Handbook on Internal Audit in Central Civil Ministries/Departments
The policy-and-principles reference issued by the Internal Audit Division of the Controller General of Accounts (Ministry of Finance, Department of Expenditure). Anchored in Article 150 of the Constitution, the GFR 2017 (Rules 70, 72 & 236), the Civil Accounts Manual and the IIA's IPPF, it embeds the 32 CGA Internal Audit Guidelines and the theory of risk, COSO controls and RBIA. These notes cover the Foundations and all six chapters plus the six Exhibits, each with a self-test.
History, Statutory Anchors & Acronyms
Handbook vs Manual — the framework is a two-book set, each serving a distinct purpose.
| Aspect | Handbook (this document) | Manual (companion) |
|---|---|---|
| Answers | The "why" and "what". | The "how". |
| Contents | Theory, concepts, definitions, and the 32 Guidelines. | Practice advisories, checklists, and worked exhibits. |
| When used | To understand principles, risk, COSO and the management framework. | While actually performing the engagement. |
The Guidelines use "must" for an unconditional requirement and "should" where conformance is expected unless, on applying functional judgment, circumstances justify deviation. The word "Program" denotes any auditable unit — programs, schemes, departments, units, processes, structures or PSUs.
Historical milestones
| Date | What happened |
|---|---|
| Jan 1973 | Group of Ministers (GOM) constituted; a sub-group of eight members under Finance Secretary Shri M.P. Yardi ("Yardi Committee") set up on 27 Feb 1973. |
| 14 Aug 1973 | Yardi Committee report submitted (endorsed by GOM on 4 Sep 1973) — recommended Departmentalisation of Accounts, a Management Accounting System (MAS), and strengthening of Internal Audit. |
| 1 Mar 1976 | Two ordinances promulgated — the C&AG (DPC) Amendment Ordinance and the Departmentalisation of Union Accounts (Transfer of Personnel) Ordinance. |
| 1 Apr 1976 | The Civil Accounts Organisation under the Controller General of Accounts came into existence. |
| 27 Sep 1980 | Role of the Civil Accounting Organisation outlined in the Allocation of Business Rules (notification CD-896/80, Annexure 2.3). |
| Apr 1989 | High Powered Committee under Shri S.B. Lal reviewed the Departmentalisation scheme — noted qualitative improvement in Internal Audit. |
| 1 Jun 2006 | Redefined Charter of Financial Advisers (OM 5(6)/L&C/2006) — moved internal audit beyond compliance to controls, risk and value-for-money. |
The statutory & rule anchors — exact citations
These provisions recur throughout the Handbook, each cited below with its exact number and full scope.
- GFR 70Rule 70, GFR 2017 — the Secretary, as Chief Accounting Authority, is responsible and accountable for the financial management of the Ministry/Department, must ensure public funds are used for their intended purpose, and must keep full & proper records and adopt systems/procedures that at all times afford internal controls, to avoid unauthorised, irregular and wasteful expenditure.
- GFR 72Rule 72, GFR 2017 (read with Article 150 of the Constitution) — the accounts of the Union shall be kept in such form as the President prescribes on the advice of the C&AG; the CGA (M/o Finance, Dept of Expenditure) is responsible for prescribing the form of accounts of the Union and States and for framing/revising the related rules and manuals on the President's behalf.
- CAM 12.2.1Para 12.2.1, Civil Accounts Manual — the Internal Audit Unit works directly under the Pr. CCA / CCA / CA (with independent charge), with overall responsibility remaining with the concerned Financial Adviser and the Secretary. Its jurisdiction covers the Principal Accounts Office, the Pay & Accounts Offices, the offices of the DDOs, Indian Missions and other GoI offices abroad — and, in addition, the implementing agencies of the Ministry's schemes/programmes.
- GFR 236Rule 236(1), GFR 2017 — the accounts of all Grantee Institutions or Organisations shall be open to inspection by the sanctioning authority and to audit by both — (a) the Comptroller & Auditor General of India under the provisions of the C&AG's (DPC) Act, 1971, and (b) internal audit by the Principal Accounts Office of the Ministry/Department — whenever the Institution or Organisation is called upon to do so. A provision to this effect must invariably be incorporated in all orders sanctioning Grants-in-aid.
Two further roots worth noting: the digitisation of Government accounts through PFMS was approved by an OM dated 2 December 2014; and the Eleventh Five Year Plan (2007–12) recorded the Government's commitment to undertaking gender audits, with Gender Budgeting adopted by India in 2005.
Key acronyms
| Acronym | Expansion |
|---|---|
| CAE | Chief Audit Executive (refers to Pr. CCA / CCA / CA) |
| Pr.CCA / CCA / CA | Principal Chief Controller / Chief Controller / Controller of Accounts |
| IAW / IAD | Internal Audit Wing (at a Ministry) / Internal Audit Division (in O/o CGA) |
| IAG | Internal Audit Guidelines (the 32 CGA guidelines) |
| IPPF / IIA | International Professional Practices Framework / Institute of Internal Auditors |
| COSO / ERM | Committee of Sponsoring Organizations / Enterprise-wide Risk Management |
| RBIA / RAU | Risk Based Internal Audit / Risk and Audit Universe |
| IA-CM / IA-CoE | Internal Audit Capability Maturity Model / IA Centre of Excellence (IAD) |
| QAIP | Quality Assurance and Improvement Program |
| KPI / KRI | Key Performance Indicator / Key Risk Indicator |
| PPS | Programmes, Projects and Schemes |
| GFR / DDO | General Financial Rules (2017) / Drawing & Disbursing Officer |
| PFMS / INGAF | Public Financial Management System / Institute of Govt Accounts & Finance |
| CIPFA / ICAI | Chartered Institute of Public Finance & Accountancy / Institute of Chartered Accountants of India |
| CVC / C&AG | Central Vigilance Commission / Comptroller & Auditor General |
| ISSAI | International Standards of Supreme Audit Institutions |
Foundations Quiz — history & the rule anchors
Eight questions on the history and the statutory anchors. Pick an answer to lock it; the explanation appears below.
| Concept | Key Fact |
|---|---|
| Issued by | Internal Audit Division, O/o CGA, M/o Finance (Dept of Expenditure) |
| Handbook vs Manual | Theory + 32 Guidelines | advisories, checklists, exhibits |
| Yardi Committee | 1973 — recommended Departmentalisation of Accounts |
| CGA organisation born | 1 April 1976 |
| Rule 70 GFR | Secretary = Chief Accounting Authority |
| Rule 72 GFR + Art 150 | President prescribes form of accounts on C&AG's advice; CGA prescribes it |
| Rule 236(1) GFR | Grantee accounts open to audit by both — C&AG (DPC Act 1971) and internal audit by the PAO |
| Para 12.2.1 CAM | IAU under Pr.CCA/CCA/CA; jurisdiction = PAO, PAOs, DDOs, Missions, offices abroad + implementing agencies |
| PFMS digitisation OM | 2 December 2014 |
Introduction to Internal Audit & the 32 Guidelines
Each IAW articulates its own Mission; the model wording is: "To enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight." The need for the function stems from the need for objective feedback to Government through periodic review of risks, internal controls and governance.
The ten Core Principles (IIA)
Taken as a whole, these articulate an effective internal audit. All should be present and operating — failure on any one implies the activity is not as effective as it could be in achieving its mission.
Demonstrates integrity.
Competence & due professional care.
Objective & free from undue influence (independent).
Aligns with strategies, objectives & risks.
Appropriately positioned & adequately resourced.
Quality & continuous improvement.
Communicates effectively.
Provides risk-based assurance.
Insightful, proactive, future-focused.
Promotes organizational improvement.
The IAG architecture & "Audit Risk"
The CGA's Internal Audit Guidelines exist to decrease Audit Risk. There are 32 guidelines in 4 Sections, mandatory and principle-based. The word "professional" is read to include the "function" of internal audit from the Civil Ministries' perspective.
False positive — giving a positive assurance when there is actually a substantial issue. False negative — giving an adverse opinion when the actual conditions are satisfactory. Tolerable audit risk is set by the Ministry's Audit Committee.
Section A — General Guidelines (1–8)
| No. | Guideline | The crux |
|---|---|---|
| 1 | Internal Audit Principles | The ten core principles; mandatory and CGA-updated. |
| 2 | Code of Conduct & Ethics | Serve the public interest; follow GoI rules & CVC ethical guidelines. Five ethical principles: public interest, integrity, objectivity, proper use of Govt information/resources/positions, professional behaviour (adapted from US GAO Yellow Book). A yearly declaration of adherence is taken from each auditor. |
| 3 | Independence & Objectivity | Activity must be independent; auditors objective — in fact and appearance. Achieved via a dual-reporting relationship with direct, unrestricted access to senior management. (Five-test rule below.) |
| 4 | Proficiency & Due Care | Consider extent of work; complexity/materiality; adequacy of GRC; probability of fraud/non-compliance; cost vs benefit. Must consider technology-based & data-analysis techniques. |
| 5 | Use of Professional Judgement | Document significant decisions affecting objectives, scope, methodology, findings, conclusions; built on independence, objectivity, integrity, proficiency, skepticism & critical thinking. |
| 6 | Definition of Internal Audit | The IIA definition — assurance + advisory. |
| 7 | Nature of Work | Evaluate & improve Governance, Risk Management, Control via a systematic, risk-based approach (IIA Std 2100/2110/2120/2130). |
| 8 | Types of Services | Assurance (3 parties: process owner, auditor, user) & Advisory (2 parties: auditor, Ministry). Procedures: examination, review, agreed-upon procedures. |
A Ministry's IAW is presumed free of organizational impairment if the CAE meets ALL of:
(a) is accountable to the Secretary;
(b) reports audit results to both the Secretary and the Audit Committee;
(c) is located outside the staff or line management of the Ministry;
(d) has access to the Audit Committee;
(e) is sufficiently removed from political pressure to report findings without fear of political reprisal.
Under Guideline 8 the three engagement procedures differ sharply: an examination forms an opinion on conformance with criteria in all material respects (used for controls/compliance); a review does sufficient testing to express a conclusion on whether anything came to attention showing non-conformity; an agreed-upon procedure engagement expresses no opinion or conclusion — it only reports the findings of the applied procedure.
Section B — CGA Level Guidelines (9–13)
| No. | Guideline | The crux |
|---|---|---|
| 9 | Managing Govt Internal Audit | CGA's oversight; IAD obtains Annual Reviews and reports the "Annual Review at a Glance" to the Finance/Expenditure Secretary. |
| 10 | Establishing Best Practices | CGA lays down best practices including the IAGs in the Handbook; the new Charter of duties (Secretary, Dept of Expenditure) to be adopted by Ministries. |
| 11 | Supporting Engagement with Audit Committees | CGA builds the working relationship between the CAE and the Audit Committee. |
| 12 | Technical Support (Data Analytics) | Delivered through the Internal Audit Centre of Excellence (IA-CoE) — a central repository of best practice; helps IAWs climb the IA-CM; signed an MoU with IIA India. |
| 13 | Maintaining Proficiency | Certification via INGAF; where a resource gap carries significant audit risk, CGA may nominate proficient auditors / outsourced providers to that team. |
Section C — Ministry Level Guidelines (14–24)
| No. | Guideline | The crux |
|---|---|---|
| 14 | Role of the CAE | Effectively managed (achieves charter purpose, conforms to the Handbook), adds value (considers strategies/objectives/risks), proficiency (sought for advice on risks & controls). |
| 15 | Reporting by the CAE | Report regularly to the IFA, periodically to Secretary & Audit Committee; at least once a quarter on status. Report against KPIs each quarter; the Audit Committee fixes risk appetite/tolerance; the CAE gives a written assessment on KRIs each quarter. Introduces the IA-CM (six elements). |
| 16 | Annual Plan & 3-Year Programme | Risk-based Annual Plan by 15 January; revise by 15 February for the Finance Bill. High-risk areas ≥1/year; low-risk once in 2–3 years. Plan must contain both assurance and advisory; documented risk assessment at least annually. |
| 17 | Communication & Approval of Plans | Present plan + 3-year programme to the Audit Committee by 1 March, with impact of resource limitations; present challenges in three risk categories: audit failure, false assurance, reputation risk. |
| 18 | Resource Management | Resources must be appropriate (right mix), sufficient (right quantity), effectively deployed; gaps reported in writing before every meeting. |
| 19 | Mandatory Compliance | Compliance is mandatory and part of the CAE's appraisal; non-conformance during an engagement must be stated in the report. |
| 20 | Technical Support from IA-CoE | CAE prepares the Ministry's own IA Manual, maintains a Risk Register, reports IA-CM capability, shares best practices. |
| 21 | Internal Audit of Governance | Report to Secretary, IFA & Audit Committee on the adequacy of governance processes. |
| 22 | External Service Providers | Fill competency gaps; each member needn't be qualified in all disciplines, but the team collectively must be competent; document scope in an engagement letter. |
| 23 | Value Add to Risk Management | Review/advise on ERM, facilitate Risk Self-Assessment workshops — but do not assume management responsibility by actually managing risks. |
| 24 | QAIP | CAE maintains a QAIP covering all IAW activities; communicate results annually to IFA & Audit Committee; covers internal & external assessments; the external assessment is done by an assessor engaged by the CGA. |
Section D — Engagement Guidelines (25–32)
| No. | Guideline | The crux |
|---|---|---|
| 25 | Engagement Planning | Plan = objectives, scope, timing, resources; submit a TOR before the field visit. Pre-fieldwork file: Audit Planning Memo (APM), Preliminary Survey Findings (incl. Risk Assessment Report — RAR), Engagement TOR. |
| 26 | Engagement Work Program | Written, updated program: objectives; risks/processes/transactions; nature of testing; procedures. Ready before the field visit except sample size. |
| 27 | Engagement Supervision | Oversight scaled to auditor proficiency/experience and engagement complexity, to mitigate audit risk. |
| 28 | Sufficient & Appropriate Evidence | Appropriateness = quality (relevance, reliability, usefulness); Sufficiency = quantity. Where limitations are significant: seek corroboration, disclose in report, decide whether to report as a finding. |
| 29 | Performing Field Work | Gather via surveys/interviews/checklists, analytical procedures, process maps; use Generalised Audit Software (GAS) & continuous monitoring; secure electronic working papers. Be proficient in choosing sampling — statistical, judgemental, discovery. |
| 30 | Documenting Engagement Activities | Detail enough for an experienced auditor with no previous connection to understand nature/timing/extent/results; control access & retention (IIA Std 2330 series). |
| 31 | Communicating Results | Timely; contains an opinion and/or conclusion; the reason for an unfavourable opinion must be stated; communicate serious findings early; CAE issues all reports and circulates corrections. |
| 32 | Monitoring Progress & Acceptance of Risk | Monitor disposition of results; inordinate delay implies management has accepted the risk — include in yearly reporting of unacceptable risks to the Audit Committee. |
Chapter 1 Quiz — principles & the 32 Guidelines
Eight questions from Chapter 1. Pick an answer to lock it; the explanation appears below.
| Concept | Key Fact |
|---|---|
| Total guidelines / sections | 32 guidelines · 4 Sections (A 1–8 · B 9–13 · C 14–24 · D 25–32) |
| Core principles | 10 — all should operate effectively |
| Audit Risk | False positive / false negative |
| Five ethical principles | Public interest · integrity · objectivity · proper use of Govt resources · professional behaviour |
| Independence via | Dual-reporting relationship (five-test presumption) |
| Three services procedures | Examination · review · agreed-upon procedures |
| Plan deadlines | 15 Jan (plan) · 15 Feb (Finance Bill) · 1 Mar (present) |
| Three engagement risks | Audit failure · false assurance · reputation risk |
| Pre-fieldwork file | APM · Preliminary Survey (incl. RAR) · TOR |
| QAIP results reported | Annually to IFA & Audit Committee |
Internal Audits, Risks & Internal Controls
The three types of audit
Verifies expenditure conforms to laws, rules & orders governing the power to incur/sanction, and that service, pay, allowance & pension rules are followed. The auditor flags deviations and suggests remedies; further action rests with the Ministry.
Reviews actions suggesting improper expenditure or waste even if covered by rules. Extends "beyond the formality of the expenditure, to its wisdom, faithfulness and economy" (Hallam). Financial Audit is conducted as part of it — grant/contract audits and fraud/financial-irregularity audits.
Ascertains whether stated objectives are achieved with economy & efficiency; examines the inputs → outputs → outcomes chain in schemes/programmes.
Performance Audit is assessed from five angles: Effectiveness (program accomplishments — gender-disaggregated data is a pre-requisite to measuring it), Efficiency (productivity, unit cost, utilisation), Economy (minimising input use consistent with quality), Data reliability (controls over non-financial reporting), and Risk assessment (including the political and societal risks unique to Government).
Risk Based Internal Audit (RBIA) methodology
Where risk maturity is low: report the ERM deficiencies, provide advisory to train program officers to prepare a risk register, and build the plan on the auditor's own risk assessment. Where it is adequate: use the program's risk register, identify significant risks, and include them in the plan. Risk assessment is done separately for each unit/geography — there is no one plan that fits all.
Implementation has three stages (detailed in Exhibit IV) — the CAE shall:
Risk & its scoring
Risk response — the 4 T's
Shift the risk elsewhere — e.g. obtaining insurance.
Accept it — when control cost outweighs benefit, or the outcome is inconsequential.
Stop the activity — for grave consequences; not always possible in Govt due to political/social sensitivities.
Apply control activities — usually the most obvious & relevant choice for Ministries.
Residual risk remaining after controls may be tolerated if elimination costs are high and it is within acceptable limits. Acceptable risk is one understood and tolerated because the cost/difficulty of a countermeasure exceeds the expected loss — a judgement for the Ministry. The benefits of risk reduction must exceed the cost of controls; the target is bringing risk within the Ministry's risk appetite.
Internal control & the COSO framework
Types of control — with representative examples of each.
| Type | Purpose | Examples |
|---|---|---|
| Preventive | Prevents/minimises errors before they occur. | Segregation of duties; dual cheque-signing; purchase policy; barring unauthorised entry. |
| Detective | Highlights errors after they occur. | Bank reconciliation; audit; physical verification of fixed assets; supervision. |
| Reconstructive | Provides effective backup. | Disaster Recovery Procedures. |
Internal control is most effective when controls are "built in" and not "superimposed." Internal Audit is itself a critical component of the internal control system — entrusted with the review function — and, being a control, also entails costs, so must be run with due regard to economy, efficiency and effectiveness.
The internal auditor's role in risk management
- 📢Be advocates for formal risk management and help expedite and sustain it.
- 🎯Provide assurance on risk management as a whole, not just on individual risks.
- 🔗When conducting a risk-based audit, link the audit scope to specific risks faced by the Ministry's objectives.
- 🔄Update the risk assessment as and when risks arise, not on a fixed periodicity.
- ⚠️Be cautious that Ministry requests don't divert resources from higher-risk areas; never assume a management role.
Chapter 2 Quiz — audit types, RBIA & COSO
Eight questions from Chapter 2. Pick an answer to lock it; the explanation appears below.
| Concept | Key Fact |
|---|---|
| Three audit types | Compliance · Propriety · Performance |
| Propriety (Hallam) | Beyond formality — to wisdom, faithfulness, economy |
| Financial Audit sits within | Propriety Audit |
| Performance audit angles | Effectiveness · efficiency · economy · data reliability · risk assessment |
| RBIA is a | Methodology (not a type); links audit to ERM |
| RBIA three stages | Assess maturity → prepare plan/RAU → audit & feed back |
| Risk components | Likelihood & impact |
| Key risk threshold | Score ≥6 (1–3 grid; max 9) |
| Control score | Inherent minus residual risk |
| 4 T's | Transfer · Tolerate · Terminate · Treat |
| COSO 5 components | Control environment · risk assessment · control activities · info & communication · monitoring |
| Control types | Preventive · Detective · Reconstructive |
| Controls best when | "Built in," not "superimposed" |
Management of Internal Audit in Government
Vision: "As a professional accounting organization, our vision is to strengthen governance through excellence in public financial management." One mission limb is squarely about audit: "Develop new paradigms of internal audit for improved transparency and accountability." The IAD's own stated mission is to provide "dynamic leadership" for Government internal auditing in India.
Reporting by CGA to the Expenditure Secretary
The CGA has a direct relationship with the Secretary (Expenditure), M/o Finance, and submits the Annual Review — a consolidation of the Annual Reviews received from line Ministries. The IAD compiles an "Annual Review at a Glance" summarising important observations and reflecting financial implications above Rupees One Crore.
Mandate of internal audit & the Audit Committee
The requirements are detailed in a clearly defined Audit Mandate, which the Internal Audit Charter formally documents. An Audit Committee is constituted in each Ministry for oversight, with this composition:
| Role | Office holder |
|---|---|
| Chairperson | Secretary of the Ministry/Department |
| Vice-Chairperson | Financial Advisor |
| Convener / Member Secretary | CCA / CA (the CAE), or an officer nominated by the CAE |
| Members | Programme Division Heads; plus subject-matter experts (e.g. a Gender Audit or Internal Audit expert) where necessary |
Ensure an effective Risk Management system; supervise the IAW & set priorities; provide strategic direction & resources; approve the Internal Audit Charter; approve the Annual Internal Audit Plan; evaluate IAW performance & guide improvement; ensure observations are implemented; determine modalities to resolve key audit issues. The committee may also assign special audits on which the CAE reports directly to it within a prescribed time-frame.
The Internal Audit Charter
The Charter is the reference point for internal audit at the Ministry — it defines purpose, authority & responsibility, sets functional & administrative reporting lines, establishes the IAW's position, authorises access to records/personnel/property, and is the foundation for the Annual Audit Plan. It must be gender inclusive and approved by the Audit Committee. The 2006 revised charter moved audit beyond compliance to:
- Appraisal, monitoring & evaluation of individual schemes.
- Assessment of adequacy & effectiveness of internal controls and soundness of financial systems.
- Identification & monitoring of risk factors (including those in the Outcome Budget).
- Critical assessment of economy, efficiency & effectiveness of service delivery — value for money.
- Providing an effective monitoring system to facilitate mid-course corrections.
CGA guidelines recommend utilising 60% of working days for Risk-Based Internal Audit of Schemes and 40% for Compliance/Regularity Audit — and planning for both follows a risk-based approach. Reports should be prepared within one week and issued after the CAE's approval. An auditor must not audit his own decision, nor a unit where he worked within the past one year.
Reporting lines under the Charter: the IAW is headed by a Pr.CCA/CCA/CA acting as CAE; administratively the CAE reports to the Secretary through the Financial Advisor, while functionally the IAW reports to the Audit Committee. The IAD in O/o CGA is structured in three sections — (i) Centre of Excellence, (ii) Planning & Coordination, (iii) Inspection Wing. Each Ministry also has an Internal Audit Management Team headed by the CAE for closer supervision & quality assurance.
Managing the activity & the documentation policy
To add value, the CAE (per IIA Standards 2000–2060): establishes a risk-based plan; communicates plans & resource needs (Std 2020); ensures resources are appropriate, sufficient & effectively deployed (Std 2030); establishes guidelines & procedures (Std 2040); shares information & relies on other assurance providers (Std 2050) — while remaining accountable for the conclusions; and reports periodically (Std 2060) on purpose, authority, responsibility & performance, including any risk management deems unacceptable.
The CAE approves a documentation policy covering: the need to document sufficient, reliable, relevant information; controlled access (the CAE obtains approval of senior management and/or legal counsel before releasing records to external parties); and retention requirements regardless of storage medium — consistent with Ministry guidelines and regulatory requirements.
KPIs & dashboards — the six IA-CM elements
KPIs are organised around the six elements of the Internal Audit Capability Model for the public sector:
Completed vs planned assignments; man-days utilised; % consulting & % RBIA assignments; recommendations by H/M/L; impact (recoveries, overpayments, idle machinery, irregular expenditure); client satisfaction.
Staff utilisation; training plan vs actual; staffing requirement & authorised vs actual; appropriately qualified vs total; persons recognised for certification.
IA-CM assessment & action plans; QAIP; gap analysis against the Handbook.
MIS periodicity; stakeholder feedback; ability to meet plans; risks mitigated, cost-saving & recovery opportunities.
Org structure plan vs actual; CAE in the management team; access to information/people; relations with external auditors.
How the CAE fits in; reporting relationship; how independence is assured. Audit Committee KPIs: meeting frequency, attendance, induction of external SMEs.
Chapter 3 Quiz — committee, charter & KPIs
Eight questions from Chapter 3. Pick an answer to lock it; the explanation appears below.
| Concept | Key Fact |
|---|---|
| CGA reports to | Secretary (Expenditure), M/o Finance |
| "At a Glance" threshold | Financial implications above Rs 1 Crore |
| Annual Review reaches CGA by | 31 May (Exhibit I format) |
| Audit Committee Chair | Secretary of the Ministry |
| Vice-Chair / Convener | Financial Advisor / CCA-CA (CAE) |
| Committee approves | The Charter & the Annual Audit Plan |
| Charter defines | Purpose, authority, responsibility |
| The 60/40 rule | 60% RBIA of schemes · 40% compliance/regularity |
| Reports prepared within | One week |
| Independence rule | No self-audit; no unit worked in within past 1 year |
| IAD three sections | CoE · Planning & Coordination · Inspection Wing |
| IA-CM elements | 6 (drive the KPI dashboard) |
Other Domains of Internal Audit
Gender Audit
Mandate — Gender Audit is inclusive in two of the audit types.
| As part of… | Objective |
|---|---|
| Compliance Audit | Ensure adherence to constitutional provisions and Government regulations/procedures from a gender-sensitive perspective. |
| Performance Audit | Assess the economy, efficiency & effectiveness of gender equality in a project/programme (most performance audits do not focus on gender-equality results). |
Every gender-audit checklist (built at the planning stage, encoded by serial numbers) has five sections:
(i) scope,
(ii) evidence collection,
(iii) audit tests,
(iv) analysis of results,
(v) conclusion.
For beneficiary-oriented schemes, evidence collection must include sex-disaggregated data; both direct and indirect (proxy) evidence is collected.
The expected output is three-fold: an insight into the status of gender mainstreaming in the scheme; a pool of information on gender mainstreaming for discussion & analysis; and a participatory process that builds organisational ownership of the gender-equality objective.
IT Audit framework
IT Audit Risk (early stages → engage SMEs); understanding the technology environment; auditing in a Big Data environment with integrated auditing; identifying IT risks & controls — General Computer Controls (GCC) are reviewed first because they form the basis of the IT control environment; the interplay between manual and automated controls; and using technology as an audit opportunity (CAATs).
Performing the IT audit
IT audits draw on the IIA's GTAGs (Global Technology Audit Guides) — e.g. GTAG 5 (managing & auditing IT risks), GTAG 6 (IT vulnerabilities), GTAG 9 (identity & access management), GTAG 10 (business continuity), GTAG 11 (developing an IT audit plan), GTAG 12 (auditing IT projects), GTAG 13 (fraud prevention in an automated world) — plus GAIT for IT general controls. Until Ministries build capability, the CoE in O/o CGA develops an in-house team or outsources to specialist firms, and compiles a library of sample IT Audit Reports.
Audit of Governance Processes
The IAW supports three governance roles — oversight, insight, foresight.
| Role | What it does |
|---|---|
| Oversight | Whether Ministries are doing what they should — serves to detect & deter public corruption; verifies spending for the intended purpose. |
| Insight | An independent assessment of which programs & policies are working and which are not; benchmarking & best practice. |
| Foresight | Identifies trends & emerging challenges (demographic, economic, security) in implementing PPS. |
Assess how the Ministry:
(1) promotes ethics & values (code of conduct, RTI, anti-fraud/whistleblowing, hotline);
(2) ensures performance management & accountability (objective-setting, KPIs);
(3) communicates risk & control information to appropriate areas; and
(4) coordinates activities among the board, external/internal auditors & management.
Beyond these, the chapter distinguishes Detection (identifying inappropriate/illegal/fraudulent acts already transpired — e.g. payroll, accounts-payable, IS-security audits) from Deterrence (reducing the conditions that allow corruption — assessing controls, reviewing contracts for conflicts of interest). Auditors may give advisory, assistance or investigative services, but may not make management decisions or assume a management role, and must keep independence for subsequent audits — in short, they should not audit their own work.
Chapter 4 Quiz — Gender, IT & Governance audits
Seven questions from Chapter 4. Pick an answer to lock it; the explanation appears below.
| Concept | Key Fact |
|---|---|
| Three domains | Gender · IT · Governance |
| Gender Budgeting adopted | 2005; commitment in 11th Plan (2007–12) |
| Gender audit mandate | Both Compliance & Performance audit |
| Audit checklist sections | Scope · evidence · tests · analysis · conclusion |
| Gender evidence needs | Sex-disaggregated data |
| IT Audit assures | Confidentiality · Integrity · Availability (CIA) |
| Reviewed first in IT | GCC (General Computer Controls) |
| IT guidance | GTAGs (5,6,9,10,11,12,13) & GAIT |
| Governance = | Processes & structures to inform, direct, manage, monitor |
| Three governance roles | Oversight · Insight · Foresight |
| Four governance objectives | Ethics · performance/accountability · risk communication · coordination |
| Advisory limit | No management role; no auditing own work |
Quality Assurance
QA matters because audit engagements review the use of public money and must be done with due regard for ethics, economy, efficiency & effectiveness. Its benefits: consistent application of processes, standardisation & completeness of documentation, adequate linkage of recommendations to working papers, and enhanced credibility — increasing the effectiveness of supervisory elements and the reliability of reports.
Hierarchy of Quality Assurance elements
| Control element | Covers | Source / who reviews | Assurance level |
|---|---|---|---|
| Professionalism (Due Care) | The individual auditor's work | Individual | Individual Auditor |
| Supervisory Review | The engagement | Supervisor within the line of responsibility | Audit Function Management |
| Internal Review | Aggregate of engagements / divisional offices | Supervisor/peer outside the line of responsibility | Chief Audit Executive |
| External Review | The audit function as a whole | Qualified persons from outside the Ministry | Audit Committee |
Self, peer & external reviews
The responsibility of the Chief Audit Executive; built into ongoing supervision & monitoring.
Conducted by members of IAWs of (other) Ministries/Departments.
Done by O/o CGA or outsourced reviewers from the IIA — examines the audit plan, working papers, report & follow-up; can be before or after reports are finalised; deficiencies rectified timely.
Statutory interface, confidentiality & work papers
Internal audit must develop synergy with statutory audit, the two complementing each other. The Audit Committee reviews statutory observations too; the IAW maintains a DDO-wise count of outstanding objections from the Test Audit Notes issued by statutory audit, and monitors settlement. Auditors must respect the confidentiality of information — used only for the purpose obtained, disclosed only with proper authorisation.
The two working-paper files — same split that appears in the Manual.
| File | Typical contents |
|---|---|
| Permanent Audit File | Organisational chart; descriptions of schemes/programs/systems/procedures & business plans; corrective action plans; legal & regulatory issues; risk assessment; correspondence of continuing interest; updated audit programmes. |
| Current Audit File | Draft & final report copies; significant findings & how resolved; planning documentation; administration correspondence; follow-up of previous reports; updated programmes; supporting documentation; minutes of entry & exit meetings. |
Ten Things Not to Say in an Internal Audit Report
Richard Chambers' reflections, embedded in the Handbook as a reporting-quality aid:
- Don't say "Management should consider…" — offer solid, specific recommendations, not a nebulous call to action.
- Don't use "weasel words" ("it seems that," "our impression is," "there appears to be") — they make solid recommendations sound like hunches.
- Use "intensifiers" sparingly ("clearly," "significant," "very large") — numbers like 23% or $3 billion tell a story; vague intensifiers don't.
- The problem is rarely universal — avoid "everything," "nothing," "never," "always."
- Avoid the "blame game" — get to the root cause, not "it was Fred's fault."
- Don't say "management failed" — state the condition without assigning blame.
- "Auditee" is old-school — prefer "audit client" / "audit customer"; audit is collaborative.
- Avoid unnecessary technical jargon ("asynchronous transfer mode," "stratified sampling methodology").
- Avoid taking all the credit — "internal audit found / we found" can sound like throwing management under the bus.
- If it sounds impressive, you probably need a re-write — apply the "fifth-grader test": if a middle-schooler can't understand it, it's too complicated.
Chapter 5 Quiz — QA hierarchy, reviews & reporting
Seven questions from Chapter 5. Pick an answer to lock it; the explanation appears below.
| Concept | Key Fact |
|---|---|
| QA benefits | Consistency · standardisation · linkage · credibility |
| QA hierarchy (4 levels) | Professionalism · Supervisory · Internal · External review |
| Self-assessment by | The CAE |
| Peer review by | Members of IAWs of Ministries |
| External review by | O/o CGA or IIA reviewers |
| Statutory interface | Maintain DDO-wise count of outstanding objections (Test Audit Notes) |
| Two working-paper files | Permanent & Current |
| "Ten Things" author | Richard Chambers |
| The readability test | The "fifth-grader" test |
Human Resource Management
HR planning — staffing the wing
Each Department must have a dedicated IAW staffed by auditors & supervisors at Group A, B and C levels in adequate numbers, assessed rationally and scientifically. Parameters for setting staffing requirements:
- UNITSNumber of audit units, and number of employees in each unit.
- BUDGETBudget of each audit unit, and the inherent risks in its functioning.
- TIMETime to complete an engagement (incl. travel) and for report writing.
- CPETime reserved for training & continuous professional education, and the period spent on leave.
- EXTRANature & length of assignments, plus additional special audits; staff requirement reviewed at periodic intervals.
Manpower is worked out from these parameters plus the number of auditee units identified for annual, biennial and triennial audit, the audit man-days required, and the available working days in a calendar year. The numbers vary by Ministry; only generic parameters are given, and forming the team is the CAE's responsibility.
External service providers
With increasingly complex operations, the CAE may hire individuals/firms with the requisite skills, after adhering to GFR provisions and Government orders. The CAE assesses their competency, independence & objectivity against experience, education, training and professional membership. Consultants work under the CAE's overall control, and responsibility for quality & timely delivery remains with the CAE.
Skills, training & proficiency
With RBIA, computerisation, governance thrust and Big Data, auditors must be trained extensively in seven areas:
Auditors are encouraged to pursue certifications — the Certified Internal Auditor (CIA) and CGAP designations — and must continue their education (CPE) to stay current with the IIA's IPPF guidance. The internal audit activity must collectively possess the necessary knowledge, skills & competencies — an annual analysis identifies gaps to fill by development, recruiting or co-sourcing. Maintaining proficiency also covers the knowledge to identify indicators of fraud, knowledge of key IT risks/controls, understanding of Government rules for assessing materiality of deviations, and strong people & communication skills.
Competency planning & the Professional Development Plan
The five stages of competency planning.
- Establish the vision & desired capability level of the Internal Audit Department.
- Develop a strategic competency plan.
- Identify existing competencies.
- Identify competency gaps.
- Develop an action plan to fill the gaps — "buy, build, retain" people strategies.
The four steps to establish the Professional Development Plan (a strategic driver presented to the Audit Committee):
Time-tested methods for developing & retaining quality professionals: challenging, varied assignments; quality supervision; participation across audit phases; opportunities to lead; involvement in QA-review prep & Departmental task forces; rotation through teams/programs; and participation in annual risk-assessment activities.
Chapter 6 Quiz — staffing, skills & development
Seven questions from Chapter 6. Pick an answer to lock it; the explanation appears below.
| Concept | Key Fact |
|---|---|
| Three evaluation parameters | Staffing levels · qualifications · utilization rates |
| Staff levels | Group A, B and C officials |
| Audit periodicity classes | Annual · biennial · triennial |
| External providers — GFR | Hired per GFR; CAE retains responsibility for quality |
| Seven training areas | Controls · RBIA · standards · sampling · reporting · CAATs · perf/governance |
| Certifications | CIA & CGAP; ongoing CPE |
| Competency planning | 5 stages → "buy, build, retain" |
| Development plan | 4 steps; presented to Audit Committee |
Exhibits & Glossary
| # | Exhibit | What it contains |
|---|---|---|
| I | Annual Review Format for IAW | The prescribed format submitted to O/o CGA by 31 May. Three chapters: executive summary & performance; summary of paras; and the list of important irregularities (non-recovery of Govt dues, overpayment, idle machinery/surplus stores, loss/infructuous stores). |
| II | Internal Audit Report Template | The sample structure for an internal audit report. |
| III | Role of Financial Advisor | The Redefined Charter for Financial Advisers (OM F.No.5(6)/L&C/2006, dated 1 June 2006) — the scheme of the Integrated Financial Adviser. |
| IV | Steps on Risk Based Audit | The detailed three-stage RBIA methodology and the five-level risk-maturity ladder (see §7.2 below). |
| V | Vulnerable Areas of IT | Sample survey for identifying vulnerable areas of IT (and the IT Audit Universe). |
| VI | Sample Risk Register | A sample risk register for Ministries/Departments — maps risks, impact/likelihood, existing & required controls, residual risk, control owner & timeline. |
RBIA stages & the maturity ladder (Exhibit IV)
Before commencing RBIA, the CAE presents the benefits and challenges to the Ministry and prepares a register of significant risks and audit activities — the Risk and Audit Universe (RAU). The three stages:
The five levels of risk maturity (IIA position statement) — they depend on the design & effectiveness of the ERM system.
| Level | Meaning |
|---|---|
| Risk Naïve | No formal approach to risk management developed. |
| Risk Aware | Scattered, silo approach to risk management; no risk register, only a few managers have determined their risks. |
| Risk Defined | Strategy & policies defined and communicated. |
| Risk Managed | Enterprise-wide approach developed and communicated. |
| Risk Enabled | Risk management & internal control fully embedded in operations. |
For Departments subject to risk-management regulations, the "risk naïve" and "risk aware" levels are not acceptable, and the Audit Committee must be told. At low maturity, internal audit should not determine risks without Ministry involvement or maintain its own list — that reinforces the false belief that internal audit owns risk management. But where the Ministry cannot participate, the IAW may prepare its own Risk Registers, share them, and conclude (after a specified reasonable period without feedback) that its assessment is acceptable — a short-term solution only.
Glossary of key terms
The Handbook's glossary supplies the precise wording of the key terms used throughout. The principal terms:
| Term | Definition |
|---|---|
| Add Value | Facilitate achievement of objectives by identifying areas & recommending measures to reduce risk and/or improve operations. |
| Audit Observation | Any identified & validated gap between the current and desired state arising from an engagement. |
| Audit Sampling | Auditing a part of a population to draw an inference about the entire population. |
| Criteria | The standards/measures used in evaluation — "what should exist." |
| Condition | The factual evidence the auditor found — "what does exist." |
| Cause | The reason(s) for the difference between expected and actual conditions. |
| Effect / Consequence | The risk or exposure arising from the variance between condition and criteria. |
| Residual Risk | The portion of inherent risk remaining after management executes its risk-management process. |
| Reasonable Assurance | A level of assurance supported by generally accepted procedures and judgments. |
| Internal Control | A process providing reasonable assurance on effectiveness/efficiency of operations, reliability of financial reporting, and compliance with laws. |
| Gender Mainstreaming | Incorporating a gender-equality perspective at all levels/stages of policy; ultimate goal is gender equality. |
| Risk Response (Mitigation) | Action to achieve a risk strategy — avoidance, reduction, sharing or acceptance. |
| Fraud | Any illegal act to obtain money/property/services, avoid payment, or secure personal/business advantage. |
Exhibits Quiz — Exhibits, RBIA stages & glossary
Eight questions from the Exhibits & glossary. Pick an answer to lock it; the explanation appears below.
| Concept | Key Fact |
|---|---|
| Total Exhibits | 6 (I–VI) |
| Exhibit I | Annual Review Format (due 31 May) |
| Exhibit III | Redefined Charter for Financial Advisers (1 June 2006) |
| Exhibit IV | RBIA steps & maturity ladder |
| Exhibit VI | Sample Risk Register |
| RBIA three stages | Assess maturity → produce plan/RAU → assurance audits |
| 5 maturity levels | Naïve · Aware · Defined · Managed · Enabled |
| Naïve/Aware acceptable? | No for regulated Departments — tell the Committee |
| Criteria / Condition | "Should exist" / "What exists" |
| Residual risk | Inherent risk remaining after risk management |