Handbook on Internal Audit in Central Civil Ministries/Departments — Interactive Study Notes

Handbook on Internal Audit in Central Civil Ministries/Departments

The policy-and-principles reference issued by the Internal Audit Division of the Controller General of Accounts (Ministry of Finance, Department of Expenditure). Anchored in Article 150 of the Constitution, the GFR 2017 (Rules 70, 72 & 236), the Civil Accounts Manual and the IIA's IPPF, it embeds the 32 CGA Internal Audit Guidelines and the theory of risk, COSO controls and RBIA. These notes cover the Foundations and all six chapters plus the six Exhibits, each with a self-test.

This covers the complete handbook. Foundations (history, statutory anchors & acronyms) · Ch 1 Introduction & the 32 Guidelines · Ch 2 Audits, Risks & Controls · Ch 3 Management of Internal Audit · Ch 4 Other Domains (Gender, IT, Governance) · Ch 5 Quality Assurance · Ch 6 Human Resource Management · Exhibits & Glossary.
FND · FOUNDATIONS

History, Statutory Anchors & Acronyms

The document in one line
This is the Handbook on Internal Audit in Central Civil Ministries/Departments, issued by the Internal Audit Division (IAD) of the Controller General of Accounts (M/o Finance, Department of Expenditure). It is the conceptual and policy reference — it explains the background, the theory of risk and control, and embeds the 32 CGA Internal Audit Guidelines that are mandatory for every Internal Audit Wing (IAW).

Handbook vs Manual — the framework is a two-book set, each serving a distinct purpose.

AspectHandbook (this document)Manual (companion)
AnswersThe "why" and "what".The "how".
ContentsTheory, concepts, definitions, and the 32 Guidelines.Practice advisories, checklists, and worked exhibits.
When usedTo understand principles, risk, COSO and the management framework.While actually performing the engagement.
Two words that carry legal weight

The Guidelines use "must" for an unconditional requirement and "should" where conformance is expected unless, on applying functional judgment, circumstances justify deviation. The word "Program" denotes any auditable unit — programs, schemes, departments, units, processes, structures or PSUs.

F.2

Historical milestones

DateWhat happened
Jan 1973Group of Ministers (GOM) constituted; a sub-group of eight members under Finance Secretary Shri M.P. Yardi ("Yardi Committee") set up on 27 Feb 1973.
14 Aug 1973Yardi Committee report submitted (endorsed by GOM on 4 Sep 1973) — recommended Departmentalisation of Accounts, a Management Accounting System (MAS), and strengthening of Internal Audit.
1 Mar 1976Two ordinances promulgated — the C&AG (DPC) Amendment Ordinance and the Departmentalisation of Union Accounts (Transfer of Personnel) Ordinance.
1 Apr 1976The Civil Accounts Organisation under the Controller General of Accounts came into existence.
27 Sep 1980Role of the Civil Accounting Organisation outlined in the Allocation of Business Rules (notification CD-896/80, Annexure 2.3).
Apr 1989High Powered Committee under Shri S.B. Lal reviewed the Departmentalisation scheme — noted qualitative improvement in Internal Audit.
1 Jun 2006Redefined Charter of Financial Advisers (OM 5(6)/L&C/2006) — moved internal audit beyond compliance to controls, risk and value-for-money.
F.3

The statutory & rule anchors — exact citations

These provisions recur throughout the Handbook, each cited below with its exact number and full scope.

  • GFR 70Rule 70, GFR 2017 — the Secretary, as Chief Accounting Authority, is responsible and accountable for the financial management of the Ministry/Department, must ensure public funds are used for their intended purpose, and must keep full & proper records and adopt systems/procedures that at all times afford internal controls, to avoid unauthorised, irregular and wasteful expenditure.
  • GFR 72Rule 72, GFR 2017 (read with Article 150 of the Constitution) — the accounts of the Union shall be kept in such form as the President prescribes on the advice of the C&AG; the CGA (M/o Finance, Dept of Expenditure) is responsible for prescribing the form of accounts of the Union and States and for framing/revising the related rules and manuals on the President's behalf.
  • CAM 12.2.1Para 12.2.1, Civil Accounts Manual — the Internal Audit Unit works directly under the Pr. CCA / CCA / CA (with independent charge), with overall responsibility remaining with the concerned Financial Adviser and the Secretary. Its jurisdiction covers the Principal Accounts Office, the Pay & Accounts Offices, the offices of the DDOs, Indian Missions and other GoI offices abroad — and, in addition, the implementing agencies of the Ministry's schemes/programmes.
  • GFR 236Rule 236(1), GFR 2017 — the accounts of all Grantee Institutions or Organisations shall be open to inspection by the sanctioning authority and to audit by both — (a) the Comptroller & Auditor General of India under the provisions of the C&AG's (DPC) Act, 1971, and (b) internal audit by the Principal Accounts Office of the Ministry/Department — whenever the Institution or Organisation is called upon to do so. A provision to this effect must invariably be incorporated in all orders sanctioning Grants-in-aid.

Two further roots worth noting: the digitisation of Government accounts through PFMS was approved by an OM dated 2 December 2014; and the Eleventh Five Year Plan (2007–12) recorded the Government's commitment to undertaking gender audits, with Gender Budgeting adopted by India in 2005.

F.4

Key acronyms

AcronymExpansion
CAEChief Audit Executive (refers to Pr. CCA / CCA / CA)
Pr.CCA / CCA / CAPrincipal Chief Controller / Chief Controller / Controller of Accounts
IAW / IADInternal Audit Wing (at a Ministry) / Internal Audit Division (in O/o CGA)
IAGInternal Audit Guidelines (the 32 CGA guidelines)
IPPF / IIAInternational Professional Practices Framework / Institute of Internal Auditors
COSO / ERMCommittee of Sponsoring Organizations / Enterprise-wide Risk Management
RBIA / RAURisk Based Internal Audit / Risk and Audit Universe
IA-CM / IA-CoEInternal Audit Capability Maturity Model / IA Centre of Excellence (IAD)
QAIPQuality Assurance and Improvement Program
KPI / KRIKey Performance Indicator / Key Risk Indicator
PPSProgrammes, Projects and Schemes
GFR / DDOGeneral Financial Rules (2017) / Drawing & Disbursing Officer
PFMS / INGAFPublic Financial Management System / Institute of Govt Accounts & Finance
CIPFA / ICAIChartered Institute of Public Finance & Accountancy / Institute of Chartered Accountants of India
CVC / C&AGCentral Vigilance Commission / Comptroller & Auditor General
ISSAIInternational Standards of Supreme Audit Institutions
Self-test

Foundations Quiz — history & the rule anchors

Eight questions on the history and the statutory anchors. Pick an answer to lock it; the explanation appears below.

Score 0 / 0
⚡ Foundations — Quick Recap
ConceptKey Fact
Issued byInternal Audit Division, O/o CGA, M/o Finance (Dept of Expenditure)
Handbook vs ManualTheory + 32 Guidelines  |  advisories, checklists, exhibits
Yardi Committee1973 — recommended Departmentalisation of Accounts
CGA organisation born1 April 1976
Rule 70 GFRSecretary = Chief Accounting Authority
Rule 72 GFR + Art 150President prescribes form of accounts on C&AG's advice; CGA prescribes it
Rule 236(1) GFRGrantee accounts open to audit by both — C&AG (DPC Act 1971) and internal audit by the PAO
Para 12.2.1 CAMIAU under Pr.CCA/CCA/CA; jurisdiction = PAO, PAOs, DDOs, Missions, offices abroad + implementing agencies
PFMS digitisation OM2 December 2014
CH 1 · INTRODUCTION

Introduction to Internal Audit & the 32 Guidelines

IIA Definition of Internal Auditing
"An independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes." It was earlier described as "a managerial control which functions by measuring and evaluating the effectiveness of other controls."

Each IAW articulates its own Mission; the model wording is: "To enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight." The need for the function stems from the need for objective feedback to Government through periodic review of risks, internal controls and governance.

§ 1.2

The ten Core Principles (IIA)

Taken as a whole, these articulate an effective internal audit. All should be present and operating — failure on any one implies the activity is not as effective as it could be in achieving its mission.

1
Integrity

Demonstrates integrity.

2
Competence

Competence & due professional care.

3
Objective

Objective & free from undue influence (independent).

4
Aligned

Aligns with strategies, objectives & risks.

5
Positioned

Appropriately positioned & adequately resourced.

6
Quality

Quality & continuous improvement.

7
Communicates

Communicates effectively.

8
Risk-based

Provides risk-based assurance.

9
Insightful

Insightful, proactive, future-focused.

10
Improving

Promotes organizational improvement.

§ 1.3

The IAG architecture & "Audit Risk"

The CGA's Internal Audit Guidelines exist to decrease Audit Risk. There are 32 guidelines in 4 Sections, mandatory and principle-based. The word "professional" is read to include the "function" of internal audit from the Civil Ministries' perspective.

Audit Risk — the two failures it guards against

False positive — giving a positive assurance when there is actually a substantial issue. False negative — giving an adverse opinion when the actual conditions are satisfactory. Tolerable audit risk is set by the Ministry's Audit Committee.

Section A
Guidelines 1–8 — General. The foundation for objective, risk-based assurance.
Section B
Guidelines 9–13 — CGA Level. CGA's oversight of audit across all Ministries.
Section C
Guidelines 14–24 — Ministry Level. Managing the IAW at each Ministry.
Section D
Guidelines 25–32 — Engagement. Performing each engagement.
§ 1.4

Section A — General Guidelines (1–8)

No.GuidelineThe crux
1Internal Audit PrinciplesThe ten core principles; mandatory and CGA-updated.
2Code of Conduct & EthicsServe the public interest; follow GoI rules & CVC ethical guidelines. Five ethical principles: public interest, integrity, objectivity, proper use of Govt information/resources/positions, professional behaviour (adapted from US GAO Yellow Book). A yearly declaration of adherence is taken from each auditor.
3Independence & ObjectivityActivity must be independent; auditors objective — in fact and appearance. Achieved via a dual-reporting relationship with direct, unrestricted access to senior management. (Five-test rule below.)
4Proficiency & Due CareConsider extent of work; complexity/materiality; adequacy of GRC; probability of fraud/non-compliance; cost vs benefit. Must consider technology-based & data-analysis techniques.
5Use of Professional JudgementDocument significant decisions affecting objectives, scope, methodology, findings, conclusions; built on independence, objectivity, integrity, proficiency, skepticism & critical thinking.
6Definition of Internal AuditThe IIA definition — assurance + advisory.
7Nature of WorkEvaluate & improve Governance, Risk Management, Control via a systematic, risk-based approach (IIA Std 2100/2110/2120/2130).
8Types of ServicesAssurance (3 parties: process owner, auditor, user) & Advisory (2 parties: auditor, Ministry). Procedures: examination, review, agreed-upon procedures.
Guideline 3 — the five-test presumption of independence

A Ministry's IAW is presumed free of organizational impairment if the CAE meets ALL of:
(a) is accountable to the Secretary;
(b) reports audit results to both the Secretary and the Audit Committee;
(c) is located outside the staff or line management of the Ministry;
(d) has access to the Audit Committee;
(e) is sufficiently removed from political pressure to report findings without fear of political reprisal.

Under Guideline 8 the three engagement procedures differ sharply: an examination forms an opinion on conformance with criteria in all material respects (used for controls/compliance); a review does sufficient testing to express a conclusion on whether anything came to attention showing non-conformity; an agreed-upon procedure engagement expresses no opinion or conclusion — it only reports the findings of the applied procedure.

§ 1.5

Section B — CGA Level Guidelines (9–13)

No.GuidelineThe crux
9Managing Govt Internal AuditCGA's oversight; IAD obtains Annual Reviews and reports the "Annual Review at a Glance" to the Finance/Expenditure Secretary.
10Establishing Best PracticesCGA lays down best practices including the IAGs in the Handbook; the new Charter of duties (Secretary, Dept of Expenditure) to be adopted by Ministries.
11Supporting Engagement with Audit CommitteesCGA builds the working relationship between the CAE and the Audit Committee.
12Technical Support (Data Analytics)Delivered through the Internal Audit Centre of Excellence (IA-CoE) — a central repository of best practice; helps IAWs climb the IA-CM; signed an MoU with IIA India.
13Maintaining ProficiencyCertification via INGAF; where a resource gap carries significant audit risk, CGA may nominate proficient auditors / outsourced providers to that team.
§ 1.6

Section C — Ministry Level Guidelines (14–24)

No.GuidelineThe crux
14Role of the CAEEffectively managed (achieves charter purpose, conforms to the Handbook), adds value (considers strategies/objectives/risks), proficiency (sought for advice on risks & controls).
15Reporting by the CAEReport regularly to the IFA, periodically to Secretary & Audit Committee; at least once a quarter on status. Report against KPIs each quarter; the Audit Committee fixes risk appetite/tolerance; the CAE gives a written assessment on KRIs each quarter. Introduces the IA-CM (six elements).
16Annual Plan & 3-Year ProgrammeRisk-based Annual Plan by 15 January; revise by 15 February for the Finance Bill. High-risk areas ≥1/year; low-risk once in 2–3 years. Plan must contain both assurance and advisory; documented risk assessment at least annually.
17Communication & Approval of PlansPresent plan + 3-year programme to the Audit Committee by 1 March, with impact of resource limitations; present challenges in three risk categories: audit failure, false assurance, reputation risk.
18Resource ManagementResources must be appropriate (right mix), sufficient (right quantity), effectively deployed; gaps reported in writing before every meeting.
19Mandatory ComplianceCompliance is mandatory and part of the CAE's appraisal; non-conformance during an engagement must be stated in the report.
20Technical Support from IA-CoECAE prepares the Ministry's own IA Manual, maintains a Risk Register, reports IA-CM capability, shares best practices.
21Internal Audit of GovernanceReport to Secretary, IFA & Audit Committee on the adequacy of governance processes.
22External Service ProvidersFill competency gaps; each member needn't be qualified in all disciplines, but the team collectively must be competent; document scope in an engagement letter.
23Value Add to Risk ManagementReview/advise on ERM, facilitate Risk Self-Assessment workshops — but do not assume management responsibility by actually managing risks.
24QAIPCAE maintains a QAIP covering all IAW activities; communicate results annually to IFA & Audit Committee; covers internal & external assessments; the external assessment is done by an assessor engaged by the CGA.
§ 1.7

Section D — Engagement Guidelines (25–32)

No.GuidelineThe crux
25Engagement PlanningPlan = objectives, scope, timing, resources; submit a TOR before the field visit. Pre-fieldwork file: Audit Planning Memo (APM), Preliminary Survey Findings (incl. Risk Assessment Report — RAR), Engagement TOR.
26Engagement Work ProgramWritten, updated program: objectives; risks/processes/transactions; nature of testing; procedures. Ready before the field visit except sample size.
27Engagement SupervisionOversight scaled to auditor proficiency/experience and engagement complexity, to mitigate audit risk.
28Sufficient & Appropriate EvidenceAppropriateness = quality (relevance, reliability, usefulness); Sufficiency = quantity. Where limitations are significant: seek corroboration, disclose in report, decide whether to report as a finding.
29Performing Field WorkGather via surveys/interviews/checklists, analytical procedures, process maps; use Generalised Audit Software (GAS) & continuous monitoring; secure electronic working papers. Be proficient in choosing sampling — statistical, judgemental, discovery.
30Documenting Engagement ActivitiesDetail enough for an experienced auditor with no previous connection to understand nature/timing/extent/results; control access & retention (IIA Std 2330 series).
31Communicating ResultsTimely; contains an opinion and/or conclusion; the reason for an unfavourable opinion must be stated; communicate serious findings early; CAE issues all reports and circulates corrections.
32Monitoring Progress & Acceptance of RiskMonitor disposition of results; inordinate delay implies management has accepted the risk — include in yearly reporting of unacceptable risks to the Audit Committee.
Self-test

Chapter 1 Quiz — principles & the 32 Guidelines

Eight questions from Chapter 1. Pick an answer to lock it; the explanation appears below.

Score 0 / 0
⚡ Chapter 1 — Quick Recap
ConceptKey Fact
Total guidelines / sections32 guidelines · 4 Sections (A 1–8 · B 9–13 · C 14–24 · D 25–32)
Core principles10 — all should operate effectively
Audit RiskFalse positive / false negative
Five ethical principlesPublic interest · integrity · objectivity · proper use of Govt resources · professional behaviour
Independence viaDual-reporting relationship (five-test presumption)
Three services proceduresExamination · review · agreed-upon procedures
Plan deadlines15 Jan (plan) · 15 Feb (Finance Bill) · 1 Mar (present)
Three engagement risksAudit failure · false assurance · reputation risk
Pre-fieldwork fileAPM · Preliminary Survey (incl. RAR) · TOR
QAIP results reportedAnnually to IFA & Audit Committee
CH 2 · RISK & CONTROL

Internal Audits, Risks & Internal Controls

The pivot of the chapter
The Revised Charter of Financial Advisers (June 2006) shifted Central Ministries from auditing everything on a fixed periodicity to auditing by criticality and risk. The chapter explains the three audit types, the RBIA methodology, and the theory of risk, risk management and internal control — anchored in COSO.
§ 2.1

The three types of audit

Type 1
Compliance Audit

Verifies expenditure conforms to laws, rules & orders governing the power to incur/sanction, and that service, pay, allowance & pension rules are followed. The auditor flags deviations and suggests remedies; further action rests with the Ministry.

Type 2
Propriety Audit

Reviews actions suggesting improper expenditure or waste even if covered by rules. Extends "beyond the formality of the expenditure, to its wisdom, faithfulness and economy" (Hallam). Financial Audit is conducted as part of it — grant/contract audits and fraud/financial-irregularity audits.

Type 3
Performance Audit

Ascertains whether stated objectives are achieved with economy & efficiency; examines the inputs → outputs → outcomes chain in schemes/programmes.

Performance Audit is assessed from five angles: Effectiveness (program accomplishments — gender-disaggregated data is a pre-requisite to measuring it), Efficiency (productivity, unit cost, utilisation), Economy (minimising input use consistent with quality), Data reliability (controls over non-financial reporting), and Risk assessment (including the political and societal risks unique to Government).

§ 2.2–2.3

Risk Based Internal Audit (RBIA) methodology

Definition
RBIA is "a methodology that links internal auditing to the Ministry's overall risk management framework." The distinction matters: compliance, propriety and performance are types of audit, whereas RBIA is a methodology for planning and conducting them. It begins by assessing the ERM system at the specific program/scheme.
Strategy depends on the program's risk maturity

Where risk maturity is low: report the ERM deficiencies, provide advisory to train program officers to prepare a risk register, and build the plan on the auditor's own risk assessment. Where it is adequate: use the program's risk register, identify significant risks, and include them in the plan. Risk assessment is done separately for each unit/geography — there is no one plan that fits all.

Implementation has three stages (detailed in Exhibit IV) — the CAE shall:

STAGE 1
Assess risk maturity
Of the Ministry/Department, determining the internal audit strategy.
STAGE 2
Prepare the Audit Plan
Assign risks to audits; set up the Risk & Audit Universe (RAU).
STAGE 3
Carry out audits
Perform individual risk-based audits and feed results back into the RAU.
§ 2.4

Risk & its scoring

Definition of Risk
Risk is "the possibility of an event occurring that will have an adverse impact on the achievement of objectives." Every risk has two components — likelihood and impact. The three analysis questions: What can go wrong? (identification) · What is the probability? (likelihood) · What are the consequences? (impact). Some activities are inherently riskier — e.g. procurement more than accounting for expenditure; year-end expenditure driven by avoiding budget lapse needs closer control.
1 to 3
Consequence & likelihood each scored (e.g. L/M/H = 1–3), then combined.
9
The highest possible score on a 1–3 grid (impact × likelihood).
≥ 6
Any risk scoring 6 or above is a "key risk" — action must be taken.
Control score
Inherent minus residual risk; the higher the control score, the more important the control.
§ 2.5

Risk response — the 4 T's

T
Transfer

Shift the risk elsewhere — e.g. obtaining insurance.

T
Tolerate

Accept it — when control cost outweighs benefit, or the outcome is inconsequential.

T
Terminate

Stop the activity — for grave consequences; not always possible in Govt due to political/social sensitivities.

T
Treat

Apply control activities — usually the most obvious & relevant choice for Ministries.

Residual risk remaining after controls may be tolerated if elimination costs are high and it is within acceptable limits. Acceptable risk is one understood and tolerated because the cost/difficulty of a countermeasure exceeds the expected loss — a judgement for the Ministry. The benefits of risk reduction must exceed the cost of controls; the target is bringing risk within the Ministry's risk appetite.

§ 2.6

Internal control & the COSO framework

Internal Control (INTOSAI)
"The process by which an organization governs its activities to effectively and efficiently accomplish its mission." It is a continuous process, not isolated events — and everyone in the Ministry has some responsibility for it. It gives reasonable assurance of: orderly/ethical/economical/efficient/effective/equitable operations; accountability; legal compliance; and safeguarding resources against loss, misuse & damage.
1
Control Environment — sets the tone; integrity & ethical values.
2
Risk Assessment — identification, evaluation (L/M/H), acceptance.
3
Control Activities — the controls themselves.
4
Information & Communication — must flow down, across & up; timely, reliable, gender-sensitive.
5
Monitoring — ongoing activities and/or separate evaluations.

Types of control — with representative examples of each.

TypePurposeExamples
PreventivePrevents/minimises errors before they occur.Segregation of duties; dual cheque-signing; purchase policy; barring unauthorised entry.
DetectiveHighlights errors after they occur.Bank reconciliation; audit; physical verification of fixed assets; supervision.
ReconstructiveProvides effective backup.Disaster Recovery Procedures.

Internal control is most effective when controls are "built in" and not "superimposed." Internal Audit is itself a critical component of the internal control system — entrusted with the review function — and, being a control, also entails costs, so must be run with due regard to economy, efficiency and effectiveness.

§ 2.7

The internal auditor's role in risk management

  • 📢Be advocates for formal risk management and help expedite and sustain it.
  • 🎯Provide assurance on risk management as a whole, not just on individual risks.
  • 🔗When conducting a risk-based audit, link the audit scope to specific risks faced by the Ministry's objectives.
  • 🔄Update the risk assessment as and when risks arise, not on a fixed periodicity.
  • ⚠️Be cautious that Ministry requests don't divert resources from higher-risk areas; never assume a management role.
Self-test

Chapter 2 Quiz — audit types, RBIA & COSO

Eight questions from Chapter 2. Pick an answer to lock it; the explanation appears below.

Score 0 / 0
⚡ Chapter 2 — Quick Recap
ConceptKey Fact
Three audit typesCompliance · Propriety · Performance
Propriety (Hallam)Beyond formality — to wisdom, faithfulness, economy
Financial Audit sits withinPropriety Audit
Performance audit anglesEffectiveness · efficiency · economy · data reliability · risk assessment
RBIA is aMethodology (not a type); links audit to ERM
RBIA three stagesAssess maturity → prepare plan/RAU → audit & feed back
Risk componentsLikelihood & impact
Key risk thresholdScore ≥6 (1–3 grid; max 9)
Control scoreInherent minus residual risk
4 T'sTransfer · Tolerate · Terminate · Treat
COSO 5 componentsControl environment · risk assessment · control activities · info & communication · monitoring
Control typesPreventive · Detective · Reconstructive
Controls best when"Built in," not "superimposed"
CH 3 · MANAGEMENT

Management of Internal Audit in Government

What this chapter does
Chapter III shows the reporting levels at the Centre and the Ministry, and the activities the CAE performs to organise and manage the IAW. Its big-ticket items: the Audit Committee, the Internal Audit Charter (with a model charter), the Documentation Policy, and the KPI dashboard.
CGA Vision & Mission (approved 6 Aug 2011)

Vision: "As a professional accounting organization, our vision is to strengthen governance through excellence in public financial management." One mission limb is squarely about audit: "Develop new paradigms of internal audit for improved transparency and accountability." The IAD's own stated mission is to provide "dynamic leadership" for Government internal auditing in India.

§ 3.1–3.4

Reporting by CGA to the Expenditure Secretary

The CGA has a direct relationship with the Secretary (Expenditure), M/o Finance, and submits the Annual Review — a consolidation of the Annual Reviews received from line Ministries. The IAD compiles an "Annual Review at a Glance" summarising important observations and reflecting financial implications above Rupees One Crore.

15 Jan
Annual Audit Plan finalised.
15 Feb
Copy of the plan endorsed to IAD, O/o CGA.
31 May
Annual Review on the previous year's performance reaches O/o CGA (Exhibit I format).
Quarterly
The CAE puts a quarterly review before the Audit Committee.
§ 3.6

Mandate of internal audit & the Audit Committee

The requirements are detailed in a clearly defined Audit Mandate, which the Internal Audit Charter formally documents. An Audit Committee is constituted in each Ministry for oversight, with this composition:

RoleOffice holder
ChairpersonSecretary of the Ministry/Department
Vice-ChairpersonFinancial Advisor
Convener / Member SecretaryCCA / CA (the CAE), or an officer nominated by the CAE
MembersProgramme Division Heads; plus subject-matter experts (e.g. a Gender Audit or Internal Audit expert) where necessary
The Audit Committee's eight terms of reference

Ensure an effective Risk Management system; supervise the IAW & set priorities; provide strategic direction & resources; approve the Internal Audit Charter; approve the Annual Internal Audit Plan; evaluate IAW performance & guide improvement; ensure observations are implemented; determine modalities to resolve key audit issues. The committee may also assign special audits on which the CAE reports directly to it within a prescribed time-frame.

§ 3.7

The Internal Audit Charter

The Charter is the reference point for internal audit at the Ministry — it defines purpose, authority & responsibility, sets functional & administrative reporting lines, establishes the IAW's position, authorises access to records/personnel/property, and is the foundation for the Annual Audit Plan. It must be gender inclusive and approved by the Audit Committee. The 2006 revised charter moved audit beyond compliance to:

  1. Appraisal, monitoring & evaluation of individual schemes.
  2. Assessment of adequacy & effectiveness of internal controls and soundness of financial systems.
  3. Identification & monitoring of risk factors (including those in the Outcome Budget).
  4. Critical assessment of economy, efficiency & effectiveness of service delivery — value for money.
  5. Providing an effective monitoring system to facilitate mid-course corrections.
The 60/40 working-days rule

CGA guidelines recommend utilising 60% of working days for Risk-Based Internal Audit of Schemes and 40% for Compliance/Regularity Audit — and planning for both follows a risk-based approach. Reports should be prepared within one week and issued after the CAE's approval. An auditor must not audit his own decision, nor a unit where he worked within the past one year.

Reporting lines under the Charter: the IAW is headed by a Pr.CCA/CCA/CA acting as CAE; administratively the CAE reports to the Secretary through the Financial Advisor, while functionally the IAW reports to the Audit Committee. The IAD in O/o CGA is structured in three sections — (i) Centre of Excellence, (ii) Planning & Coordination, (iii) Inspection Wing. Each Ministry also has an Internal Audit Management Team headed by the CAE for closer supervision & quality assurance.

§ 3.8–3.9

Managing the activity & the documentation policy

To add value, the CAE (per IIA Standards 2000–2060): establishes a risk-based plan; communicates plans & resource needs (Std 2020); ensures resources are appropriate, sufficient & effectively deployed (Std 2030); establishes guidelines & procedures (Std 2040); shares information & relies on other assurance providers (Std 2050) — while remaining accountable for the conclusions; and reports periodically (Std 2060) on purpose, authority, responsibility & performance, including any risk management deems unacceptable.

Documentation Policy (Para 3.9)

The CAE approves a documentation policy covering: the need to document sufficient, reliable, relevant information; controlled access (the CAE obtains approval of senior management and/or legal counsel before releasing records to external parties); and retention requirements regardless of storage medium — consistent with Ministry guidelines and regulatory requirements.

§ 3.10

KPIs & dashboards — the six IA-CM elements

KPIs are organised around the six elements of the Internal Audit Capability Model for the public sector:

Element 1
Services of IA

Completed vs planned assignments; man-days utilised; % consulting & % RBIA assignments; recommendations by H/M/L; impact (recoveries, overpayments, idle machinery, irregular expenditure); client satisfaction.

Element 2
People Management

Staff utilisation; training plan vs actual; staffing requirement & authorised vs actual; appropriately qualified vs total; persons recognised for certification.

Element 3
Professional Practices

IA-CM assessment & action plans; QAIP; gap analysis against the Handbook.

Element 4
Performance Mgmt & Accountability

MIS periodicity; stakeholder feedback; ability to meet plans; risks mitigated, cost-saving & recovery opportunities.

Element 5
Organisation Relationships & Culture

Org structure plan vs actual; CAE in the management team; access to information/people; relations with external auditors.

Element 6
Governance Structure

How the CAE fits in; reporting relationship; how independence is assured. Audit Committee KPIs: meeting frequency, attendance, induction of external SMEs.

Self-test

Chapter 3 Quiz — committee, charter & KPIs

Eight questions from Chapter 3. Pick an answer to lock it; the explanation appears below.

Score 0 / 0
⚡ Chapter 3 — Quick Recap
ConceptKey Fact
CGA reports toSecretary (Expenditure), M/o Finance
"At a Glance" thresholdFinancial implications above Rs 1 Crore
Annual Review reaches CGA by31 May (Exhibit I format)
Audit Committee ChairSecretary of the Ministry
Vice-Chair / ConvenerFinancial Advisor / CCA-CA (CAE)
Committee approvesThe Charter & the Annual Audit Plan
Charter definesPurpose, authority, responsibility
The 60/40 rule60% RBIA of schemes · 40% compliance/regularity
Reports prepared withinOne week
Independence ruleNo self-audit; no unit worked in within past 1 year
IAD three sectionsCoE · Planning & Coordination · Inspection Wing
IA-CM elements6 (drive the KPI dashboard)
CH 4 · DOMAINS

Other Domains of Internal Audit

What this chapter does
Chapter IV covers three specialised domains every IAW must weave into the plan: Gender Audit, the IT Audit framework, and Audit of Governance Processes.
§ 4.1

Gender Audit

Definition (UNICEF / UNESCO)
Gender Audit is a tool for evaluating the degree to which gender issues are mainstreamed into an office or programme (UNICEF); a management & planning tool assessing how far gender equality is progressing (UNESCO). It assesses accountability to, and the extent of, Gender Budgeting — adopted by the Government of India in 2005. The ultimate goal of the gender-equality process is Gender Mainstreaming. Women constitute about 48% of India's population.

Mandate — Gender Audit is inclusive in two of the audit types.

As part of…Objective
Compliance AuditEnsure adherence to constitutional provisions and Government regulations/procedures from a gender-sensitive perspective.
Performance AuditAssess the economy, efficiency & effectiveness of gender equality in a project/programme (most performance audits do not focus on gender-equality results).
The five sections of any audit checklist

Every gender-audit checklist (built at the planning stage, encoded by serial numbers) has five sections:
(i) scope,
(ii) evidence collection,
(iii) audit tests,
(iv) analysis of results,
(v) conclusion
.
For beneficiary-oriented schemes, evidence collection must include sex-disaggregated data; both direct and indirect (proxy) evidence is collected.

The expected output is three-fold: an insight into the status of gender mainstreaming in the scheme; a pool of information on gender mainstreaming for discussion & analysis; and a participatory process that builds organisational ownership of the gender-equality objective.

§ 4.2

IT Audit framework

Purpose & the CIA triad
IT Audit evaluates an entity's information systems and the safeguards protecting them from emerging risks including cyber risk. It reviews attributes of data — the CIA objectives: Confidentiality (prevent unauthorised disclosure), Integrity (prevent unauthorised modification), Availability (prevent disruption of service) — plus physical storage and IT assets/resources, through review of General Controls and Application Controls.
Key issues the CAE must grasp

IT Audit Risk (early stages → engage SMEs); understanding the technology environment; auditing in a Big Data environment with integrated auditing; identifying IT risks & controls — General Computer Controls (GCC) are reviewed first because they form the basis of the IT control environment; the interplay between manual and automated controls; and using technology as an audit opportunity (CAATs).

§ 4.2.4

Performing the IT audit

STEP 1
Prepare the IT Audit Universe
List specific technologies, then the IT processes/controls/activities against them (sample in Exhibit V). Benchmark with a framework like COSO ERM.
STEP 2
Prepare the Annual IT Audit Plan
Prioritise auditable units by risk significance; fold into the Annual Plan + 3-year programme; keep an emerging-risk register; quarterly review.
STEP 3
Undertake IT Risk Assessment
Determine inherent risk over key IT processes — development, operations, business continuity, network, information security, change management.
STEP 4
Report on IT Risks & Controls
Cover security incidents, change-management exceptions, project status — an integrated format from Programmes/Processes to IT.
IIA's GTAGs & the Centre of Excellence

IT audits draw on the IIA's GTAGs (Global Technology Audit Guides) — e.g. GTAG 5 (managing & auditing IT risks), GTAG 6 (IT vulnerabilities), GTAG 9 (identity & access management), GTAG 10 (business continuity), GTAG 11 (developing an IT audit plan), GTAG 12 (auditing IT projects), GTAG 13 (fraud prevention in an automated world) — plus GAIT for IT general controls. Until Ministries build capability, the CoE in O/o CGA develops an in-house team or outsources to specialist firms, and compiles a library of sample IT Audit Reports.

§ 4.3

Audit of Governance Processes

Definition of Governance
"The combination of processes and structures implemented by the Audit Committee to inform, direct, manage and monitor the activities of the Ministry/Department toward the achievement of its objectives." Governance, risk management and internal control are interrelated — not independent. The IAW supports being accountable, transparent and achieving objectives effectively, efficiently, economically and ethically.

The IAW supports three governance roles — oversight, insight, foresight.

RoleWhat it does
OversightWhether Ministries are doing what they should — serves to detect & deter public corruption; verifies spending for the intended purpose.
InsightAn independent assessment of which programs & policies are working and which are not; benchmarking & best practice.
ForesightIdentifies trends & emerging challenges (demographic, economic, security) in implementing PPS.
Four key objectives of a governance audit

Assess how the Ministry:
(1) promotes ethics & values (code of conduct, RTI, anti-fraud/whistleblowing, hotline);
(2) ensures performance management & accountability (objective-setting, KPIs);
(3) communicates risk & control information to appropriate areas; and
(4) coordinates activities among the board, external/internal auditors & management.

Beyond these, the chapter distinguishes Detection (identifying inappropriate/illegal/fraudulent acts already transpired — e.g. payroll, accounts-payable, IS-security audits) from Deterrence (reducing the conditions that allow corruption — assessing controls, reviewing contracts for conflicts of interest). Auditors may give advisory, assistance or investigative services, but may not make management decisions or assume a management role, and must keep independence for subsequent audits — in short, they should not audit their own work.

Self-test

Chapter 4 Quiz — Gender, IT & Governance audits

Seven questions from Chapter 4. Pick an answer to lock it; the explanation appears below.

Score 0 / 0
⚡ Chapter 4 — Quick Recap
ConceptKey Fact
Three domainsGender · IT · Governance
Gender Budgeting adopted2005; commitment in 11th Plan (2007–12)
Gender audit mandateBoth Compliance & Performance audit
Audit checklist sectionsScope · evidence · tests · analysis · conclusion
Gender evidence needsSex-disaggregated data
IT Audit assuresConfidentiality · Integrity · Availability (CIA)
Reviewed first in ITGCC (General Computer Controls)
IT guidanceGTAGs (5,6,9,10,11,12,13) & GAIT
Governance =Processes & structures to inform, direct, manage, monitor
Three governance rolesOversight · Insight · Foresight
Four governance objectivesEthics · performance/accountability · risk communication · coordination
Advisory limitNo management role; no auditing own work
CH 5 · QUALITY

Quality Assurance

What this chapter does
Chapter V establishes a Quality Assurance & Improvement Programme (QAIP) so the IAW is seen as a trusted advisor. It covers the QA hierarchy, self/peer/external reviews, the statutory-audit interface, confidentiality, working papers, and Richard Chambers' "Ten Things Not to Say in an Internal Audit Report."

QA matters because audit engagements review the use of public money and must be done with due regard for ethics, economy, efficiency & effectiveness. Its benefits: consistent application of processes, standardisation & completeness of documentation, adequate linkage of recommendations to working papers, and enhanced credibility — increasing the effectiveness of supervisory elements and the reliability of reports.

§ 5.3

Hierarchy of Quality Assurance elements

Control elementCoversSource / who reviewsAssurance level
Professionalism (Due Care)The individual auditor's workIndividualIndividual Auditor
Supervisory ReviewThe engagementSupervisor within the line of responsibilityAudit Function Management
Internal ReviewAggregate of engagements / divisional officesSupervisor/peer outside the line of responsibilityChief Audit Executive
External ReviewThe audit function as a wholeQualified persons from outside the MinistryAudit Committee
§ 5.3.3

Self, peer & external reviews

Responsibility: CAE
Self-Assessment

The responsibility of the Chief Audit Executive; built into ongoing supervision & monitoring.

Responsibility: IAW members
Peer Review

Conducted by members of IAWs of (other) Ministries/Departments.

Responsibility: O/o CGA or IIA
External Review

Done by O/o CGA or outsourced reviewers from the IIA — examines the audit plan, working papers, report & follow-up; can be before or after reports are finalised; deficiencies rectified timely.

§ 5.4–5.5

Statutory interface, confidentiality & work papers

Internal audit must develop synergy with statutory audit, the two complementing each other. The Audit Committee reviews statutory observations too; the IAW maintains a DDO-wise count of outstanding objections from the Test Audit Notes issued by statutory audit, and monitors settlement. Auditors must respect the confidentiality of information — used only for the purpose obtained, disclosed only with proper authorisation.

The two working-paper files — same split that appears in the Manual.

FileTypical contents
Permanent Audit FileOrganisational chart; descriptions of schemes/programs/systems/procedures & business plans; corrective action plans; legal & regulatory issues; risk assessment; correspondence of continuing interest; updated audit programmes.
Current Audit FileDraft & final report copies; significant findings & how resolved; planning documentation; administration correspondence; follow-up of previous reports; updated programmes; supporting documentation; minutes of entry & exit meetings.
§ 5.6

Ten Things Not to Say in an Internal Audit Report

Richard Chambers' reflections, embedded in the Handbook as a reporting-quality aid:

  1. Don't say "Management should consider…" — offer solid, specific recommendations, not a nebulous call to action.
  2. Don't use "weasel words" ("it seems that," "our impression is," "there appears to be") — they make solid recommendations sound like hunches.
  3. Use "intensifiers" sparingly ("clearly," "significant," "very large") — numbers like 23% or $3 billion tell a story; vague intensifiers don't.
  4. The problem is rarely universal — avoid "everything," "nothing," "never," "always."
  5. Avoid the "blame game" — get to the root cause, not "it was Fred's fault."
  6. Don't say "management failed" — state the condition without assigning blame.
  7. "Auditee" is old-school — prefer "audit client" / "audit customer"; audit is collaborative.
  8. Avoid unnecessary technical jargon ("asynchronous transfer mode," "stratified sampling methodology").
  9. Avoid taking all the credit — "internal audit found / we found" can sound like throwing management under the bus.
  10. If it sounds impressive, you probably need a re-write — apply the "fifth-grader test": if a middle-schooler can't understand it, it's too complicated.
Self-test

Chapter 5 Quiz — QA hierarchy, reviews & reporting

Seven questions from Chapter 5. Pick an answer to lock it; the explanation appears below.

Score 0 / 0
⚡ Chapter 5 — Quick Recap
ConceptKey Fact
QA benefitsConsistency · standardisation · linkage · credibility
QA hierarchy (4 levels)Professionalism · Supervisory · Internal · External review
Self-assessment byThe CAE
Peer review byMembers of IAWs of Ministries
External review byO/o CGA or IIA reviewers
Statutory interfaceMaintain DDO-wise count of outstanding objections (Test Audit Notes)
Two working-paper filesPermanent & Current
"Ten Things" authorRichard Chambers
The readability testThe "fifth-grader" test
CH 6 · HR

Human Resource Management

Why people are decisive
"The success of any plan or strategy will ultimately be determined by the quality, appropriateness, sufficiency and effective deployment of personnel responsible for its execution." Three critical evaluation parameters run through the chapter: staffing levels, staff qualifications, and staff utilization rates.
§ 6.2

HR planning — staffing the wing

Each Department must have a dedicated IAW staffed by auditors & supervisors at Group A, B and C levels in adequate numbers, assessed rationally and scientifically. Parameters for setting staffing requirements:

  • UNITSNumber of audit units, and number of employees in each unit.
  • BUDGETBudget of each audit unit, and the inherent risks in its functioning.
  • TIMETime to complete an engagement (incl. travel) and for report writing.
  • CPETime reserved for training & continuous professional education, and the period spent on leave.
  • EXTRANature & length of assignments, plus additional special audits; staff requirement reviewed at periodic intervals.

Manpower is worked out from these parameters plus the number of auditee units identified for annual, biennial and triennial audit, the audit man-days required, and the available working days in a calendar year. The numbers vary by Ministry; only generic parameters are given, and forming the team is the CAE's responsibility.

§ 6.3

External service providers

Hiring specialists — the conditions

With increasingly complex operations, the CAE may hire individuals/firms with the requisite skills, after adhering to GFR provisions and Government orders. The CAE assesses their competency, independence & objectivity against experience, education, training and professional membership. Consultants work under the CAE's overall control, and responsibility for quality & timely delivery remains with the CAE.

§ 6.4

Skills, training & proficiency

With RBIA, computerisation, governance thrust and Big Data, auditors must be trained extensively in seven areas:

1
Evaluation of internal controls.
2
Risk-based audit, risk assessment, risk-matrix design, mapping risks with controls.
3
Application of professional standards.
4
Sampling techniques.
5
Report-writing techniques.
6
Auditing in a computerised environment (CAATs).
7
Performance & governance audits.

Auditors are encouraged to pursue certifications — the Certified Internal Auditor (CIA) and CGAP designations — and must continue their education (CPE) to stay current with the IIA's IPPF guidance. The internal audit activity must collectively possess the necessary knowledge, skills & competencies — an annual analysis identifies gaps to fill by development, recruiting or co-sourcing. Maintaining proficiency also covers the knowledge to identify indicators of fraud, knowledge of key IT risks/controls, understanding of Government rules for assessing materiality of deviations, and strong people & communication skills.

§ 6.5–6.6

Competency planning & the Professional Development Plan

The five stages of competency planning.

  1. Establish the vision & desired capability level of the Internal Audit Department.
  2. Develop a strategic competency plan.
  3. Identify existing competencies.
  4. Identify competency gaps.
  5. Develop an action plan to fill the gaps — "buy, build, retain" people strategies.

The four steps to establish the Professional Development Plan (a strategic driver presented to the Audit Committee):

STEP 1
Review now
Including gaps from the strategic competency plan.
STEP 2
Decide vision & skills
Goals, audit plan and the skills to develop.
STEP 3
Decide how
Incorporate into a professional development plan.
STEP 4
Implement & report
Periodically report results to the Audit Committee.

Time-tested methods for developing & retaining quality professionals: challenging, varied assignments; quality supervision; participation across audit phases; opportunities to lead; involvement in QA-review prep & Departmental task forces; rotation through teams/programs; and participation in annual risk-assessment activities.

Self-test

Chapter 6 Quiz — staffing, skills & development

Seven questions from Chapter 6. Pick an answer to lock it; the explanation appears below.

Score 0 / 0
⚡ Chapter 6 — Quick Recap
ConceptKey Fact
Three evaluation parametersStaffing levels · qualifications · utilization rates
Staff levelsGroup A, B and C officials
Audit periodicity classesAnnual · biennial · triennial
External providers — GFRHired per GFR; CAE retains responsibility for quality
Seven training areasControls · RBIA · standards · sampling · reporting · CAATs · perf/governance
CertificationsCIA & CGAP; ongoing CPE
Competency planning5 stages → "buy, build, retain"
Development plan4 steps; presented to Audit Committee
CH 7 · REFERENCE

Exhibits & Glossary

Why this reference matters
The Handbook closes with six Exhibits — worked formats an auditor can adapt directly. Exhibits IV (RBIA steps) and VI (Risk Register) carry the most operational detail.
#ExhibitWhat it contains
IAnnual Review Format for IAWThe prescribed format submitted to O/o CGA by 31 May. Three chapters: executive summary & performance; summary of paras; and the list of important irregularities (non-recovery of Govt dues, overpayment, idle machinery/surplus stores, loss/infructuous stores).
IIInternal Audit Report TemplateThe sample structure for an internal audit report.
IIIRole of Financial AdvisorThe Redefined Charter for Financial Advisers (OM F.No.5(6)/L&C/2006, dated 1 June 2006) — the scheme of the Integrated Financial Adviser.
IVSteps on Risk Based AuditThe detailed three-stage RBIA methodology and the five-level risk-maturity ladder (see §7.2 below).
VVulnerable Areas of ITSample survey for identifying vulnerable areas of IT (and the IT Audit Universe).
VISample Risk RegisterA sample risk register for Ministries/Departments — maps risks, impact/likelihood, existing & required controls, residual risk, control owner & timeline.
§ 7.2

RBIA stages & the maturity ladder (Exhibit IV)

Before commencing RBIA, the CAE presents the benefits and challenges to the Ministry and prepares a register of significant risks and audit activities — the Risk and Audit Universe (RAU). The three stages:

STAGE 1
Assess risk maturity
Meet officials; assemble objectives, risk-scoring & risk-appetite info; audit the risk-management processes; conclude with a Report on Risk Maturity.
STAGE 2
Produce the audit plan
Filter inherent risks (no-audit / tolerate / third-party / assured), assign risks to audits, set up the RAU.
STAGE 3
Individual assurance audits
Perform risk-based audits and feed results back into the RAU.

The five levels of risk maturity (IIA position statement) — they depend on the design & effectiveness of the ERM system.

LevelMeaning
Risk NaïveNo formal approach to risk management developed.
Risk AwareScattered, silo approach to risk management; no risk register, only a few managers have determined their risks.
Risk DefinedStrategy & policies defined and communicated.
Risk ManagedEnterprise-wide approach developed and communicated.
Risk EnabledRisk management & internal control fully embedded in operations.
The naïve / aware caution

For Departments subject to risk-management regulations, the "risk naïve" and "risk aware" levels are not acceptable, and the Audit Committee must be told. At low maturity, internal audit should not determine risks without Ministry involvement or maintain its own list — that reinforces the false belief that internal audit owns risk management. But where the Ministry cannot participate, the IAW may prepare its own Risk Registers, share them, and conclude (after a specified reasonable period without feedback) that its assessment is acceptable — a short-term solution only.

§ 7.3

Glossary of key terms

The Handbook's glossary supplies the precise wording of the key terms used throughout. The principal terms:

TermDefinition
Add ValueFacilitate achievement of objectives by identifying areas & recommending measures to reduce risk and/or improve operations.
Audit ObservationAny identified & validated gap between the current and desired state arising from an engagement.
Audit SamplingAuditing a part of a population to draw an inference about the entire population.
CriteriaThe standards/measures used in evaluation — "what should exist."
ConditionThe factual evidence the auditor found — "what does exist."
CauseThe reason(s) for the difference between expected and actual conditions.
Effect / ConsequenceThe risk or exposure arising from the variance between condition and criteria.
Residual RiskThe portion of inherent risk remaining after management executes its risk-management process.
Reasonable AssuranceA level of assurance supported by generally accepted procedures and judgments.
Internal ControlA process providing reasonable assurance on effectiveness/efficiency of operations, reliability of financial reporting, and compliance with laws.
Gender MainstreamingIncorporating a gender-equality perspective at all levels/stages of policy; ultimate goal is gender equality.
Risk Response (Mitigation)Action to achieve a risk strategy — avoidance, reduction, sharing or acceptance.
FraudAny illegal act to obtain money/property/services, avoid payment, or secure personal/business advantage.
Self-test

Exhibits Quiz — Exhibits, RBIA stages & glossary

Eight questions from the Exhibits & glossary. Pick an answer to lock it; the explanation appears below.

Score 0 / 0
⚡ Exhibits — Quick Recap
ConceptKey Fact
Total Exhibits6 (I–VI)
Exhibit IAnnual Review Format (due 31 May)
Exhibit IIIRedefined Charter for Financial Advisers (1 June 2006)
Exhibit IVRBIA steps & maturity ladder
Exhibit VISample Risk Register
RBIA three stagesAssess maturity → produce plan/RAU → assurance audits
5 maturity levelsNaïve · Aware · Defined · Managed · Enabled
Naïve/Aware acceptable?No for regulated Departments — tell the Committee
Criteria / Condition"Should exist" / "What exists"
Residual riskInherent risk remaining after risk management

Gateway to Promotion Exams

Single Device Policy: You can only be logged in on one device at a time. Logging in here will end any existing session.
Forgot Password?

Enter your email to receive a password reset link.

Back to Login