Generic Internal Audit Manual for Central Civil Ministries — Study Notes
Study Notes · Internal Audit · O/o CGA

Generic Internal Audit Manual for Central Civil Ministries

Issued in 2014 by the Centre of Excellence, Internal Audit Division, O/o Controller General of Accounts (Ministry of Finance, Department of Expenditure). A foundational guide that takes internal audit from a compliance-only past to a risk-based future — explaining risks and controls, the COSO framework, what internal audit is, the five-phase audit process, governance through Audit Committees, and quality assurance — and serving as the template from which each Ministry builds its own detailed manual.

6 Chapters COSO Framework 5-Phase Process 5-C Reporting Glossary + Annexures
CH I · PART A

Introduction — What This Manual Is

The document in one breath
This is the Generic Internal Audit Manual for Central Civil Ministries, issued on 30 September 2014 by the Centre of Excellence, Internal Audit Division in the Office of the Controller General of Accounts (Ministry of Finance, Department of Expenditure). It is a generic template — its express purpose is to help each central civil Ministry/Department develop its own detailed Internal Audit Manual, and to guide internal audit engagements end to end: from building a work programme through planning, performing, reporting and following up.
The big idea — a shift in approach

The whole manual turns on one transition: internal audit moving from a compliance-only / regularity past to a risk-based future. The defining difference between the traditional and modern approach is the explicit recognition of the twin concepts of "risks" and "controls." While compliance audit remains important, auditors are now expected to evaluate controls against the risks and assure management that controls work as intended.

§1

The CGA Mandate & Rule 64 of GFR 2005

The Controller General of Accounts is mandated under the Allocation of Business Rules to oversee accounting standards in Central Civil Accounts Offices, and has guided internal audit in the civil ministries since the departmentalisation of accounts in 1976. The scope of the internal audit function is codified in the Civil Accounts Manual and the Inspection Code.

⭐ Rule 64, GFR 2005 — memorise this
Rule 64 of the General Financial Rules 2005 designates the Secretary of the Ministry/Department as the Chief Accounting Authority, responsible and accountable for financial management. The internal audit wings — headed by Pr.CCAs / CCAs / CAs and working under the overall supervision of the Financial Adviser — assist the Secretary in discharging this responsibility.

The key objectives of ministries and departments that internal audit serves are threefold:

Objective 1
Proper Resource Management

Proper management of public resources and government authority, ensuring compliance with laws, regulations, policies and procedures.

Objective 2
Reliable Reporting

Ensuring the reliability of financial reporting.

Objective 3
Operational Performance

Ensuring operational efficiency and effectiveness.

§2

The Revised Charter of Financial Advisers (2006)

The Ministry of Finance, Department of Expenditure O.M. F.No.5(6)/L&C/2006 dated 1 June 2006 redefined the charter for Financial Advisers and the role of internal audit wings working under CCAs/CAs. It stipulated that internal audit move beyond compliance/regulatory audit and focus on four things:

  1. Adequacy & effectiveness of internal controls in general — and soundness of financial systems and reliability of financial/accounting reports in particular.
  2. Identification and monitoring of risk factors — including those contained in the Outcome Budget.
  3. Critical assessment of economy, efficiency and effectiveness of the service-delivery mechanism, to ensure value for money.
  4. An effective monitoring system to facilitate mid-course corrections.
§3

Key Acronyms You Must Know

AcronymExpansion
CAEChief Audit Executive (refers to Pr. CCA / CCA / CA)
Pr.CCA / CCA / CAPrincipal Chief Controller / Chief Controller / Controller of Accounts
Dy.CADeputy Controller of Accounts
AO / Sr.AO / AAOAccounts Officer / Senior Accounts Officer / Assistant Accounts Officer
IAWInternal Audit Wing
ATRAction Taken Report
DDODrawing and Disbursing Officer
CAATComputer Assisted Audit Techniques
COSOCommittee of Sponsoring Organizations
IDEA / ACLInteractive Data Extraction & Analysis / Audit Command Language (audit software)
IIA / ICAI / CIPFAInstitute of Internal Auditors / Institute of Chartered Accountants of India / Chartered Institute of Public Finance and Accountancy
INTOSAI / ISSAIInt'l Organization of Supreme Audit Institutions / its International Standards
C&AGComptroller & Auditor General
⚡ Chapter I — Quick Recap
ConceptKey Fact
Issued byCentre of Excellence, Internal Audit Division, O/o CGA, M/o Finance
Date issued30 September 2014
Document's purposeA generic template for Ministries to build their own detailed IA manuals
Accounts departmentalised1976
IA scope codified inCivil Accounts Manual & Inspection Code
Rule 64, GFR 2005Secretary = Chief Accounting Authority
IAW headed byPr.CCA / CCA / CA, under the Financial Adviser
Revised CharterO.M. dated 1 June 2006 — move beyond compliance audit
The defining shiftExplicit recognition of "risks" & "controls"
Three Ministry objectivesResource management · reliable reporting · operational efficiency
CH II · PART A

Theoretical Framework — Risks & Controls

What this chapter does
Chapter II builds the conceptual foundation. A sound public financial management system needs resources valued correctly, receipts realised in full, and expenditure incurred economically, efficiently and effectively. Above all it needs continuous assurance to stakeholders — most importantly citizens — that objectives are clearly spelt out, strategies are in place, and risks that threaten those objectives have been identified, assessed and contained within acceptable levels.
Accountability — what stakeholders want assured

Accountability is a core principle of democratic government. Stakeholders want assurance that: public resources are managed properly and used lawfully; government programmes are achieving their objectives and outcomes; and government services are delivered ethically, efficiently, economically and effectively. Governments have traditionally relied on in-built controls like "checks and balances" and "segregation of duties," plus rules such as the GFR and Receipt & Payment Rules.

§1

Understanding Risk

Definition — Risk
A risk is the possibility of an event occurring that will have an adverse impact on the achievement of objectives. To be protected, each risk must be identified, assessed and measured in two dimensions — impact (severity) and likelihood of occurrence (probability) — and then an appropriate response developed.

Some activities are inherently more risk-prone than others — procurement, for instance, carries more risk than routine accounting for expenditure. A change in circumstances can also shift the risk structure: year-end expenditure, driven by the urge to avoid lapse of budget, needs closer monitoring of controls. When analysing risk, three questions are asked:

  • What can go wrong?
  • 🎲What is the probability of it going wrong?
  • ⚠️What are the consequences?
§2

Responding to Risk — The Four T's

After identifying and evaluating risks, the Ministry develops a response to eliminate the risk or contain it within acceptable limits. Four options exist:

T
Transfer
Transfer

Shift the risk to a third party — obtaining insurance is the classic example.

T
Tolerate
Tolerate

Accept the risk when the cost of control outweighs the benefit, or the adverse outcome is inconsequential.

T
Terminate
Terminate

End the activity itself — needed where the risk could cause grave consequences or project failure. Not always possible in Government due to political/social sensitivities.

T
Treat
Treat

Manage the risk through appropriate control activities — the most obvious choice for Ministries and the most relevant for this manual.

Residual & acceptable risk

Some risk remains even after controls are instituted — this is "residual risk." It may be advisable to tolerate it, especially where elimination costs are very high and it sits within acceptable limits. "Acceptable risk" is a risk understood and tolerated, usually because the cost or difficulty of an effective countermeasure exceeds the expected loss. What is acceptable is a judgement exercised by Management. Since controls have costs, the benefit of risk reduction must exceed the cost of the control.

📊 The Risk Management Process (5 steps)
Establish context (understand objectives & environment) → Risk identification (write a "risk statement") → Analysis (comprehend the nature, determine consequences & likelihood) → Evaluation (compare against risk criteria — is it acceptable?) → Response (modify by mitigating, avoiding, transferring or accepting). Wrapped around all five: continuous monitoring and reporting & communication with stakeholders.
What "controls" formally are

In formal terms, controls comprise the actions taken by management, the audit committee and other parties to manage risks and increase the likelihood that established objectives and goals will be achieved.

CH II · PART B

The Internal Control Framework

Definition — Internal Control
Internal control is an integral process operated by an organisation's management and personnel, designed to address risks and provide reasonable assurance that, in pursuit of the mission, four general objectives are met: executing orderly, ethical, economical, efficient and effective operations; fulfilling accountability obligations; complying with applicable laws and regulations; and safeguarding resources against loss, misuse and damage.
⚠ Controls are continuous, not events

Internal controls are continuous processes, not isolated efforts. Per the COSO framework, everyone in an organisation has some responsibility for internal control — and the commitment of those at the top is critical. Control is most effective when "built in" and not "superimposed" on the entity's systems.

§3

The Five COSO Components

The Committee of Sponsoring Organizations (COSO) developed the internal control framework now accepted worldwide. Its five key concepts:

1
The foundation
Control Environment

Sets the tone of the organisation — integrity and ethical values of individuals and the organisation as a whole. Includes management's philosophy, structure, assignment of authority, HR practices and competence.

2
Find the threats
Risk Assessment

Identifying and analysing risks that threaten objectives. Elements: risk identification, risk evaluation (likelihood & significance, rated High / Medium / Low), and risk acceptance.

3
The actions
Control Activities

The actions that manage risk — split into preventive and detective controls (see below).

4
The flow
Information & Communication

For controls to work, management needs timely, reliable feedback. Communication must flow down, across and up the organisation.

5
The check
Monitoring

A well-designed review process — comprising ongoing monitoring and/or separate evaluations. Scope and frequency of separate evaluations depend on risk assessment and the effectiveness of ongoing monitoring.

§4

Control Activities — Two Types & Common Examples

TypeWhat it doesExamples
PreventiveStop a risk from occurring in the first place.Barring entry of unauthorised personnel; segregation of duties; limiting access to sensitive information.
DetectiveHelp discover inaccuracies, misconduct etc. after the fact.Preparing bank reconciliation statements; monitoring and supervision.

The manual lists common control activities worth memorising:

  • ⚖️Segregation of duties — separating authorisation, custody and record-keeping roles.
  • Authorisation of transactions — review by an appropriate person.
  • 📄Retention of records — documentation that substantiates transactions.
  • 👁️Supervision or monitoring of operations.
  • 🔒Physical safeguards — cameras, locks, physical barriers to protect property.
  • 📊Top-level reviews — actual results vs goals/plans, periodic operational reviews, metrics and KPIs.
  • 🔑IT security controls — restrict system/data access to authorised personnel (passwords, access-log review).
  • 💻IT application controls — edit checks to validate data entry, numerical-sequence accounting, comparing file totals with control accounts.
⭐ Internal audit is itself a control
Internal Audit is a critical component of the internal control system, entrusted with the review function. Like all controls, internal audit entails costs — so, in keeping with economy, efficiency and effectiveness, the audit function must itself be conducted with due regard to these principles.
⚡ Chapter II — Quick Recap
ConceptKey Fact
Risk definedPossibility of an event with adverse impact on objectives
Risk measured byImpact (severity) & likelihood (probability)
3 risk-analysis questionsWhat can go wrong? · probability? · consequences?
The 4 T'sTransfer · Tolerate · Terminate · Treat
Insurance is an example ofTransferring risk
Residual riskRisk remaining after controls; tolerate if within limits
Controls definedActions by management/audit committee to manage risk
Internal control objectivesOrderly/ethical ops · accountability · compliance · safeguard resources
Framework usedCOSO
5 COSO componentsControl environment · risk assessment · control activities · info & communication · monitoring
Risk rating scaleHigh / Medium / Low
2 control typesPreventive & Detective
Best controls are"Built in," not "superimposed"
CH III · PART A

Internal Audit — Definitions & Services

Why internal audit exists
The need for internal audit stems from the need for feedback to Management through periodic review of internal controls. Its primary function is the "measurement and effectiveness of other controls." This places internal audit in a unique position — it is both a part of the internal control system, and the function required to comment on the adequacy and effectiveness of the other controls. It aids management by giving periodic feedback on how controls are functioning and suggesting measures to strengthen them.
§1

The Four Authoritative Definitions

To meet widely accepted norms, the manual cites four bodies' definitions of internal audit:

BodyHow it defines internal audit
INTOSAI (ISSAI 1003)An appraisal activity established as a service to an entity; functions include examining, evaluating and monitoring the adequacy of internal control.
CIPFAAn assurance function giving an independent, objective opinion on the control environment (risk management, control, governance) by evaluating its effectiveness in achieving objectives.
IIAAn independent, objective assurance and consulting activity designed to add value and improve operations; helps the organisation accomplish objectives via a systematic, disciplined approach to evaluate and improve risk management, control and governance.
ICAIAn independent management function involving continuous critical appraisal of the entity to suggest improvements and add value to the overall governance, strategic risk management and internal control system.
The common thread + the public-interest overlay

All four see internal audit as evaluating the adequacy and effectiveness of risk management, governance and control processes, thereby adding value. In government and the public sector, one more principle overrides everything: serving the public interest must be the overriding objective.

§2

The Two Primary Services — Assurance vs Consulting

Service 1
Assurance Services

The auditor's objective assessment of evidence to provide an independent opinion or conclusion on the processes, systems or mechanisms put in place by the executive to ensure achievement of objectives.

Service 2
Consulting Services

Advisory in nature — positive recommendations to improve performance and/or controls, generally at the specific request of the agency. The auditor must maintain objectivity and not assume management responsibility.

What both services assess (reasonable assurance that…)

In both, internal audit focuses on whether governance, risk management and control provide reasonable assurance that: significant information is accurate, reliable and timely; resources are acquired economically and used efficiently; assets are safeguarded; actions comply with policies, procedures, contracts and laws; and significant programmes, plans and objectives will be achieved.

CH III · PART B

Types of Internal Audit

In government, internal audit may conduct several types of audit. The main ones:

  1. Regularity Audit (audit against rules & orders) — verifies that expenditure conforms to the laws, rules and orders governing the power to sanction/incur expenditure, and that rules on service conditions, pay, allowances and pensions are followed. The auditor flags deviations and suggests remedies; further action rests with Management.
  2. Propriety Audit — focuses on improper expenditure or waste even where it conforms to rules. Per Hallam, it "extends beyond the formality of the expenditure to its wisdom, faithfulness and economy." Catches improper or infructuous spending not caught by regularity audit.
  3. Performance (Value-for-Money) Audit — checks whether stated objectives are achieved with due regard to economy and efficiency. Examines the relationship between inputs, outputs and outcomes against the 3 E's (see callout below).
  4. Information Systems / IT Audit — determines whether IT systems are designed to achieve organisational goals; focuses on attributes of data (correct, consistent, reliable), assets (hardware & software) and resources (technological, physical, human).
  5. Financial Audit — provides reasonable assurance the financial statements show a true and fair view. For government accounts, this is performed by the C&AG.
  6. Grant or Contract Audits — evaluate compliance with grant conditions, the contracting process and third-party contractual performance.
  7. Fraud & Financial Irregularity Audits — verify the existence and magnitude of suspected fraud/irregularities, usually triggered by discovery or suspicion.
The 3 E's of Performance Audit

Economy — expenditure incurred was not in excess of requirement. Efficiency — output achieved with minimum inputs (or maximum output for given inputs). Effectiveness — expenditure achieved the intended objective.

📝 The one-line summary
The various kinds of audit differ in focus, scope and approach — but internal audit is primarily used for verifying the effectiveness of internal controls in operation, and compliance with laws, rules, regulations and government orders.
§3

Risk-Based Auditing

Definition — Risk-Based Auditing
An approach that focuses on the organisational response to the risks it faces in achieving its goals. The context for audits comes from the Department's objectives, associated risks and risk-management process — rather than from "controls" and deviations therefrom. The auditor's role shifts from examining compliance with controls to reviewing the risk-management processes.
A pragmatic caveat for Government

Until risk-management processes are well-designed and embedded in government systems, Internal Audit cannot yet rely on the Department's own view of risks for scoping. The pragmatic approach: Internal Audit, in conjunction with management, undertakes the risk-assessment exercise itself and draws up its audit plan. Over time, greater reliance can be placed on Departments' own risk assessments and risk-control matrices.

CH III · PART C

Audit Sampling

Definition — Audit Sampling
Applying audit procedures to less than 100% of the items within a class of transactions, so the auditor can obtain and evaluate evidence about some characteristic of the selected items and form a conclusion about the whole population. A 100% check is unnecessary — the objective is well served by a test check.
💡 How auditors choose what to test
Areas where the department exercises discretion are riskier than rule-bound ones. Higher-value transactions are often examined for material impact — but materiality is irrelevant where compliance is required by law. Past audit reports are a good guide to the control environment, and March vouchers are invariably selected because of the well-known "March rush" in expenditure.

Judgemental vs Statistical Sampling

ApproachHow it worksTrade-off
JudgementalItems chosen on the auditor's experience, intuition and judgement.Simple and popular — but no scientific basis, so findings are hard to extrapolate to the population.
StatisticalEvery unit has an equal chance of selection, eliminating bias.Lets findings be asserted with a known degree of confidence; requires decisions on sample size and technique.
Sample size

Influenced by the purpose of audit, population size & homogeneity, required precision and confidence level. For a small population, the whole group can be the sample; for a homogeneous population, a small sample suffices. In general, a sample of 10% or more is considered reasonable.

Four common statistical sampling techniques

Technique 1
Random Number

Number all items in the population, then use a random-number generator to select the sample.

Technique 2
Interval Sampling

Select items at defined intervals — e.g. every 10th, 15th or 35th voucher. The interval is set by population size and the number needed.

Technique 3
Stratified Sampling

Divide the population into discrete homogeneous groups, then select a pre-decided number from each group.

Technique 4
Attribute Sampling

Select all items sharing certain attributes; objective in nature — items chosen by compliance (yes) or non-compliance (no). Good for evaluating controls over many similarly-characterised transactions.

§4

Computer Assisted Audit Techniques (CAATs)

As government operations computerise, vast volumes of electronic data accumulate that are impractical to extract manually — and manual audit limits how much data can be audited in a given time. CAATs are computer-based tools that run tests on data or IT systems, especially useful when significant data is electronic.

  • CAATs permit 100% testing of data in a short span, repeated tests on different files, and standardisation of audit activity.
  • 🧮Two broad categories: add-on tools used inside already-installed programs (Excel, MS Access); and general-purpose audit software built off-the-shelf for auditors.
  • 💻Commonly used general-purpose software: IDEA (Interactive Data Extraction and Analysis) and ACL (Audit Command Language).
  • 🎓Internal Audit Wings should train staff to use these tools in engagements.
📝 The evolution of audit (per the manual's box)
From "tick and check" audits → systems-based audits focused on key controls → CAATs. The principle of taking the client's books to audit them hasn't changed — only the practices, now that books are electronic. Auditors who fail to embrace new techniques will find themselves "surplus to requirements." (Source cited: The Internal Auditing Handbook, 2nd ed., K. H. Spencer Pickett.)
⚡ Chapter III — Quick Recap
ConceptKey Fact
IA's primary functionMeasurement & effectiveness of other controls
IA's unique positionBoth part of the control system & reviewer of it
4 defining bodiesINTOSAI (ISSAI 1003) · CIPFA · IIA · ICAI
Overriding public-sector aimServing the public interest
2 primary servicesAssurance & Consulting
Consulting cautionDon't assume management responsibility
Audit typesRegularity · Propriety · Performance · IT · Financial · Grant · Fraud
Propriety audit (Hallam)"Wisdom, faithfulness and economy"
Performance audit 3 E'sEconomy · Efficiency · Effectiveness
Financial audit byC&AG
Risk-based auditingFocus on org's response to risk, not controls/deviations
Audit samplingProcedures on <100% of items
Materiality & lawMateriality irrelevant where compliance is legally required
March vouchersInvariably selected ("March rush")
Reasonable sample size10% or more in general
4 statistical techniquesRandom number · interval · stratified · attribute
CAATs enable100% testing · repeated tests · standardisation
General-purpose softwareIDEA & ACL
CH IV · PART A

Management of Internal Audit in Government

What this chapter does
Chapter IV is about governance and setup — how the internal audit function is positioned, mandated and supervised within a Ministry. It covers the organisational setup, the audit mandate and charter, the Audit Committee, the structure of the wing, the management team, audit teams, independence and access. Much of it is written as guidance for what each Ministry's own detailed manual should contain.
Mandate & Charter

The requirement for internal audit must be set out in a clearly defined audit mandate, formally documented in the Internal Audit Charter. The charter defines the framework within which internal audit operates, establishes its functional and administrative reporting lines, fixes its position within the organisation, and serves as the foundation for the annual audit plan. A carefully developed mandate and charter are critical for an effective function.

§1

The Audit Committee — Composition & Role

To provide oversight of the IAW, an Audit Committee should be constituted in each Ministry (or the mandate of an existing Standing Audit Committee enlarged). Its composition:

Role on CommitteeOfficer
ChairpersonSecretary of the Ministry/Department
Vice-ChairpersonFinancial Adviser
Convener / Member SecretaryChief Controller of Accounts / Controller of Accounts (i.e. the CAE, or his nominee)
MembersProgramme Division Heads; subject experts may be associated as needed
Terms of reference of the Audit Committee

Ensure development of an effective Risk Management system; supervise the IAW's overall functioning and set its priorities; provide strategic direction and resources; approve the Internal Audit Charter and the function's role/structure; approve the annual internal audit plan; evaluate IAW performance and offer guidance; ensure audit observations are implemented; and determine modalities to resolve key audit issues.

⭐ The reporting relationship
Internal audit has a formal reporting relationship with the Audit Committee. The CAE (Pr.CCA/CCA/CA) puts up a quarterly review of the internal audit function before the Committee. The Committee may also assign special audits directly to the CAE, who would then report directly to the Committee within a prescribed time-frame.
§2

The Internal Audit Charter

Rule 64 of GFR 2005 places the responsibility for sound financial management on the Secretary as Chief Accounting Authority, who must ensure full and proper records and systems affording better internal controls. The revised charter of Financial Advisers (2006) stipulates that IAWs move beyond compliance/regulatory audit to the four focus areas (assessment of controls, monitoring risk factors, value-for-money assessment, mid-course-correction monitoring). Each Ministry's manual should contain an Internal Audit Charter approved by the Audit Committee. A model charter covers:

  1. Role of the function — internal audit as an independent, objective assurance and consulting activity adding value, concerned with controls that ensure: reliability/integrity of information; effectiveness/efficiency of operations; safeguarding of assets; compliance with laws, regulations and contracts.
  2. Responsibilities — Programme divisions own the system of internal controls; internal audit provides assurance on the adequacy of those controls (and may consult, but never assumes the role of management).
  3. Annual Audit Programme — submitted by 15 January each year through the Financial Adviser to the Audit Committee, based on the Divisions' risk assessments (or the CAE's own assessment where these don't exist).
  4. Reports — issued within one week of CAE approval; significant-issue reports circulated with the Vice-Chairman's approval; an Annual Audit Review goes to the Committee Chairperson and to O/o CGA by 31 May (Annexure I).
  5. Access — internal audit has unfettered access to all officers, buildings, information and documentation.
  6. Independence — objective service per the Guidelines and Code of Ethics issued by O/o CGA, whose performance is periodically reviewed by O/o CGA, with results shared with the Audit Committee.
CH IV · PART B

Structure of the Internal Audit Wing

1
Chief Audit Executive (CAE)

Pr.CCA / CCA / CA heads the function. Reports to the Secretary through the Financial Adviser administratively; functionally reports to the Audit Committee.

2
Internal Audit Management Team

Headed by the CAE, comprising key Accounts & Audit functionaries — for closer supervision and quality assurance. Meets regularly to discuss plan execution, coordinate audit teams, decide approach, and issue guidance/advisories.

3
Audit Teams & Staff

Regular IAW staff + PAO staff not involved in the auditee's payment/accounting + other officials + Consultants hired as needed. A typical team: 1 Sr.AO/AO, 2 AAOs, 2 Accountants.

§3

The Independence Rule, Access & Service Types

⚠ The self-audit prohibition

No auditor should audit his own decision, nor be involved in the audit of a unit where he may have worked within the past one year. This is the core independence safeguard for team composition.

Standard work
Assurance & Consulting Engagements

Undertaken as per the overall directions of the Audit Committee.

On request
Special Audit Engagements

Taken up with defined Terms of Reference given by the executive wing; intimated to the Audit Committee at its next meeting.

📝 What the function actually does for the Ministry
Internal audit improves operating effectiveness of programmes through independent evaluation against policy guidelines and scheme objectives; looks into planning, execution and monitoring of spending units; comments on control weaknesses and risks; checks accuracy of accounting/financial records; and assists Financial Advisers in the appraisal, monitoring and evaluation of individual schemes. Its audit plan concentrates on high-risk areas, setting priorities by risk assessment and available resources.
⚡ Chapter IV — Quick Recap
ConceptKey Fact
Audit mandate documented inThe Internal Audit Charter (foundation for the annual plan)
Audit Committee ChairSecretary of the Ministry
Vice-ChairpersonFinancial Adviser
Convener / Member SecretaryCCA / CA (the CAE or nominee)
CAE reports administrativelyTo Secretary through Financial Adviser
CAE reports functionallyTo the Audit Committee
CAE's review to CommitteeQuarterly
Annual Audit Programme due15 January, via Financial Adviser
Reports issued withinOne week of CAE approval
Annual Review to O/o CGA by31 May (Annexure I)
Independence ruleNo self-audit; no unit worked at within past 1 year
Typical team1 Sr.AO/AO + 2 AAOs + 2 Accountants
Special auditsExecutive's ToR; Committee informed at next meeting
CH V · PART A

The Internal Audit Process

What this chapter does
Chapter V is the operational heart of the manual — the end-to-end audit process. It applies at both levels: the individual engagement and the Ministry-wide function. It covers planning, preparing, performing, reporting and following up, including audit evidence, working papers, the exit meeting, and the 5-C framework for drafting observations.

The internal audit process comprises five main phases. They can be compressed into three (planning, execution, reporting) for ease of understanding:

1
Planning the Engagement

Establish what is going to be audited — preliminary survey and research about the auditee unit.

2
Preparing for Audit

Gather relevant information from internal & external sources and prepare a work programme.

3
Performing the Engagement

Implement the approved plan — intimation, entry conference, testing, evidence.

4
Reporting upon the Engagement

Communicate the results achieved via the audit report.

5
Follow-up Action

Report on implementation of agreed improvement measures.

§1

Seven Steps of a Typical Assignment

A typical internal audit assignment runs through seven steps (many are iterative and may not occur strictly in sequence):

  1. Establish and communicate the scope and objectives to appropriate management.
  2. Develop an understanding of the operational area — objectives, measurements, key transaction types — via document review and interviews (flowcharts/narratives if needed).
  3. Describe the key risks facing the business activities within scope.
  4. Identify the control procedures ensuring each key risk and transaction type is controlled and monitored.
  5. Develop and execute a risk-based sampling and testing approach to check whether the most important controls operate as intended.
  6. Report problems identified and negotiate action plans with management.
  7. Follow up on reported findings at appropriate intervals (maintaining a follow-up database).
CH V · PART B

Planning & Preparing for Audit Engagements

Audit planning has two levels: the macro plan (Annual Audit Programme) and plans for specific assignments. The annual programme is developed in consultation with Management, finalised by 15 January each year, communicated to auditee units with sufficient notice, with a copy to O/o CGA.

Capacity Maths

Planning the year — the working-days arithmetic

Plan for about 210 working days per auditor (after deducting weekly/public holidays, eligible leave, travel, report preparation, follow-up and training). Keep an average of 10 working days for regular audits and 15–23 days for special audits. Given the available audit teams (1 Sr.AO/AO, 2 AAOs, 2 Accountants), the number of units that can be audited is then derived.

Step 1
Review the Audit Universe

The audit universe is the aggregate of all auditable areas — defined by function/activity, organisational unit/division, or project/programme. Examples: information systems, major contracts, procurement, payment, accounting. Budgetary allocations are a consideration.

Step 2
Risk Assessment & Prioritisation

An elaborate exercise with the Ministry's executive authorities, deciding which processes/units/schemes to audit. Use random sampling for selecting among similar units (so the sample is representative); judgemental sampling may pick areas/states/districts.

Step 3
Identify High-Risk Areas

Develop the work programme from the risk rating. Early on this involves substantial judgement; the process matures once Risk Registers and Risk Committees are functional.

Step 4
Fold in Special Audits

Special audits are undertaken per the Ministry's Terms of Reference; the Audit Committee is informed subsequently.

§2

Planning Individual Audits

Because audit itself spends public funds, each engagement must be economical, efficient and effective. Planning an individual engagement follows a logical chain:

  1. Background study & research — understand the unit's business operations, objectives, processes, policies, environment, and any significant or recent/proposed changes.
  2. Preliminary analysis of key controls & risks — consider entity-wide risks identified at the institutional level; for each activity/process/system, identify control objectives and the key controls that mitigate the risks, then evaluate their design effectiveness.
  3. Develop engagement objectives, scope, criteria and approach — the objective is a broad statement, often a question the auditor seeks to answer, with a conclusion drawn for each objective. The work must yield sufficient evidence to meet the objectives.
  4. Finalise the audit plan — a detailed scope statement describing the areas/processes/systems covered, the time period and locations, and any areas excluded from scope.
💡 Good planning is half the job done
Audit planning is often given low priority because auditors rush to get on with the job — but a good plan ensures high quality and provides evidence of due diligence. Note too that planning continues throughout the audit as additional information is gathered. The detailed Ministry manual should develop standard testing/working methodology and checklist work-programmes for a few key schemes.
CH V · PART C

Performing the Audit Engagement

Once the programme is finalised, it is communicated to auditee units 30 days before commencement (a questionnaire may accompany it).

§3

Intimation & Entry Conference

A Commencement Letter, addressed to the highest individual responsible for the function/department, is sent at least a month before the audit. It includes:

  • 🎯Objective of the audit.
  • 📐Scope and the period it covers.
  • ⏱️Estimated duration.
  • 👥Names of auditors — especially the Team Leader.
  • 📅Information on entry and exit conferences.
  • 📄Request for necessary information and documents.

The engagement normally starts with an entry conference between the auditors and the Head of Department/Office. Its purpose is to establish an appropriate environment: auditors communicate the proposed objectives and scope, seek to understand the organisation's objectives and risk-management practices, learn of areas of special concern, and settle logistics (a nodal officer for space, records, meetings). The conference validates information gathered during planning and gauges attitudes toward controls.

⚠ The surprise-audit exception

Audits with an element of surprise do not have any entry conference. (All meetings that do occur must be documented and minuted, forming part of the working papers.)

Operating effectiveness — what's tested

The auditor tests the operating effectiveness of the key controls. A control's operation is not effective when a properly-designed control isn't operating as designed, or the person performing it lacks the necessary authority or qualifications. Each test's results and evidence are documented on the applicable matrix, recording: the objective/criterion the test links to; the information sources used; the means of testing; the results and analysis; and the observations/recommendations.

§4

Audit Evidence & Its Reliability

Definition — Audit Evidence
Information collected, analysed and evaluated by the auditor to support an observation. It must be sufficient, appropriate and reliable. Sufficiency is the measure of quantity; appropriateness refers to reliability and relevance to a particular assertion. Evidence is appropriate when it is both relevant and reliable.

Reliability is influenced by source (internal or external) and nature (visual, documentary or oral). The manual's reliability hierarchy:

  • 🌐Evidence from external sources (e.g. third-party confirmation) is more reliable than from the entity's records.
  • 🔗Evidence from the entity's records is more reliable when the related accounting and internal-control systems operate effectively.
  • Evidence obtained directly by the auditor is more reliable than that obtained by or from the entity.
  • 📄Documents and written representations are more reliable than oral representations.
  • 📑Original documents are more reliable than photocopies, telexes or facsimiles.
  • 📊Large samples are more reliable than smaller ones; statistical samples more persuasive than non-statistical.
When evidence is consistent — or isn't

When evidence from different sources is consistent, it becomes persuasive. When sources are inconsistent, it is the auditor's responsibility to determine and perform the additional procedures needed to resolve the inconsistency. Decisions on what evidence to seek and how much is sufficient require due diligence and professional judgement.

CH V · PART D

Working Papers, Observations & the Exit Meeting

Working papers are the supporting documents for the whole engagement — they provide a complete audit trail, demonstrate how the audit was performed, and contain the evidence behind the Summary of Observations and the final report. They must be indexed, referenced and cross-referenced to the relevant observations. They sit in two files:

File 1
Permanent Audit File

Information relevant to current and future audits — allowing comparison of KPIs over time: (i) organisational chart; (ii) descriptions of schemes/programs/systems/procedures & business plans; (iii) corrective action plans; (iv) legal & regulatory issues; (v) risk assessment; (vi) correspondence of continuing interest; (vii) updated audit programmes.

File 2
Current Audit File

Records relevant to the current audit: (i) draft & final report copies; (ii) significant findings & how resolved; (iii) planning documentation; (iv) administration/correspondence; (v) follow-up of previous reports; (vi) updated programmes; (vii) supporting documentation; (viii) minutes of entry & exit meetings.

How an audit observation is born
An observation emerges by comparing "what should exist" (the audit criteria) with "what exists" (the audit evidence). When they differ, the auditor assesses the effect, impact and cause of the variance and documents it. The accumulation of observations provides the foundation for the engagement's conclusions, recommendations and report.
The Exit Meeting

The supervisor reviews all working papers and supporting evidence, then prepares a draft report flagging control-design/implementation weaknesses, non-compliance, and transactions short of standards of propriety. The draft goes to the Head of Department for the Department's views. A formal exit meeting with key officials discusses the draft, obtains views and additional facts, and records disagreements with reasons. If the entity won't or can't comment in reasonable time, the report may issue noting the absence of comments. Ideally, the exit meeting turns the draft into an agreed document. The meeting is minuted; a copy goes to the Department.

CH V · PART E

Reporting & the 5-C Framework

Audit reports are the end products. They must be accurate, objective, clear, concise and complete and issued timely (normally within a fortnight of completing the engagement). Satisfactory performance of the auditee should also be acknowledged. Key formal requirements:

  • 📑Cover page legend: "Internal Audit Report of ___ for the period ___", plus the date of issue.
  • ⚖️States the responsibility split: management owns internal controls & financial statements; the auditor's job is to express an opinion on the efficiency of internal controls in achieving management objectives.
  • Approved by competent authority, signed by the designated authority, addressed per the Internal Audit Charter.
  • 📊Carries an Executive Summary — objectives, scope, summary of observations, highlighting those needing immediate senior-management action.
  • 📝Issued in the format prescribed by O/o CGA (Annexure II); fact-based, free of personal criticism, constructively worded.

Every observation is developed with the 5-C framework — a logical chain from what was expected, through what happened, to what should be done:

  1. Criteria — "What should exist?" The benchmarks or expectations against which audit evidence is compared (policy, norm, SOP).
  2. Condition — "What exists?" The factual evidence found; identifies the nature and extent of the observation — the result of comparing actual evidence with criteria.
  3. Consequence / Effect / Impact — "What effect did it have?" The risk or exposure from the gap between criteria and condition; often quantitative. The effect must be serious enough to justify the cost of correction.
  4. Cause — "Why did it happen?" The likely reason for the gap. Similar causes across observations may reveal an underlying theme; identifying the cause is a prerequisite to a meaningful recommendation.
  5. Corrective Action / Recommendation — "What should be done?" Actions to correct and prevent recurrence — within the client's scope, addressing the cause not the symptoms, and at least intuitively viable.
⭐ Memory hook for the 5 C's
Criteria (should) → Condition (is) → Consequence (so what) → Cause (why) → Corrective action (fix). Two states, an impact, a reason, a remedy.
§5

Grouping Findings by Risk Severity

High Risk
Major Negative Impact

Absence of immediate corrective action may have a major negative impact on achievement of objectives.

Medium Risk
Significant Consequences

Failure to take action could result in significant consequences.

Low Risk
Efficiency Gains

Suggested action would bring greater efficiency or enhanced controls at minimal additional cost.

§6

Follow-up Action

The true achievement of an audit is reflected in implementation of its recommendations and an improved control system — this phase must not be underestimated. There must be a defined time-frame for Action Taken Reports (ATRs). The IAW examines ATRs and offers comments to the administrative division; monitoring of audit paras also aims to resolve old paras, watched closely by the Pr.CCA/CCA/CA.

⚠ Escalation of unresolved issues

Issues that could not be resolved within six months through communication with the administrative division / audit client are reported to the Audit Committee, whose Chairman issues further directions.

⚡ Chapter V — Quick Recap
ConceptKey Fact
Five phasesPlan · Prepare · Perform · Report · Follow-up
Compressed intoPlanning · Execution · Reporting
Typical assignment7 steps (scope → understand → risks → controls → test → report → follow-up)
Annual Programme due15 January; copy to O/o CGA
Capacity planning210 working days/auditor; 10 days regular, 15–23 special
Programme communicated30 days before commencement
Commencement LetterSent ≥ 1 month before the audit
Surprise auditsNo entry conference
Evidence must beSufficient (quantity) · appropriate (reliable + relevant)
Most reliable evidenceExternal · auditor-obtained · documentary · originals · large samples
Two working-paper filesPermanent & Current
Observation ="Should exist" vs "exists" + effect, impact, cause
Report qualitiesAccurate · Objective · Clear · Concise · Complete
Report timelineWithin a fortnight of completion
Responsibility splitManagement owns controls; auditor opines on efficiency
The 5 C'sCriteria · Condition · Consequence · Cause · Corrective action
Risk groupingHigh · Medium · Low
ATR escalation windowUnresolved in 6 months → Audit Committee
CH VI · PART A

Quality Assurance in Internal Audit

What this chapter does
Since audit engagements spend public money, they must be conducted with economy, efficiency and effectiveness. A Quality Assurance and Improvement Programme supports internal audits that consistently add value, and provides assurance that the activity conforms to prescribed guidance. Understanding the expectations of senior management and the Audit Committee is a key step in building the performance-measurement process.
Benefits of a quality assurance programme

Consistent application of processes; standardisation and completeness of documentation; adequate linkage of recommendations to working papers; enhanced credibility. It increases the effectiveness of the supervisory function — and thereby the reliability of reports.

§1

Hierarchy of Quality Assurance Elements

Quality assurance operates at four levels, each with its own control objective, the party responsible, and the level that receives assurance:

ElementControl objectiveResponsible partyAssurance to
Professionalism (Due Care)Individual auditor's workIndividual auditorIndividual
Supervisory ReviewThe engagementSupervisor within line of responsibilityAudit function management
Internal ReviewAggregate of engagements / divisional officesSupervisor or peer outside line of responsibilityChief Audit Executive
External ReviewAudit function as a wholeQualified persons from outside the organisationAudit Committee & senior management
By the CAE
Self-Assessment

The responsibility of the Chief Audit Executive.

By other Ministries
Peer Review

Conducted by members of IAWs of other Ministries/Departments.

By O/o CGA
External Review

Examines the audit plan, working papers, related report and follow-up — before or after reports are finalised. Deficiencies must be rectified in a time-bound manner.

§2

Measuring the Performance of Internal Audit

Performance can be evaluated on several key areas (a balanced scorecard approach helps, supplemented by customer surveys to managers after each engagement and an annual survey to the Audit Committee):

Metric 1
Plan Completion

The degree to which the annual plan of engagements is completed.

Metric 2
Report Issuance

Time elapsed from completion of testing to issuance of the final report.

Metric 3
Issue Closure

Audit findings acted upon and resolved.

Metric 4
Staff Qualifications

% of staff with professional certifications, graduate degrees, and years of experience.

Metric 5
Staff Utilisation Rate

% of time spent on engagements vs administrative time (training, vacation).

Metric 6
Staffing Level

Positions filled vs authorised. May use rotational/"guest" auditors or "co-sourcing" of contract auditors.

CH VI · PART B

Human Resources, Training & Staffing Norms

📝 Why HR is critical
Staffing level, staff qualifications and staff utilisation rates are critical performance parameters. The success of any plan is ultimately determined by the quality of personnel executing it. Each Department must have a dedicated IAW staffed by auditors and supervisors (Group A, B & C officials) in adequate numbers, assessed rationally and scientifically.

Eight parameters drive the staffing requirement of an IAW (worked out into man-days against available working days — Annexure III):

  1. Number of audit units.
  2. Number of employees in each audit unit.
  3. Budget of each audit unit.
  4. Inherent risks in the functioning of each audit unit.
  5. Time required to complete an engagement (including travel).
  6. Time required for report writing.
  7. Time reserved for training and continuous professional education.
  8. Period that may be spent on leave etc.
Hiring specialist consultants

With increasing complexity, internal audit may lack specialised knowledge. The CAE should have authority and resources to hire individuals and firms with the requisite skills (as the C&AG does), assessing their competency, independence and objectivity (experience, education, training, professional membership). Consultants work under the CAE's overall control, and responsibility for quality and timely delivery lies only with the CAE.

Training focus & professional certification

Training modules should cover risk assessment, designing the risk matrix, mapping risks with controls, evaluating internal controls, field work and testing plans, and auditing in a computerised environment (CAATs). Report-writing is a priority area. Auditors should acquire certifications from bodies like IIA, ISACA, with the CAE reimbursing fees and study material.

Developing & retaining quality auditors

Effective methods: challenging, varied assignments; quality supervision; staff participation across audit phases; opportunities to lead (starting with structured engagements); participation on improvement task forces; rotation through teams/audits; and involvement in annual risk-assessment.

§3

The Code of Ethics — Four Principles

Principle 1
Integrity

Establishes trust; the reason an auditor's judgement is relied on. Perform with honesty, diligence and responsibility, in conformity with law; no party to illegal acts.

Principle 2
Objectivity

Impartial and transparent. No activity/relationship that adversely affects balanced assessment; accept nothing that may influence professional judgement.

Principle 3
Confidentiality

Respect the value and ownership of information; don't disclose without proper authority unless legally/professionally obliged.

Principle 4
Competency

Engage only in services for which one has the knowledge, skills and experience; continuously improve proficiency and quality.

Interface with Statutory Audit

Internal and statutory audit should develop synergy and complement each other. The Audit Committee reviews statutory audit observations too. To track settlement of objections in Test Audit Notes issued by statutory officers, the IAW maintains a DDO-wise count of outstanding objections and monitors progress. Both audits' observations guide the risk-assessment and work-programme.

⚡ Chapter VI — Quick Recap
ConceptKey Fact
QAIP purposeValue-adding audits + assurance of conformance to guidance
4 QA hierarchy levelsProfessionalism · Supervisory · Internal · External review
Self-assessment byThe CAE
Peer review byIAWs of other Ministries
External review byO/o CGA
6 performance metricsPlan completion · report issuance · issue closure · staff qualifications · utilisation · staffing level
Measurement approachBalanced scorecard + customer surveys
8 staffing parametersUnits · employees · budget · risk · audit time · report time · training · leave
Consultant responsibilityLies only with the CAE
4 Code of Ethics principlesIntegrity · Objectivity · Confidentiality · Competency
Statutory-audit trackingDDO-wise count of Test Audit Note objections
REF · PART A

Glossary, Annexures & Report-Writing Tips

Why this reference matters
The manual closes with a Glossary, three Annexures (formats and norms), and a memorable box on report-writing. These supply the formats a Ministry adapts and the exam-relevant specifics (deadlines, thresholds, irregularity categories) that don't fit neatly into the chapters.
§1

The Three Annexures

I
Reporting format
Annual Review Format for IAW

Format for the wing's Annual Review, submitted to O/o CGA by 31 May. Built around four chapters: Executive Summary, Consolidated report of findings, Important findings (quantified), and Annexures.

II
Report template
Internal Audit Report Template

The prescribed report format — carries the legend "Internal Audit Report of ___ for the period ___," the IAR number, and the responsibility split.

III
Staffing norms
Norms for Staff Requirement

The basis for assessing IAW staff requirement — auditee units by periodicity (annual / biennial / triennial), audit man-days required vs available working days in the year.

⭐ The Rs. 25 lakh grant-audit threshold
Per the correction slip to para 12.2.1 of the Civil Accounts Manual, the audit of institutions receiving less than Rs. 25 lakhs by way of grant is taken up by the Internal Audit Wing of the respective Ministry. Also note the reporting threshold: only irregularities of not less than Rs. One lakh in individual cases are highlighted in the Annual Review, and abbreviations must not be used.
§2

Annual Review — The Ten Categories of Irregularities

The Annual Review highlights important irregularities (each ≥ Rs. 1 lakh) under ten distinct headings — a useful checklist of what internal audit looks for:

  1. Non-recovery of Government dues (from Central/State Govt., Govt. bodies, private parties).
  2. Overpayments.
  3. Idle machinery / surplus stores.
  4. Loss / infructuous expenditure.
  5. Irregular expenditure.
  6. Irregular purchase.
  7. Non-adjustment of advances (Contingency, TA, LTC advances).
  8. Blocking of Government money.
  9. Non-accountal of costly stores / Government money.
  10. Any other item of special nature.
REF · PART B

Ten Things Not to Say in an Audit Report

A memorable box (by Richard Chambers of the IIA) on report-writing craft — worth internalising for the principle that reports must drive action, not impress:

1 & 2
No "consider"; no weasel words

Don't say "management should consider…" — offer solid, specific recommendations. Avoid hedges like "it seems that" or "there appears to be."

3 & 4
Sparing intensifiers; rarely universal

"Clearly," "very," "significant" are non-specific weaseling — numbers tell the story. Beware "always"/"never"; the problem is rarely universal.

5 & 6
No blame game; no "failed"

Aim for positive change, not blame — get to root cause. State the condition without "management failed," which annoys those you need to act.

7 & 8
"Auditee" is old-school; no jargon

Use "audit client"/"customer" — audit is collaborative. Avoid audit-speak that loses readers.

9 & 10
Don't grab credit; rewrite if "impressive"

Avoid "we found" (it reads like throwing management under the bus). If it sounds pompous, rewrite — use the "fifth-grader test."

§3

Glossary — Quick Reference

TermMeaning
Add ValueFacilitate achievement of objectives by identifying areas and recommending measures to reduce risk and/or improve operations.
Audit ObservationAny identified and validated gap between the current and desired state arising from an engagement.
Auditee / Audit ClientThe Government Ministry/Department/Unit that is the subject of an engagement.
CriteriaThe standards or measures used in evaluation — what should exist.
ConditionThe factual evidence the auditor found — what does exist.
CauseThe reason(s) for the difference between expected and actual conditions.
Effect / ConsequenceThe risk or exposure arising from the variance between condition and criteria.
Control EnvironmentProvides the discipline and structure — integrity/ethics, management philosophy, structure, authority assignment, HR practices, competence.
Residual RiskThe portion of inherent risk remaining after management executes its risk-management process.
Risk Response (Mitigation)Action to achieve a desired risk strategy — avoidance, reduction, sharing or acceptance.
Reasonable AssuranceA level of assurance supported by generally accepted auditing procedure and judgement.
GovernanceThe rules, procedures and processes that authorise, direct and oversee management to ensure objectives are achieved.
Engagement Work ProgramA document listing the procedures to be followed during an engagement.
Conflict of InterestAny relationship that may prejudice an individual's ability to perform duties objectively.
⚡ Reference — Quick Recap
ConceptKey Fact
Annexure IAnnual Review Format (due 31 May)
Annexure IIInternal Audit Report Template (O/o CGA format)
Annexure IIINorms for staff requirement (annual/biennial/triennial)
Grant-audit thresholdIAW audits institutions getting < Rs. 25 lakh in grant (CAM 12.2.1)
Irregularity reporting floorRs. 1 lakh per case; no abbreviations
10 irregularity categoriesNon-recovery · overpayment · idle machinery · loss · irregular expenditure · irregular purchase · advances · blocked money · non-accountal · other
Report-writing testThe "fifth-grader test"
Criteria vs Condition"What should exist" vs "what does exist"
Residual riskInherent risk left after the risk-management process

Gateway to Promotion Exams

Single Device Policy: You can only be logged in on one device at a time. Logging in here will end any existing session.
Forgot Password?

Enter your email to receive a password reset link.

Back to Login