Generic Internal Audit Manual for Central Civil Ministries
Issued in 2014 by the Centre of Excellence, Internal Audit Division, O/o Controller General of Accounts (Ministry of Finance, Department of Expenditure). A foundational guide that takes internal audit from a compliance-only past to a risk-based future — explaining risks and controls, the COSO framework, what internal audit is, the five-phase audit process, governance through Audit Committees, and quality assurance — and serving as the template from which each Ministry builds its own detailed manual.
Introduction — What This Manual Is
The whole manual turns on one transition: internal audit moving from a compliance-only / regularity past to a risk-based future. The defining difference between the traditional and modern approach is the explicit recognition of the twin concepts of "risks" and "controls." While compliance audit remains important, auditors are now expected to evaluate controls against the risks and assure management that controls work as intended.
The CGA Mandate & Rule 64 of GFR 2005
The Controller General of Accounts is mandated under the Allocation of Business Rules to oversee accounting standards in Central Civil Accounts Offices, and has guided internal audit in the civil ministries since the departmentalisation of accounts in 1976. The scope of the internal audit function is codified in the Civil Accounts Manual and the Inspection Code.
The key objectives of ministries and departments that internal audit serves are threefold:
Proper management of public resources and government authority, ensuring compliance with laws, regulations, policies and procedures.
Ensuring the reliability of financial reporting.
Ensuring operational efficiency and effectiveness.
The Revised Charter of Financial Advisers (2006)
The Ministry of Finance, Department of Expenditure O.M. F.No.5(6)/L&C/2006 dated 1 June 2006 redefined the charter for Financial Advisers and the role of internal audit wings working under CCAs/CAs. It stipulated that internal audit move beyond compliance/regulatory audit and focus on four things:
- Adequacy & effectiveness of internal controls in general — and soundness of financial systems and reliability of financial/accounting reports in particular.
- Identification and monitoring of risk factors — including those contained in the Outcome Budget.
- Critical assessment of economy, efficiency and effectiveness of the service-delivery mechanism, to ensure value for money.
- An effective monitoring system to facilitate mid-course corrections.
Key Acronyms You Must Know
| Acronym | Expansion |
|---|---|
| CAE | Chief Audit Executive (refers to Pr. CCA / CCA / CA) |
| Pr.CCA / CCA / CA | Principal Chief Controller / Chief Controller / Controller of Accounts |
| Dy.CA | Deputy Controller of Accounts |
| AO / Sr.AO / AAO | Accounts Officer / Senior Accounts Officer / Assistant Accounts Officer |
| IAW | Internal Audit Wing |
| ATR | Action Taken Report |
| DDO | Drawing and Disbursing Officer |
| CAAT | Computer Assisted Audit Techniques |
| COSO | Committee of Sponsoring Organizations |
| IDEA / ACL | Interactive Data Extraction & Analysis / Audit Command Language (audit software) |
| IIA / ICAI / CIPFA | Institute of Internal Auditors / Institute of Chartered Accountants of India / Chartered Institute of Public Finance and Accountancy |
| INTOSAI / ISSAI | Int'l Organization of Supreme Audit Institutions / its International Standards |
| C&AG | Comptroller & Auditor General |
| Concept | Key Fact |
|---|---|
| Issued by | Centre of Excellence, Internal Audit Division, O/o CGA, M/o Finance |
| Date issued | 30 September 2014 |
| Document's purpose | A generic template for Ministries to build their own detailed IA manuals |
| Accounts departmentalised | 1976 |
| IA scope codified in | Civil Accounts Manual & Inspection Code |
| Rule 64, GFR 2005 | Secretary = Chief Accounting Authority |
| IAW headed by | Pr.CCA / CCA / CA, under the Financial Adviser |
| Revised Charter | O.M. dated 1 June 2006 — move beyond compliance audit |
| The defining shift | Explicit recognition of "risks" & "controls" |
| Three Ministry objectives | Resource management · reliable reporting · operational efficiency |
Theoretical Framework — Risks & Controls
Accountability is a core principle of democratic government. Stakeholders want assurance that: public resources are managed properly and used lawfully; government programmes are achieving their objectives and outcomes; and government services are delivered ethically, efficiently, economically and effectively. Governments have traditionally relied on in-built controls like "checks and balances" and "segregation of duties," plus rules such as the GFR and Receipt & Payment Rules.
Understanding Risk
Some activities are inherently more risk-prone than others — procurement, for instance, carries more risk than routine accounting for expenditure. A change in circumstances can also shift the risk structure: year-end expenditure, driven by the urge to avoid lapse of budget, needs closer monitoring of controls. When analysing risk, three questions are asked:
- ❓What can go wrong?
- 🎲What is the probability of it going wrong?
- ⚠️What are the consequences?
Responding to Risk — The Four T's
After identifying and evaluating risks, the Ministry develops a response to eliminate the risk or contain it within acceptable limits. Four options exist:
Shift the risk to a third party — obtaining insurance is the classic example.
Accept the risk when the cost of control outweighs the benefit, or the adverse outcome is inconsequential.
End the activity itself — needed where the risk could cause grave consequences or project failure. Not always possible in Government due to political/social sensitivities.
Manage the risk through appropriate control activities — the most obvious choice for Ministries and the most relevant for this manual.
Some risk remains even after controls are instituted — this is "residual risk." It may be advisable to tolerate it, especially where elimination costs are very high and it sits within acceptable limits. "Acceptable risk" is a risk understood and tolerated, usually because the cost or difficulty of an effective countermeasure exceeds the expected loss. What is acceptable is a judgement exercised by Management. Since controls have costs, the benefit of risk reduction must exceed the cost of the control.
In formal terms, controls comprise the actions taken by management, the audit committee and other parties to manage risks and increase the likelihood that established objectives and goals will be achieved.
The Internal Control Framework
Internal controls are continuous processes, not isolated efforts. Per the COSO framework, everyone in an organisation has some responsibility for internal control — and the commitment of those at the top is critical. Control is most effective when "built in" and not "superimposed" on the entity's systems.
The Five COSO Components
The Committee of Sponsoring Organizations (COSO) developed the internal control framework now accepted worldwide. Its five key concepts:
Sets the tone of the organisation — integrity and ethical values of individuals and the organisation as a whole. Includes management's philosophy, structure, assignment of authority, HR practices and competence.
Identifying and analysing risks that threaten objectives. Elements: risk identification, risk evaluation (likelihood & significance, rated High / Medium / Low), and risk acceptance.
The actions that manage risk — split into preventive and detective controls (see below).
For controls to work, management needs timely, reliable feedback. Communication must flow down, across and up the organisation.
A well-designed review process — comprising ongoing monitoring and/or separate evaluations. Scope and frequency of separate evaluations depend on risk assessment and the effectiveness of ongoing monitoring.
Control Activities — Two Types & Common Examples
| Type | What it does | Examples |
|---|---|---|
| Preventive | Stop a risk from occurring in the first place. | Barring entry of unauthorised personnel; segregation of duties; limiting access to sensitive information. |
| Detective | Help discover inaccuracies, misconduct etc. after the fact. | Preparing bank reconciliation statements; monitoring and supervision. |
The manual lists common control activities worth memorising:
- ⚖️Segregation of duties — separating authorisation, custody and record-keeping roles.
- ✅Authorisation of transactions — review by an appropriate person.
- 📄Retention of records — documentation that substantiates transactions.
- 👁️Supervision or monitoring of operations.
- 🔒Physical safeguards — cameras, locks, physical barriers to protect property.
- 📊Top-level reviews — actual results vs goals/plans, periodic operational reviews, metrics and KPIs.
- 🔑IT security controls — restrict system/data access to authorised personnel (passwords, access-log review).
- 💻IT application controls — edit checks to validate data entry, numerical-sequence accounting, comparing file totals with control accounts.
| Concept | Key Fact |
|---|---|
| Risk defined | Possibility of an event with adverse impact on objectives |
| Risk measured by | Impact (severity) & likelihood (probability) |
| 3 risk-analysis questions | What can go wrong? · probability? · consequences? |
| The 4 T's | Transfer · Tolerate · Terminate · Treat |
| Insurance is an example of | Transferring risk |
| Residual risk | Risk remaining after controls; tolerate if within limits |
| Controls defined | Actions by management/audit committee to manage risk |
| Internal control objectives | Orderly/ethical ops · accountability · compliance · safeguard resources |
| Framework used | COSO |
| 5 COSO components | Control environment · risk assessment · control activities · info & communication · monitoring |
| Risk rating scale | High / Medium / Low |
| 2 control types | Preventive & Detective |
| Best controls are | "Built in," not "superimposed" |
Internal Audit — Definitions & Services
The Four Authoritative Definitions
To meet widely accepted norms, the manual cites four bodies' definitions of internal audit:
| Body | How it defines internal audit |
|---|---|
| INTOSAI (ISSAI 1003) | An appraisal activity established as a service to an entity; functions include examining, evaluating and monitoring the adequacy of internal control. |
| CIPFA | An assurance function giving an independent, objective opinion on the control environment (risk management, control, governance) by evaluating its effectiveness in achieving objectives. |
| IIA | An independent, objective assurance and consulting activity designed to add value and improve operations; helps the organisation accomplish objectives via a systematic, disciplined approach to evaluate and improve risk management, control and governance. |
| ICAI | An independent management function involving continuous critical appraisal of the entity to suggest improvements and add value to the overall governance, strategic risk management and internal control system. |
All four see internal audit as evaluating the adequacy and effectiveness of risk management, governance and control processes, thereby adding value. In government and the public sector, one more principle overrides everything: serving the public interest must be the overriding objective.
The Two Primary Services — Assurance vs Consulting
The auditor's objective assessment of evidence to provide an independent opinion or conclusion on the processes, systems or mechanisms put in place by the executive to ensure achievement of objectives.
Advisory in nature — positive recommendations to improve performance and/or controls, generally at the specific request of the agency. The auditor must maintain objectivity and not assume management responsibility.
In both, internal audit focuses on whether governance, risk management and control provide reasonable assurance that: significant information is accurate, reliable and timely; resources are acquired economically and used efficiently; assets are safeguarded; actions comply with policies, procedures, contracts and laws; and significant programmes, plans and objectives will be achieved.
Types of Internal Audit
In government, internal audit may conduct several types of audit. The main ones:
- Regularity Audit (audit against rules & orders) — verifies that expenditure conforms to the laws, rules and orders governing the power to sanction/incur expenditure, and that rules on service conditions, pay, allowances and pensions are followed. The auditor flags deviations and suggests remedies; further action rests with Management.
- Propriety Audit — focuses on improper expenditure or waste even where it conforms to rules. Per Hallam, it "extends beyond the formality of the expenditure to its wisdom, faithfulness and economy." Catches improper or infructuous spending not caught by regularity audit.
- Performance (Value-for-Money) Audit — checks whether stated objectives are achieved with due regard to economy and efficiency. Examines the relationship between inputs, outputs and outcomes against the 3 E's (see callout below).
- Information Systems / IT Audit — determines whether IT systems are designed to achieve organisational goals; focuses on attributes of data (correct, consistent, reliable), assets (hardware & software) and resources (technological, physical, human).
- Financial Audit — provides reasonable assurance the financial statements show a true and fair view. For government accounts, this is performed by the C&AG.
- Grant or Contract Audits — evaluate compliance with grant conditions, the contracting process and third-party contractual performance.
- Fraud & Financial Irregularity Audits — verify the existence and magnitude of suspected fraud/irregularities, usually triggered by discovery or suspicion.
Economy — expenditure incurred was not in excess of requirement. Efficiency — output achieved with minimum inputs (or maximum output for given inputs). Effectiveness — expenditure achieved the intended objective.
Risk-Based Auditing
Until risk-management processes are well-designed and embedded in government systems, Internal Audit cannot yet rely on the Department's own view of risks for scoping. The pragmatic approach: Internal Audit, in conjunction with management, undertakes the risk-assessment exercise itself and draws up its audit plan. Over time, greater reliance can be placed on Departments' own risk assessments and risk-control matrices.
Audit Sampling
Judgemental vs Statistical Sampling
| Approach | How it works | Trade-off |
|---|---|---|
| Judgemental | Items chosen on the auditor's experience, intuition and judgement. | Simple and popular — but no scientific basis, so findings are hard to extrapolate to the population. |
| Statistical | Every unit has an equal chance of selection, eliminating bias. | Lets findings be asserted with a known degree of confidence; requires decisions on sample size and technique. |
Influenced by the purpose of audit, population size & homogeneity, required precision and confidence level. For a small population, the whole group can be the sample; for a homogeneous population, a small sample suffices. In general, a sample of 10% or more is considered reasonable.
Four common statistical sampling techniques
Number all items in the population, then use a random-number generator to select the sample.
Select items at defined intervals — e.g. every 10th, 15th or 35th voucher. The interval is set by population size and the number needed.
Divide the population into discrete homogeneous groups, then select a pre-decided number from each group.
Select all items sharing certain attributes; objective in nature — items chosen by compliance (yes) or non-compliance (no). Good for evaluating controls over many similarly-characterised transactions.
Computer Assisted Audit Techniques (CAATs)
As government operations computerise, vast volumes of electronic data accumulate that are impractical to extract manually — and manual audit limits how much data can be audited in a given time. CAATs are computer-based tools that run tests on data or IT systems, especially useful when significant data is electronic.
- ⚡CAATs permit 100% testing of data in a short span, repeated tests on different files, and standardisation of audit activity.
- 🧮Two broad categories: add-on tools used inside already-installed programs (Excel, MS Access); and general-purpose audit software built off-the-shelf for auditors.
- 💻Commonly used general-purpose software: IDEA (Interactive Data Extraction and Analysis) and ACL (Audit Command Language).
- 🎓Internal Audit Wings should train staff to use these tools in engagements.
| Concept | Key Fact |
|---|---|
| IA's primary function | Measurement & effectiveness of other controls |
| IA's unique position | Both part of the control system & reviewer of it |
| 4 defining bodies | INTOSAI (ISSAI 1003) · CIPFA · IIA · ICAI |
| Overriding public-sector aim | Serving the public interest |
| 2 primary services | Assurance & Consulting |
| Consulting caution | Don't assume management responsibility |
| Audit types | Regularity · Propriety · Performance · IT · Financial · Grant · Fraud |
| Propriety audit (Hallam) | "Wisdom, faithfulness and economy" |
| Performance audit 3 E's | Economy · Efficiency · Effectiveness |
| Financial audit by | C&AG |
| Risk-based auditing | Focus on org's response to risk, not controls/deviations |
| Audit sampling | Procedures on <100% of items |
| Materiality & law | Materiality irrelevant where compliance is legally required |
| March vouchers | Invariably selected ("March rush") |
| Reasonable sample size | 10% or more in general |
| 4 statistical techniques | Random number · interval · stratified · attribute |
| CAATs enable | 100% testing · repeated tests · standardisation |
| General-purpose software | IDEA & ACL |
Management of Internal Audit in Government
The requirement for internal audit must be set out in a clearly defined audit mandate, formally documented in the Internal Audit Charter. The charter defines the framework within which internal audit operates, establishes its functional and administrative reporting lines, fixes its position within the organisation, and serves as the foundation for the annual audit plan. A carefully developed mandate and charter are critical for an effective function.
The Audit Committee — Composition & Role
To provide oversight of the IAW, an Audit Committee should be constituted in each Ministry (or the mandate of an existing Standing Audit Committee enlarged). Its composition:
| Role on Committee | Officer |
|---|---|
| Chairperson | Secretary of the Ministry/Department |
| Vice-Chairperson | Financial Adviser |
| Convener / Member Secretary | Chief Controller of Accounts / Controller of Accounts (i.e. the CAE, or his nominee) |
| Members | Programme Division Heads; subject experts may be associated as needed |
Ensure development of an effective Risk Management system; supervise the IAW's overall functioning and set its priorities; provide strategic direction and resources; approve the Internal Audit Charter and the function's role/structure; approve the annual internal audit plan; evaluate IAW performance and offer guidance; ensure audit observations are implemented; and determine modalities to resolve key audit issues.
The Internal Audit Charter
Rule 64 of GFR 2005 places the responsibility for sound financial management on the Secretary as Chief Accounting Authority, who must ensure full and proper records and systems affording better internal controls. The revised charter of Financial Advisers (2006) stipulates that IAWs move beyond compliance/regulatory audit to the four focus areas (assessment of controls, monitoring risk factors, value-for-money assessment, mid-course-correction monitoring). Each Ministry's manual should contain an Internal Audit Charter approved by the Audit Committee. A model charter covers:
- Role of the function — internal audit as an independent, objective assurance and consulting activity adding value, concerned with controls that ensure: reliability/integrity of information; effectiveness/efficiency of operations; safeguarding of assets; compliance with laws, regulations and contracts.
- Responsibilities — Programme divisions own the system of internal controls; internal audit provides assurance on the adequacy of those controls (and may consult, but never assumes the role of management).
- Annual Audit Programme — submitted by 15 January each year through the Financial Adviser to the Audit Committee, based on the Divisions' risk assessments (or the CAE's own assessment where these don't exist).
- Reports — issued within one week of CAE approval; significant-issue reports circulated with the Vice-Chairman's approval; an Annual Audit Review goes to the Committee Chairperson and to O/o CGA by 31 May (Annexure I).
- Access — internal audit has unfettered access to all officers, buildings, information and documentation.
- Independence — objective service per the Guidelines and Code of Ethics issued by O/o CGA, whose performance is periodically reviewed by O/o CGA, with results shared with the Audit Committee.
Structure of the Internal Audit Wing
Chief Audit Executive (CAE)
Pr.CCA / CCA / CA heads the function. Reports to the Secretary through the Financial Adviser administratively; functionally reports to the Audit Committee.
Internal Audit Management Team
Headed by the CAE, comprising key Accounts & Audit functionaries — for closer supervision and quality assurance. Meets regularly to discuss plan execution, coordinate audit teams, decide approach, and issue guidance/advisories.
Audit Teams & Staff
Regular IAW staff + PAO staff not involved in the auditee's payment/accounting + other officials + Consultants hired as needed. A typical team: 1 Sr.AO/AO, 2 AAOs, 2 Accountants.
The Independence Rule, Access & Service Types
No auditor should audit his own decision, nor be involved in the audit of a unit where he may have worked within the past one year. This is the core independence safeguard for team composition.
Undertaken as per the overall directions of the Audit Committee.
Taken up with defined Terms of Reference given by the executive wing; intimated to the Audit Committee at its next meeting.
| Concept | Key Fact |
|---|---|
| Audit mandate documented in | The Internal Audit Charter (foundation for the annual plan) |
| Audit Committee Chair | Secretary of the Ministry |
| Vice-Chairperson | Financial Adviser |
| Convener / Member Secretary | CCA / CA (the CAE or nominee) |
| CAE reports administratively | To Secretary through Financial Adviser |
| CAE reports functionally | To the Audit Committee |
| CAE's review to Committee | Quarterly |
| Annual Audit Programme due | 15 January, via Financial Adviser |
| Reports issued within | One week of CAE approval |
| Annual Review to O/o CGA by | 31 May (Annexure I) |
| Independence rule | No self-audit; no unit worked at within past 1 year |
| Typical team | 1 Sr.AO/AO + 2 AAOs + 2 Accountants |
| Special audits | Executive's ToR; Committee informed at next meeting |
The Internal Audit Process
The internal audit process comprises five main phases. They can be compressed into three (planning, execution, reporting) for ease of understanding:
Planning the Engagement
Establish what is going to be audited — preliminary survey and research about the auditee unit.
Preparing for Audit
Gather relevant information from internal & external sources and prepare a work programme.
Performing the Engagement
Implement the approved plan — intimation, entry conference, testing, evidence.
Reporting upon the Engagement
Communicate the results achieved via the audit report.
Follow-up Action
Report on implementation of agreed improvement measures.
Seven Steps of a Typical Assignment
A typical internal audit assignment runs through seven steps (many are iterative and may not occur strictly in sequence):
- Establish and communicate the scope and objectives to appropriate management.
- Develop an understanding of the operational area — objectives, measurements, key transaction types — via document review and interviews (flowcharts/narratives if needed).
- Describe the key risks facing the business activities within scope.
- Identify the control procedures ensuring each key risk and transaction type is controlled and monitored.
- Develop and execute a risk-based sampling and testing approach to check whether the most important controls operate as intended.
- Report problems identified and negotiate action plans with management.
- Follow up on reported findings at appropriate intervals (maintaining a follow-up database).
Planning & Preparing for Audit Engagements
Audit planning has two levels: the macro plan (Annual Audit Programme) and plans for specific assignments. The annual programme is developed in consultation with Management, finalised by 15 January each year, communicated to auditee units with sufficient notice, with a copy to O/o CGA.
Planning the year — the working-days arithmetic
Plan for about 210 working days per auditor (after deducting weekly/public holidays, eligible leave, travel, report preparation, follow-up and training). Keep an average of 10 working days for regular audits and 15–23 days for special audits. Given the available audit teams (1 Sr.AO/AO, 2 AAOs, 2 Accountants), the number of units that can be audited is then derived.
The audit universe is the aggregate of all auditable areas — defined by function/activity, organisational unit/division, or project/programme. Examples: information systems, major contracts, procurement, payment, accounting. Budgetary allocations are a consideration.
An elaborate exercise with the Ministry's executive authorities, deciding which processes/units/schemes to audit. Use random sampling for selecting among similar units (so the sample is representative); judgemental sampling may pick areas/states/districts.
Develop the work programme from the risk rating. Early on this involves substantial judgement; the process matures once Risk Registers and Risk Committees are functional.
Special audits are undertaken per the Ministry's Terms of Reference; the Audit Committee is informed subsequently.
Planning Individual Audits
Because audit itself spends public funds, each engagement must be economical, efficient and effective. Planning an individual engagement follows a logical chain:
- Background study & research — understand the unit's business operations, objectives, processes, policies, environment, and any significant or recent/proposed changes.
- Preliminary analysis of key controls & risks — consider entity-wide risks identified at the institutional level; for each activity/process/system, identify control objectives and the key controls that mitigate the risks, then evaluate their design effectiveness.
- Develop engagement objectives, scope, criteria and approach — the objective is a broad statement, often a question the auditor seeks to answer, with a conclusion drawn for each objective. The work must yield sufficient evidence to meet the objectives.
- Finalise the audit plan — a detailed scope statement describing the areas/processes/systems covered, the time period and locations, and any areas excluded from scope.
Performing the Audit Engagement
Once the programme is finalised, it is communicated to auditee units 30 days before commencement (a questionnaire may accompany it).
Intimation & Entry Conference
A Commencement Letter, addressed to the highest individual responsible for the function/department, is sent at least a month before the audit. It includes:
- 🎯Objective of the audit.
- 📐Scope and the period it covers.
- ⏱️Estimated duration.
- 👥Names of auditors — especially the Team Leader.
- 📅Information on entry and exit conferences.
- 📄Request for necessary information and documents.
The engagement normally starts with an entry conference between the auditors and the Head of Department/Office. Its purpose is to establish an appropriate environment: auditors communicate the proposed objectives and scope, seek to understand the organisation's objectives and risk-management practices, learn of areas of special concern, and settle logistics (a nodal officer for space, records, meetings). The conference validates information gathered during planning and gauges attitudes toward controls.
Audits with an element of surprise do not have any entry conference. (All meetings that do occur must be documented and minuted, forming part of the working papers.)
The auditor tests the operating effectiveness of the key controls. A control's operation is not effective when a properly-designed control isn't operating as designed, or the person performing it lacks the necessary authority or qualifications. Each test's results and evidence are documented on the applicable matrix, recording: the objective/criterion the test links to; the information sources used; the means of testing; the results and analysis; and the observations/recommendations.
Audit Evidence & Its Reliability
Reliability is influenced by source (internal or external) and nature (visual, documentary or oral). The manual's reliability hierarchy:
- 🌐Evidence from external sources (e.g. third-party confirmation) is more reliable than from the entity's records.
- 🔗Evidence from the entity's records is more reliable when the related accounting and internal-control systems operate effectively.
- ✅Evidence obtained directly by the auditor is more reliable than that obtained by or from the entity.
- 📄Documents and written representations are more reliable than oral representations.
- 📑Original documents are more reliable than photocopies, telexes or facsimiles.
- 📊Large samples are more reliable than smaller ones; statistical samples more persuasive than non-statistical.
When evidence from different sources is consistent, it becomes persuasive. When sources are inconsistent, it is the auditor's responsibility to determine and perform the additional procedures needed to resolve the inconsistency. Decisions on what evidence to seek and how much is sufficient require due diligence and professional judgement.
Working Papers, Observations & the Exit Meeting
Working papers are the supporting documents for the whole engagement — they provide a complete audit trail, demonstrate how the audit was performed, and contain the evidence behind the Summary of Observations and the final report. They must be indexed, referenced and cross-referenced to the relevant observations. They sit in two files:
Information relevant to current and future audits — allowing comparison of KPIs over time: (i) organisational chart; (ii) descriptions of schemes/programs/systems/procedures & business plans; (iii) corrective action plans; (iv) legal & regulatory issues; (v) risk assessment; (vi) correspondence of continuing interest; (vii) updated audit programmes.
Records relevant to the current audit: (i) draft & final report copies; (ii) significant findings & how resolved; (iii) planning documentation; (iv) administration/correspondence; (v) follow-up of previous reports; (vi) updated programmes; (vii) supporting documentation; (viii) minutes of entry & exit meetings.
The supervisor reviews all working papers and supporting evidence, then prepares a draft report flagging control-design/implementation weaknesses, non-compliance, and transactions short of standards of propriety. The draft goes to the Head of Department for the Department's views. A formal exit meeting with key officials discusses the draft, obtains views and additional facts, and records disagreements with reasons. If the entity won't or can't comment in reasonable time, the report may issue noting the absence of comments. Ideally, the exit meeting turns the draft into an agreed document. The meeting is minuted; a copy goes to the Department.
Reporting & the 5-C Framework
Audit reports are the end products. They must be accurate, objective, clear, concise and complete and issued timely (normally within a fortnight of completing the engagement). Satisfactory performance of the auditee should also be acknowledged. Key formal requirements:
- 📑Cover page legend: "Internal Audit Report of ___ for the period ___", plus the date of issue.
- ⚖️States the responsibility split: management owns internal controls & financial statements; the auditor's job is to express an opinion on the efficiency of internal controls in achieving management objectives.
- ✅Approved by competent authority, signed by the designated authority, addressed per the Internal Audit Charter.
- 📊Carries an Executive Summary — objectives, scope, summary of observations, highlighting those needing immediate senior-management action.
- 📝Issued in the format prescribed by O/o CGA (Annexure II); fact-based, free of personal criticism, constructively worded.
Every observation is developed with the 5-C framework — a logical chain from what was expected, through what happened, to what should be done:
- Criteria — "What should exist?" The benchmarks or expectations against which audit evidence is compared (policy, norm, SOP).
- Condition — "What exists?" The factual evidence found; identifies the nature and extent of the observation — the result of comparing actual evidence with criteria.
- Consequence / Effect / Impact — "What effect did it have?" The risk or exposure from the gap between criteria and condition; often quantitative. The effect must be serious enough to justify the cost of correction.
- Cause — "Why did it happen?" The likely reason for the gap. Similar causes across observations may reveal an underlying theme; identifying the cause is a prerequisite to a meaningful recommendation.
- Corrective Action / Recommendation — "What should be done?" Actions to correct and prevent recurrence — within the client's scope, addressing the cause not the symptoms, and at least intuitively viable.
Grouping Findings by Risk Severity
Absence of immediate corrective action may have a major negative impact on achievement of objectives.
Failure to take action could result in significant consequences.
Suggested action would bring greater efficiency or enhanced controls at minimal additional cost.
Follow-up Action
The true achievement of an audit is reflected in implementation of its recommendations and an improved control system — this phase must not be underestimated. There must be a defined time-frame for Action Taken Reports (ATRs). The IAW examines ATRs and offers comments to the administrative division; monitoring of audit paras also aims to resolve old paras, watched closely by the Pr.CCA/CCA/CA.
Issues that could not be resolved within six months through communication with the administrative division / audit client are reported to the Audit Committee, whose Chairman issues further directions.
| Concept | Key Fact |
|---|---|
| Five phases | Plan · Prepare · Perform · Report · Follow-up |
| Compressed into | Planning · Execution · Reporting |
| Typical assignment | 7 steps (scope → understand → risks → controls → test → report → follow-up) |
| Annual Programme due | 15 January; copy to O/o CGA |
| Capacity planning | 210 working days/auditor; 10 days regular, 15–23 special |
| Programme communicated | 30 days before commencement |
| Commencement Letter | Sent ≥ 1 month before the audit |
| Surprise audits | No entry conference |
| Evidence must be | Sufficient (quantity) · appropriate (reliable + relevant) |
| Most reliable evidence | External · auditor-obtained · documentary · originals · large samples |
| Two working-paper files | Permanent & Current |
| Observation = | "Should exist" vs "exists" + effect, impact, cause |
| Report qualities | Accurate · Objective · Clear · Concise · Complete |
| Report timeline | Within a fortnight of completion |
| Responsibility split | Management owns controls; auditor opines on efficiency |
| The 5 C's | Criteria · Condition · Consequence · Cause · Corrective action |
| Risk grouping | High · Medium · Low |
| ATR escalation window | Unresolved in 6 months → Audit Committee |
Quality Assurance in Internal Audit
Consistent application of processes; standardisation and completeness of documentation; adequate linkage of recommendations to working papers; enhanced credibility. It increases the effectiveness of the supervisory function — and thereby the reliability of reports.
Hierarchy of Quality Assurance Elements
Quality assurance operates at four levels, each with its own control objective, the party responsible, and the level that receives assurance:
| Element | Control objective | Responsible party | Assurance to |
|---|---|---|---|
| Professionalism (Due Care) | Individual auditor's work | Individual auditor | Individual |
| Supervisory Review | The engagement | Supervisor within line of responsibility | Audit function management |
| Internal Review | Aggregate of engagements / divisional offices | Supervisor or peer outside line of responsibility | Chief Audit Executive |
| External Review | Audit function as a whole | Qualified persons from outside the organisation | Audit Committee & senior management |
The responsibility of the Chief Audit Executive.
Conducted by members of IAWs of other Ministries/Departments.
Examines the audit plan, working papers, related report and follow-up — before or after reports are finalised. Deficiencies must be rectified in a time-bound manner.
Measuring the Performance of Internal Audit
Performance can be evaluated on several key areas (a balanced scorecard approach helps, supplemented by customer surveys to managers after each engagement and an annual survey to the Audit Committee):
The degree to which the annual plan of engagements is completed.
Time elapsed from completion of testing to issuance of the final report.
Audit findings acted upon and resolved.
% of staff with professional certifications, graduate degrees, and years of experience.
% of time spent on engagements vs administrative time (training, vacation).
Positions filled vs authorised. May use rotational/"guest" auditors or "co-sourcing" of contract auditors.
Human Resources, Training & Staffing Norms
Eight parameters drive the staffing requirement of an IAW (worked out into man-days against available working days — Annexure III):
- Number of audit units.
- Number of employees in each audit unit.
- Budget of each audit unit.
- Inherent risks in the functioning of each audit unit.
- Time required to complete an engagement (including travel).
- Time required for report writing.
- Time reserved for training and continuous professional education.
- Period that may be spent on leave etc.
With increasing complexity, internal audit may lack specialised knowledge. The CAE should have authority and resources to hire individuals and firms with the requisite skills (as the C&AG does), assessing their competency, independence and objectivity (experience, education, training, professional membership). Consultants work under the CAE's overall control, and responsibility for quality and timely delivery lies only with the CAE.
Training modules should cover risk assessment, designing the risk matrix, mapping risks with controls, evaluating internal controls, field work and testing plans, and auditing in a computerised environment (CAATs). Report-writing is a priority area. Auditors should acquire certifications from bodies like IIA, ISACA, with the CAE reimbursing fees and study material.
Effective methods: challenging, varied assignments; quality supervision; staff participation across audit phases; opportunities to lead (starting with structured engagements); participation on improvement task forces; rotation through teams/audits; and involvement in annual risk-assessment.
The Code of Ethics — Four Principles
Establishes trust; the reason an auditor's judgement is relied on. Perform with honesty, diligence and responsibility, in conformity with law; no party to illegal acts.
Impartial and transparent. No activity/relationship that adversely affects balanced assessment; accept nothing that may influence professional judgement.
Respect the value and ownership of information; don't disclose without proper authority unless legally/professionally obliged.
Engage only in services for which one has the knowledge, skills and experience; continuously improve proficiency and quality.
Internal and statutory audit should develop synergy and complement each other. The Audit Committee reviews statutory audit observations too. To track settlement of objections in Test Audit Notes issued by statutory officers, the IAW maintains a DDO-wise count of outstanding objections and monitors progress. Both audits' observations guide the risk-assessment and work-programme.
| Concept | Key Fact |
|---|---|
| QAIP purpose | Value-adding audits + assurance of conformance to guidance |
| 4 QA hierarchy levels | Professionalism · Supervisory · Internal · External review |
| Self-assessment by | The CAE |
| Peer review by | IAWs of other Ministries |
| External review by | O/o CGA |
| 6 performance metrics | Plan completion · report issuance · issue closure · staff qualifications · utilisation · staffing level |
| Measurement approach | Balanced scorecard + customer surveys |
| 8 staffing parameters | Units · employees · budget · risk · audit time · report time · training · leave |
| Consultant responsibility | Lies only with the CAE |
| 4 Code of Ethics principles | Integrity · Objectivity · Confidentiality · Competency |
| Statutory-audit tracking | DDO-wise count of Test Audit Note objections |
Glossary, Annexures & Report-Writing Tips
The Three Annexures
Format for the wing's Annual Review, submitted to O/o CGA by 31 May. Built around four chapters: Executive Summary, Consolidated report of findings, Important findings (quantified), and Annexures.
The prescribed report format — carries the legend "Internal Audit Report of ___ for the period ___," the IAR number, and the responsibility split.
The basis for assessing IAW staff requirement — auditee units by periodicity (annual / biennial / triennial), audit man-days required vs available working days in the year.
Annual Review — The Ten Categories of Irregularities
The Annual Review highlights important irregularities (each ≥ Rs. 1 lakh) under ten distinct headings — a useful checklist of what internal audit looks for:
- Non-recovery of Government dues (from Central/State Govt., Govt. bodies, private parties).
- Overpayments.
- Idle machinery / surplus stores.
- Loss / infructuous expenditure.
- Irregular expenditure.
- Irregular purchase.
- Non-adjustment of advances (Contingency, TA, LTC advances).
- Blocking of Government money.
- Non-accountal of costly stores / Government money.
- Any other item of special nature.
Ten Things Not to Say in an Audit Report
A memorable box (by Richard Chambers of the IIA) on report-writing craft — worth internalising for the principle that reports must drive action, not impress:
Don't say "management should consider…" — offer solid, specific recommendations. Avoid hedges like "it seems that" or "there appears to be."
"Clearly," "very," "significant" are non-specific weaseling — numbers tell the story. Beware "always"/"never"; the problem is rarely universal.
Aim for positive change, not blame — get to root cause. State the condition without "management failed," which annoys those you need to act.
Use "audit client"/"customer" — audit is collaborative. Avoid audit-speak that loses readers.
Avoid "we found" (it reads like throwing management under the bus). If it sounds pompous, rewrite — use the "fifth-grader test."
Glossary — Quick Reference
| Term | Meaning |
|---|---|
| Add Value | Facilitate achievement of objectives by identifying areas and recommending measures to reduce risk and/or improve operations. |
| Audit Observation | Any identified and validated gap between the current and desired state arising from an engagement. |
| Auditee / Audit Client | The Government Ministry/Department/Unit that is the subject of an engagement. |
| Criteria | The standards or measures used in evaluation — what should exist. |
| Condition | The factual evidence the auditor found — what does exist. |
| Cause | The reason(s) for the difference between expected and actual conditions. |
| Effect / Consequence | The risk or exposure arising from the variance between condition and criteria. |
| Control Environment | Provides the discipline and structure — integrity/ethics, management philosophy, structure, authority assignment, HR practices, competence. |
| Residual Risk | The portion of inherent risk remaining after management executes its risk-management process. |
| Risk Response (Mitigation) | Action to achieve a desired risk strategy — avoidance, reduction, sharing or acceptance. |
| Reasonable Assurance | A level of assurance supported by generally accepted auditing procedure and judgement. |
| Governance | The rules, procedures and processes that authorise, direct and oversee management to ensure objectives are achieved. |
| Engagement Work Program | A document listing the procedures to be followed during an engagement. |
| Conflict of Interest | Any relationship that may prejudice an individual's ability to perform duties objectively. |
| Concept | Key Fact |
|---|---|
| Annexure I | Annual Review Format (due 31 May) |
| Annexure II | Internal Audit Report Template (O/o CGA format) |
| Annexure III | Norms for staff requirement (annual/biennial/triennial) |
| Grant-audit threshold | IAW audits institutions getting < Rs. 25 lakh in grant (CAM 12.2.1) |
| Irregularity reporting floor | ≥ Rs. 1 lakh per case; no abbreviations |
| 10 irregularity categories | Non-recovery · overpayment · idle machinery · loss · irregular expenditure · irregular purchase · advances · blocked money · non-accountal · other |
| Report-writing test | The "fifth-grader test" |
| Criteria vs Condition | "What should exist" vs "what does exist" |
| Residual risk | Inherent risk left after the risk-management process |