritise by risk significance, fold into the Annual Audit Plan (Checklist 18).

3
Conduct IT Risk Assessment

Document the six IT risk areas; identify assets at risk, threat events, impact, frequency and uncertainty; then run a risk-mitigation analysis (Checklists 19 & 20).

4
Identify & Report on IT Controls

Review GCCs; report on information-security incidents, change-management exceptions, project status, etc. — integrating risks from programmes to IT in one format.

The six IT risk areas (Checklist 19)

Non-availability of the system · unauthorised access to systems (security) · incomplete/inaccurate data (integrity) · unauthorised access to data (confidentiality) · non-delivery of expected function (effectiveness) · sub-optimal use of resources (efficiency).

📚 IIA guidance & the Centre of Excellence
Wings doing IT audits use the IIA's GTAGs (Global Technology Audit Guides) — e.g. GTAG 11 (developing an IT audit plan), GTAG 12 (auditing IT projects), GTAG 13 (fraud prevention in an automated world). Until Ministries build their own IT-audit capability, the Centre of Excellence (CoE) in O/o CGA can develop an in-house support team or outsource to specialist firms. A sample PFMS system-audit checklist is Exhibit VI; the IT control-framework checklist is Exhibit VII.
CH 7 · PART C

Governance & Scheme Audits

§3

Audit of Governance Activities (Checklist 21)

The CAE assesses whether the audit plan covers the Ministry's governance processes and their risks — so the wing helps the Ministry be accountable and transparent while achieving objectives effectively, efficiently, economically and ethically. Three core questions drive it:

  • 📝Has the policy been implemented as intended?
  • 💰Are funds being spent for the intended purpose?
  • 🛡️Are managers implementing effective controls to minimise risks?
§4

Scheme or Program Audit (Checklists 22 & 23)

Scheme audit works from two angles — the beneficiary's experience and the auditor's verification.

Checklist 22
Beneficiary Questionnaire

Awareness of the scheme and its benefits; how they heard of it; problems in availing it; online application difficulty; time to sanction and to credit; sufficiency of the amount; complaints and the management's response; whether life improved; whether they'd recommend it.

Checklist 23
Auditor Checklist

Three-year budget vs expenditure; delays in fund transfer at each level (Centre→State→District→CDPO→beneficiary); diversion of funds; projects completed on time / extended; unspent grant refunded; separate bank account under specified authority; periodic reports to the Centre; % of admin expenses; Utilization Certificate (incl. men/women ratio).

Inclusion into work programs

Special audits — Gender, IT, Governance, Grant or Scheme/Program — are undertaken as and when assigned by the Ministry, per its Terms of Reference. The Audit Committee is informed about these engagements subsequently. A sample Summary of Audit Paras for scheme audit is Exhibit VIII.

⚡ Chapter 7 — Quick Recap
ConceptKey Fact
Five special auditsGender · IT · Governance · Grant · Scheme/Program
Gender audit dimensions5 programmatic + 4 organizational
Gender audit toolGender Audit Score Card + Audit Matrix
IT audit assuresConfidentiality · Integrity · Availability (CIA)
Two IT audit typesApplication Control · General Control (GCC)
Six IT risk areasAvailability · security · integrity · confidentiality · effectiveness · efficiency
IIA IT guidanceGTAGs; support from CoE in O/o CGA
Governance audit (4 E's)Effective · efficient · economical · ethical
Governance core questionsPolicy as intended? · funds for purpose? · effective controls?
Scheme audit anglesBeneficiary (Checklist 22) + Auditor (Checklist 23)
Assignment basisMinistry's Terms of Reference; Committee informed after
CH 8 · PART A

The 23 Checklists — A Navigation Map

Why this reference matters
The manual's real working content lives in 23 numbered checklists scattered through Chapters 2–7, and 8 Exhibits at the back. This chapter pulls them into one place so you can see, at a glance, which checklist serves which phase.
ChecklistPurposePhase
1Audit & Engagement PlanningPlanning
2Audit Work ProgramPlanning
3Internal Control EvaluationTools
4Reviewing effectiveness of internal controlsTools
5Audit Intimation (Commencement Letter)Performing
6Conducting the Entry ConferencePerforming
7Preliminary Audit PerformancePerforming
8Reliability & Documentation of Audit EvidencePerforming
9Documentation & Testing of processes, risks, controlsPerforming
10Working Papers — Permanent Audit FilePerforming
11Working Papers — Current Audit FilePerforming
12Performing Internal Audit Field WorkPerforming
13Exit Meeting / Audit Communication: ReportingReporting
14Audit Communication: Follow-upFollow-up
15Quality Check of Audit ReportQuality
16Performance Evaluation of the IAWQuality
17Preparing audit universe for IT auditSpecial — IT
18Planning for IT auditSpecial — IT
19Undertaking IT risk assessmentSpecial — IT
20Assisting CAEs in conducting IT auditSpecial — IT
21Audit of Governance ProcessesSpecial — Gov
22Scheme Audit Questionnaire — beneficiarySpecial — Scheme
23Scheme Audit Checklist — auditorSpecial — Scheme
Note on numbering

The manual reuses "Checklist 13" for both the exit-meeting checklist and the reporting checklist — a quirk in the source text. Treat them as the same number serving the close-out / reporting boundary.

CH 8 · PART B

The Eight Exhibits

The Exhibits are full worked samples an auditor can adapt directly. Knowing what each contains is enough for revision:

I
Risk register
Sample Risk Register — RKVY

For Rashtriya Krishi Vikas Yojana (M/o Agriculture). Maps sub-processes, inherent risks, impact/likelihood scoring, existing & required controls, residual risk.

II
Self-assessment
Internal Control Self-Assessment Checklist

A template for a unit to assess its own internal controls.

III
Compliance
Compliance Audit of DDOs & PAOs

Checklist for compliance audit of Drawing & Disbursing Officers and Pay & Accounts Officers.

IV
IT survey
Vulnerable Areas of IT Processes

Sample survey to identify vulnerabilities in IT processes.

V
IT universe
Preparing an IT Audit Universe

Sample for assembling the IT audit universe.

VI
System audit
Checklist for System Audit (PFMS)

Sample system-audit checklist in the PFMS environment.

VII
IT controls
Examining the IT Control Framework

Checklist to examine the IT control framework.

VIII
Scheme paras
Summary of Audit Paras — Scheme Audit

Sample summary of audit paras for scheme audit, categorised by type (financial / operational / performance) and risk level.

§1

Anatomy of a Risk Register (from Exhibit I)

The RKVY register is the clearest illustration of how risk is recorded. Each row carries the following columns — worth memorising as the standard structure:

  1. Sub-process — the activity (e.g. "Approval", "Release of funds").
  2. Inherent risk description — what could go wrong (e.g. "delay in approval of projects by States").
  3. Risk assessment — Impact and Likelihood, each scored L / M / H.
  4. Identification & listing of controls — split into existing controls and required controls.
  5. Residual risk — Impact and Likelihood again (L/M/H) after existing controls.
  6. Frequency of control, control owner, timeline — how often the control runs, who owns it (e.g. P.D — Programme Division), and the implementation date.
⭐ The takeaway
A risk register is the bridge between Chapter 2 (planning), Chapter 3 (RBIA), and Chapter 7 (scheme audit). It is where inherent risk, controls, and residual risk are made visible — and it is continuously updated as audits feed findings back into it.
⚡ Chapter 8 — Quick Recap
ConceptKey Fact
Total numbered checklists23 (across Chapters 2–7)
Planning checklists1 & 2
Control evaluationChecklists 3 & 4
Performing (heaviest)Checklists 5–12
Reporting / follow-upChecklists 13 & 14
QualityChecklists 15 & 16
IT auditChecklists 17–20
Governance / SchemeChecklists 21 / 22 & 23
Exhibit IRKVY Risk Register (M/o Agriculture)
Exhibit IIICompliance audit of DDOs & PAOs
Exhibit VIPFMS System Audit checklist
Risk register columnsSub-process · inherent risk · scoring · controls · residual risk · owner/timeline

Gateway to Promotion Exams

Single Device Policy: You can only be logged in on one device at a time. Logging in here will end any existing session.
Forgot Password?

Enter your email to receive a password reset link.

Back to Login