Operational Manual for Internal Audit in Central Ministries
Issued by the Internal Audit Division of the Controller General of Accounts (Ministry of Finance, Dept of Expenditure). A practical companion to the Internal Audit Handbook — it lays out how Internal Audit Wings are structured, how the audit cycle is planned and performed, the tools used, how results are reported, and how quality and special audits are conducted.
What This Manual Is
Seven chapters trace internal audit from setting up the wing → planning → choosing tools → performing the engagement → reporting & follow-up → quality control → special audits. Threaded through them are 23 numbered checklists, and eight detailed Exhibits at the back (sample risk registers, self-assessment forms, IT-audit templates).
Who's Who — The CAE and the Key Bodies
The Pr. CCA / CCA / CA acting as head of the Internal Audit Wing. Plans the audit, approves plans, manages resources, sets policies, coordinates with senior management, and owns quality assurance.
The team in each Central Civil Ministry that carries out the audits — at least five officials under the CAE.
Receives the CAE's quarterly reports, the Annual Audit Plan, and unresolved high-risk issues. The body to which internal audit is accountable.
The Internal Audit Division in the Office of the CGA — issues this manual, shares findings across wings, and compiles the annual review of all IAWs.
Key Acronyms You Must Know
| Acronym | Expansion |
|---|---|
| CAE | Chief Audit Executive (refers to Pr. CCA / CCA / CA) |
| IAW / IAD | Internal Audit Wing (at a Ministry) / Internal Audit Division (in O/o CGA) |
| ATR | Action Taken Report |
| CAAT | Computer Assisted Audit Techniques |
| RBIA | Risk Based Internal Audit |
| RAU | Risk and Audit Universe |
| KPI / KRI | Key Performance Indicator / Key Risk Indicator |
| QAIP | Quality Assurance and Improvement Program |
| IPPF | International Professional Practices Framework (of the IIA) |
| IIA | Institute of Internal Auditors |
| COSO | Committee of Sponsoring Organizations |
| ERM | Enterprise-wide Risk Management |
| IDEA / ACL | General-purpose audit software (Interactive Data Extraction & Analysis / Audit Command Language) |
| PPS | Programmes, Projects and Schemes |
| DDO / PAO | Drawing & Disbursing Officer / Pay & Accounts Officer |
| C&AG / CVC | Comptroller & Auditor General / Central Vigilance Commission |
The Four-Phase Cycle — the Spine of the Manual
Every internal audit engagement moves through four phases. Chapters 2–5 map onto them directly:
Planning & Preparing (Chapter 2)
Engagement planning, risk-based selection, Annual Plan and 3-Year Programme, work program.
Performing the Engagement (Chapter 4)
Intimation, entry conference, field work, evidence, working papers, exit meeting.
Reporting on the Engagement (Chapter 5)
Communicating results, drafting via the 5-C framework, grouping findings by risk.
Follow-up Action (Chapter 5)
Tracking Action Taken Reports, monitoring implementation, escalating unresolved issues.
| Concept | Key Fact |
|---|---|
| Issued by | Internal Audit Division, O/o CGA, M/o Finance (Dept of Expenditure) |
| Companion document | Handbook on Internal Audit in Central Civil Ministries/Departments |
| CAE means | Pr. CCA / CCA / CA as head of the IAW |
| Minimum team size | 5 officials |
| Numbered checklists | 23 |
| Exhibits at the back | 8 (I to VIII) |
| Four phases | Plan → Perform → Report → Follow-up |
| Mission of internal audit | Enhance & protect organisational value via risk-based assurance, advice & insight |
Structure & Management of Internal Audit Wings
Each IAW articulates its own mission statement. The model wording offered: "To enhance and protect organizational value at the Ministry by providing risk-based and objective assurance, advice and insight."
Role of the CAE
The Pr. CCA / CCA / CA, in their capacity as CAE, perform all activities of the head of the wing:
- 📋Planning the internal audit.
- ✅Communication and approval of the plans.
- 🤝Resource management for the wing.
- 📝Laying down policies and procedures for the IAW.
- 📤Coordination and reporting to senior management and the Audit Committee.
- 🎯Quality assurance across the wing.
The CAE's Reporting Calendar
Four hard reporting obligations sit on the CAE — three quarterly, one annual:
At least once a quarter on internal-audit status: progress against plan, limitations to independence/objectivity, and challenges faced by the team.
Report actual performance against KPIs and give a written assessment on KRIs for each significant risk — both every quarter.
Submit the risk-based Annual Audit Plan to the Audit Committee — consistent with Ministry goals.
Present the Annual Plan and 3-year rolling programme to the Committee, with the impact of resource limitations.
Composition of the Internal Audit Team
An Internal Audit Team headed by the CAE should comprise at least five officials:
The number may vary by assignment, scaled to six factors: organizational structure; functional activities; financial data (budget, expenditure, funding, receipts, assets); actual staffing; inherent risks in the audit unit's functioning; and scope of the internal audit.
Roles & Responsibilities — Three Levels
Responsibilities of the Chief Audit Executive
- 📝Develop and document an audit plan (including RBIA) for each engagement — objective, scope, quantum, timing, resource allocation.
- ✅Ensure assignments are initiated per the approved plan and established notification, standards, policies and procedures.
- 🔍Ensure the team obtains all relevant information to fix objective, scope, methodology and resources.
- 🏢Understand the entity's mandates, risks, structure, internal control and ongoing issues — and brief the team before the assignment.
- 📊Maintain and update Risk Registers for all audit units, schemes, programmes and projects based on findings and feedback.
- 🎓Continuously review team performance; provide training on schemes, programmes and audit tools.
- 📄Finalise standard report templates; maintain records of reports/findings; ensure timely action by audit units.
- 📤Share important findings with other teams and with the IAD in O/o CGA for cross-Ministry learning.
- 📅Compile the wing's year-end performance into an annual review report for the Chief Accounting Authority / Audit Committee, then to O/o CGA.
- 📧Start every assignment with an Audit Memorandum drafted by the wing.
Responsibilities of the Head of the Audit Team
- Issue the audit memorandum at least one month before the planned audit, so the entity can prepare.
- Discuss the plan with members; finalise audit strategy (objectives, scope, quantum).
- Attend the entry conference on day one — introduce the team, discuss issues, learn the entity's functions, status of past findings and high-risk areas.
- Guide staff in developing the plan and a checklist of questions; personally audit key activities / risk areas.
- Assign each member specific responsibilities in writing; supervise every phase; review and approve working papers and primary observations; ensure sufficient evidence.
- Conduct a formal exit conference; brief the entity head on objectives, findings, recommendations; consider the entity's views and additional facts.
- Ensure the draft report uses the prescribed template, is presented to the CAE with working papers and evidence on time, and that the approved report is issued within the prescribed timeline.
Responsibilities of Team Members
- 📝Carry out duties assigned in writing, verified fully per audit methodology.
- 📖Verify that prescribed records, books and ledgers are accurately maintained, compiled and reconciled; scrutinise sanctioning and purchase procedures for defects.
- 💰Verify payments are correct per rules, and that deductions and recoveries are timely accounted for.
- ⚙️Verify general office-management procedures with financial/accounting implications; suggest tightening of controls and streamlining of accounting.
- 📋Review scheme/programme implementation against notified guidelines; record observations within scope.
- 📁Maintain working papers, collect relevant evidence, and develop observations under the Team Head's guidance.
| Concept | Key Fact |
|---|---|
| Head of the wing | CAE = Pr. CCA / CCA / CA |
| CAE's six functions | Plan · approve · resource · policies · coordinate/report · QA |
| Reporting to Audit Committee | At least once per quarter |
| Annual Audit Plan due | By 15 January |
| Present Plan + 3-Year Programme | By 1 March |
| Minimum team | 1 A.O./Sr.AO + 2 A.A.O. + 2 Accountants = 5 |
| Team size factors | Structure · activities · financial data · staffing · inherent risk · scope |
| Memorandum timing | Audit memorandum issued ≥ 1 month before audit |
| Assignments start with | An Audit Memorandum |
| Three role levels | CAE · Head of Team · Team Members |
The Internal Audit Process
Planning and Preparing → Performing the engagement → Reporting upon the engagement → Follow-up action. This chapter is all about phase one.
Audit & Engagement Planning (Checklist 1)
Checklist 1 makes sure the team has answered the foundational questions before fieldwork. The key planning considerations:
- Categorise & risk-rate units. Have audit units been identified by category, with audit plans per category, and a risk rating/register driving selection of units, processes and areas?
- Document each engagement. Is there a well-developed, documented plan per engagement including objectives, scope, timing and resource allocation?
- Map objectives, controls, risks. Have the program's objectives, the controls ensuring achievement, and the significant risks (to the activity, its objectives, resources and operations) been assessed — including whether governance, risk management and control are adequate and working?
- Preliminary survey & risk assessment. Was a preliminary survey conducted and its results used to find areas of emphasis? Was a preliminary risk assessment of the scheme/program done in the planning stage?
- Engagement objective covers all risks. Does the engagement objective include every significant risk found in the preliminary risk assessment?
- Working-paper file ready. Before fieldwork, does the file contain the Audit Planning Memo (APM), Preliminary Survey findings (with the Risk Assessment Report), Engagement Terms of Reference (TOR), and the Engagement Program?
Annual Audit Plan & 3-Year Rolling Programme
The CAE builds a risk-based Annual Audit Plan on an understanding of the auditable unit's strategies, objectives and risk framework — then supplements it with a 3-Year Rolling Audit Programme. Key features:
A comprehensive list of auditable units: departmental units, cost centres, schemes, programs, policies, processes, systems, PSUs under the Ministry, financial statements, regulatory compliance.
High-risk areas audited once or more per year; low-risk areas only once in 2–3 years. Both assurance and advisory work are weighed.
Submit plan to the Committee by 15 January; revise for the Finance Bill's impact on Ministry outlay/operations by 15 February.
Revise plan and programme for revised risk ratings, outcome budget changes, anticipated 3-year changes, and new Government directives as they arise.
Planning for Risk-Based Internal Audit
When developing the plan, the CAE weighs these factors:
- ⚠️Inherent risks — identified and assessed?
- 🛡️Residual risks — identified and assessed (after controls)?
- 🔗Mitigating controls, contingency plans, monitoring — linked to individual events/risks?
- 📊Risk registers — systematic, complete and accurate?
- 📄Documentation — are the risks and activities documented?
Preparing for Audit — The Work Program (Checklist 2)
A documented engagement work program must include:
What the engagement sets out to achieve.
The risks, processes and transactions to be examined.
For identifying, analysing, evaluating and documenting information.
The kind of testing required.
A tentative schedule for all phases of the audit must be set and aligned with the Audit Calendar of the respective Ministry/Department.
| Concept | Key Fact |
|---|---|
| Four phases | Plan & Prepare · Perform · Report · Follow-up |
| Planning checklist | Checklist 1 (engagement planning) |
| Engagement plan contains | Objectives, scope, timing, resource allocation |
| Pre-fieldwork file | APM · Preliminary Survey (with RAR) · TOR · Engagement Program |
| Annual Plan due | 15 January; revise for Finance Bill by 15 February |
| Rolling programme | 3-Year Rolling Audit Programme |
| High vs low risk frequency | High: ≥1/yr | Low: once in 2–3 yrs |
| RBIA factors | Inherent · residual risk · controls · registers · documentation |
| Sample risk registers | Exhibit I — RKVY (M/o Agriculture) |
| Work program (Checklist 2) | Objectives · risks/transactions · procedures · testing |
Audit Tools & Techniques
Objectives of Sound Internal Controls
A sound internal control framework helps a Ministry meet its compliance, financial-reporting and operational goals, minimise surprises, and deal with change. During evaluation the auditor checks that controls achieve six objectives:
Promote operational efficiency and effectiveness.
Provide reliable financial information.
Safeguard assets and records.
Encourage adherence to prescribed policies.
Comply with regulatory agencies.
Correctly identify and measure liabilities.
Means of Evaluation & The Review Process
The wing evaluates internal controls through four means — questionnaires/checklists, flow charts/narratives, facilitated workshops, and control self-assessment (Checklist 3 supports this; a sample self-assessment is Exhibit II).
Has the Ministry: (1) identified its business objectives; (2) identified and assessed the risks threatening them; (3) designed controls to manage those risks; (4) operated the controls per their design; and (5) monitored the controls to ensure they work? Each "no" is a control gap.
Conducting Risk-Based Internal Audit (RBIA)
Before conducting RBIA, the wing must be able to answer: what is the Ministry's risk maturity? Has risk profiling been done and to what extent can it be relied on for planning? Do individual audits assure that all inherent risks above the risk appetite are managed down to within it?
Assess risk maturity
Gauge the Ministry's risk maturity.
Set up the Risk & Audit Universe (RAU)
Assign risks to audits and draw up a plan for carrying out audits, usually annual.
Carry out audits & feed back
Perform individual risk-based audits and feed the results back into the RAU.
Whether management's processes identify all significant risks; whether risks are correctly scored to prioritise them; whether responses are appropriate and policy-compliant; whether reporting of key risks to senior management is accurate, timely and effective; and whether controls are operational and monitored.
Audit Sampling
Judgemental vs Statistical Sampling
| Approach | How it works | Trade-off |
|---|---|---|
| Judgemental | Items chosen on the auditor's experience, intuition and judgement. | Simple and popular, but no scientific basis — hard to extrapolate findings to the population. |
| Statistical | Every unit has an equal chance of selection, eliminating bias. | Lets findings be asserted with a known degree of confidence; needs sample-size and technique decisions. |
Influenced by the purpose of audit, population size and homogeneity, required precision and confidence level. For a small or homogeneous population a small sample suffices; in general, a sample of 10% or more is considered reasonable.
Common statistical sampling techniques
Number all items, then use a random-number generator to select the sample.
Select items at fixed intervals — e.g. every 10th, 15th or 35th voucher; interval set by population size and sample needed.
Divide the population into discrete homogeneous groups, then pick a pre-decided number from each group.
Select items sharing certain attributes; objective in nature — items chosen by compliance (yes) or non-compliance (no) with standards. Good for evaluating controls over many similar transactions.
Computer Assisted Audit Techniques (CAATs)
As Government operations computerise, huge volumes of electronic data accumulate that are impractical to extract manually. CAATs are computer-based tools that run tests on data or IT systems — especially useful when significant data is electronic.
- ⚡CAATs permit 100% testing of data in a short span, repeated tests on different files, and standardisation of audit activity.
- 🧮Two broad categories: add-on tools used inside existing programs (Excel, MS Access); and general-purpose audit software built off-the-shelf for auditors.
- 💻Commonly used general-purpose software: IDEA (Interactive Data Extraction and Analysis) and ACL (Audit Command Language).
- 🎓Wings should train staff to use these tools in engagements.
| Concept | Key Fact |
|---|---|
| Internal control objectives | 6: efficiency · reliable info · safeguard assets · policy adherence · regulatory compliance · correct liabilities |
| Means of evaluation | Questionnaires · flowcharts/narratives · facilitated workshops · control self-assessment |
| Control review (Checklist 4) | Objectives → assess risks → design controls → operate → monitor |
| RBIA three stages | Assess maturity → set up RAU & plan → audit & feed back |
| Audit sampling | Procedures on <100% of items |
| Materiality & law | Materiality irrelevant where compliance is legally required |
| March vouchers | Invariably selected ("March rush") |
| Reasonable sample size | 10% or more in general |
| 4 statistical techniques | Random number · interval · stratified · attribute |
| CAATs enable | 100% testing, repeated tests, standardisation |
| General-purpose software | IDEA & ACL |
Performing the Audit Engagement
Intimation of Audit
Inform the unit of the audit schedule (Checklist 5).
Opening Meeting (Entry Conference)
Set scope and understand the entity (Checklist 6).
Performing Field Work
Evidence, working papers, observations (Checklists 7–12).
Conducting Exit Meeting
Discuss the draft report with the client (Checklist 13).
Intimation of Audit (Checklist 5)
A Commencement Letter, addressed to the highest individual responsible for the Ministry/Department/Scheme, must include:
- 🎯Objective of the audit.
- 📐Scope and the period it covers.
- ⏱️Estimated duration.
- 👥Names of auditors — especially the Team Leader.
- 📅Information on entry and exit conferences.
- 📄Request for necessary information and documents.
Opening / Entry Conference (Checklist 6)
The engagement normally starts with an entry conference with the Head of Department/Office. Points to cover: proposed objectives and scope; the entity's risk-management practices; areas of special concern; logistics (a nodal officer for space, records, meetings); the principal risks being audited; processes included and excluded; special considerations (C&AG findings, recent frauds, major system changes); the approach and testing plan; the communication/reporting strategy; and the auditee representative who will coordinate management action plans.
Audits with an element of surprise do not have any entry conference.
Performing Field Work & Evidence
Preliminary Field Work (Checklist 7)
Field work begins with an approved Audit Programme and standardised checklists for recurring schemes. The CAE ensures: staff interviews identifying detailed objectives, risks and high-risk areas; an agreed audit scope (reasons, objectives, main stages, staff and time, client contact, timetable with draft/final report dates); sufficient and appropriate evidence; adequate supervision scaled to proficiency and complexity; objective sampling at desired confidence; and minuted meetings kept as working papers.
Reliability of Audit Evidence (Checklist 8)
Evidence must be relevant to the audit objectives, drawn from appropriate sources, and free of unacceptable risk of improper findings, significant limitations, or an inadequate basis. The manual's hierarchy of reliability:
- 🌐Evidence from external sources is more reliable.
- ✅Evidence obtained directly by the auditor is more reliable.
- 📄Original documents are more reliable than copies.
- 📊Larger samples are more reliable than smaller ones.
- 🔗Reliability rises when accounting and internal-control systems operate effectively.
If limitations or uncertainties are significant, the wing should seek independent corroborating evidence, disclose the limitation in the report, and decide whether to report it as a finding. If sources are inconsistent, the auditor performs additional procedures to resolve the conflict.
Documenting & Testing Processes, Risks, Controls (Checklist 9)
The auditor performs walkthrough tests to confirm processes, surfaces any new risks, and identifies the controls that should operate to manage them plus the monitoring management uses. Tests of control effectiveness are defined and run, with special attention to controls carrying a high control score. The standard: documentation must let an experienced auditor with no prior connection understand the nature, timing, extent and results of procedures, the evidence obtained, its source, and the conclusions reached.
Working Papers & Observations
Working papers must be indexed, referenced and cross-referenced to the relevant observations. They split into two files:
Organizational chart; descriptions of schemes/programs/systems/procedures and business plans; corrective action plans; legal & regulatory issues; risk assessment; correspondence of continuing interest; updated audit programmes.
Draft & final report copies; significant findings and how resolved; planning documentation; administration/correspondence; follow-up of previous reports; updated programmes; supporting documentation; minutes of entry & exit meetings.
Conducting the Exit Meeting (Checklist 13)
A formal exit conference concludes field work. With key officials, the team discusses the Draft Audit Report, obtains their views and any additional facts, and records any disagreements with reasons. The exit conference is minuted, the minutes go into the working papers, and a copy is given to the Department.
| Concept | Key Fact |
|---|---|
| Four stages | Intimation → Entry conference → Field work → Exit meeting |
| Intimation document | Commencement Letter (Checklist 5) |
| Surprise audits | No entry conference |
| Most reliable evidence | External source · auditor-obtained · originals · larger samples |
| Confirming processes | Walkthrough tests (Checklist 9) |
| Documentation standard | Understandable to an experienced auditor with no prior connection |
| Two working-paper files | Permanent (Checklist 10) & Current (Checklist 11) |
| Observation = | "What should exist" vs "what exists" + effect, impact, cause |
| Exit conference | Discuss draft report; minuted; copy to Department (Checklist 13) |
| Field-work checklist | Checklist 12 |
Reporting & Follow-up
Communicating the Results of the Engagement
- ⏱️Results must be communicated in a timely manner.
- 📝Final communication must contain an opinion and/or conclusions; an overall opinion must account for the Ministry's expectations and be supported by sufficient, reliable, relevant, useful information.
- ⚠️The reason for an unfavourable overall opinion must be stated.
Before drafting, the supervisor reviews all working papers and checks supporting evidence. The report flags: weaknesses in internal-control design/implementation; non-compliance with policies, procedures, rules and regulations; and transactions that fall short of standards of propriety. It incorporates the auditee's response and planned corrective action (or notes the absence of a response), brings out any scope limitation, and acknowledges satisfactory performance and best practices.
Where an observation is so serious that delay could harm achievement of programme/scheme objectives, it must be communicated early — even during the audit. Errors or omissions in an issued report must be corrected and circulated to all earlier recipients.
The 5-C Framework
Every audit observation is developed with reference to engagement objectives using five C's. They form a logical chain — from what was expected, to what happened, to what should be done:
- Criteria — "What should exist?" The benchmarks or expectations audit evidence is compared against (policy, SOP, norm).
- Condition — "What exists?" The factual evidence found, stating the nature and extent of the observation — the result of comparing actual evidence with criteria.
- Consequence / Effect / Impact — "What effect did it have?" The risk or exposure from the gap between criteria and condition; often expressed quantitatively. The effect must be serious enough to justify the cost of correction.
- Cause — "Why did it happen?" The likely reason for the gap. Similar causes across observations may reveal an underlying theme; identifying the cause is a prerequisite to a meaningful recommendation.
- Corrective Action / Recommendation — "What should be done?" Actions to correct the situation and prevent recurrence — within the client's scope, addressing the cause not just the symptoms, and at least intuitively viable.
Grouping Findings by Risk Severity
Absence of immediate corrective action may have a major negative impact on achievement of objectives.
Failure to act could result in significant consequences.
Suggested action would bring greater efficiency or enhanced controls at minimal additional cost.
Reporting & Follow-up (Checklist 14)
Follow-up closes the loop. The CAE conducts follow-up of previous reports and communicates the findings. For the current report there must be a defined time-frame for Action Taken Reports (ATRs), and those timelines must be adhered to.
The CAE establishes a process to monitor whether management actions are effectively implemented — or that senior management has accepted the risk of not acting (per IIA Standard 2500.A1). Issues the auditee cannot resolve within six months are reported to the Audit Committee and included in the quarterly reporting on risks unacceptable to the Ministry.
| Concept | Key Fact |
|---|---|
| Final communication must contain | An opinion and/or conclusions |
| Unfavourable opinion | Reason must be stated |
| Report flags | Control weaknesses · non-compliance · propriety lapses |
| Serious findings | Communicate early — even during audit |
| The 5 C's | Criteria · Condition · Consequence · Cause · Corrective action |
| Criteria / Condition | "Should exist" / "What exists" |
| Risk colour coding | Red (high) · Orange (medium) · Green (low) |
| Action tracking | Action Taken Reports (ATRs) with timelines |
| Escalation window | Unresolved in 6 months → Audit Committee |
| Standard cited | IIA Standard 2500.A1 (management accepting risk) |
Performance Evaluation & Quality Control
What Is a QAIP?
- 🎯A QAIP evaluates the wing's conformance with the IPPF Standards and whether auditors apply the Code of Ethics.
- 📈It assesses the efficiency and effectiveness of the activity and identifies improvement opportunities.
- 📝The CAE must develop and maintain a QAIP covering all aspects of the internal audit activity (IIA Standard 1300), and it must include both internal and external assessments (IIA Standard 1310).
Internal vs External Assessment
Ongoing monitoring — part of day-to-day supervision, review and measurement, built into routine policies to evaluate conformance with the Code and Standards. Plus periodic self-assessments (or by others within the organisation with sufficient knowledge) to evaluate conformance with the Manual and Charter.
An independent assessment means no actual or perceived conflict of interest, and not being part of or under the control of the organisation the activity belongs to. The CAE communicates QAIP results to the Audit Committee and the IAD in O/o CGA.
Documentation Policy
The CAE must approve a documentation policy — consistent with organisational guidelines and regulatory requirements — governing custody, retention and release of engagement records. It must cover:
- 📄Sufficient, reliable, relevant documentation to support engagement results and conclusions.
- 🔒Controlled access to records — and approval of senior management and/or legal counsel before releasing records to external parties.
- 🗓️Retention requirements for records (regardless of storage medium), consistent with organisational and regulatory rules.
Quality Check of the Audit Report (Checklist 15)
Reports are issued in the format prescribed by O/o CGA. To be effective they must be complete, concise, accurate and objective, issued timely, fact-based, free of personal criticism, constructively worded, with recommendations focused on achieving objectives.
Accurate · Objective · Clear · Concise · Complete. The report structure includes the engagement's objectives, scope, conclusions, recommendations and action plans.
What the quality check verifies
- 📑Cover page states "Internal Audit Report of ____ for the period ____", plus date of issue.
- ⚖️Clearly states the responsibility split: management owns internal controls and financial statements; the auditor's job is to express an opinion on the efficiency of internal controls in achieving management objectives.
- ✅Approved by competent authority, signed by the designated authority, and addressed per the Internal Audit Charter.
- 📊Supplemented by an Executive Summary (objectives, scope, summary of observations).
- 🔴Uses colour coding (Red, Orange, Green) for significance/risk; develops observations via the 5-C framework; uses photographs where useful.
- ✅Acknowledges satisfactory performance and best practices; brings out any scope limitation.
Performance Evaluation of the IAW (Checklist 16)
This checklist lets O/o CGA evaluate a wing's performance. Highlights worth remembering:
Formally report to the Audit Committee at least 4 times a year (once per quarter), with 6 meetings per year as the ideal target.
Plan staffing at 210 working days per auditor, compute man-days required vs available, and decide how to fill the gap (consultants / deputation / outsourcing).
Reports include progress vs plan with timelines, limitations to independence/objectivity, challenges, delays in resolving issues, and action on outstanding paragraphs.
Adopt KPIs and dashboards; track risks mitigated, cost-saving opportunities, and financial-recovery opportunities; run a QAIP and gap analysis against the Handbook.
| Concept | Key Fact |
|---|---|
| QAIP evaluates | Conformance with IPPF Standards & Code of Ethics |
| QAIP must include | Both internal and external assessments (Std 1310) |
| Internal assessment | Ongoing monitoring + periodic self-assessment (Std 1311) |
| Independent assessment | No actual/perceived conflict; outside the organisation's control |
| QAIP results go to | Audit Committee & IAD in O/o CGA |
| Documentation policy covers | Sufficiency · controlled access · retention |
| Report qualities | Accurate · Objective · Clear · Concise · Complete |
| Responsibility split | Management owns controls; auditor opines on their efficiency |
| Colour coding | Red / Orange / Green |
| Committee meetings | Min 4/yr (quarterly); ideal 6/yr |
| Capacity assumption | 210 working days per auditor |
Special Audits
Gender Audit
A gender audit examines two sets of dimensions — what the programmes do, and how the organisation is set up.
Situational analysis (planning & annual plan development) · policy analysis (programme design, scheme guidelines) · budgetary allocations & expenditure · monitoring of implementation progress · evaluation procedures.
Gender policy & staffing (support and gender balance) · capacity building · monitoring systems (gender sensitivity) · resource allocation (how far the budget supports gender equity).
Process: set up a gender-audit team → brainstorm to freeze objectives and identify criteria → develop criteria into a checklist → build an Audit Matrix (criteria, questions, verifiable indicators, means of verification) → entry meeting → gather data → analyse → feedback → report. Tools: existing data & schematic guidelines, documentation review, field visits, field surveys, interviews, key-informant interviews, staff questionnaire, and a Gender Audit Score Card.
Information Technology (IT) Audit
The easiest boundary: Application Control Review Audits (controls relating to Ministry transactions/processes and their internal security settings) and General Control Review Audits. Everything that isn't an application control is treated as a General Computer Control (GCC) — and GCCs are reviewed first because they form the basis of the IT control environment.
The IT Audit Process
Prepare the IT Audit Universe
Understand the tech environment — list technologies, the IT processes/controls against them, and interview program & IT staff (Checklist 17). Sample in Exhibit V; vulnerability survey in Exhibit IV.
Prepare the Annual IT Audit Plan
List auditable units, identify their risks, prioritise by risk significance, fold into the Annual Audit Plan (Checklist 18).
Conduct IT Risk Assessment
Document the six IT risk areas; identify assets at risk, threat events, impact, frequency and uncertainty; then run a risk-mitigation analysis (Checklists 19 & 20).
Identify & Report on IT Controls
Review GCCs; report on information-security incidents, change-management exceptions, project status, etc. — integrating risks from programmes to IT in one format.
Non-availability of the system · unauthorised access to systems (security) · incomplete/inaccurate data (integrity) · unauthorised access to data (confidentiality) · non-delivery of expected function (effectiveness) · sub-optimal use of resources (efficiency).
Governance & Scheme Audits
Audit of Governance Activities (Checklist 21)
The CAE assesses whether the audit plan covers the Ministry's governance processes and their risks — so the wing helps the Ministry be accountable and transparent while achieving objectives effectively, efficiently, economically and ethically. Three core questions drive it:
- 📝Has the policy been implemented as intended?
- 💰Are funds being spent for the intended purpose?
- 🛡️Are managers implementing effective controls to minimise risks?
Scheme or Program Audit (Checklists 22 & 23)
Scheme audit works from two angles — the beneficiary's experience and the auditor's verification.
Awareness of the scheme and its benefits; how they heard of it; problems in availing it; online application difficulty; time to sanction and to credit; sufficiency of the amount; complaints and the management's response; whether life improved; whether they'd recommend it.
Three-year budget vs expenditure; delays in fund transfer at each level (Centre→State→District→CDPO→beneficiary); diversion of funds; projects completed on time / extended; unspent grant refunded; separate bank account under specified authority; periodic reports to the Centre; % of admin expenses; Utilization Certificate (incl. men/women ratio).
Special audits — Gender, IT, Governance, Grant or Scheme/Program — are undertaken as and when assigned by the Ministry, per its Terms of Reference. The Audit Committee is informed about these engagements subsequently. A sample Summary of Audit Paras for scheme audit is Exhibit VIII.
| Concept | Key Fact |
|---|---|
| Five special audits | Gender · IT · Governance · Grant · Scheme/Program |
| Gender audit dimensions | 5 programmatic + 4 organizational |
| Gender audit tool | Gender Audit Score Card + Audit Matrix |
| IT audit assures | Confidentiality · Integrity · Availability (CIA) |
| Two IT audit types | Application Control · General Control (GCC) |
| Six IT risk areas | Availability · security · integrity · confidentiality · effectiveness · efficiency |
| IIA IT guidance | GTAGs; support from CoE in O/o CGA |
| Governance audit (4 E's) | Effective · efficient · economical · ethical |
| Governance core questions | Policy as intended? · funds for purpose? · effective controls? |
| Scheme audit angles | Beneficiary (Checklist 22) + Auditor (Checklist 23) |
| Assignment basis | Ministry's Terms of Reference; Committee informed after |
The 23 Checklists — A Navigation Map
| Checklist | Purpose | Phase |
|---|---|---|
| 1 | Audit & Engagement Planning | Planning |
| 2 | Audit Work Program | Planning |
| 3 | Internal Control Evaluation | Tools |
| 4 | Reviewing effectiveness of internal controls | Tools |
| 5 | Audit Intimation (Commencement Letter) | Performing |
| 6 | Conducting the Entry Conference | Performing |
| 7 | Preliminary Audit Performance | Performing |
| 8 | Reliability & Documentation of Audit Evidence | Performing |
| 9 | Documentation & Testing of processes, risks, controls | Performing |
| 10 | Working Papers — Permanent Audit File | Performing |
| 11 | Working Papers — Current Audit File | Performing |
| 12 | Performing Internal Audit Field Work | Performing |
| 13 | Exit Meeting / Audit Communication: Reporting | Reporting |
| 14 | Audit Communication: Follow-up | Follow-up |
| 15 | Quality Check of Audit Report | Quality |
| 16 | Performance Evaluation of the IAW | Quality |
| 17 | Preparing audit universe for IT audit | Special — IT |
| 18 | Planning for IT audit | Special — IT |
| 19 | Undertaking IT risk assessment | Special — IT |
| 20 | Assisting CAEs in conducting IT audit | Special — IT |
| 21 | Audit of Governance Processes | Special — Gov |
| 22 | Scheme Audit Questionnaire — beneficiary | Special — Scheme |
| 23 | Scheme Audit Checklist — auditor | Special — Scheme |
The manual reuses "Checklist 13" for both the exit-meeting checklist and the reporting checklist — a quirk in the source text. Treat them as the same number serving the close-out / reporting boundary.
The Eight Exhibits
The Exhibits are full worked samples an auditor can adapt directly. Knowing what each contains is enough for revision:
For Rashtriya Krishi Vikas Yojana (M/o Agriculture). Maps sub-processes, inherent risks, impact/likelihood scoring, existing & required controls, residual risk.
A template for a unit to assess its own internal controls.
Checklist for compliance audit of Drawing & Disbursing Officers and Pay & Accounts Officers.
Sample survey to identify vulnerabilities in IT processes.
Sample for assembling the IT audit universe.
Sample system-audit checklist in the PFMS environment.
Checklist to examine the IT control framework.
Sample summary of audit paras for scheme audit, categorised by type (financial / operational / performance) and risk level.
Anatomy of a Risk Register (from Exhibit I)
The RKVY register is the clearest illustration of how risk is recorded. Each row carries the following columns — worth memorising as the standard structure:
- Sub-process — the activity (e.g. "Approval", "Release of funds").
- Inherent risk description — what could go wrong (e.g. "delay in approval of projects by States").
- Risk assessment — Impact and Likelihood, each scored L / M / H.
- Identification & listing of controls — split into existing controls and required controls.
- Residual risk — Impact and Likelihood again (L/M/H) after existing controls.
- Frequency of control, control owner, timeline — how often the control runs, who owns it (e.g. P.D — Programme Division), and the implementation date.
| Concept | Key Fact |
|---|---|
| Total numbered checklists | 23 (across Chapters 2–7) |
| Planning checklists | 1 & 2 |
| Control evaluation | Checklists 3 & 4 |
| Performing (heaviest) | Checklists 5–12 |
| Reporting / follow-up | Checklists 13 & 14 |
| Quality | Checklists 15 & 16 |
| IT audit | Checklists 17–20 |
| Governance / Scheme | Checklists 21 / 22 & 23 |
| Exhibit I | RKVY Risk Register (M/o Agriculture) |
| Exhibit III | Compliance audit of DDOs & PAOs |
| Exhibit VI | PFMS System Audit checklist |
| Risk register columns | Sub-process · inherent risk · scoring · controls · residual risk · owner/timeline |