{"id":12845,"date":"2026-06-08T12:22:41","date_gmt":"2026-06-08T12:22:41","guid":{"rendered":"https:\/\/promotionexams.com\/?page_id=12845"},"modified":"2026-06-08T12:25:45","modified_gmt":"2026-06-08T12:25:45","slug":"generic-internal-audit-manual-2","status":"publish","type":"page","link":"https:\/\/promotionexams.com\/?page_id=12845","title":{"rendered":"Generic Internal Audit Manual"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-page\" data-elementor-id=\"12845\" class=\"elementor elementor-12845\">\n\t\t\t\t<div class=\"elementor-element elementor-element-40f2276 e-con-full e-flex e-con e-parent\" data-id=\"40f2276\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-5c67fd1 elementor-widget elementor-widget-html\" data-id=\"5c67fd1\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"html.default\">\n\t\t\t\t\t<!DOCTYPE html>\r\n<html lang=\"en\">\r\n<head>\r\n<meta charset=\"UTF-8\">\r\n<meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\">\r\n<title>Generic Internal Audit Manual for Central Civil Ministries \u2014 Study Notes<\/title>\r\n<style>\r\n.elementor-section.elementor-section-stretched,\r\n    .elementor-section-full_width,\r\n    .elementor-container,\r\n    .elementor-column,\r\n    .elementor-column-wrap,\r\n    .elementor-widget-wrap,\r\n    .elementor-element {\r\n        padding: 0 !important;\r\n        margin: 0 !important;\r\n        gap: 0 !important;\r\n    }\r\n  *, *::before, *::after { box-sizing: border-box; margin: 0; padding: 0; }\r\n  :root {\r\n    --navy:   #0f2a4a;\r\n    --blue:   #1a5fa8;\r\n    --sky:    #2d8ecf;\r\n    --teal:   #0e8f7a;\r\n    --amber:  #c97c10;\r\n    --red:    #c0392b;\r\n    --gold:   #c89b0a;\r\n    --purple: #7e3eb5;\r\n    --text:   #1c2b3a;\r\n    --muted:  #5a6d80;\r\n    --border: #e0e8f0;\r\n  }\r\n  html { scroll-behavior: smooth; }\r\n  body {\r\n    font-family: 'DM Sans', -apple-system, BlinkMacSystemFont, 'Segoe UI', sans-serif;\r\n    background: #ffffff;\r\n    color: var(--text);\r\n    font-size: 15px;\r\n    line-height: 1.85;\r\n  }\r\n  a { text-decoration: none; color: inherit; }\r\n\r\n  \/* \u2500\u2500 HERO \u2500\u2500 *\/\r\n  .hero {\r\n    width: 100%;\r\n    background: linear-gradient(130deg, #0f2a4a 0%, #1a5fa8 38%, #7e3eb5 78%, #c89b0a 100%);\r\n    padding: 60px 48px 56px;\r\n    color: #fff;\r\n    position: relative;\r\n    overflow: hidden;\r\n  }\r\n  .hero::before {\r\n    content: ''; position: absolute; inset: 0;\r\n    background: url(\"data:image\/svg+xml,%3Csvg width='60' height='60' viewBox='0 0 60 60' xmlns='http:\/\/www.w3.org\/2000\/svg'%3E%3Cg fill='none'%3E%3Cg fill='%23ffffff' fill-opacity='0.05'%3E%3Cpath d='M36 34v-4h-2v4h-4v2h4v4h2v-4h4v-2h-4zm0-30V0h-2v4h-4v2h4v4h2V6h4V4h-4zM6 34v-4H4v4H0v2h4v4h2v-4h4v-2H6zM6 4V0H4v4H0v2h4v4h2V6h4V4H6z'\/%3E%3C\/g%3E%3C\/g%3E%3C\/svg%3E\");\r\n    pointer-events: none;\r\n  }\r\n  .hero::after {\r\n    content: ''; position: absolute; right: -80px; top: -100px;\r\n    width: 500px; height: 500px; border-radius: 50%;\r\n    background: radial-gradient(circle, rgba(255,255,255,0.10) 0%, transparent 65%);\r\n    pointer-events: none;\r\n  }\r\n  .hero-inner { max-width: 1100px; margin: 0 auto; position: relative; z-index: 1; }\r\n  .hero-grid {\r\n    display: grid;\r\n    grid-template-columns: 1fr 320px;\r\n    gap: 36px;\r\n    align-items: center;\r\n  }\r\n  .hero-text { min-width: 0; }\r\n  .hero-illustration {\r\n    width: 320px; max-width: 100%;\r\n    filter: drop-shadow(0 10px 22px rgba(0,0,0,0.22));\r\n    animation: heroFloat 6s ease-in-out infinite;\r\n  }\r\n  .hero-illustration svg { width: 100%; height: auto; display: block; }\r\n  @keyframes heroFloat {\r\n    0%, 100% { transform: translateY(0); }\r\n    50%      { transform: translateY(-6px); }\r\n  }\r\n  .hero-kicker {\r\n    display: inline-block;\r\n    background: rgba(255,255,255,0.18); color: #fff;\r\n    font-size: 11px; font-weight: 700;\r\n    padding: 6px 14px; border-radius: 20px;\r\n    letter-spacing: 0.14em; text-transform: uppercase;\r\n    margin-bottom: 18px;\r\n    backdrop-filter: blur(4px);\r\n  }\r\n  .hero h1 {\r\n    font-family: 'Crimson Pro', Georgia, serif;\r\n    font-size: clamp(28px, 4.2vw, 44px);\r\n    font-weight: 700; line-height: 1.2;\r\n    margin-bottom: 14px; color: #fff;\r\n    text-shadow: 0 2px 8px rgba(0,0,0,0.18);\r\n  }\r\n  .hero-sub { font-size: 15px; opacity: 0.92; margin-bottom: 24px; max-width: 720px; color: #fff; }\r\n  .hero-pills { display: flex; flex-wrap: wrap; gap: 8px; }\r\n  .hero-pill {\r\n    background: rgba(255,255,255,0.18);\r\n    border: 1px solid rgba(255,255,255,0.30);\r\n    color: #fff; font-size: 12px; font-weight: 600;\r\n    padding: 6px 14px; border-radius: 20px;\r\n    backdrop-filter: blur(6px);\r\n  }\r\n\r\n  \/* \u2500\u2500 BREADCRUMB \u2500\u2500 *\/\r\n  .breadcrumb-bar { background: #fff; border-bottom: 1px solid var(--border); padding: 10px 48px; }\r\n  .breadcrumb-inner {\r\n    max-width: 1100px; margin: 0 auto;\r\n    font-size: 12.5px; color: #aaa;\r\n    display: flex; align-items: center; gap: 6px;\r\n  }\r\n  .breadcrumb-inner a { color: var(--blue); }\r\n  .breadcrumb-inner a:hover { text-decoration: underline; }\r\n  .breadcrumb-inner .sep { color: #ddd; }\r\n\r\n  \/* \u2500\u2500 LAYOUT \u2500\u2500 *\/\r\n  .layout {\r\n    max-width: 1100px; margin: 0 auto;\r\n    padding: 44px 48px 88px;\r\n    display: grid;\r\n    grid-template-columns: 256px 1fr;\r\n    gap: 56px;\r\n    align-items: start;\r\n  }\r\n\r\n  \/* \u2500\u2500 CHAPTER HEADING \u2500\u2500 *\/\r\n  .chapter-heading-block {\r\n    display: flex; align-items: center; gap: 14px;\r\n    margin: 52px 0 22px;\r\n    padding-bottom: 14px;\r\n    border-bottom: 2.5px solid var(--navy);\r\n  }\r\n  .chapter-heading-block:first-child { margin-top: 0; }\r\n  .chapter-badge {\r\n    background: var(--navy); color: #fff;\r\n    font-size: 10px; font-weight: 700;\r\n    padding: 5px 16px; border-radius: 4px;\r\n    letter-spacing: 0.1em; text-transform: uppercase;\r\n    white-space: nowrap; flex-shrink: 0;\r\n  }\r\n  .chapter-heading-block h2 {\r\n    font-family: 'Crimson Pro', Georgia, serif;\r\n    font-size: 23px; font-weight: 700; color: var(--navy); margin: 0;\r\n  }\r\n\r\n  \/* \u2500\u2500 SECTION HEADING \u2500\u2500 *\/\r\n  .section-heading-block {\r\n    display: flex; align-items: center; gap: 12px;\r\n    margin: 38px 0 14px;\r\n  }\r\n  .section-badge {\r\n    background: var(--blue); color: #fff;\r\n    font-size: 9.5px; font-weight: 700;\r\n    padding: 4px 12px; border-radius: 3px;\r\n    letter-spacing: 0.08em; white-space: nowrap; flex-shrink: 0;\r\n  }\r\n  .section-badge.amber  { background: var(--amber); }\r\n  .section-badge.teal   { background: var(--teal); }\r\n  .section-badge.purple { background: var(--purple); }\r\n  .section-badge.red    { background: var(--red); }\r\n  .section-badge.gold   { background: var(--gold); }\r\n  .section-heading-block h3 { font-size: 17px; font-weight: 700; color: var(--navy); margin: 0; }\r\n\r\n  .article h4 { font-size: 14.5px; font-weight: 700; color: var(--navy); margin: 22px 0 10px; }\r\n  .article p { color: #2c3e50; margin-bottom: 12px; text-align: justify; hyphens: auto; }\r\n  .article strong { color: #111; }\r\n\r\n  \/* \u2500\u2500 ICON LIST \u2500\u2500 *\/\r\n  .icon-list { list-style: none; margin: 0 0 14px; display: flex; flex-direction: column; gap: 8px; }\r\n  .icon-list li { display: flex; align-items: flex-start; gap: 10px; font-size: 15px; color: #2c3e50; line-height: 1.78; text-align: justify; }\r\n  .icon-list li .ico { font-size: 15px; flex-shrink: 0; margin-top: 4px; width: 20px; text-align: center; }\r\n\r\n  \/* \u2500\u2500 CALLOUT \u2500\u2500 *\/\r\n  .callout {\r\n    border-left: 3px solid var(--blue);\r\n    padding: 14px 18px; margin: 16px 0 20px;\r\n    background: #f8fbff; border-radius: 0 6px 6px 0;\r\n  }\r\n  .callout.amber  { border-left-color: var(--amber);  background: #fffbf5; }\r\n  .callout.red    { border-left-color: var(--red);    background: #fff8f7; }\r\n  .callout.teal   { border-left-color: var(--teal);   background: #f4fdf9; }\r\n  .callout.purple { border-left-color: var(--purple); background: #faf6ff; }\r\n  .callout.gold   { border-left-color: var(--gold);   background: #fffcf0; }\r\n  .callout-label {\r\n    font-size: 10px; font-weight: 700; text-transform: uppercase;\r\n    letter-spacing: 0.12em; margin-bottom: 8px; color: var(--blue);\r\n  }\r\n  .callout.amber  .callout-label { color: var(--amber); }\r\n  .callout.red    .callout-label { color: var(--red); }\r\n  .callout.teal   .callout-label { color: var(--teal); }\r\n  .callout.purple .callout-label { color: var(--purple); }\r\n  .callout.gold   .callout-label { color: #8a6a00; }\r\n  .callout p { text-align: justify; }\r\n\r\n  \/* \u2500\u2500 DEFINITION CARD \u2500\u2500 *\/\r\n  .def-card {\r\n    background: linear-gradient(135deg, #fffcf0 0%, #fff7e0 100%);\r\n    border: 1.5px solid #e8c87a;\r\n    border-radius: 12px; padding: 22px 26px;\r\n    margin: 18px 0 26px; position: relative;\r\n  }\r\n  .def-card::before {\r\n    content: '\\201C';\r\n    position: absolute; top: 6px; left: 14px;\r\n    font-family: Georgia, serif;\r\n    font-size: 60px; color: rgba(200,155,10,0.25); line-height: 1;\r\n  }\r\n  .def-card .def-label {\r\n    font-size: 10.5px; font-weight: 700; text-transform: uppercase;\r\n    letter-spacing: 0.14em; color: #8a6a00; margin-bottom: 8px;\r\n    position: relative; z-index: 1;\r\n  }\r\n  .def-card .def-text {\r\n    font-size: 15px; color: #4a3500; line-height: 1.78;\r\n    position: relative; z-index: 1;\r\n    text-align: justify;\r\n  }\r\n\r\n  \/* \u2500\u2500 FLOW \u2500\u2500 *\/\r\n  .flow { display: flex; flex-direction: column; margin: 18px 0 24px; }\r\n  .flow-step { display: flex; align-items: flex-start; gap: 18px; position: relative; }\r\n  .flow-step:not(:last-child)::after {\r\n    content: ''; position: absolute; left: 19px; top: 42px;\r\n    width: 2px; height: calc(100% - 6px);\r\n    background: linear-gradient(180deg, var(--blue) 0%, #d0dce6 100%);\r\n  }\r\n  .flow-num {\r\n    width: 40px; height: 40px; border-radius: 50%;\r\n    background: var(--blue); color: #fff;\r\n    display: flex; align-items: center; justify-content: center;\r\n    font-weight: 700; font-size: 14px; flex-shrink: 0;\r\n  }\r\n  .flow-content { flex: 1; padding: 8px 0 26px; }\r\n  .flow-content h5 { font-size: 14.5px; font-weight: 700; color: var(--navy); margin-bottom: 4px; }\r\n  .flow-content p { font-size: 14px; color: var(--muted); margin: 0; }\r\n\r\n  \/* \u2500\u2500 COMPARE TABLE \u2500\u2500 *\/\r\n  .compare-table { width: 100%; border-collapse: collapse; margin: 16px 0 24px; border-radius: 8px; overflow: hidden; border: 1px solid var(--border); }\r\n  .compare-table thead tr { background: var(--navy); color: #fff; }\r\n  .compare-table th { padding: 12px 16px; text-align: left; font-size: 12.5px; font-weight: 700; }\r\n  .compare-table td { padding: 11px 16px; font-size: 14px; border-bottom: 1px solid var(--border); color: #2c3e50; vertical-align: top; }\r\n  .compare-table tr:nth-child(even) td { background: #f9fbfd; }\r\n  .compare-table td.label-cell { font-weight: 700; color: var(--navy); background: #f1f5f9 !important; width: 22%; }\r\n\r\n  \/* \u2500\u2500 PARTS LIST \u2500\u2500 *\/\r\n  .parts-list {\r\n    list-style: none; counter-reset: parts;\r\n    margin: 14px 0 22px;\r\n    display: flex; flex-direction: column; gap: 12px;\r\n  }\r\n  .parts-list > li {\r\n    background: #fff;\r\n    border: 1.5px solid var(--border);\r\n    border-radius: 10px;\r\n    padding: 16px 18px 16px 60px;\r\n    position: relative;\r\n    font-size: 14.5px; color: #2c3e50;\r\n    line-height: 1.72;\r\n    counter-increment: parts;\r\n    text-align: justify;\r\n  }\r\n  .parts-list > li::before {\r\n    content: counter(parts, lower-alpha);\r\n    position: absolute; left: 16px; top: 16px;\r\n    width: 32px; height: 32px;\r\n    background: var(--blue); color: #fff;\r\n    border-radius: 50%;\r\n    display: flex; align-items: center; justify-content: center;\r\n    font-size: 14px; font-weight: 700;\r\n    font-family: 'JetBrains Mono', monospace;\r\n  }\r\n  .parts-list.roman > li::before { content: counter(parts, lower-roman); font-size: 12px; }\r\n  .parts-list.decimal > li::before { content: counter(parts); font-size: 13px; }\r\n  .parts-list.teal > li::before { background: var(--teal); }\r\n  .parts-list.amber > li::before { background: var(--amber); }\r\n  .parts-list.purple > li::before { background: var(--purple); }\r\n  .parts-list.red > li::before { background: var(--red); }\r\n  .parts-list.gold > li::before { background: var(--gold); }\r\n  .parts-list > li strong { color: var(--navy); }\r\n\r\n  \/* \u2500\u2500 NUMBERED LIST (slim) \u2500\u2500 *\/\r\n  .num-list { list-style: none; counter-reset: numlist; margin: 14px 0 18px; }\r\n  .num-list li {\r\n    counter-increment: numlist;\r\n    display: flex; align-items: flex-start; gap: 12px;\r\n    margin-bottom: 8px; font-size: 14.5px; color: #2c3e50;\r\n    line-height: 1.75;\r\n    text-align: justify;\r\n  }\r\n  .num-list li::before {\r\n    content: counter(numlist);\r\n    background: var(--blue); color: #fff;\r\n    width: 26px; height: 26px; border-radius: 50%;\r\n    display: flex; align-items: center; justify-content: center;\r\n    font-size: 12px; font-weight: 700; flex-shrink: 0; margin-top: 2px;\r\n    font-family: 'JetBrains Mono', monospace;\r\n  }\r\n  .num-list.amber li::before { background: var(--amber); }\r\n  .num-list.teal li::before { background: var(--teal); }\r\n\r\n  \/* \u2500\u2500 HIGHLIGHT BOX \u2500\u2500 *\/\r\n  .highlight-box {\r\n    background: linear-gradient(135deg, #f0f7ff 0%, #e8f1fc 100%);\r\n    border-left: 4px solid var(--blue);\r\n    border-radius: 0 10px 10px 0;\r\n    padding: 16px 20px;\r\n    margin: 16px 0 22px;\r\n  }\r\n  .highlight-box .hl-label {\r\n    font-size: 10px; font-weight: 700; text-transform: uppercase;\r\n    letter-spacing: 0.12em; color: var(--blue); margin-bottom: 6px;\r\n  }\r\n  .highlight-box .hl-text { font-size: 14.5px; color: #2c3e50; line-height: 1.72; text-align: justify; }\r\n\r\n  \/* \u2500\u2500 STAT GRID \u2500\u2500 *\/\r\n  .stat-grid { display: grid; grid-template-columns: repeat(4, 1fr); gap: 12px; margin: 18px 0 26px; }\r\n  .stat-card {\r\n    background: #fff; border: 1.5px solid var(--border);\r\n    border-radius: 10px; padding: 16px;\r\n    text-align: center;\r\n  }\r\n  .stat-card.b { border-color: #9dc3ec; background: #f0f7ff; }\r\n  .stat-card.t { border-color: #7fd3c5; background: #f0fdf8; }\r\n  .stat-card.a { border-color: #f0d58a; background: #fffbf0; }\r\n  .stat-card.r { border-color: #f5a0a0; background: #fff5f5; }\r\n  .stat-card .stat-num {\r\n    font-family: 'JetBrains Mono', monospace;\r\n    font-size: 22px; font-weight: 700;\r\n    color: var(--navy); line-height: 1.1;\r\n    margin-bottom: 6px;\r\n  }\r\n  .stat-card.b .stat-num { color: var(--blue); }\r\n  .stat-card.t .stat-num { color: var(--teal); }\r\n  .stat-card.a .stat-num { color: var(--amber); }\r\n  .stat-card.r .stat-num { color: var(--red); }\r\n  .stat-card .stat-label { font-size: 11px; font-weight: 700; text-transform: uppercase; letter-spacing: 0.06em; color: var(--muted); }\r\n  .stat-card .stat-icon { font-size: 24px; margin-bottom: 4px; display: block; }\r\n\r\n  \/* \u2500\u2500 CATEGORY CARDS \u2500\u2500 *\/\r\n  .cat-grid { display: grid; grid-template-columns: repeat(2, 1fr); gap: 14px; margin: 20px 0 28px; }\r\n  .cat-grid.three { grid-template-columns: repeat(3, 1fr); }\r\n  .cat-grid.four { grid-template-columns: repeat(4, 1fr); }\r\n  .cat-card { border-radius: 10px; padding: 18px 18px; border: 1.5px solid var(--border); }\r\n  .cat-card.a { border-color: #9dc3ec; background: #f0f7ff; }\r\n  .cat-card.b { border-color: #7fd3c5; background: #f0fdf8; }\r\n  .cat-card.c { border-color: #f0d58a; background: #fffbf0; }\r\n  .cat-card.d { border-color: #f5a0a0; background: #fff5f5; }\r\n  .cat-card.e { border-color: #d1baf0; background: #f9f5ff; }\r\n  .cat-label { font-size: 9.5px; font-weight: 700; text-transform: uppercase; letter-spacing: 0.12em; color: var(--muted); margin-bottom: 6px; }\r\n  .cat-title { font-size: 14.5px; font-weight: 700; color: var(--navy); margin-bottom: 8px; }\r\n  .cat-card.a .cat-title { color: var(--blue); }\r\n  .cat-card.b .cat-title { color: var(--teal); }\r\n  .cat-card.c .cat-title { color: var(--amber); }\r\n  .cat-card.d .cat-title { color: var(--red); }\r\n  .cat-card.e .cat-title { color: var(--purple); }\r\n  .cat-card p { font-size: 13px; color: #2c3e50; line-height: 1.7; text-align: justify; }\r\n  .cat-badge { display: inline-block; font-size: 24px; font-weight: 900; margin-bottom: 6px; font-family: 'Crimson Pro', Georgia, serif; line-height: 1; }\r\n  .cat-card.a .cat-badge { color: var(--blue); }\r\n  .cat-card.b .cat-badge { color: var(--teal); }\r\n  .cat-card.c .cat-badge { color: var(--amber); }\r\n  .cat-card.d .cat-badge { color: var(--red); }\r\n  .cat-card.e .cat-badge { color: var(--purple); }\r\n\r\n  \/* \u2500\u2500 SCHEDULE BANNER \u2500\u2500 *\/\r\n  .schedule-banner { border: 2px solid var(--amber); border-radius: 10px; padding: 22px 24px; margin: 20px 0 26px; background: #fffcf0; position: relative; }\r\n  .schedule-stamp { position: absolute; top: -11px; left: 20px; background: var(--amber); color: #fff; font-size: 10px; font-weight: 700; letter-spacing: 0.1em; text-transform: uppercase; padding: 3px 14px; border-radius: 4px; }\r\n  .schedule-banner h4 { font-size: 15px; font-weight: 700; color: #4a3500; margin-bottom: 12px; margin-top: 8px; }\r\n\r\n  \/* \u2500\u2500 TAGS \u2500\u2500 *\/\r\n  .tag-yes { background: #edfaf6; color: var(--teal); border-radius: 4px; padding: 2px 8px; font-size: 12px; font-weight: 700; }\r\n  .tag-no  { background: #fef3f2; color: var(--red); border-radius: 4px; padding: 2px 8px; font-size: 12px; font-weight: 700; }\r\n  .tag-b   { background: #e8f2ff; color: var(--blue); border-radius: 4px; padding: 2px 8px; font-size: 12px; font-weight: 700; }\r\n  .tag-c   { background: #fff8e8; color: var(--amber); border-radius: 4px; padding: 2px 8px; font-size: 12px; font-weight: 700; }\r\n\r\n  \/* \u2500\u2500 CHAPTER PANE (tab-style switching) \u2500\u2500 *\/\r\n  .chapter-pane { display: none; animation: fadeIn 0.3s ease; }\r\n  .chapter-pane.active { display: block; }\r\n  @keyframes fadeIn {\r\n    from { opacity: 0; transform: translateY(4px); }\r\n    to   { opacity: 1; transform: translateY(0); }\r\n  }\r\n\r\n  \/* \u2500\u2500 SIDEBAR \u2500\u2500 *\/\r\n  .sidebar { position: sticky; top: 24px; max-height: calc(100vh - 48px); }\r\n  .toc-card {\r\n    background: #fff; border: 1px solid var(--border);\r\n    border-radius: 12px; padding: 16px 12px;\r\n    max-height: calc(100vh - 48px); overflow-y: auto;\r\n  }\r\n  .toc-card-title {\r\n    font-size: 10px; font-weight: 700;\r\n    text-transform: uppercase; letter-spacing: 0.14em;\r\n    color: var(--muted); margin: 4px 0 14px; padding: 0 4px;\r\n  }\r\n  .toc-chapter { margin-bottom: 8px; }\r\n  .toc-chapter-header {\r\n    background: var(--navy);\r\n    border-radius: 10px;\r\n    padding: 12px;\r\n    color: #fff;\r\n    cursor: pointer;\r\n    display: flex; align-items: center; gap: 10px;\r\n    list-style: none;\r\n    transition: background 0.18s;\r\n  }\r\n  .toc-chapter-header::-webkit-details-marker { display: none; }\r\n  .toc-chapter-header:hover { background: #173860; }\r\n  .toc-ch-badge {\r\n    background: #ffd95a;\r\n    color: #0f2a4a;\r\n    font-size: 10px; font-weight: 800;\r\n    letter-spacing: 0.06em;\r\n    padding: 4px 8px; border-radius: 5px;\r\n    flex-shrink: 0;\r\n    min-width: 38px;\r\n    text-align: center;\r\n    line-height: 1;\r\n  }\r\n  .toc-ch-title {\r\n    flex: 1;\r\n    font-size: 13.5px;\r\n    font-weight: 700;\r\n    line-height: 1.25;\r\n    color: #fff;\r\n  }\r\n  .toc-ch-chev {\r\n    font-size: 10px;\r\n    color: rgba(255,255,255,0.8);\r\n    transition: transform 0.22s ease;\r\n    flex-shrink: 0;\r\n  }\r\n  .toc-chapter[open] > .toc-chapter-header { background: #173860; }\r\n  .toc-chapter[open] > .toc-chapter-header .toc-ch-chev { transform: rotate(90deg); }\r\n  .toc-sub-wrap {\r\n    position: relative;\r\n    margin: 6px 0 6px 18px;\r\n    padding-left: 14px;\r\n  }\r\n  .toc-sub-wrap::before {\r\n    content: '';\r\n    position: absolute;\r\n    left: 0; top: 6px; bottom: 8px;\r\n    width: 1px;\r\n    background: repeating-linear-gradient(to bottom, #d0d8e2 0px, #d0d8e2 2px, transparent 2px, transparent 5px);\r\n  }\r\n  .toc-sub-list { list-style: none; }\r\n  .toc-sub-list li {\r\n    display: flex;\r\n    align-items: flex-start;\r\n    gap: 6px;\r\n    padding: 5px 4px 5px 0;\r\n  }\r\n  .toc-sub-num {\r\n    flex-shrink: 0;\r\n    font-family: 'JetBrains Mono', monospace;\r\n    font-size: 10.5px;\r\n    color: var(--muted);\r\n    font-weight: 600;\r\n    line-height: 1.5;\r\n    min-width: 32px;\r\n    padding-top: 1px;\r\n  }\r\n  .toc-sub-list a {\r\n    flex: 1;\r\n    font-size: 13px;\r\n    color: #2c3e50;\r\n    line-height: 1.45;\r\n    padding: 1px 4px;\r\n    border-radius: 3px;\r\n    transition: color 0.15s;\r\n  }\r\n  .toc-sub-list a:hover { color: var(--blue); }\r\n  .toc-sub-list a.active { color: var(--blue); font-weight: 700; }\r\n  .toc-sub-list .toc-app .toc-sub-num,\r\n  .toc-sub-list .toc-app a { color: var(--purple); }\r\n  .toc-sub-list .toc-app a:hover,\r\n  .toc-sub-list .toc-app a.active { color: #5a2a8a; font-weight: 700; }\r\n\r\n  \/* \u2500\u2500 RECAP \u2500\u2500 *\/\r\n  .recap {\r\n    background: linear-gradient(135deg, #0f2a4a 0%, #1a3d6a 100%);\r\n    border-radius: 14px; padding: 28px 30px;\r\n    margin: 44px 0 0; color: #fff;\r\n  }\r\n  .recap-title {\r\n    font-family: 'Crimson Pro', Georgia, serif;\r\n    font-size: 20px; font-weight: 700;\r\n    margin-bottom: 18px;\r\n    display: flex; align-items: center; gap: 10px;\r\n  }\r\n  .recap table { width: 100%; border-collapse: collapse; }\r\n  .recap th, .recap td {\r\n    padding: 10px 14px;\r\n    text-align: left;\r\n    border-bottom: 1px solid rgba(255,255,255,0.12);\r\n    font-size: 13.5px;\r\n  }\r\n  .recap th { font-size: 11px; text-transform: uppercase; letter-spacing: 0.1em; opacity: 0.7; font-weight: 700; }\r\n  .recap td:first-child { font-weight: 700; color: #ffd700; width: 36%; }\r\n  .recap td strong { color: #ffd95a; font-weight: 700; }\r\n  .recap td:first-child strong { color: inherit; }\r\n\r\n  \/* \u2500\u2500 RESPONSIVE \u2500\u2500 *\/\r\n  @media (max-width: 860px) {\r\n    .layout { grid-template-columns: 1fr; gap: 32px; padding: 28px 24px 64px; }\r\n    .sidebar { position: static; }\r\n    .stat-grid, .cat-grid, .cat-grid.three, .cat-grid.four { grid-template-columns: 1fr 1fr; }\r\n    .hero { padding: 48px 24px 44px; }\r\n    .breadcrumb-bar { padding: 10px 24px; }\r\n    .hero-grid { grid-template-columns: 1fr; gap: 24px; text-align: left; }\r\n    .hero-illustration { width: 240px; margin: 0 auto; }\r\n  }\r\n  @media (max-width: 500px) {\r\n    .hero h1 { font-size: 24px; }\r\n    .stat-grid, .cat-grid, .cat-grid.three, .cat-grid.four { grid-template-columns: 1fr; }\r\n    .hero-illustration { display: none; }\r\n    .compare-table td.label-cell { width: auto; }\r\n  }\r\n<\/style>\r\n<link rel=\"preconnect\" href=\"https:\/\/fonts.googleapis.com\">\r\n<link rel=\"preconnect\" href=\"https:\/\/fonts.gstatic.com\" crossorigin>\r\n<link href=\"https:\/\/fonts.googleapis.com\/css2?family=Crimson+Pro:wght@400;600;700&family=DM+Sans:wght@400;500;700&family=JetBrains+Mono:wght@400;700&display=swap\" rel=\"stylesheet\">\r\n<\/head>\r\n<body>\r\n\r\n<!-- \u2500\u2500 HERO \u2500\u2500 -->\r\n<div class=\"hero\">\r\n  <div class=\"hero-inner hero-grid\">\r\n    <div class=\"hero-text\">\r\n      <span class=\"hero-kicker\">Study Notes \u00b7 Internal Audit \u00b7 O\/o CGA<\/span>\r\n      <h1>Generic Internal Audit Manual for Central Civil Ministries<\/h1>\r\n      <p class=\"hero-sub\">Issued in 2014 by the Centre of Excellence, Internal Audit Division, O\/o Controller General of Accounts (Ministry of Finance, Department of Expenditure). A foundational guide that takes internal audit from a compliance-only past to a risk-based future \u2014 explaining risks and controls, the COSO framework, what internal audit is, the five-phase audit process, governance through Audit Committees, and quality assurance \u2014 and serving as the template from which each Ministry builds its own detailed manual.<\/p>\r\n      <div class=\"hero-pills\">\r\n        <span class=\"hero-pill\">6 Chapters<\/span>\r\n        <span class=\"hero-pill\">COSO Framework<\/span>\r\n        <span class=\"hero-pill\">5-Phase Process<\/span>\r\n        <span class=\"hero-pill\">5-C Reporting<\/span>\r\n        <span class=\"hero-pill\">Glossary + Annexures<\/span>\r\n      <\/div>\r\n    <\/div>\r\n    <div class=\"hero-illustration\" aria-hidden=\"true\">\r\n      <svg viewBox=\"0 0 320 280\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" role=\"img\" aria-label=\"Balance scale of assurance over a shield, with risk gears\">\r\n        <ellipse cx=\"160\" cy=\"252\" rx=\"118\" ry=\"13\" fill=\"rgba(0,0,0,0.18)\"\/>\r\n        <!-- shield -->\r\n        <g transform=\"translate(96,92)\">\r\n          <path d=\"M64 4 L122 24 V96 C122 142 96 172 64 188 C32 172 6 142 6 96 V24 Z\" fill=\"rgba(255,255,255,0.10)\" stroke=\"#c89b0a\" stroke-width=\"3\"\/>\r\n          <path d=\"M64 20 L106 35 V94 C106 130 86 154 64 167 C42 154 22 130 22 94 V35 Z\" fill=\"#1a5fa8\" opacity=\"0.55\"\/>\r\n          <!-- check inside shield -->\r\n          <path d=\"M44 96 l16 18 l34 -42\" fill=\"none\" stroke=\"#0e8f7a\" stroke-width=\"7\" stroke-linecap=\"round\" stroke-linejoin=\"round\"\/>\r\n          <text x=\"64\" y=\"150\" text-anchor=\"middle\" font-family=\"DM Sans, sans-serif\" font-size=\"11\" font-weight=\"700\" fill=\"#ffd95a\" letter-spacing=\"2\">IAW<\/text>\r\n        <\/g>\r\n        <!-- balance scale of assurance -->\r\n        <g transform=\"translate(160,38)\" stroke=\"#daa520\" stroke-width=\"4\" fill=\"none\" stroke-linecap=\"round\">\r\n          <line x1=\"0\" y1=\"2\" x2=\"0\" y2=\"40\"\/>\r\n          <line x1=\"-44\" y1=\"14\" x2=\"44\" y2=\"14\"\/>\r\n          <circle cx=\"0\" cy=\"4\" r=\"4\" fill=\"#daa520\" stroke=\"none\"\/>\r\n          <!-- left pan -->\r\n          <line x1=\"-44\" y1=\"14\" x2=\"-44\" y2=\"30\"\/>\r\n          <path d=\"M-60 30 A16 12 0 0 0 -28 30 Z\" fill=\"rgba(255,255,255,0.16)\"\/>\r\n          <!-- right pan -->\r\n          <line x1=\"44\" y1=\"14\" x2=\"44\" y2=\"30\"\/>\r\n          <path d=\"M28 30 A16 12 0 0 0 60 30 Z\" fill=\"rgba(255,255,255,0.16)\"\/>\r\n        <\/g>\r\n        <!-- risk\/control gears -->\r\n        <g transform=\"translate(40,52)\" fill=\"#c89b0a\" opacity=\"0.9\">\r\n          <path d=\"M22 4 l3 0 l1.5 5.5 l5 1.2 l3.8 -4.2 l2.6 1.5 l-1.7 5.4 l3.6 3.6 l5.4 -1.7 l1.5 2.6 l-4.2 3.8 l1.2 5 l5.5 1.5 l0 3 l-5.5 1.5 l-1.2 5 l4.2 3.8 l-1.5 2.6 l-5.4 -1.7 l-3.6 3.6 l1.7 5.4 l-2.6 1.5 l-3.8 -4.2 l-5 1.2 l-1.5 5.5 l-3 0 l-1.5 -5.5 l-5 -1.2 l-3.8 4.2 l-2.6 -1.5 l1.7 -5.4 l-3.6 -3.6 l-5.4 1.7 l-1.5 -2.6 l4.2 -3.8 l-1.2 -5 l-5.5 -1.5 l0 -3 l5.5 -1.5 l1.2 -5 l-4.2 -3.8 l1.5 -2.6 l5.4 1.7 l3.6 -3.6 l-1.7 -5.4 l2.6 -1.5 l3.8 4.2 l5 -1.2 Z\"\/>\r\n          <circle cx=\"23.5\" cy=\"38\" r=\"9\" fill=\"#0f2a4a\"\/>\r\n        <\/g>\r\n        <g transform=\"translate(248,148)\" fill=\"#0e8f7a\" opacity=\"0.85\">\r\n          <path d=\"M16 3 l2.2 0 l1.1 4 l3.6 0.9 l2.8 -3 l1.9 1.1 l-1.2 3.9 l2.6 2.6 l3.9 -1.2 l1.1 1.9 l-3 2.8 l0.9 3.6 l4 1.1 l0 2.2 l-4 1.1 l-0.9 3.6 l3 2.8 l-1.1 1.9 l-3.9 -1.2 l-2.6 2.6 l1.2 3.9 l-1.9 1.1 l-2.8 -3 l-3.6 0.9 l-1.1 4 l-2.2 0 l-1.1 -4 l-3.6 -0.9 l-2.8 3 l-1.9 -1.1 l1.2 -3.9 l-2.6 -2.6 l-3.9 1.2 l-1.1 -1.9 l3 -2.8 l-0.9 -3.6 l-4 -1.1 l0 -2.2 l4 -1.1 l0.9 -3.6 l-3 -2.8 l1.1 -1.9 l3.9 1.2 l2.6 -2.6 l-1.2 -3.9 l1.9 -1.1 l2.8 3 l3.6 -0.9 Z\"\/>\r\n          <circle cx=\"17\" cy=\"27\" r=\"6.5\" fill=\"#0f2a4a\"\/>\r\n        <\/g>\r\n        <g fill=\"#fff\" opacity=\"0.85\">\r\n          <circle cx=\"295\" cy=\"70\" r=\"2\"\/>\r\n          <circle cx=\"22\" cy=\"200\" r=\"1.5\"\/>\r\n          <circle cx=\"300\" cy=\"210\" r=\"1.5\"\/>\r\n        <\/g>\r\n      <\/svg>\r\n    <\/div>\r\n  <\/div>\r\n<\/div>\r\n\r\n<!-- \u2500\u2500 BREADCRUMB \u2500\u2500 -->\r\n<div class=\"breadcrumb-bar\">\r\n  <div class=\"breadcrumb-inner\">\r\n    <a href=\"https:\/\/promotionexams.com\/\">Home<\/a>\r\n    <span class=\"sep\">&rsaquo;<\/span>\r\n    <a href=\"https:\/\/promotionexams.com\/?page_id=9409\">Notes<\/a>\r\n    <span class=\"sep\">&rsaquo;<\/span>\r\n    <span>Generic Internal Audit Manual for Central Civil Ministries<\/span>\r\n  <\/div>\r\n<\/div>\r\n\r\n<div class=\"layout\">\r\n\r\n  <!-- \u2500\u2500 SIDEBAR \u2500\u2500 -->\r\n  <aside class=\"sidebar\">\r\n    <div class=\"toc-card\">\r\n      <div class=\"toc-card-title\">Table of Contents<\/div>\r\n\r\n      <details class=\"toc-chapter\" data-chapter=\"0\" open>\r\n        <summary class=\"toc-chapter-header\">\r\n          <span class=\"toc-ch-badge\">CH I<\/span>\r\n          <span class=\"toc-ch-title\">Introduction &amp; Acronyms<\/span>\r\n          <span class=\"toc-ch-chev\">&#9654;<\/span>\r\n        <\/summary>\r\n        <div class=\"toc-sub-wrap\">\r\n          <ul class=\"toc-sub-list\">\r\n            <li><span class=\"toc-sub-num\">0.1<\/span><a href=\"#c0-what\">What This Manual Is<\/a><\/li>\r\n            <li><span class=\"toc-sub-num\">0.2<\/span><a href=\"#c0-mandate\">The CGA Mandate &amp; GFR 64<\/a><\/li>\r\n            <li><span class=\"toc-sub-num\">0.3<\/span><a href=\"#c0-charter\">The Revised Charter Shift<\/a><\/li>\r\n            <li><span class=\"toc-sub-num\">0.4<\/span><a href=\"#c0-acro\">Key Acronyms<\/a><\/li>\r\n            <li class=\"toc-app\"><span class=\"toc-sub-num\">&#9733;<\/span><a href=\"#c0-recap\">Chapter I \u2014 Quick Recap<\/a><\/li>\r\n          <\/ul>\r\n        <\/div>\r\n      <\/details>\r\n\r\n      <details class=\"toc-chapter\" data-chapter=\"1\">\r\n        <summary class=\"toc-chapter-header\">\r\n          <span class=\"toc-ch-badge\">CH II<\/span>\r\n          <span class=\"toc-ch-title\">Risks, Controls &amp; the Internal Control Framework<\/span>\r\n          <span class=\"toc-ch-chev\">&#9654;<\/span>\r\n        <\/summary>\r\n        <div class=\"toc-sub-wrap\">\r\n          <ul class=\"toc-sub-list\">\r\n            <li><span class=\"toc-sub-num\">1.1<\/span><a href=\"#c1-theory\">Theoretical Framework<\/a><\/li>\r\n            <li><span class=\"toc-sub-num\">1.2<\/span><a href=\"#c1-risk\">Understanding Risk<\/a><\/li>\r\n            <li><span class=\"toc-sub-num\">1.3<\/span><a href=\"#c1-4t\">The 4 T's \u2014 Risk Response<\/a><\/li>\r\n            <li><span class=\"toc-sub-num\">1.4<\/span><a href=\"#c1-icf\">Internal Control Framework<\/a><\/li>\r\n            <li><span class=\"toc-sub-num\">1.5<\/span><a href=\"#c1-coso\">The 5 COSO Components<\/a><\/li>\r\n            <li><span class=\"toc-sub-num\">1.6<\/span><a href=\"#c1-activities\">Control Activities<\/a><\/li>\r\n            <li class=\"toc-app\"><span class=\"toc-sub-num\">&#9733;<\/span><a href=\"#c1-recap\">Chapter II \u2014 Quick Recap<\/a><\/li>\r\n          <\/ul>\r\n        <\/div>\r\n      <\/details>\r\n\r\n      <details class=\"toc-chapter\" data-chapter=\"2\">\r\n        <summary class=\"toc-chapter-header\">\r\n          <span class=\"toc-ch-badge\">CH III<\/span>\r\n          <span class=\"toc-ch-title\">Internal Audit<\/span>\r\n          <span class=\"toc-ch-chev\">&#9654;<\/span>\r\n        <\/summary>\r\n        <div class=\"toc-sub-wrap\">\r\n          <ul class=\"toc-sub-list\">\r\n            <li><span class=\"toc-sub-num\">2.1<\/span><a href=\"#c2-need\">Why Internal Audit Exists<\/a><\/li>\r\n            <li><span class=\"toc-sub-num\">2.2<\/span><a href=\"#c2-defs\">The Four Definitions<\/a><\/li>\r\n            <li><span class=\"toc-sub-num\">2.3<\/span><a href=\"#c2-services\">Assurance vs Consulting<\/a><\/li>\r\n            <li><span class=\"toc-sub-num\">2.4<\/span><a href=\"#c2-types\">Types of Internal Audit<\/a><\/li>\r\n            <li><span class=\"toc-sub-num\">2.5<\/span><a href=\"#c2-rbia\">Risk-Based Auditing<\/a><\/li>\r\n            <li><span class=\"toc-sub-num\">2.6<\/span><a href=\"#c2-sampling\">Audit Sampling<\/a><\/li>\r\n            <li><span class=\"toc-sub-num\">2.7<\/span><a href=\"#c2-caats\">CAATs<\/a><\/li>\r\n            <li class=\"toc-app\"><span class=\"toc-sub-num\">&#9733;<\/span><a href=\"#c2-recap\">Chapter III \u2014 Quick Recap<\/a><\/li>\r\n          <\/ul>\r\n        <\/div>\r\n      <\/details>\r\n\r\n      <details class=\"toc-chapter\" data-chapter=\"3\">\r\n        <summary class=\"toc-chapter-header\">\r\n          <span class=\"toc-ch-badge\">CH IV<\/span>\r\n          <span class=\"toc-ch-title\">Management of Internal Audit<\/span>\r\n          <span class=\"toc-ch-chev\">&#9654;<\/span>\r\n        <\/summary>\r\n        <div class=\"toc-sub-wrap\">\r\n          <ul class=\"toc-sub-list\">\r\n            <li><span class=\"toc-sub-num\">3.1<\/span><a href=\"#c3-setup\">Purpose, Scope &amp; Mandate<\/a><\/li>\r\n            <li><span class=\"toc-sub-num\">3.2<\/span><a href=\"#c3-committee\">The Audit Committee<\/a><\/li>\r\n            <li><span class=\"toc-sub-num\">3.3<\/span><a href=\"#c3-charter\">The Internal Audit Charter<\/a><\/li>\r\n            <li><span class=\"toc-sub-num\">3.4<\/span><a href=\"#c3-structure\">Structure of the IAW<\/a><\/li>\r\n            <li><span class=\"toc-sub-num\">3.5<\/span><a href=\"#c3-teams\">Teams, Independence &amp; Access<\/a><\/li>\r\n            <li class=\"toc-app\"><span class=\"toc-sub-num\">&#9733;<\/span><a href=\"#c3-recap\">Chapter IV \u2014 Quick Recap<\/a><\/li>\r\n          <\/ul>\r\n        <\/div>\r\n      <\/details>\r\n\r\n      <details class=\"toc-chapter\" data-chapter=\"4\">\r\n        <summary class=\"toc-chapter-header\">\r\n          <span class=\"toc-ch-badge\">CH V<\/span>\r\n          <span class=\"toc-ch-title\">The Internal Audit Process<\/span>\r\n          <span class=\"toc-ch-chev\">&#9654;<\/span>\r\n        <\/summary>\r\n        <div class=\"toc-sub-wrap\">\r\n          <ul class=\"toc-sub-list\">\r\n            <li><span class=\"toc-sub-num\">4.1<\/span><a href=\"#c4-phases\">The Five Phases<\/a><\/li>\r\n            <li><span class=\"toc-sub-num\">4.2<\/span><a href=\"#c4-steps\">Seven Steps of an Assignment<\/a><\/li>\r\n            <li><span class=\"toc-sub-num\">4.3<\/span><a href=\"#c4-annual\">Annual Audit Programme<\/a><\/li>\r\n            <li><span class=\"toc-sub-num\">4.4<\/span><a href=\"#c4-individual\">Planning Individual Audits<\/a><\/li>\r\n            <li><span class=\"toc-sub-num\">4.5<\/span><a href=\"#c4-perform\">Performing the Engagement<\/a><\/li>\r\n            <li><span class=\"toc-sub-num\">4.6<\/span><a href=\"#c4-evidence\">Audit Evidence<\/a><\/li>\r\n            <li><span class=\"toc-sub-num\">4.7<\/span><a href=\"#c4-papers\">Working Papers &amp; Exit<\/a><\/li>\r\n            <li><span class=\"toc-sub-num\">4.8<\/span><a href=\"#c4-report\">Reporting &amp; the 5-C Framework<\/a><\/li>\r\n            <li><span class=\"toc-sub-num\">4.9<\/span><a href=\"#c4-followup\">Follow-up Action<\/a><\/li>\r\n            <li class=\"toc-app\"><span class=\"toc-sub-num\">&#9733;<\/span><a href=\"#c4-recap\">Chapter V \u2014 Quick Recap<\/a><\/li>\r\n          <\/ul>\r\n        <\/div>\r\n      <\/details>\r\n\r\n      <details class=\"toc-chapter\" data-chapter=\"5\">\r\n        <summary class=\"toc-chapter-header\">\r\n          <span class=\"toc-ch-badge\">CH VI<\/span>\r\n          <span class=\"toc-ch-title\">Quality Assurance<\/span>\r\n          <span class=\"toc-ch-chev\">&#9654;<\/span>\r\n        <\/summary>\r\n        <div class=\"toc-sub-wrap\">\r\n          <ul class=\"toc-sub-list\">\r\n            <li><span class=\"toc-sub-num\">5.1<\/span><a href=\"#c5-qa\">Why Quality Assurance<\/a><\/li>\r\n            <li><span class=\"toc-sub-num\">5.2<\/span><a href=\"#c5-hierarchy\">Hierarchy of QA Elements<\/a><\/li>\r\n            <li><span class=\"toc-sub-num\">5.3<\/span><a href=\"#c5-measure\">Measuring Performance<\/a><\/li>\r\n            <li><span class=\"toc-sub-num\">5.4<\/span><a href=\"#c5-hr\">HR, Training &amp; Staffing<\/a><\/li>\r\n            <li><span class=\"toc-sub-num\">5.5<\/span><a href=\"#c5-ethics\">Code of Ethics<\/a><\/li>\r\n            <li class=\"toc-app\"><span class=\"toc-sub-num\">&#9733;<\/span><a href=\"#c5-recap\">Chapter VI \u2014 Quick Recap<\/a><\/li>\r\n          <\/ul>\r\n        <\/div>\r\n      <\/details>\r\n\r\n      <details class=\"toc-chapter\" data-chapter=\"6\">\r\n        <summary class=\"toc-chapter-header\">\r\n          <span class=\"toc-ch-badge\">REF<\/span>\r\n          <span class=\"toc-ch-title\">Glossary, Annexures &amp; Report Tips<\/span>\r\n          <span class=\"toc-ch-chev\">&#9654;<\/span>\r\n        <\/summary>\r\n        <div class=\"toc-sub-wrap\">\r\n          <ul class=\"toc-sub-list\">\r\n            <li><span class=\"toc-sub-num\">6.1<\/span><a href=\"#c6-annexures\">The Three Annexures<\/a><\/li>\r\n            <li><span class=\"toc-sub-num\">6.2<\/span><a href=\"#c6-review\">Annual Review &amp; 10 Irregularities<\/a><\/li>\r\n            <li><span class=\"toc-sub-num\">6.3<\/span><a href=\"#c6-tips\">10 Things Not to Say<\/a><\/li>\r\n            <li><span class=\"toc-sub-num\">6.4<\/span><a href=\"#c6-glossary\">Glossary Quick Reference<\/a><\/li>\r\n            <li class=\"toc-app\"><span class=\"toc-sub-num\">&#9733;<\/span><a href=\"#c6-recap\">Reference \u2014 Quick Recap<\/a><\/li>\r\n          <\/ul>\r\n        <\/div>\r\n      <\/details>\r\n\r\n    <\/div>\r\n  <\/aside>\r\n\r\n  <main class=\"article\">\r\n\r\n    <!-- \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 CHAPTER I \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 -->\r\n    <section class=\"chapter-pane active\" id=\"pane-ch0\" data-chapter=\"0\">\r\n\r\n    <div class=\"chapter-heading-block\" id=\"c0-what\">\r\n      <span class=\"chapter-badge\">CH I \u00b7 PART A<\/span>\r\n      <h2>Introduction \u2014 What This Manual Is<\/h2>\r\n    <\/div>\r\n\r\n    <div class=\"def-card\">\r\n      <div class=\"def-label\">The document in one breath<\/div>\r\n      <div class=\"def-text\">\r\n        This is the <strong>Generic Internal Audit Manual for Central Civil Ministries<\/strong>, issued on <strong>30 September 2014<\/strong> by the <strong>Centre of Excellence, Internal Audit Division<\/strong> in the Office of the Controller General of Accounts (Ministry of Finance, Department of Expenditure). It is a <em>generic<\/em> template \u2014 its express purpose is to help each central civil Ministry\/Department develop its <strong>own detailed Internal Audit Manual<\/strong>, and to guide internal audit engagements end to end: from building a work programme through planning, performing, reporting and following up.\r\n      <\/div>\r\n    <\/div>\r\n\r\n    <div class=\"callout\">\r\n      <div class=\"callout-label\">The big idea \u2014 a shift in approach<\/div>\r\n      <p>The whole manual turns on one transition: internal audit moving <strong>from a compliance-only \/ regularity past to a risk-based future<\/strong>. The defining difference between the traditional and modern approach is the explicit recognition of the twin concepts of <strong>\"risks\" and \"controls.\"<\/strong> While compliance audit remains important, auditors are now expected to evaluate controls <em>against the risks<\/em> and assure management that controls work as intended.<\/p>\r\n    <\/div>\r\n\r\n    <div class=\"section-heading-block\" id=\"c0-mandate\">\r\n      <span class=\"section-badge teal\">&sect;1<\/span>\r\n      <h3>The CGA Mandate &amp; Rule 64 of GFR 2005<\/h3>\r\n    <\/div>\r\n\r\n    <p>The Controller General of Accounts is mandated under the Allocation of Business Rules to oversee accounting standards in Central Civil Accounts Offices, and has guided internal audit in the civil ministries since the <strong>departmentalisation of accounts in 1976<\/strong>. The scope of the internal audit function is codified in the <strong>Civil Accounts Manual<\/strong> and the <strong>Inspection Code<\/strong>.<\/p>\r\n\r\n    <div class=\"highlight-box\">\r\n      <div class=\"hl-label\">&#11088; Rule 64, GFR 2005 \u2014 memorise this<\/div>\r\n      <div class=\"hl-text\"><strong>Rule 64 of the General Financial Rules 2005<\/strong> designates the <strong>Secretary of the Ministry\/Department as the Chief Accounting Authority<\/strong>, responsible and accountable for financial management. The internal audit wings \u2014 headed by <strong>Pr.CCAs \/ CCAs \/ CAs<\/strong> and working under the overall supervision of the <strong>Financial Adviser<\/strong> \u2014 assist the Secretary in discharging this responsibility.<\/div>\r\n    <\/div>\r\n\r\n    <p>The key objectives of ministries and departments that internal audit serves are threefold:<\/p>\r\n\r\n    <div class=\"cat-grid three\">\r\n      <div class=\"cat-card a\">\r\n        <div class=\"cat-label\">Objective 1<\/div>\r\n        <div class=\"cat-title\">Proper Resource Management<\/div>\r\n        <p>Proper management of public resources and government authority, ensuring compliance with laws, regulations, policies and procedures.<\/p>\r\n      <\/div>\r\n      <div class=\"cat-card b\">\r\n        <div class=\"cat-label\">Objective 2<\/div>\r\n        <div class=\"cat-title\">Reliable Reporting<\/div>\r\n        <p>Ensuring the reliability of financial reporting.<\/p>\r\n      <\/div>\r\n      <div class=\"cat-card c\">\r\n        <div class=\"cat-label\">Objective 3<\/div>\r\n        <div class=\"cat-title\">Operational Performance<\/div>\r\n        <p>Ensuring operational efficiency and effectiveness.<\/p>\r\n      <\/div>\r\n    <\/div>\r\n\r\n    <div class=\"section-heading-block\" id=\"c0-charter\">\r\n      <span class=\"section-badge amber\">&sect;2<\/span>\r\n      <h3>The Revised Charter of Financial Advisers (2006)<\/h3>\r\n    <\/div>\r\n\r\n    <p>The Ministry of Finance, Department of Expenditure O.M. F.No.5(6)\/L&amp;C\/2006 dated <strong>1 June 2006<\/strong> redefined the charter for Financial Advisers and the role of internal audit wings working under CCAs\/CAs. It stipulated that internal audit move <strong>beyond compliance\/regulatory audit<\/strong> and focus on four things:<\/p>\r\n\r\n    <ol class=\"parts-list roman amber\">\r\n      <li><strong>Adequacy &amp; effectiveness of internal controls<\/strong> in general \u2014 and soundness of financial systems and reliability of financial\/accounting reports in particular.<\/li>\r\n      <li><strong>Identification and monitoring of risk factors<\/strong> \u2014 including those contained in the Outcome Budget.<\/li>\r\n      <li><strong>Critical assessment of economy, efficiency and effectiveness<\/strong> of the service-delivery mechanism, to ensure <em>value for money<\/em>.<\/li>\r\n      <li><strong>An effective monitoring system<\/strong> to facilitate mid-course corrections.<\/li>\r\n    <\/ol>\r\n\r\n    <div class=\"section-heading-block\" id=\"c0-acro\">\r\n      <span class=\"section-badge purple\">&sect;3<\/span>\r\n      <h3>Key Acronyms You Must Know<\/h3>\r\n    <\/div>\r\n\r\n    <table class=\"compare-table\">\r\n      <thead><tr><th>Acronym<\/th><th>Expansion<\/th><\/tr><\/thead>\r\n      <tbody>\r\n        <tr><td class=\"label-cell\">CAE<\/td><td>Chief Audit Executive (refers to Pr. CCA \/ CCA \/ CA)<\/td><\/tr>\r\n        <tr><td class=\"label-cell\">Pr.CCA \/ CCA \/ CA<\/td><td>Principal Chief Controller \/ Chief Controller \/ Controller of Accounts<\/td><\/tr>\r\n        <tr><td class=\"label-cell\">Dy.CA<\/td><td>Deputy Controller of Accounts<\/td><\/tr>\r\n        <tr><td class=\"label-cell\">AO \/ Sr.AO \/ AAO<\/td><td>Accounts Officer \/ Senior Accounts Officer \/ Assistant Accounts Officer<\/td><\/tr>\r\n        <tr><td class=\"label-cell\">IAW<\/td><td>Internal Audit Wing<\/td><\/tr>\r\n        <tr><td class=\"label-cell\">ATR<\/td><td>Action Taken Report<\/td><\/tr>\r\n        <tr><td class=\"label-cell\">DDO<\/td><td>Drawing and Disbursing Officer<\/td><\/tr>\r\n        <tr><td class=\"label-cell\">CAAT<\/td><td>Computer Assisted Audit Techniques<\/td><\/tr>\r\n        <tr><td class=\"label-cell\">COSO<\/td><td>Committee of Sponsoring Organizations<\/td><\/tr>\r\n        <tr><td class=\"label-cell\">IDEA \/ ACL<\/td><td>Interactive Data Extraction &amp; Analysis \/ Audit Command Language (audit software)<\/td><\/tr>\r\n        <tr><td class=\"label-cell\">IIA \/ ICAI \/ CIPFA<\/td><td>Institute of Internal Auditors \/ Institute of Chartered Accountants of India \/ Chartered Institute of Public Finance and Accountancy<\/td><\/tr>\r\n        <tr><td class=\"label-cell\">INTOSAI \/ ISSAI<\/td><td>Int'l Organization of Supreme Audit Institutions \/ its International Standards<\/td><\/tr>\r\n        <tr><td class=\"label-cell\">C&amp;AG<\/td><td>Comptroller &amp; Auditor General<\/td><\/tr>\r\n      <\/tbody>\r\n    <\/table>\r\n\r\n    <div class=\"recap\" id=\"c0-recap\">\r\n      <div class=\"recap-title\">&#9889; Chapter I \u2014 Quick Recap<\/div>\r\n      <table>\r\n        <thead><tr><th>Concept<\/th><th>Key Fact<\/th><\/tr><\/thead>\r\n        <tbody>\r\n          <tr><td>Issued by<\/td><td>Centre of Excellence, <strong>Internal Audit Division, O\/o CGA<\/strong>, M\/o Finance<\/td><\/tr>\r\n          <tr><td>Date issued<\/td><td><strong>30 September 2014<\/strong><\/td><\/tr>\r\n          <tr><td>Document's purpose<\/td><td>A <strong>generic template<\/strong> for Ministries to build their own detailed IA manuals<\/td><\/tr>\r\n          <tr><td>Accounts departmentalised<\/td><td><strong>1976<\/strong><\/td><\/tr>\r\n          <tr><td>IA scope codified in<\/td><td>Civil Accounts Manual &amp; Inspection Code<\/td><\/tr>\r\n          <tr><td>Rule 64, GFR 2005<\/td><td>Secretary = <strong>Chief Accounting Authority<\/strong><\/td><\/tr>\r\n          <tr><td>IAW headed by<\/td><td>Pr.CCA \/ CCA \/ CA, under the Financial Adviser<\/td><\/tr>\r\n          <tr><td>Revised Charter<\/td><td>O.M. dated <strong>1 June 2006<\/strong> \u2014 move beyond compliance audit<\/td><\/tr>\r\n          <tr><td>The defining shift<\/td><td>Explicit recognition of <strong>\"risks\" &amp; \"controls\"<\/strong><\/td><\/tr>\r\n          <tr><td>Three Ministry objectives<\/td><td>Resource management \u00b7 reliable reporting \u00b7 operational efficiency<\/td><\/tr>\r\n        <\/tbody>\r\n      <\/table>\r\n    <\/div>\r\n\r\n    <\/section><!-- \/pane-ch0 -->\r\n\r\n    <!-- \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 CHAPTER II \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 -->\r\n    <section class=\"chapter-pane\" id=\"pane-ch1\" data-chapter=\"1\">\r\n\r\n    <div class=\"chapter-heading-block\" id=\"c1-theory\">\r\n      <span class=\"chapter-badge\">CH II \u00b7 PART A<\/span>\r\n      <h2>Theoretical Framework \u2014 Risks &amp; Controls<\/h2>\r\n    <\/div>\r\n\r\n    <div class=\"def-card\">\r\n      <div class=\"def-label\">What this chapter does<\/div>\r\n      <div class=\"def-text\">\r\n        Chapter II builds the conceptual foundation. A sound public financial management system needs resources valued correctly, receipts realised in full, and expenditure incurred economically, efficiently and effectively. Above all it needs <strong>continuous assurance to stakeholders \u2014 most importantly citizens<\/strong> \u2014 that objectives are clearly spelt out, strategies are in place, and risks that threaten those objectives have been identified, assessed and contained within acceptable levels.\r\n      <\/div>\r\n    <\/div>\r\n\r\n    <div class=\"callout teal\">\r\n      <div class=\"callout-label\">Accountability \u2014 what stakeholders want assured<\/div>\r\n      <p>Accountability is a core principle of democratic government. Stakeholders want assurance that: public resources are <strong>managed properly and used lawfully<\/strong>; government programmes are <strong>achieving their objectives and outcomes<\/strong>; and government services are delivered <strong>ethically, efficiently, economically and effectively<\/strong>. Governments have traditionally relied on in-built controls like <em>\"checks and balances\"<\/em> and <em>\"segregation of duties,\"<\/em> plus rules such as the GFR and Receipt &amp; Payment Rules.<\/p>\r\n    <\/div>\r\n\r\n    <div class=\"section-heading-block\" id=\"c1-risk\">\r\n      <span class=\"section-badge\">&sect;1<\/span>\r\n      <h3>Understanding Risk<\/h3>\r\n    <\/div>\r\n\r\n    <div class=\"def-card\">\r\n      <div class=\"def-label\">Definition \u2014 Risk<\/div>\r\n      <div class=\"def-text\">\r\n        A <strong>risk<\/strong> is the possibility of an event occurring that will have an <strong>adverse impact on the achievement of objectives<\/strong>. To be protected, each risk must be identified, assessed and measured in two dimensions \u2014 <strong>impact (severity)<\/strong> and <strong>likelihood of occurrence (probability)<\/strong> \u2014 and then an appropriate response developed.\r\n      <\/div>\r\n    <\/div>\r\n\r\n    <p>Some activities are inherently more risk-prone than others \u2014 procurement, for instance, carries more risk than routine accounting for expenditure. A change in circumstances can also shift the risk structure: year-end expenditure, driven by the urge to avoid lapse of budget, needs closer monitoring of controls. When analysing risk, three questions are asked:<\/p>\r\n\r\n    <ul class=\"icon-list\">\r\n      <li><span class=\"ico\">&#10067;<\/span><span>What can go wrong?<\/span><\/li>\r\n      <li><span class=\"ico\">&#127922;<\/span><span>What is the probability of it going wrong?<\/span><\/li>\r\n      <li><span class=\"ico\">&#9888;&#65039;<\/span><span>What are the consequences?<\/span><\/li>\r\n    <\/ul>\r\n\r\n    <div class=\"section-heading-block\" id=\"c1-4t\">\r\n      <span class=\"section-badge amber\">&sect;2<\/span>\r\n      <h3>Responding to Risk \u2014 The Four T's<\/h3>\r\n    <\/div>\r\n\r\n    <p>After identifying and evaluating risks, the Ministry develops a response to eliminate the risk or contain it within acceptable limits. Four options exist:<\/p>\r\n\r\n    <div class=\"cat-grid four\">\r\n      <div class=\"cat-card a\">\r\n        <span class=\"cat-badge\">T<\/span>\r\n        <div class=\"cat-label\">Transfer<\/div>\r\n        <div class=\"cat-title\">Transfer<\/div>\r\n        <p>Shift the risk to a third party \u2014 <strong>obtaining insurance<\/strong> is the classic example.<\/p>\r\n      <\/div>\r\n      <div class=\"cat-card b\">\r\n        <span class=\"cat-badge\">T<\/span>\r\n        <div class=\"cat-label\">Tolerate<\/div>\r\n        <div class=\"cat-title\">Tolerate<\/div>\r\n        <p>Accept the risk when the cost of control outweighs the benefit, or the adverse outcome is inconsequential.<\/p>\r\n      <\/div>\r\n      <div class=\"cat-card d\">\r\n        <span class=\"cat-badge\">T<\/span>\r\n        <div class=\"cat-label\">Terminate<\/div>\r\n        <div class=\"cat-title\">Terminate<\/div>\r\n        <p>End the activity itself \u2014 needed where the risk could cause grave consequences or project failure. Not always possible in Government due to political\/social sensitivities.<\/p>\r\n      <\/div>\r\n      <div class=\"cat-card c\">\r\n        <span class=\"cat-badge\">T<\/span>\r\n        <div class=\"cat-label\">Treat<\/div>\r\n        <div class=\"cat-title\">Treat<\/div>\r\n        <p>Manage the risk through <strong>appropriate control activities<\/strong> \u2014 the most obvious choice for Ministries and the most relevant for this manual.<\/p>\r\n      <\/div>\r\n    <\/div>\r\n\r\n    <div class=\"callout\">\r\n      <div class=\"callout-label\">Residual &amp; acceptable risk<\/div>\r\n      <p>Some risk remains even after controls are instituted \u2014 this is <strong>\"residual risk.\"<\/strong> It may be advisable to tolerate it, especially where elimination costs are very high and it sits within acceptable limits. <strong>\"Acceptable risk\"<\/strong> is a risk understood and tolerated, usually because the cost or difficulty of an effective countermeasure exceeds the expected loss. What is acceptable is a <strong>judgement exercised by Management<\/strong>. Since controls have costs, the benefit of risk reduction must exceed the cost of the control.<\/p>\r\n    <\/div>\r\n\r\n    <div class=\"highlight-box\">\r\n      <div class=\"hl-label\">&#128202; The Risk Management Process (5 steps)<\/div>\r\n      <div class=\"hl-text\"><strong>Establish context<\/strong> (understand objectives &amp; environment) &rarr; <strong>Risk identification<\/strong> (write a \"risk statement\") &rarr; <strong>Analysis<\/strong> (comprehend the nature, determine consequences &amp; likelihood) &rarr; <strong>Evaluation<\/strong> (compare against risk criteria \u2014 is it acceptable?) &rarr; <strong>Response<\/strong> (modify by mitigating, avoiding, transferring or accepting). Wrapped around all five: continuous <strong>monitoring<\/strong> and <strong>reporting &amp; communication<\/strong> with stakeholders.<\/div>\r\n    <\/div>\r\n\r\n    <div class=\"callout teal\">\r\n      <div class=\"callout-label\">What \"controls\" formally are<\/div>\r\n      <p>In formal terms, <strong>controls comprise the actions taken by management, the audit committee and other parties to manage risks<\/strong> and increase the likelihood that established objectives and goals will be achieved.<\/p>\r\n    <\/div>\r\n\r\n    <div class=\"chapter-heading-block\" id=\"c1-icf\">\r\n      <span class=\"chapter-badge\">CH II \u00b7 PART B<\/span>\r\n      <h2>The Internal Control Framework<\/h2>\r\n    <\/div>\r\n\r\n    <div class=\"def-card\">\r\n      <div class=\"def-label\">Definition \u2014 Internal Control<\/div>\r\n      <div class=\"def-text\">\r\n        <strong>Internal control<\/strong> is an integral process operated by an organisation's management and personnel, designed to address risks and provide <strong>reasonable assurance<\/strong> that, in pursuit of the mission, four general objectives are met: executing <strong>orderly, ethical, economical, efficient and effective<\/strong> operations; fulfilling <strong>accountability<\/strong> obligations; <strong>complying<\/strong> with applicable laws and regulations; and <strong>safeguarding resources<\/strong> against loss, misuse and damage.\r\n      <\/div>\r\n    <\/div>\r\n\r\n    <div class=\"callout amber\">\r\n      <div class=\"callout-label\">&#9888; Controls are continuous, not events<\/div>\r\n      <p>Internal controls are <strong>continuous processes<\/strong>, not isolated efforts. Per the COSO framework, <strong>everyone in an organisation has some responsibility for internal control<\/strong> \u2014 and the commitment of those at the top is critical. Control is most effective when <strong>\"built in\" and not \"superimposed\"<\/strong> on the entity's systems.<\/p>\r\n    <\/div>\r\n\r\n    <div class=\"section-heading-block\" id=\"c1-coso\">\r\n      <span class=\"section-badge teal\">&sect;3<\/span>\r\n      <h3>The Five COSO Components<\/h3>\r\n    <\/div>\r\n\r\n    <p>The Committee of Sponsoring Organizations (COSO) developed the internal control framework now accepted worldwide. Its five key concepts:<\/p>\r\n\r\n    <div class=\"cat-grid\">\r\n      <div class=\"cat-card a\">\r\n        <span class=\"cat-badge\">1<\/span>\r\n        <div class=\"cat-label\">The foundation<\/div>\r\n        <div class=\"cat-title\">Control Environment<\/div>\r\n        <p>Sets the tone of the organisation \u2014 integrity and ethical values of individuals and the organisation as a whole. Includes management's philosophy, structure, assignment of authority, HR practices and competence.<\/p>\r\n      <\/div>\r\n      <div class=\"cat-card b\">\r\n        <span class=\"cat-badge\">2<\/span>\r\n        <div class=\"cat-label\">Find the threats<\/div>\r\n        <div class=\"cat-title\">Risk Assessment<\/div>\r\n        <p>Identifying and analysing risks that threaten objectives. Elements: risk identification, risk evaluation (likelihood &amp; significance, rated <strong>High \/ Medium \/ Low<\/strong>), and risk acceptance.<\/p>\r\n      <\/div>\r\n      <div class=\"cat-card c\">\r\n        <span class=\"cat-badge\">3<\/span>\r\n        <div class=\"cat-label\">The actions<\/div>\r\n        <div class=\"cat-title\">Control Activities<\/div>\r\n        <p>The actions that manage risk \u2014 split into <strong>preventive<\/strong> and <strong>detective<\/strong> controls (see below).<\/p>\r\n      <\/div>\r\n      <div class=\"cat-card e\">\r\n        <span class=\"cat-badge\">4<\/span>\r\n        <div class=\"cat-label\">The flow<\/div>\r\n        <div class=\"cat-title\">Information &amp; Communication<\/div>\r\n        <p>For controls to work, management needs timely, reliable feedback. Communication must flow <strong>down, across and up<\/strong> the organisation.<\/p>\r\n      <\/div>\r\n      <div class=\"cat-card d\">\r\n        <span class=\"cat-badge\">5<\/span>\r\n        <div class=\"cat-label\">The check<\/div>\r\n        <div class=\"cat-title\">Monitoring<\/div>\r\n        <p>A well-designed review process \u2014 comprising <strong>ongoing monitoring<\/strong> and\/or <strong>separate evaluations<\/strong>. Scope and frequency of separate evaluations depend on risk assessment and the effectiveness of ongoing monitoring.<\/p>\r\n      <\/div>\r\n    <\/div>\r\n\r\n    <div class=\"section-heading-block\" id=\"c1-activities\">\r\n      <span class=\"section-badge purple\">&sect;4<\/span>\r\n      <h3>Control Activities \u2014 Two Types &amp; Common Examples<\/h3>\r\n    <\/div>\r\n\r\n    <table class=\"compare-table\">\r\n      <thead><tr><th>Type<\/th><th>What it does<\/th><th>Examples<\/th><\/tr><\/thead>\r\n      <tbody>\r\n        <tr>\r\n          <td class=\"label-cell\">Preventive<\/td>\r\n          <td>Stop a risk from occurring in the first place.<\/td>\r\n          <td>Barring entry of unauthorised personnel; segregation of duties; limiting access to sensitive information.<\/td>\r\n        <\/tr>\r\n        <tr>\r\n          <td class=\"label-cell\">Detective<\/td>\r\n          <td>Help discover inaccuracies, misconduct etc. after the fact.<\/td>\r\n          <td>Preparing bank reconciliation statements; monitoring and supervision.<\/td>\r\n        <\/tr>\r\n      <\/tbody>\r\n    <\/table>\r\n\r\n    <p>The manual lists common control activities worth memorising:<\/p>\r\n\r\n    <ul class=\"icon-list\">\r\n      <li><span class=\"ico\">&#9878;&#65039;<\/span><span><strong>Segregation of duties<\/strong> \u2014 separating authorisation, custody and record-keeping roles.<\/span><\/li>\r\n      <li><span class=\"ico\">&#9989;<\/span><span><strong>Authorisation<\/strong> of transactions \u2014 review by an appropriate person.<\/span><\/li>\r\n      <li><span class=\"ico\">&#128196;<\/span><span><strong>Retention of records<\/strong> \u2014 documentation that substantiates transactions.<\/span><\/li>\r\n      <li><span class=\"ico\">&#128065;&#65039;<\/span><span><strong>Supervision<\/strong> or monitoring of operations.<\/span><\/li>\r\n      <li><span class=\"ico\">&#128274;<\/span><span><strong>Physical safeguards<\/strong> \u2014 cameras, locks, physical barriers to protect property.<\/span><\/li>\r\n      <li><span class=\"ico\">&#128202;<\/span><span><strong>Top-level reviews<\/strong> \u2014 actual results vs goals\/plans, periodic operational reviews, metrics and KPIs.<\/span><\/li>\r\n      <li><span class=\"ico\">&#128273;<\/span><span><strong>IT security controls<\/strong> \u2014 restrict system\/data access to authorised personnel (passwords, access-log review).<\/span><\/li>\r\n      <li><span class=\"ico\">&#128187;<\/span><span><strong>IT application controls<\/strong> \u2014 edit checks to validate data entry, numerical-sequence accounting, comparing file totals with control accounts.<\/span><\/li>\r\n    <\/ul>\r\n\r\n    <div class=\"highlight-box\">\r\n      <div class=\"hl-label\">&#11088; Internal audit is itself a control<\/div>\r\n      <div class=\"hl-text\">Internal Audit is a <strong>critical component of the internal control system<\/strong>, entrusted with the review function. Like all controls, internal audit entails costs \u2014 so, in keeping with economy, efficiency and effectiveness, the audit function must itself be conducted with due regard to these principles.<\/div>\r\n    <\/div>\r\n\r\n    <div class=\"recap\" id=\"c1-recap\">\r\n      <div class=\"recap-title\">&#9889; Chapter II \u2014 Quick Recap<\/div>\r\n      <table>\r\n        <thead><tr><th>Concept<\/th><th>Key Fact<\/th><\/tr><\/thead>\r\n        <tbody>\r\n          <tr><td>Risk defined<\/td><td>Possibility of an event with <strong>adverse impact on objectives<\/strong><\/td><\/tr>\r\n          <tr><td>Risk measured by<\/td><td>Impact (severity) &amp; likelihood (probability)<\/td><\/tr>\r\n          <tr><td>3 risk-analysis questions<\/td><td>What can go wrong? \u00b7 probability? \u00b7 consequences?<\/td><\/tr>\r\n          <tr><td>The 4 T's<\/td><td><strong>Transfer \u00b7 Tolerate \u00b7 Terminate \u00b7 Treat<\/strong><\/td><\/tr>\r\n          <tr><td>Insurance is an example of<\/td><td>Transferring risk<\/td><\/tr>\r\n          <tr><td>Residual risk<\/td><td>Risk remaining after controls; tolerate if within limits<\/td><\/tr>\r\n          <tr><td>Controls defined<\/td><td>Actions by management\/audit committee to manage risk<\/td><\/tr>\r\n          <tr><td>Internal control objectives<\/td><td>Orderly\/ethical ops \u00b7 accountability \u00b7 compliance \u00b7 safeguard resources<\/td><\/tr>\r\n          <tr><td>Framework used<\/td><td><strong>COSO<\/strong><\/td><\/tr>\r\n          <tr><td>5 COSO components<\/td><td>Control environment \u00b7 risk assessment \u00b7 control activities \u00b7 info &amp; communication \u00b7 monitoring<\/td><\/tr>\r\n          <tr><td>Risk rating scale<\/td><td>High \/ Medium \/ Low<\/td><\/tr>\r\n          <tr><td>2 control types<\/td><td>Preventive &amp; Detective<\/td><\/tr>\r\n          <tr><td>Best controls are<\/td><td><strong>\"Built in,\" not \"superimposed\"<\/strong><\/td><\/tr>\r\n        <\/tbody>\r\n      <\/table>\r\n    <\/div>\r\n\r\n    <\/section><!-- \/pane-ch1 -->\r\n\r\n    <!-- \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 CHAPTER III \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 -->\r\n    <section class=\"chapter-pane\" id=\"pane-ch2\" data-chapter=\"2\">\r\n\r\n    <div class=\"chapter-heading-block\" id=\"c2-need\">\r\n      <span class=\"chapter-badge\">CH III \u00b7 PART A<\/span>\r\n      <h2>Internal Audit \u2014 Definitions &amp; Services<\/h2>\r\n    <\/div>\r\n\r\n    <div class=\"def-card\">\r\n      <div class=\"def-label\">Why internal audit exists<\/div>\r\n      <div class=\"def-text\">\r\n        The need for internal audit stems from the need for <strong>feedback to Management through periodic review of internal controls<\/strong>. Its primary function is the <em>\"measurement and effectiveness of other controls.\"<\/em> This places internal audit in a unique position \u2014 it is <strong>both a part of the internal control system, and the function required to comment on the adequacy and effectiveness of the other controls<\/strong>. It aids management by giving periodic feedback on how controls are functioning and suggesting measures to strengthen them.\r\n      <\/div>\r\n    <\/div>\r\n\r\n    <div class=\"section-heading-block\" id=\"c2-defs\">\r\n      <span class=\"section-badge teal\">&sect;1<\/span>\r\n      <h3>The Four Authoritative Definitions<\/h3>\r\n    <\/div>\r\n\r\n    <p>To meet widely accepted norms, the manual cites four bodies' definitions of internal audit:<\/p>\r\n\r\n    <table class=\"compare-table\">\r\n      <thead><tr><th style=\"width:16%;\">Body<\/th><th>How it defines internal audit<\/th><\/tr><\/thead>\r\n      <tbody>\r\n        <tr><td class=\"label-cell\">INTOSAI (ISSAI 1003)<\/td><td>An <strong>appraisal activity<\/strong> established as a service to an entity; functions include examining, evaluating and monitoring the adequacy of internal control.<\/td><\/tr>\r\n        <tr><td class=\"label-cell\">CIPFA<\/td><td>An <strong>assurance function<\/strong> giving an independent, objective opinion on the control environment (risk management, control, governance) by evaluating its effectiveness in achieving objectives.<\/td><\/tr>\r\n        <tr><td class=\"label-cell\">IIA<\/td><td>An <strong>independent, objective assurance and consulting activity<\/strong> designed to add value and improve operations; helps the organisation accomplish objectives via a systematic, disciplined approach to evaluate and improve risk management, control and governance.<\/td><\/tr>\r\n        <tr><td class=\"label-cell\">ICAI<\/td><td>An <strong>independent management function<\/strong> involving continuous critical appraisal of the entity to suggest improvements and add value to the overall governance, strategic risk management and internal control system.<\/td><\/tr>\r\n      <\/tbody>\r\n    <\/table>\r\n\r\n    <div class=\"callout\">\r\n      <div class=\"callout-label\">The common thread + the public-interest overlay<\/div>\r\n      <p>All four see internal audit as evaluating the adequacy and effectiveness of <strong>risk management, governance and control processes<\/strong>, thereby adding value. In government and the public sector, one more principle overrides everything: <strong>serving the public interest must be the overriding objective<\/strong>.<\/p>\r\n    <\/div>\r\n\r\n    <div class=\"section-heading-block\" id=\"c2-services\">\r\n      <span class=\"section-badge amber\">&sect;2<\/span>\r\n      <h3>The Two Primary Services \u2014 Assurance vs Consulting<\/h3>\r\n    <\/div>\r\n\r\n    <div class=\"cat-grid\">\r\n      <div class=\"cat-card a\">\r\n        <div class=\"cat-label\">Service 1<\/div>\r\n        <div class=\"cat-title\">Assurance Services<\/div>\r\n        <p>The auditor's <strong>objective assessment of evidence<\/strong> to provide an independent opinion or conclusion on the processes, systems or mechanisms put in place by the executive to ensure achievement of objectives.<\/p>\r\n      <\/div>\r\n      <div class=\"cat-card e\">\r\n        <div class=\"cat-label\">Service 2<\/div>\r\n        <div class=\"cat-title\">Consulting Services<\/div>\r\n        <p>Advisory in nature \u2014 positive recommendations to improve performance and\/or controls, generally at the specific request of the agency. The auditor must <strong>maintain objectivity and not assume management responsibility<\/strong>.<\/p>\r\n      <\/div>\r\n    <\/div>\r\n\r\n    <div class=\"callout teal\">\r\n      <div class=\"callout-label\">What both services assess (reasonable assurance that\u2026)<\/div>\r\n      <p>In both, internal audit focuses on whether governance, risk management and control provide reasonable assurance that: significant <strong>information is accurate, reliable and timely<\/strong>; resources are <strong>acquired economically and used efficiently<\/strong>; <strong>assets are safeguarded<\/strong>; actions <strong>comply<\/strong> with policies, procedures, contracts and laws; and significant <strong>programmes, plans and objectives will be achieved<\/strong>.<\/p>\r\n    <\/div>\r\n\r\n    <div class=\"chapter-heading-block\" id=\"c2-types\">\r\n      <span class=\"chapter-badge\">CH III \u00b7 PART B<\/span>\r\n      <h2>Types of Internal Audit<\/h2>\r\n    <\/div>\r\n\r\n    <p>In government, internal audit may conduct several types of audit. The main ones:<\/p>\r\n\r\n    <ol class=\"parts-list decimal\">\r\n      <li><strong>Regularity Audit (audit against rules &amp; orders)<\/strong> \u2014 verifies that expenditure conforms to the laws, rules and orders governing the power to sanction\/incur expenditure, and that rules on service conditions, pay, allowances and pensions are followed. The auditor flags deviations and suggests remedies; further action rests with Management.<\/li>\r\n      <li><strong>Propriety Audit<\/strong> \u2014 focuses on improper expenditure or waste <em>even where it conforms to rules<\/em>. Per Hallam, it <em>\"extends beyond the formality of the expenditure to its wisdom, faithfulness and economy.\"<\/em> Catches improper or infructuous spending not caught by regularity audit.<\/li>\r\n      <li><strong>Performance (Value-for-Money) Audit<\/strong> \u2014 checks whether stated objectives are achieved with due regard to economy and efficiency. Examines the relationship between <strong>inputs, outputs and outcomes<\/strong> against the <strong>3 E's<\/strong> (see callout below).<\/li>\r\n      <li><strong>Information Systems \/ IT Audit<\/strong> \u2014 determines whether IT systems are designed to achieve organisational goals; focuses on attributes of <strong>data<\/strong> (correct, consistent, reliable), <strong>assets<\/strong> (hardware &amp; software) and <strong>resources<\/strong> (technological, physical, human).<\/li>\r\n      <li><strong>Financial Audit<\/strong> \u2014 provides reasonable assurance the financial statements show a true and fair view. For government accounts, this is performed by the <strong>C&amp;AG<\/strong>.<\/li>\r\n      <li><strong>Grant or Contract Audits<\/strong> \u2014 evaluate compliance with grant conditions, the contracting process and third-party contractual performance.<\/li>\r\n      <li><strong>Fraud &amp; Financial Irregularity Audits<\/strong> \u2014 verify the existence and magnitude of suspected fraud\/irregularities, usually triggered by discovery or suspicion.<\/li>\r\n    <\/ol>\r\n\r\n    <div class=\"callout amber\">\r\n      <div class=\"callout-label\">The 3 E's of Performance Audit<\/div>\r\n      <p><strong>Economy<\/strong> \u2014 expenditure incurred was not in excess of requirement. <strong>Efficiency<\/strong> \u2014 output achieved with minimum inputs (or maximum output for given inputs). <strong>Effectiveness<\/strong> \u2014 expenditure achieved the intended objective.<\/p>\r\n    <\/div>\r\n\r\n    <div class=\"highlight-box\">\r\n      <div class=\"hl-label\">&#128221; The one-line summary<\/div>\r\n      <div class=\"hl-text\">The various kinds of audit differ in focus, scope and approach \u2014 but <strong>internal audit is primarily used for verifying the effectiveness of internal controls in operation, and compliance with laws, rules, regulations and government orders<\/strong>.<\/div>\r\n    <\/div>\r\n\r\n    <div class=\"section-heading-block\" id=\"c2-rbia\">\r\n      <span class=\"section-badge purple\">&sect;3<\/span>\r\n      <h3>Risk-Based Auditing<\/h3>\r\n    <\/div>\r\n\r\n    <div class=\"def-card\">\r\n      <div class=\"def-label\">Definition \u2014 Risk-Based Auditing<\/div>\r\n      <div class=\"def-text\">\r\n        An approach that focuses on the <strong>organisational response to the risks<\/strong> it faces in achieving its goals. The context for audits comes from the Department's <strong>objectives, associated risks and risk-management process<\/strong> \u2014 rather than from \"controls\" and deviations therefrom. The auditor's role shifts from examining compliance with controls to <strong>reviewing the risk-management processes<\/strong>.\r\n      <\/div>\r\n    <\/div>\r\n\r\n    <div class=\"callout\">\r\n      <div class=\"callout-label\">A pragmatic caveat for Government<\/div>\r\n      <p>Until risk-management processes are well-designed and embedded in government systems, Internal Audit <strong>cannot yet rely on the Department's own view of risks<\/strong> for scoping. The pragmatic approach: Internal Audit, <strong>in conjunction with management<\/strong>, undertakes the risk-assessment exercise itself and draws up its audit plan. Over time, greater reliance can be placed on Departments' own risk assessments and risk-control matrices.<\/p>\r\n    <\/div>\r\n\r\n    <div class=\"chapter-heading-block\" id=\"c2-sampling\">\r\n      <span class=\"chapter-badge\">CH III \u00b7 PART C<\/span>\r\n      <h2>Audit Sampling<\/h2>\r\n    <\/div>\r\n\r\n    <div class=\"def-card\">\r\n      <div class=\"def-label\">Definition \u2014 Audit Sampling<\/div>\r\n      <div class=\"def-text\">\r\n        Applying audit procedures to <strong>less than 100%<\/strong> of the items within a class of transactions, so the auditor can obtain and evaluate evidence about some characteristic of the selected items and <strong>form a conclusion about the whole population<\/strong>. A 100% check is unnecessary \u2014 the objective is well served by a test check.\r\n      <\/div>\r\n    <\/div>\r\n\r\n    <div class=\"highlight-box\">\r\n      <div class=\"hl-label\">&#128161; How auditors choose what to test<\/div>\r\n      <div class=\"hl-text\">Areas where the department exercises <strong>discretion<\/strong> are riskier than rule-bound ones. Higher-value transactions are often examined for material impact \u2014 but <strong>materiality is irrelevant where compliance is required by law<\/strong>. Past audit reports are a good guide to the control environment, and <strong>March vouchers are invariably selected<\/strong> because of the well-known \"March rush\" in expenditure.<\/div>\r\n    <\/div>\r\n\r\n    <h4>Judgemental vs Statistical Sampling<\/h4>\r\n    <table class=\"compare-table\">\r\n      <thead><tr><th>Approach<\/th><th>How it works<\/th><th>Trade-off<\/th><\/tr><\/thead>\r\n      <tbody>\r\n        <tr>\r\n          <td class=\"label-cell\">Judgemental<\/td>\r\n          <td>Items chosen on the auditor's experience, intuition and judgement.<\/td>\r\n          <td>Simple and popular \u2014 but no scientific basis, so findings are hard to extrapolate to the population.<\/td>\r\n        <\/tr>\r\n        <tr>\r\n          <td class=\"label-cell\">Statistical<\/td>\r\n          <td>Every unit has an equal chance of selection, eliminating bias.<\/td>\r\n          <td>Lets findings be asserted with a known <strong>degree of confidence<\/strong>; requires decisions on sample size and technique.<\/td>\r\n        <\/tr>\r\n      <\/tbody>\r\n    <\/table>\r\n\r\n    <div class=\"callout\">\r\n      <div class=\"callout-label\">Sample size<\/div>\r\n      <p>Influenced by the <strong>purpose of audit, population size &amp; homogeneity, required precision and confidence level<\/strong>. For a small population, the whole group can be the sample; for a homogeneous population, a small sample suffices. In general, a sample of <strong>10% or more is considered reasonable<\/strong>.<\/p>\r\n    <\/div>\r\n\r\n    <h4>Four common statistical sampling techniques<\/h4>\r\n    <div class=\"cat-grid\">\r\n      <div class=\"cat-card a\">\r\n        <div class=\"cat-label\">Technique 1<\/div>\r\n        <div class=\"cat-title\">Random Number<\/div>\r\n        <p>Number all items in the population, then use a random-number generator to select the sample.<\/p>\r\n      <\/div>\r\n      <div class=\"cat-card b\">\r\n        <div class=\"cat-label\">Technique 2<\/div>\r\n        <div class=\"cat-title\">Interval Sampling<\/div>\r\n        <p>Select items at defined intervals \u2014 e.g. every 10th, 15th or 35th voucher. The interval is set by population size and the number needed.<\/p>\r\n      <\/div>\r\n      <div class=\"cat-card c\">\r\n        <div class=\"cat-label\">Technique 3<\/div>\r\n        <div class=\"cat-title\">Stratified Sampling<\/div>\r\n        <p>Divide the population into discrete homogeneous groups, then select a pre-decided number from each group.<\/p>\r\n      <\/div>\r\n      <div class=\"cat-card d\">\r\n        <div class=\"cat-label\">Technique 4<\/div>\r\n        <div class=\"cat-title\">Attribute Sampling<\/div>\r\n        <p>Select all items sharing certain attributes; objective in nature \u2014 items chosen by compliance (yes) or non-compliance (no). Good for evaluating controls over many similarly-characterised transactions.<\/p>\r\n      <\/div>\r\n    <\/div>\r\n\r\n    <div class=\"section-heading-block\" id=\"c2-caats\">\r\n      <span class=\"section-badge red\">&sect;4<\/span>\r\n      <h3>Computer Assisted Audit Techniques (CAATs)<\/h3>\r\n    <\/div>\r\n\r\n    <p>As government operations computerise, vast volumes of electronic data accumulate that are impractical to extract manually \u2014 and manual audit limits how much data can be audited in a given time. <strong>CAATs are computer-based tools that run tests on data or IT systems<\/strong>, especially useful when significant data is electronic.<\/p>\r\n\r\n    <ul class=\"icon-list\">\r\n      <li><span class=\"ico\">&#9889;<\/span><span>CAATs permit <strong>100% testing<\/strong> of data in a short span, repeated tests on different files, and standardisation of audit activity.<\/span><\/li>\r\n      <li><span class=\"ico\">&#129518;<\/span><span><strong>Two broad categories:<\/strong> <em>add-on<\/em> tools used inside already-installed programs (Excel, MS Access); and <em>general-purpose audit software<\/em> built off-the-shelf for auditors.<\/span><\/li>\r\n      <li><span class=\"ico\">&#128187;<\/span><span>Commonly used general-purpose software: <strong>IDEA<\/strong> (Interactive Data Extraction and Analysis) and <strong>ACL<\/strong> (Audit Command Language).<\/span><\/li>\r\n      <li><span class=\"ico\">&#127891;<\/span><span>Internal Audit Wings should <strong>train staff<\/strong> to use these tools in engagements.<\/span><\/li>\r\n    <\/ul>\r\n\r\n    <div class=\"highlight-box\">\r\n      <div class=\"hl-label\">&#128221; The evolution of audit (per the manual's box)<\/div>\r\n      <div class=\"hl-text\">From \"tick and check\" audits &rarr; systems-based audits focused on key controls &rarr; CAATs. The principle of taking the client's books to audit them hasn't changed \u2014 only the practices, now that books are electronic. <strong>Auditors who fail to embrace new techniques will find themselves \"surplus to requirements.\"<\/strong> <em>(Source cited: The Internal Auditing Handbook, 2nd ed., K. H. Spencer Pickett.)<\/em><\/div>\r\n    <\/div>\r\n\r\n    <div class=\"recap\" id=\"c2-recap\">\r\n      <div class=\"recap-title\">&#9889; Chapter III \u2014 Quick Recap<\/div>\r\n      <table>\r\n        <thead><tr><th>Concept<\/th><th>Key Fact<\/th><\/tr><\/thead>\r\n        <tbody>\r\n          <tr><td>IA's primary function<\/td><td><strong>Measurement &amp; effectiveness of other controls<\/strong><\/td><\/tr>\r\n          <tr><td>IA's unique position<\/td><td>Both part of the control system &amp; reviewer of it<\/td><\/tr>\r\n          <tr><td>4 defining bodies<\/td><td>INTOSAI (ISSAI 1003) \u00b7 CIPFA \u00b7 IIA \u00b7 ICAI<\/td><\/tr>\r\n          <tr><td>Overriding public-sector aim<\/td><td>Serving the <strong>public interest<\/strong><\/td><\/tr>\r\n          <tr><td>2 primary services<\/td><td>Assurance &amp; Consulting<\/td><\/tr>\r\n          <tr><td>Consulting caution<\/td><td>Don't assume management responsibility<\/td><\/tr>\r\n          <tr><td>Audit types<\/td><td>Regularity \u00b7 Propriety \u00b7 Performance \u00b7 IT \u00b7 Financial \u00b7 Grant \u00b7 Fraud<\/td><\/tr>\r\n          <tr><td>Propriety audit (Hallam)<\/td><td>\"Wisdom, faithfulness and economy\"<\/td><\/tr>\r\n          <tr><td>Performance audit 3 E's<\/td><td>Economy \u00b7 Efficiency \u00b7 Effectiveness<\/td><\/tr>\r\n          <tr><td>Financial audit by<\/td><td><strong>C&amp;AG<\/strong><\/td><\/tr>\r\n          <tr><td>Risk-based auditing<\/td><td>Focus on org's <strong>response to risk<\/strong>, not controls\/deviations<\/td><\/tr>\r\n          <tr><td>Audit sampling<\/td><td>Procedures on &lt;100% of items<\/td><\/tr>\r\n          <tr><td>Materiality &amp; law<\/td><td>Materiality irrelevant where compliance is legally required<\/td><\/tr>\r\n          <tr><td>March vouchers<\/td><td>Invariably selected (\"March rush\")<\/td><\/tr>\r\n          <tr><td>Reasonable sample size<\/td><td>10% or more in general<\/td><\/tr>\r\n          <tr><td>4 statistical techniques<\/td><td>Random number \u00b7 interval \u00b7 stratified \u00b7 attribute<\/td><\/tr>\r\n          <tr><td>CAATs enable<\/td><td>100% testing \u00b7 repeated tests \u00b7 standardisation<\/td><\/tr>\r\n          <tr><td>General-purpose software<\/td><td>IDEA &amp; ACL<\/td><\/tr>\r\n        <\/tbody>\r\n      <\/table>\r\n    <\/div>\r\n\r\n    <\/section><!-- \/pane-ch2 -->\r\n\r\n    <!-- \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 CHAPTER IV \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 -->\r\n    <section class=\"chapter-pane\" id=\"pane-ch3\" data-chapter=\"3\">\r\n\r\n    <div class=\"chapter-heading-block\" id=\"c3-setup\">\r\n      <span class=\"chapter-badge\">CH IV \u00b7 PART A<\/span>\r\n      <h2>Management of Internal Audit in Government<\/h2>\r\n    <\/div>\r\n\r\n    <div class=\"def-card\">\r\n      <div class=\"def-label\">What this chapter does<\/div>\r\n      <div class=\"def-text\">\r\n        Chapter IV is about <strong>governance and setup<\/strong> \u2014 how the internal audit function is positioned, mandated and supervised within a Ministry. It covers the organisational setup, the audit mandate and charter, the Audit Committee, the structure of the wing, the management team, audit teams, independence and access. Much of it is written as guidance for what each Ministry's <em>own<\/em> detailed manual should contain.\r\n      <\/div>\r\n    <\/div>\r\n\r\n    <div class=\"callout\">\r\n      <div class=\"callout-label\">Mandate &amp; Charter<\/div>\r\n      <p>The requirement for internal audit must be set out in a clearly defined <strong>audit mandate<\/strong>, formally documented in the <strong>Internal Audit Charter<\/strong>. The charter defines the framework within which internal audit operates, establishes its functional and administrative reporting lines, fixes its position within the organisation, and <strong>serves as the foundation for the annual audit plan<\/strong>. A carefully developed mandate and charter are critical for an effective function.<\/p>\r\n    <\/div>\r\n\r\n    <div class=\"section-heading-block\" id=\"c3-committee\">\r\n      <span class=\"section-badge teal\">&sect;1<\/span>\r\n      <h3>The Audit Committee \u2014 Composition &amp; Role<\/h3>\r\n    <\/div>\r\n\r\n    <p>To provide oversight of the IAW, an <strong>Audit Committee should be constituted in each Ministry<\/strong> (or the mandate of an existing Standing Audit Committee enlarged). Its composition:<\/p>\r\n\r\n    <table class=\"compare-table\">\r\n      <thead><tr><th>Role on Committee<\/th><th>Officer<\/th><\/tr><\/thead>\r\n      <tbody>\r\n        <tr><td class=\"label-cell\">Chairperson<\/td><td>Secretary of the Ministry\/Department<\/td><\/tr>\r\n        <tr><td class=\"label-cell\">Vice-Chairperson<\/td><td>Financial Adviser<\/td><\/tr>\r\n        <tr><td class=\"label-cell\">Convener \/ Member Secretary<\/td><td>Chief Controller of Accounts \/ Controller of Accounts (i.e. the CAE, or his nominee)<\/td><\/tr>\r\n        <tr><td class=\"label-cell\">Members<\/td><td>Programme Division Heads; subject experts may be associated as needed<\/td><\/tr>\r\n      <\/tbody>\r\n    <\/table>\r\n\r\n    <div class=\"callout teal\">\r\n      <div class=\"callout-label\">Terms of reference of the Audit Committee<\/div>\r\n      <p>Ensure development of an <strong>effective Risk Management system<\/strong>; supervise the IAW's overall functioning and set its priorities; provide strategic direction and resources; <strong>approve the Internal Audit Charter<\/strong> and the function's role\/structure; <strong>approve the annual internal audit plan<\/strong>; evaluate IAW performance and offer guidance; ensure audit observations are implemented; and determine modalities to resolve key audit issues.<\/p>\r\n    <\/div>\r\n\r\n    <div class=\"highlight-box\">\r\n      <div class=\"hl-label\">&#11088; The reporting relationship<\/div>\r\n      <div class=\"hl-text\">Internal audit has a <strong>formal reporting relationship with the Audit Committee<\/strong>. The CAE (Pr.CCA\/CCA\/CA) puts up a <strong>quarterly review<\/strong> of the internal audit function before the Committee. The Committee may also assign <strong>special audits<\/strong> directly to the CAE, who would then report directly to the Committee within a prescribed time-frame.<\/div>\r\n    <\/div>\r\n\r\n    <div class=\"section-heading-block\" id=\"c3-charter\">\r\n      <span class=\"section-badge amber\">&sect;2<\/span>\r\n      <h3>The Internal Audit Charter<\/h3>\r\n    <\/div>\r\n\r\n    <p>Rule 64 of GFR 2005 places the responsibility for sound financial management on the Secretary as Chief Accounting Authority, who must ensure full and proper records and systems affording better internal controls. The revised charter of Financial Advisers (2006) stipulates that IAWs <strong>move beyond compliance\/regulatory audit<\/strong> to the four focus areas (assessment of controls, monitoring risk factors, value-for-money assessment, mid-course-correction monitoring). Each Ministry's manual should contain an Internal Audit Charter <strong>approved by the Audit Committee<\/strong>. A model charter covers:<\/p>\r\n\r\n    <ol class=\"parts-list decimal amber\">\r\n      <li><strong>Role of the function<\/strong> \u2014 internal audit as an independent, objective assurance and consulting activity adding value, concerned with controls that ensure: reliability\/integrity of information; effectiveness\/efficiency of operations; safeguarding of assets; compliance with laws, regulations and contracts.<\/li>\r\n      <li><strong>Responsibilities<\/strong> \u2014 Programme divisions own the system of internal controls; internal audit <strong>provides assurance<\/strong> on the adequacy of those controls (and may consult, but never assumes the role of management).<\/li>\r\n      <li><strong>Annual Audit Programme<\/strong> \u2014 submitted by <strong>15 January<\/strong> each year through the Financial Adviser to the Audit Committee, based on the Divisions' risk assessments (or the CAE's own assessment where these don't exist).<\/li>\r\n      <li><strong>Reports<\/strong> \u2014 issued within <strong>one week<\/strong> of CAE approval; significant-issue reports circulated with the Vice-Chairman's approval; an <strong>Annual Audit Review<\/strong> goes to the Committee Chairperson and to O\/o CGA by <strong>31 May<\/strong> (Annexure I).<\/li>\r\n      <li><strong>Access<\/strong> \u2014 internal audit has <strong>unfettered access<\/strong> to all officers, buildings, information and documentation.<\/li>\r\n      <li><strong>Independence<\/strong> \u2014 objective service per the Guidelines and Code of Ethics issued by O\/o CGA, whose performance is periodically reviewed by O\/o CGA, with results shared with the Audit Committee.<\/li>\r\n    <\/ol>\r\n\r\n    <div class=\"chapter-heading-block\" id=\"c3-structure\">\r\n      <span class=\"chapter-badge\">CH IV \u00b7 PART B<\/span>\r\n      <h2>Structure of the Internal Audit Wing<\/h2>\r\n    <\/div>\r\n\r\n    <div class=\"flow\">\r\n      <div class=\"flow-step\">\r\n        <div class=\"flow-num\">1<\/div>\r\n        <div class=\"flow-content\">\r\n          <h5>Chief Audit Executive (CAE)<\/h5>\r\n          <p>Pr.CCA \/ CCA \/ CA heads the function. Reports to the Secretary <strong>through the Financial Adviser<\/strong> administratively; functionally reports to the <strong>Audit Committee<\/strong>.<\/p>\r\n        <\/div>\r\n      <\/div>\r\n      <div class=\"flow-step\">\r\n        <div class=\"flow-num\">2<\/div>\r\n        <div class=\"flow-content\">\r\n          <h5>Internal Audit Management Team<\/h5>\r\n          <p>Headed by the CAE, comprising key Accounts &amp; Audit functionaries \u2014 for closer supervision and quality assurance. Meets regularly to discuss plan execution, coordinate audit teams, decide approach, and issue guidance\/advisories.<\/p>\r\n        <\/div>\r\n      <\/div>\r\n      <div class=\"flow-step\">\r\n        <div class=\"flow-num\">3<\/div>\r\n        <div class=\"flow-content\">\r\n          <h5>Audit Teams &amp; Staff<\/h5>\r\n          <p>Regular IAW staff + PAO staff not involved in the auditee's payment\/accounting + other officials + Consultants hired as needed. A typical team: <strong>1 Sr.AO\/AO, 2 AAOs, 2 Accountants<\/strong>.<\/p>\r\n        <\/div>\r\n      <\/div>\r\n    <\/div>\r\n\r\n    <div class=\"section-heading-block\" id=\"c3-teams\">\r\n      <span class=\"section-badge purple\">&sect;3<\/span>\r\n      <h3>The Independence Rule, Access &amp; Service Types<\/h3>\r\n    <\/div>\r\n\r\n    <div class=\"callout red\">\r\n      <div class=\"callout-label\">&#9888; The self-audit prohibition<\/div>\r\n      <p><strong>No auditor should audit his own decision<\/strong>, nor be involved in the audit of a unit where he may have worked <strong>within the past one year<\/strong>. This is the core independence safeguard for team composition.<\/p>\r\n    <\/div>\r\n\r\n    <div class=\"cat-grid\">\r\n      <div class=\"cat-card a\">\r\n        <div class=\"cat-label\">Standard work<\/div>\r\n        <div class=\"cat-title\">Assurance &amp; Consulting Engagements<\/div>\r\n        <p>Undertaken as per the overall directions of the Audit Committee.<\/p>\r\n      <\/div>\r\n      <div class=\"cat-card c\">\r\n        <div class=\"cat-label\">On request<\/div>\r\n        <div class=\"cat-title\">Special Audit Engagements<\/div>\r\n        <p>Taken up with <strong>defined Terms of Reference given by the executive wing<\/strong>; intimated to the Audit Committee at its next meeting.<\/p>\r\n      <\/div>\r\n    <\/div>\r\n\r\n    <div class=\"highlight-box\">\r\n      <div class=\"hl-label\">&#128221; What the function actually does for the Ministry<\/div>\r\n      <div class=\"hl-text\">Internal audit improves operating effectiveness of programmes through independent evaluation against policy guidelines and scheme objectives; looks into planning, execution and monitoring of spending units; comments on control weaknesses and risks; checks accuracy of accounting\/financial records; and assists Financial Advisers in the appraisal, monitoring and evaluation of individual schemes. Its audit plan <strong>concentrates on high-risk areas<\/strong>, setting priorities by risk assessment and available resources.<\/div>\r\n    <\/div>\r\n\r\n    <div class=\"recap\" id=\"c3-recap\">\r\n      <div class=\"recap-title\">&#9889; Chapter IV \u2014 Quick Recap<\/div>\r\n      <table>\r\n        <thead><tr><th>Concept<\/th><th>Key Fact<\/th><\/tr><\/thead>\r\n        <tbody>\r\n          <tr><td>Audit mandate documented in<\/td><td>The <strong>Internal Audit Charter<\/strong> (foundation for the annual plan)<\/td><\/tr>\r\n          <tr><td>Audit Committee Chair<\/td><td><strong>Secretary<\/strong> of the Ministry<\/td><\/tr>\r\n          <tr><td>Vice-Chairperson<\/td><td>Financial Adviser<\/td><\/tr>\r\n          <tr><td>Convener \/ Member Secretary<\/td><td>CCA \/ CA (the CAE or nominee)<\/td><\/tr>\r\n          <tr><td>CAE reports administratively<\/td><td>To Secretary <strong>through Financial Adviser<\/strong><\/td><\/tr>\r\n          <tr><td>CAE reports functionally<\/td><td>To the <strong>Audit Committee<\/strong><\/td><\/tr>\r\n          <tr><td>CAE's review to Committee<\/td><td><strong>Quarterly<\/strong><\/td><\/tr>\r\n          <tr><td>Annual Audit Programme due<\/td><td><strong>15 January<\/strong>, via Financial Adviser<\/td><\/tr>\r\n          <tr><td>Reports issued within<\/td><td><strong>One week<\/strong> of CAE approval<\/td><\/tr>\r\n          <tr><td>Annual Review to O\/o CGA by<\/td><td><strong>31 May<\/strong> (Annexure I)<\/td><\/tr>\r\n          <tr><td>Independence rule<\/td><td>No self-audit; no unit worked at within <strong>past 1 year<\/strong><\/td><\/tr>\r\n          <tr><td>Typical team<\/td><td>1 Sr.AO\/AO + 2 AAOs + 2 Accountants<\/td><\/tr>\r\n          <tr><td>Special audits<\/td><td>Executive's ToR; Committee informed at next meeting<\/td><\/tr>\r\n        <\/tbody>\r\n      <\/table>\r\n    <\/div>\r\n\r\n    <\/section><!-- \/pane-ch3 -->\r\n\r\n    <!-- \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 CHAPTER V \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 -->\r\n    <section class=\"chapter-pane\" id=\"pane-ch4\" data-chapter=\"4\">\r\n\r\n    <div class=\"chapter-heading-block\" id=\"c4-phases\">\r\n      <span class=\"chapter-badge\">CH V \u00b7 PART A<\/span>\r\n      <h2>The Internal Audit Process<\/h2>\r\n    <\/div>\r\n\r\n    <div class=\"def-card\">\r\n      <div class=\"def-label\">What this chapter does<\/div>\r\n      <div class=\"def-text\">\r\n        Chapter V is the operational heart of the manual \u2014 the <strong>end-to-end audit process<\/strong>. It applies at both levels: the individual engagement and the Ministry-wide function. It covers planning, preparing, performing, reporting and following up, including audit evidence, working papers, the exit meeting, and the <strong>5-C framework<\/strong> for drafting observations.\r\n      <\/div>\r\n    <\/div>\r\n\r\n    <p>The internal audit process comprises <strong>five main phases<\/strong>. They can be compressed into three (planning, execution, reporting) for ease of understanding:<\/p>\r\n\r\n    <div class=\"flow\">\r\n      <div class=\"flow-step\">\r\n        <div class=\"flow-num\">1<\/div>\r\n        <div class=\"flow-content\">\r\n          <h5>Planning the Engagement<\/h5>\r\n          <p>Establish <em>what<\/em> is going to be audited \u2014 preliminary survey and research about the auditee unit.<\/p>\r\n        <\/div>\r\n      <\/div>\r\n      <div class=\"flow-step\">\r\n        <div class=\"flow-num\">2<\/div>\r\n        <div class=\"flow-content\">\r\n          <h5>Preparing for Audit<\/h5>\r\n          <p>Gather relevant information from internal &amp; external sources and prepare a work programme.<\/p>\r\n        <\/div>\r\n      <\/div>\r\n      <div class=\"flow-step\">\r\n        <div class=\"flow-num\">3<\/div>\r\n        <div class=\"flow-content\">\r\n          <h5>Performing the Engagement<\/h5>\r\n          <p>Implement the approved plan \u2014 intimation, entry conference, testing, evidence.<\/p>\r\n        <\/div>\r\n      <\/div>\r\n      <div class=\"flow-step\">\r\n        <div class=\"flow-num\">4<\/div>\r\n        <div class=\"flow-content\">\r\n          <h5>Reporting upon the Engagement<\/h5>\r\n          <p>Communicate the results achieved via the audit report.<\/p>\r\n        <\/div>\r\n      <\/div>\r\n      <div class=\"flow-step\">\r\n        <div class=\"flow-num\">5<\/div>\r\n        <div class=\"flow-content\">\r\n          <h5>Follow-up Action<\/h5>\r\n          <p>Report on implementation of agreed improvement measures.<\/p>\r\n        <\/div>\r\n      <\/div>\r\n    <\/div>\r\n\r\n    <div class=\"section-heading-block\" id=\"c4-steps\">\r\n      <span class=\"section-badge\">&sect;1<\/span>\r\n      <h3>Seven Steps of a Typical Assignment<\/h3>\r\n    <\/div>\r\n\r\n    <p>A typical internal audit assignment runs through seven steps (many are iterative and may not occur strictly in sequence):<\/p>\r\n\r\n    <ol class=\"parts-list decimal\">\r\n      <li>Establish and communicate the <strong>scope and objectives<\/strong> to appropriate management.<\/li>\r\n      <li>Develop an <strong>understanding of the operational area<\/strong> \u2014 objectives, measurements, key transaction types \u2014 via document review and interviews (flowcharts\/narratives if needed).<\/li>\r\n      <li>Describe the <strong>key risks<\/strong> facing the business activities within scope.<\/li>\r\n      <li>Identify the <strong>control procedures<\/strong> ensuring each key risk and transaction type is controlled and monitored.<\/li>\r\n      <li>Develop and execute a <strong>risk-based sampling and testing approach<\/strong> to check whether the most important controls operate as intended.<\/li>\r\n      <li><strong>Report problems<\/strong> identified and negotiate action plans with management.<\/li>\r\n      <li><strong>Follow up<\/strong> on reported findings at appropriate intervals (maintaining a follow-up database).<\/li>\r\n    <\/ol>\r\n\r\n    <div class=\"chapter-heading-block\" id=\"c4-annual\">\r\n      <span class=\"chapter-badge\">CH V \u00b7 PART B<\/span>\r\n      <h2>Planning &amp; Preparing for Audit Engagements<\/h2>\r\n    <\/div>\r\n\r\n    <p>Audit planning has two levels: the <strong>macro plan (Annual Audit Programme)<\/strong> and plans for specific assignments. The annual programme is developed in consultation with Management, finalised by <strong>15 January<\/strong> each year, communicated to auditee units with sufficient notice, with a copy to O\/o CGA.<\/p>\r\n\r\n    <div class=\"schedule-banner\">\r\n      <span class=\"schedule-stamp\">Capacity Maths<\/span>\r\n      <h4>Planning the year \u2014 the working-days arithmetic<\/h4>\r\n      <p>Plan for about <strong>210 working days<\/strong> per auditor (after deducting weekly\/public holidays, eligible leave, travel, report preparation, follow-up and training). Keep an average of <strong>10 working days for regular audits<\/strong> and <strong>15\u201323 days for special audits<\/strong>. Given the available audit teams (1 Sr.AO\/AO, 2 AAOs, 2 Accountants), the number of units that can be audited is then derived.<\/p>\r\n    <\/div>\r\n\r\n    <div class=\"cat-grid\">\r\n      <div class=\"cat-card a\">\r\n        <div class=\"cat-label\">Step 1<\/div>\r\n        <div class=\"cat-title\">Review the Audit Universe<\/div>\r\n        <p>The audit universe is the <strong>aggregate of all auditable areas<\/strong> \u2014 defined by function\/activity, organisational unit\/division, or project\/programme. Examples: information systems, major contracts, procurement, payment, accounting. Budgetary allocations are a consideration.<\/p>\r\n      <\/div>\r\n      <div class=\"cat-card b\">\r\n        <div class=\"cat-label\">Step 2<\/div>\r\n        <div class=\"cat-title\">Risk Assessment &amp; Prioritisation<\/div>\r\n        <p>An elaborate exercise with the Ministry's executive authorities, deciding which processes\/units\/schemes to audit. Use <strong>random sampling<\/strong> for selecting among similar units (so the sample is representative); judgemental sampling may pick areas\/states\/districts.<\/p>\r\n      <\/div>\r\n      <div class=\"cat-card d\">\r\n        <div class=\"cat-label\">Step 3<\/div>\r\n        <div class=\"cat-title\">Identify High-Risk Areas<\/div>\r\n        <p>Develop the work programme from the risk rating. Early on this involves substantial judgement; the process matures once <strong>Risk Registers<\/strong> and <strong>Risk Committees<\/strong> are functional.<\/p>\r\n      <\/div>\r\n      <div class=\"cat-card c\">\r\n        <div class=\"cat-label\">Step 4<\/div>\r\n        <div class=\"cat-title\">Fold in Special Audits<\/div>\r\n        <p>Special audits are undertaken per the Ministry's Terms of Reference; the Audit Committee is informed subsequently.<\/p>\r\n      <\/div>\r\n    <\/div>\r\n\r\n    <div class=\"section-heading-block\" id=\"c4-individual\">\r\n      <span class=\"section-badge teal\">&sect;2<\/span>\r\n      <h3>Planning Individual Audits<\/h3>\r\n    <\/div>\r\n\r\n    <p>Because audit itself spends public funds, each engagement must be economical, efficient and effective. Planning an individual engagement follows a logical chain:<\/p>\r\n\r\n    <ol class=\"parts-list decimal teal\">\r\n      <li><strong>Background study &amp; research<\/strong> \u2014 understand the unit's business operations, objectives, processes, policies, environment, and any significant or recent\/proposed changes.<\/li>\r\n      <li><strong>Preliminary analysis of key controls &amp; risks<\/strong> \u2014 consider entity-wide risks identified at the institutional level; for each activity\/process\/system, identify control objectives and the key controls that mitigate the risks, then evaluate their design effectiveness.<\/li>\r\n      <li><strong>Develop engagement objectives, scope, criteria and approach<\/strong> \u2014 the objective is a broad statement, often a <em>question the auditor seeks to answer<\/em>, with a conclusion drawn for each objective. The work must yield <strong>sufficient evidence<\/strong> to meet the objectives.<\/li>\r\n      <li><strong>Finalise the audit plan<\/strong> \u2014 a detailed scope statement describing the areas\/processes\/systems covered, the time period and locations, and any areas <strong>excluded<\/strong> from scope.<\/li>\r\n    <\/ol>\r\n\r\n    <div class=\"highlight-box\">\r\n      <div class=\"hl-label\">&#128161; Good planning is half the job done<\/div>\r\n      <div class=\"hl-text\">Audit planning is often given low priority because auditors rush to get on with the job \u2014 but a good plan ensures high quality and provides evidence of <strong>due diligence<\/strong>. Note too that planning <strong>continues throughout the audit<\/strong> as additional information is gathered. The detailed Ministry manual should develop <strong>standard testing\/working methodology and checklist work-programmes<\/strong> for a few key schemes.<\/div>\r\n    <\/div>\r\n\r\n    <div class=\"chapter-heading-block\" id=\"c4-perform\">\r\n      <span class=\"chapter-badge\">CH V \u00b7 PART C<\/span>\r\n      <h2>Performing the Audit Engagement<\/h2>\r\n    <\/div>\r\n\r\n    <p>Once the programme is finalised, it is communicated to auditee units <strong>30 days before commencement<\/strong> (a questionnaire may accompany it).<\/p>\r\n\r\n    <div class=\"section-heading-block\" id=\"c4-intimation2\">\r\n      <span class=\"section-badge\">&sect;3<\/span>\r\n      <h3>Intimation &amp; Entry Conference<\/h3>\r\n    <\/div>\r\n\r\n    <p>A <strong>Commencement Letter<\/strong>, addressed to the highest individual responsible for the function\/department, is sent <strong>at least a month before<\/strong> the audit. It includes:<\/p>\r\n\r\n    <ul class=\"icon-list\">\r\n      <li><span class=\"ico\">&#127919;<\/span><span>Objective of the audit.<\/span><\/li>\r\n      <li><span class=\"ico\">&#128208;<\/span><span>Scope and the period it covers.<\/span><\/li>\r\n      <li><span class=\"ico\">&#9201;&#65039;<\/span><span>Estimated duration.<\/span><\/li>\r\n      <li><span class=\"ico\">&#128101;<\/span><span>Names of auditors \u2014 especially the <strong>Team Leader<\/strong>.<\/span><\/li>\r\n      <li><span class=\"ico\">&#128197;<\/span><span>Information on entry and exit conferences.<\/span><\/li>\r\n      <li><span class=\"ico\">&#128196;<\/span><span>Request for necessary information and documents.<\/span><\/li>\r\n    <\/ul>\r\n\r\n    <p>The engagement normally starts with an <strong>entry conference<\/strong> between the auditors and the Head of Department\/Office. Its purpose is to establish an appropriate environment: auditors communicate the proposed objectives and scope, seek to understand the organisation's objectives and risk-management practices, learn of areas of special concern, and settle logistics (a nodal officer for space, records, meetings). The conference validates information gathered during planning and gauges attitudes toward controls.<\/p>\r\n\r\n    <div class=\"callout red\">\r\n      <div class=\"callout-label\">&#9888; The surprise-audit exception<\/div>\r\n      <p>Audits with an <strong>element of surprise do not have any entry conference<\/strong>. (All meetings that do occur must be documented and minuted, forming part of the working papers.)<\/p>\r\n    <\/div>\r\n\r\n    <div class=\"callout teal\">\r\n      <div class=\"callout-label\">Operating effectiveness \u2014 what's tested<\/div>\r\n      <p>The auditor tests the <strong>operating effectiveness of the key controls<\/strong>. A control's operation is <strong>not effective<\/strong> when a properly-designed control isn't operating as designed, or the person performing it lacks the necessary authority or qualifications. Each test's results and evidence are documented on the applicable matrix, recording: the objective\/criterion the test links to; the information sources used; the means of testing; the results and analysis; and the observations\/recommendations.<\/p>\r\n    <\/div>\r\n\r\n    <div class=\"section-heading-block\" id=\"c4-evidence\">\r\n      <span class=\"section-badge amber\">&sect;4<\/span>\r\n      <h3>Audit Evidence &amp; Its Reliability<\/h3>\r\n    <\/div>\r\n\r\n    <div class=\"def-card\">\r\n      <div class=\"def-label\">Definition \u2014 Audit Evidence<\/div>\r\n      <div class=\"def-text\">\r\n        Information collected, analysed and evaluated by the auditor to support an observation. It must be <strong>sufficient, appropriate and reliable<\/strong>. <strong>Sufficiency<\/strong> is the measure of <em>quantity<\/em>; <strong>appropriateness<\/strong> refers to <em>reliability<\/em> and relevance to a particular assertion. Evidence is appropriate when it is both <strong>relevant and reliable<\/strong>.\r\n      <\/div>\r\n    <\/div>\r\n\r\n    <p>Reliability is influenced by source (internal or external) and nature (visual, documentary or oral). The manual's reliability hierarchy:<\/p>\r\n\r\n    <ul class=\"icon-list\">\r\n      <li><span class=\"ico\">&#127760;<\/span><span>Evidence from <strong>external sources<\/strong> (e.g. third-party confirmation) is more reliable than from the entity's records.<\/span><\/li>\r\n      <li><span class=\"ico\">&#128279;<\/span><span>Evidence from the entity's records is more reliable when the related <strong>accounting and internal-control systems operate effectively<\/strong>.<\/span><\/li>\r\n      <li><span class=\"ico\">&#9989;<\/span><span>Evidence obtained <strong>directly by the auditor<\/strong> is more reliable than that obtained by or from the entity.<\/span><\/li>\r\n      <li><span class=\"ico\">&#128196;<\/span><span><strong>Documents and written representations<\/strong> are more reliable than oral representations.<\/span><\/li>\r\n      <li><span class=\"ico\">&#128209;<\/span><span><strong>Original documents<\/strong> are more reliable than photocopies, telexes or facsimiles.<\/span><\/li>\r\n      <li><span class=\"ico\">&#128202;<\/span><span><strong>Large samples<\/strong> are more reliable than smaller ones; statistical samples more persuasive than non-statistical.<\/span><\/li>\r\n    <\/ul>\r\n\r\n    <div class=\"callout purple\">\r\n      <div class=\"callout-label\">When evidence is consistent \u2014 or isn't<\/div>\r\n      <p>When evidence from different sources is <strong>consistent<\/strong>, it becomes persuasive. When sources are <strong>inconsistent<\/strong>, it is the auditor's responsibility to determine and perform the <strong>additional procedures<\/strong> needed to resolve the inconsistency. Decisions on what evidence to seek and how much is sufficient require due diligence and professional judgement.<\/p>\r\n    <\/div>\r\n\r\n    <div class=\"chapter-heading-block\" id=\"c4-papers\">\r\n      <span class=\"chapter-badge\">CH V \u00b7 PART D<\/span>\r\n      <h2>Working Papers, Observations &amp; the Exit Meeting<\/h2>\r\n    <\/div>\r\n\r\n    <p>Working papers are the supporting documents for the whole engagement \u2014 they provide a complete <strong>audit trail<\/strong>, demonstrate how the audit was performed, and contain the evidence behind the Summary of Observations and the final report. They must be <strong>indexed, referenced and cross-referenced<\/strong> to the relevant observations. They sit in two files:<\/p>\r\n\r\n    <div class=\"cat-grid\">\r\n      <div class=\"cat-card a\">\r\n        <div class=\"cat-label\">File 1<\/div>\r\n        <div class=\"cat-title\">Permanent Audit File<\/div>\r\n        <p>Information relevant to current <em>and future<\/em> audits \u2014 allowing comparison of KPIs over time: (i) organisational chart; (ii) descriptions of schemes\/programs\/systems\/procedures &amp; business plans; (iii) corrective action plans; (iv) legal &amp; regulatory issues; (v) risk assessment; (vi) correspondence of continuing interest; (vii) updated audit programmes.<\/p>\r\n      <\/div>\r\n      <div class=\"cat-card b\">\r\n        <div class=\"cat-label\">File 2<\/div>\r\n        <div class=\"cat-title\">Current Audit File<\/div>\r\n        <p>Records relevant to the current audit: (i) draft &amp; final report copies; (ii) significant findings &amp; how resolved; (iii) planning documentation; (iv) administration\/correspondence; (v) follow-up of previous reports; (vi) updated programmes; (vii) supporting documentation; (viii) minutes of entry &amp; exit meetings.<\/p>\r\n      <\/div>\r\n    <\/div>\r\n\r\n    <div class=\"def-card\">\r\n      <div class=\"def-label\">How an audit observation is born<\/div>\r\n      <div class=\"def-text\">\r\n        An observation emerges by comparing <strong>\"what should exist\"<\/strong> (the audit criteria) with <strong>\"what exists\"<\/strong> (the audit evidence). When they differ, the auditor assesses the <strong>effect, impact and cause<\/strong> of the variance and documents it. The <strong>accumulation of observations<\/strong> provides the foundation for the engagement's conclusions, recommendations and report.\r\n      <\/div>\r\n    <\/div>\r\n\r\n    <div class=\"callout\">\r\n      <div class=\"callout-label\">The Exit Meeting<\/div>\r\n      <p>The supervisor reviews all working papers and supporting evidence, then prepares a <strong>draft report<\/strong> flagging control-design\/implementation weaknesses, non-compliance, and transactions short of <strong>standards of propriety<\/strong>. The draft goes to the Head of Department for the Department's views. A formal <strong>exit meeting<\/strong> with key officials discusses the draft, obtains views and additional facts, and records disagreements with reasons. If the entity won't or can't comment in reasonable time, the report may issue noting the absence of comments. Ideally, the exit meeting turns the draft into an <strong>agreed document<\/strong>. The meeting is minuted; a copy goes to the Department.<\/p>\r\n    <\/div>\r\n\r\n    <div class=\"chapter-heading-block\" id=\"c4-report\">\r\n      <span class=\"chapter-badge\">CH V \u00b7 PART E<\/span>\r\n      <h2>Reporting &amp; the 5-C Framework<\/h2>\r\n    <\/div>\r\n\r\n    <p>Audit reports are the end products. They must be <strong>accurate, objective, clear, concise and complete<\/strong> and issued timely (normally <strong>within a fortnight<\/strong> of completing the engagement). Satisfactory performance of the auditee should also be acknowledged. Key formal requirements:<\/p>\r\n\r\n    <ul class=\"icon-list\">\r\n      <li><span class=\"ico\">&#128209;<\/span><span>Cover page legend: <em>\"Internal Audit Report of ___ for the period ___\"<\/em>, plus the date of issue.<\/span><\/li>\r\n      <li><span class=\"ico\">&#9878;&#65039;<\/span><span>States the <strong>responsibility split<\/strong>: management owns internal controls &amp; financial statements; the auditor's job is to <strong>express an opinion on the efficiency of internal controls<\/strong> in achieving management objectives.<\/span><\/li>\r\n      <li><span class=\"ico\">&#9989;<\/span><span>Approved by competent authority, signed by the designated authority, addressed per the Internal Audit Charter.<\/span><\/li>\r\n      <li><span class=\"ico\">&#128202;<\/span><span>Carries an <strong>Executive Summary<\/strong> \u2014 objectives, scope, summary of observations, highlighting those needing immediate senior-management action.<\/span><\/li>\r\n      <li><span class=\"ico\">&#128221;<\/span><span>Issued in the format prescribed by O\/o CGA (Annexure II); fact-based, free of personal criticism, constructively worded.<\/span><\/li>\r\n    <\/ul>\r\n\r\n    <p>Every observation is developed with the <strong>5-C framework<\/strong> \u2014 a logical chain from what was expected, through what happened, to what should be done:<\/p>\r\n\r\n    <ol class=\"parts-list decimal teal\">\r\n      <li><strong>Criteria \u2014 \"What should exist?\"<\/strong> The benchmarks or expectations against which audit evidence is compared (policy, norm, SOP).<\/li>\r\n      <li><strong>Condition \u2014 \"What exists?\"<\/strong> The factual evidence found; identifies the nature and extent of the observation \u2014 the result of comparing actual evidence with criteria.<\/li>\r\n      <li><strong>Consequence \/ Effect \/ Impact \u2014 \"What effect did it have?\"<\/strong> The risk or exposure from the gap between criteria and condition; often quantitative. The effect must be serious enough to justify the cost of correction.<\/li>\r\n      <li><strong>Cause \u2014 \"Why did it happen?\"<\/strong> The likely reason for the gap. Similar causes across observations may reveal an underlying theme; identifying the cause is a <strong>prerequisite to a meaningful recommendation<\/strong>.<\/li>\r\n      <li><strong>Corrective Action \/ Recommendation \u2014 \"What should be done?\"<\/strong> Actions to correct and prevent recurrence \u2014 within the client's scope, addressing the cause not the symptoms, and at least intuitively viable.<\/li>\r\n    <\/ol>\r\n\r\n    <div class=\"highlight-box\">\r\n      <div class=\"hl-label\">&#11088; Memory hook for the 5 C's<\/div>\r\n      <div class=\"hl-text\"><strong>Criteria<\/strong> (should) &rarr; <strong>Condition<\/strong> (is) &rarr; <strong>Consequence<\/strong> (so what) &rarr; <strong>Cause<\/strong> (why) &rarr; <strong>Corrective action<\/strong> (fix). Two states, an impact, a reason, a remedy.<\/div>\r\n    <\/div>\r\n\r\n    <div class=\"section-heading-block\" id=\"c4-risk2\">\r\n      <span class=\"section-badge amber\">&sect;5<\/span>\r\n      <h3>Grouping Findings by Risk Severity<\/h3>\r\n    <\/div>\r\n\r\n    <div class=\"cat-grid three\">\r\n      <div class=\"cat-card d\">\r\n        <div class=\"cat-label\">High Risk<\/div>\r\n        <div class=\"cat-title\">Major Negative Impact<\/div>\r\n        <p>Absence of <strong>immediate<\/strong> corrective action may have a <strong>major negative impact<\/strong> on achievement of objectives.<\/p>\r\n      <\/div>\r\n      <div class=\"cat-card c\">\r\n        <div class=\"cat-label\">Medium Risk<\/div>\r\n        <div class=\"cat-title\">Significant Consequences<\/div>\r\n        <p>Failure to take action could result in <strong>significant consequences<\/strong>.<\/p>\r\n      <\/div>\r\n      <div class=\"cat-card b\">\r\n        <div class=\"cat-label\">Low Risk<\/div>\r\n        <div class=\"cat-title\">Efficiency Gains<\/div>\r\n        <p>Suggested action would bring <strong>greater efficiency or enhanced controls<\/strong> at minimal additional cost.<\/p>\r\n      <\/div>\r\n    <\/div>\r\n\r\n    <div class=\"section-heading-block\" id=\"c4-followup\">\r\n      <span class=\"section-badge red\">&sect;6<\/span>\r\n      <h3>Follow-up Action<\/h3>\r\n    <\/div>\r\n\r\n    <p>The <strong>true achievement of an audit is reflected in implementation<\/strong> of its recommendations and an improved control system \u2014 this phase must not be underestimated. There must be a <strong>defined time-frame for Action Taken Reports (ATRs)<\/strong>. The IAW examines ATRs and offers comments to the administrative division; monitoring of audit paras also aims to <strong>resolve old paras<\/strong>, watched closely by the Pr.CCA\/CCA\/CA.<\/p>\r\n\r\n    <div class=\"callout red\">\r\n      <div class=\"callout-label\">&#9888; Escalation of unresolved issues<\/div>\r\n      <p>Issues that could <strong>not be resolved within six months<\/strong> through communication with the administrative division \/ audit client are <strong>reported to the Audit Committee<\/strong>, whose Chairman issues further directions.<\/p>\r\n    <\/div>\r\n\r\n    <div class=\"recap\" id=\"c4-recap\">\r\n      <div class=\"recap-title\">&#9889; Chapter V \u2014 Quick Recap<\/div>\r\n      <table>\r\n        <thead><tr><th>Concept<\/th><th>Key Fact<\/th><\/tr><\/thead>\r\n        <tbody>\r\n          <tr><td>Five phases<\/td><td>Plan \u00b7 Prepare \u00b7 Perform \u00b7 Report \u00b7 Follow-up<\/td><\/tr>\r\n          <tr><td>Compressed into<\/td><td>Planning \u00b7 Execution \u00b7 Reporting<\/td><\/tr>\r\n          <tr><td>Typical assignment<\/td><td>7 steps (scope &rarr; understand &rarr; risks &rarr; controls &rarr; test &rarr; report &rarr; follow-up)<\/td><\/tr>\r\n          <tr><td>Annual Programme due<\/td><td>15 January; copy to O\/o CGA<\/td><\/tr>\r\n          <tr><td>Capacity planning<\/td><td><strong>210 working days<\/strong>\/auditor; 10 days regular, 15\u201323 special<\/td><\/tr>\r\n          <tr><td>Programme communicated<\/td><td><strong>30 days<\/strong> before commencement<\/td><\/tr>\r\n          <tr><td>Commencement Letter<\/td><td>Sent <strong>\u2265 1 month before<\/strong> the audit<\/td><\/tr>\r\n          <tr><td>Surprise audits<\/td><td><strong>No entry conference<\/strong><\/td><\/tr>\r\n          <tr><td>Evidence must be<\/td><td>Sufficient (quantity) \u00b7 appropriate (reliable + relevant)<\/td><\/tr>\r\n          <tr><td>Most reliable evidence<\/td><td>External \u00b7 auditor-obtained \u00b7 documentary \u00b7 originals \u00b7 large samples<\/td><\/tr>\r\n          <tr><td>Two working-paper files<\/td><td>Permanent &amp; Current<\/td><\/tr>\r\n          <tr><td>Observation =<\/td><td>\"Should exist\" vs \"exists\" + effect, impact, cause<\/td><\/tr>\r\n          <tr><td>Report qualities<\/td><td>Accurate \u00b7 Objective \u00b7 Clear \u00b7 Concise \u00b7 Complete<\/td><\/tr>\r\n          <tr><td>Report timeline<\/td><td>Within a <strong>fortnight<\/strong> of completion<\/td><\/tr>\r\n          <tr><td>Responsibility split<\/td><td>Management owns controls; auditor opines on efficiency<\/td><\/tr>\r\n          <tr><td>The 5 C's<\/td><td>Criteria \u00b7 Condition \u00b7 Consequence \u00b7 Cause \u00b7 Corrective action<\/td><\/tr>\r\n          <tr><td>Risk grouping<\/td><td>High \u00b7 Medium \u00b7 Low<\/td><\/tr>\r\n          <tr><td>ATR escalation window<\/td><td>Unresolved in <strong>6 months<\/strong> &rarr; Audit Committee<\/td><\/tr>\r\n        <\/tbody>\r\n      <\/table>\r\n    <\/div>\r\n\r\n    <\/section><!-- \/pane-ch4 -->\r\n\r\n    <!-- \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 CHAPTER VI \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 -->\r\n    <section class=\"chapter-pane\" id=\"pane-ch5\" data-chapter=\"5\">\r\n\r\n    <div class=\"chapter-heading-block\" id=\"c5-qa\">\r\n      <span class=\"chapter-badge\">CH VI \u00b7 PART A<\/span>\r\n      <h2>Quality Assurance in Internal Audit<\/h2>\r\n    <\/div>\r\n\r\n    <div class=\"def-card\">\r\n      <div class=\"def-label\">What this chapter does<\/div>\r\n      <div class=\"def-text\">\r\n        Since audit engagements spend public money, they must be conducted with economy, efficiency and effectiveness. A <strong>Quality Assurance and Improvement Programme<\/strong> supports internal audits that consistently add value, and provides assurance that the activity <strong>conforms to prescribed guidance<\/strong>. Understanding the expectations of senior management and the Audit Committee is a key step in building the performance-measurement process.\r\n      <\/div>\r\n    <\/div>\r\n\r\n    <div class=\"callout teal\">\r\n      <div class=\"callout-label\">Benefits of a quality assurance programme<\/div>\r\n      <p>Consistent application of processes; standardisation and completeness of documentation; adequate linkage of recommendations to working papers; enhanced credibility. It increases the effectiveness of the supervisory function \u2014 and thereby the reliability of reports.<\/p>\r\n    <\/div>\r\n\r\n    <div class=\"section-heading-block\" id=\"c5-hierarchy\">\r\n      <span class=\"section-badge\">&sect;1<\/span>\r\n      <h3>Hierarchy of Quality Assurance Elements<\/h3>\r\n    <\/div>\r\n\r\n    <p>Quality assurance operates at four levels, each with its own control objective, the party responsible, and the level that receives assurance:<\/p>\r\n\r\n    <table class=\"compare-table\">\r\n      <thead><tr><th>Element<\/th><th>Control objective<\/th><th>Responsible party<\/th><th>Assurance to<\/th><\/tr><\/thead>\r\n      <tbody>\r\n        <tr><td class=\"label-cell\">Professionalism (Due Care)<\/td><td>Individual auditor's work<\/td><td>Individual auditor<\/td><td>Individual<\/td><\/tr>\r\n        <tr><td class=\"label-cell\">Supervisory Review<\/td><td>The engagement<\/td><td>Supervisor within line of responsibility<\/td><td>Audit function management<\/td><\/tr>\r\n        <tr><td class=\"label-cell\">Internal Review<\/td><td>Aggregate of engagements \/ divisional offices<\/td><td>Supervisor or peer outside line of responsibility<\/td><td>Chief Audit Executive<\/td><\/tr>\r\n        <tr><td class=\"label-cell\">External Review<\/td><td>Audit function as a whole<\/td><td>Qualified persons from outside the organisation<\/td><td>Audit Committee &amp; senior management<\/td><\/tr>\r\n      <\/tbody>\r\n    <\/table>\r\n\r\n    <div class=\"cat-grid three\">\r\n      <div class=\"cat-card a\">\r\n        <div class=\"cat-label\">By the CAE<\/div>\r\n        <div class=\"cat-title\">Self-Assessment<\/div>\r\n        <p>The responsibility of the Chief Audit Executive.<\/p>\r\n      <\/div>\r\n      <div class=\"cat-card b\">\r\n        <div class=\"cat-label\">By other Ministries<\/div>\r\n        <div class=\"cat-title\">Peer Review<\/div>\r\n        <p>Conducted by members of IAWs of <strong>other<\/strong> Ministries\/Departments.<\/p>\r\n      <\/div>\r\n      <div class=\"cat-card e\">\r\n        <div class=\"cat-label\">By O\/o CGA<\/div>\r\n        <div class=\"cat-title\">External Review<\/div>\r\n        <p>Examines the audit plan, working papers, related report and follow-up \u2014 before or after reports are finalised. Deficiencies must be rectified in a time-bound manner.<\/p>\r\n      <\/div>\r\n    <\/div>\r\n\r\n    <div class=\"section-heading-block\" id=\"c5-measure\">\r\n      <span class=\"section-badge amber\">&sect;2<\/span>\r\n      <h3>Measuring the Performance of Internal Audit<\/h3>\r\n    <\/div>\r\n\r\n    <p>Performance can be evaluated on several key areas (a <strong>balanced scorecard<\/strong> approach helps, supplemented by customer surveys to managers after each engagement and an annual survey to the Audit Committee):<\/p>\r\n\r\n    <div class=\"cat-grid\">\r\n      <div class=\"cat-card a\">\r\n        <div class=\"cat-label\">Metric 1<\/div>\r\n        <div class=\"cat-title\">Plan Completion<\/div>\r\n        <p>The degree to which the annual plan of engagements is completed.<\/p>\r\n      <\/div>\r\n      <div class=\"cat-card b\">\r\n        <div class=\"cat-label\">Metric 2<\/div>\r\n        <div class=\"cat-title\">Report Issuance<\/div>\r\n        <p>Time elapsed from completion of testing to issuance of the final report.<\/p>\r\n      <\/div>\r\n      <div class=\"cat-card c\">\r\n        <div class=\"cat-label\">Metric 3<\/div>\r\n        <div class=\"cat-title\">Issue Closure<\/div>\r\n        <p>Audit findings acted upon and resolved.<\/p>\r\n      <\/div>\r\n      <div class=\"cat-card d\">\r\n        <div class=\"cat-label\">Metric 4<\/div>\r\n        <div class=\"cat-title\">Staff Qualifications<\/div>\r\n        <p>% of staff with professional certifications, graduate degrees, and years of experience.<\/p>\r\n      <\/div>\r\n      <div class=\"cat-card a\">\r\n        <div class=\"cat-label\">Metric 5<\/div>\r\n        <div class=\"cat-title\">Staff Utilisation Rate<\/div>\r\n        <p>% of time spent on engagements vs administrative time (training, vacation).<\/p>\r\n      <\/div>\r\n      <div class=\"cat-card e\">\r\n        <div class=\"cat-label\">Metric 6<\/div>\r\n        <div class=\"cat-title\">Staffing Level<\/div>\r\n        <p>Positions filled vs authorised. May use rotational\/\"guest\" auditors or \"co-sourcing\" of contract auditors.<\/p>\r\n      <\/div>\r\n    <\/div>\r\n\r\n    <div class=\"chapter-heading-block\" id=\"c5-hr\">\r\n      <span class=\"chapter-badge\">CH VI \u00b7 PART B<\/span>\r\n      <h2>Human Resources, Training &amp; Staffing Norms<\/h2>\r\n    <\/div>\r\n\r\n    <div class=\"highlight-box\">\r\n      <div class=\"hl-label\">&#128221; Why HR is critical<\/div>\r\n      <div class=\"hl-text\">Staffing level, staff qualifications and staff utilisation rates are <strong>critical performance parameters<\/strong>. The success of any plan is ultimately determined by the quality of personnel executing it. Each Department must have a <strong>dedicated IAW<\/strong> staffed by auditors and supervisors (Group A, B &amp; C officials) in adequate numbers, assessed rationally and scientifically.<\/div>\r\n    <\/div>\r\n\r\n    <p>Eight parameters drive the staffing requirement of an IAW (worked out into man-days against available working days \u2014 Annexure III):<\/p>\r\n\r\n    <ol class=\"parts-list roman amber\">\r\n      <li>Number of audit units.<\/li>\r\n      <li>Number of employees in each audit unit.<\/li>\r\n      <li>Budget of each audit unit.<\/li>\r\n      <li>Inherent risks in the functioning of each audit unit.<\/li>\r\n      <li>Time required to complete an engagement (including travel).<\/li>\r\n      <li>Time required for report writing.<\/li>\r\n      <li>Time reserved for training and continuous professional education.<\/li>\r\n      <li>Period that may be spent on leave etc.<\/li>\r\n    <\/ol>\r\n\r\n    <div class=\"callout\">\r\n      <div class=\"callout-label\">Hiring specialist consultants<\/div>\r\n      <p>With increasing complexity, internal audit may lack specialised knowledge. The CAE should have authority and resources to <strong>hire individuals and firms<\/strong> with the requisite skills (as the C&amp;AG does), assessing their <strong>competency, independence and objectivity<\/strong> (experience, education, training, professional membership). Consultants work under the CAE's overall control, and <strong>responsibility for quality and timely delivery lies only with the CAE<\/strong>.<\/p>\r\n    <\/div>\r\n\r\n    <div class=\"callout teal\">\r\n      <div class=\"callout-label\">Training focus &amp; professional certification<\/div>\r\n      <p>Training modules should cover risk assessment, designing the risk matrix, mapping risks with controls, evaluating internal controls, field work and testing plans, and auditing in a computerised environment (CAATs). Report-writing is a priority area. Auditors should acquire certifications from bodies like <strong>IIA, ISACA<\/strong>, with the CAE reimbursing fees and study material.<\/p>\r\n    <\/div>\r\n\r\n    <div class=\"callout purple\">\r\n      <div class=\"callout-label\">Developing &amp; retaining quality auditors<\/div>\r\n      <p>Effective methods: challenging, varied assignments; quality supervision; staff participation across audit phases; opportunities to lead (starting with structured engagements); participation on improvement task forces; rotation through teams\/audits; and involvement in annual risk-assessment.<\/p>\r\n    <\/div>\r\n\r\n    <div class=\"section-heading-block\" id=\"c5-ethics\">\r\n      <span class=\"section-badge purple\">&sect;3<\/span>\r\n      <h3>The Code of Ethics \u2014 Four Principles<\/h3>\r\n    <\/div>\r\n\r\n    <div class=\"cat-grid four\">\r\n      <div class=\"cat-card a\">\r\n        <div class=\"cat-label\">Principle 1<\/div>\r\n        <div class=\"cat-title\">Integrity<\/div>\r\n        <p>Establishes trust; the reason an auditor's judgement is relied on. Perform with honesty, diligence and responsibility, in conformity with law; no party to illegal acts.<\/p>\r\n      <\/div>\r\n      <div class=\"cat-card b\">\r\n        <div class=\"cat-label\">Principle 2<\/div>\r\n        <div class=\"cat-title\">Objectivity<\/div>\r\n        <p>Impartial and transparent. No activity\/relationship that adversely affects balanced assessment; accept nothing that may influence professional judgement.<\/p>\r\n      <\/div>\r\n      <div class=\"cat-card c\">\r\n        <div class=\"cat-label\">Principle 3<\/div>\r\n        <div class=\"cat-title\">Confidentiality<\/div>\r\n        <p>Respect the value and ownership of information; don't disclose without proper authority unless legally\/professionally obliged.<\/p>\r\n      <\/div>\r\n      <div class=\"cat-card e\">\r\n        <div class=\"cat-label\">Principle 4<\/div>\r\n        <div class=\"cat-title\">Competency<\/div>\r\n        <p>Engage only in services for which one has the knowledge, skills and experience; continuously improve proficiency and quality.<\/p>\r\n      <\/div>\r\n    <\/div>\r\n\r\n    <div class=\"callout amber\">\r\n      <div class=\"callout-label\">Interface with Statutory Audit<\/div>\r\n      <p>Internal and statutory audit should develop <strong>synergy<\/strong> and complement each other. The Audit Committee reviews statutory audit observations too. To track settlement of objections in <strong>Test Audit Notes<\/strong> issued by statutory officers, the IAW maintains a <strong>DDO-wise count<\/strong> of outstanding objections and monitors progress. Both audits' observations guide the risk-assessment and work-programme.<\/p>\r\n    <\/div>\r\n\r\n    <div class=\"recap\" id=\"c5-recap\">\r\n      <div class=\"recap-title\">&#9889; Chapter VI \u2014 Quick Recap<\/div>\r\n      <table>\r\n        <thead><tr><th>Concept<\/th><th>Key Fact<\/th><\/tr><\/thead>\r\n        <tbody>\r\n          <tr><td>QAIP purpose<\/td><td>Value-adding audits + assurance of <strong>conformance to guidance<\/strong><\/td><\/tr>\r\n          <tr><td>4 QA hierarchy levels<\/td><td>Professionalism \u00b7 Supervisory \u00b7 Internal \u00b7 External review<\/td><\/tr>\r\n          <tr><td>Self-assessment by<\/td><td>The <strong>CAE<\/strong><\/td><\/tr>\r\n          <tr><td>Peer review by<\/td><td>IAWs of <strong>other<\/strong> Ministries<\/td><\/tr>\r\n          <tr><td>External review by<\/td><td><strong>O\/o CGA<\/strong><\/td><\/tr>\r\n          <tr><td>6 performance metrics<\/td><td>Plan completion \u00b7 report issuance \u00b7 issue closure \u00b7 staff qualifications \u00b7 utilisation \u00b7 staffing level<\/td><\/tr>\r\n          <tr><td>Measurement approach<\/td><td>Balanced scorecard + customer surveys<\/td><\/tr>\r\n          <tr><td>8 staffing parameters<\/td><td>Units \u00b7 employees \u00b7 budget \u00b7 risk \u00b7 audit time \u00b7 report time \u00b7 training \u00b7 leave<\/td><\/tr>\r\n          <tr><td>Consultant responsibility<\/td><td>Lies <strong>only with the CAE<\/strong><\/td><\/tr>\r\n          <tr><td>4 Code of Ethics principles<\/td><td>Integrity \u00b7 Objectivity \u00b7 Confidentiality \u00b7 Competency<\/td><\/tr>\r\n          <tr><td>Statutory-audit tracking<\/td><td>DDO-wise count of Test Audit Note objections<\/td><\/tr>\r\n        <\/tbody>\r\n      <\/table>\r\n    <\/div>\r\n\r\n    <\/section><!-- \/pane-ch5 -->\r\n\r\n    <!-- \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 REFERENCE \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 -->\r\n    <section class=\"chapter-pane\" id=\"pane-ch6\" data-chapter=\"6\">\r\n\r\n    <div class=\"chapter-heading-block\" id=\"c6-annexures\">\r\n      <span class=\"chapter-badge\">REF \u00b7 PART A<\/span>\r\n      <h2>Glossary, Annexures &amp; Report-Writing Tips<\/h2>\r\n    <\/div>\r\n\r\n    <div class=\"def-card\">\r\n      <div class=\"def-label\">Why this reference matters<\/div>\r\n      <div class=\"def-text\">\r\n        The manual closes with a <strong>Glossary<\/strong>, three <strong>Annexures<\/strong> (formats and norms), and a memorable box on report-writing. These supply the formats a Ministry adapts and the exam-relevant specifics (deadlines, thresholds, irregularity categories) that don't fit neatly into the chapters.\r\n      <\/div>\r\n    <\/div>\r\n\r\n    <div class=\"section-heading-block\" id=\"c6-annexures2\">\r\n      <span class=\"section-badge teal\">&sect;1<\/span>\r\n      <h3>The Three Annexures<\/h3>\r\n    <\/div>\r\n\r\n    <div class=\"cat-grid three\">\r\n      <div class=\"cat-card a\">\r\n        <span class=\"cat-badge\">I<\/span>\r\n        <div class=\"cat-label\">Reporting format<\/div>\r\n        <div class=\"cat-title\">Annual Review Format for IAW<\/div>\r\n        <p>Format for the wing's Annual Review, submitted to O\/o CGA by <strong>31 May<\/strong>. Built around four chapters: Executive Summary, Consolidated report of findings, Important findings (quantified), and Annexures.<\/p>\r\n      <\/div>\r\n      <div class=\"cat-card b\">\r\n        <span class=\"cat-badge\">II<\/span>\r\n        <div class=\"cat-label\">Report template<\/div>\r\n        <div class=\"cat-title\">Internal Audit Report Template<\/div>\r\n        <p>The prescribed report format \u2014 carries the legend <em>\"Internal Audit Report of ___ for the period ___,\"<\/em> the IAR number, and the responsibility split.<\/p>\r\n      <\/div>\r\n      <div class=\"cat-card c\">\r\n        <span class=\"cat-badge\">III<\/span>\r\n        <div class=\"cat-label\">Staffing norms<\/div>\r\n        <div class=\"cat-title\">Norms for Staff Requirement<\/div>\r\n        <p>The basis for assessing IAW staff requirement \u2014 auditee units by periodicity (annual \/ biennial \/ triennial), audit man-days required vs available working days in the year.<\/p>\r\n      <\/div>\r\n    <\/div>\r\n\r\n    <div class=\"highlight-box\">\r\n      <div class=\"hl-label\">&#11088; The Rs. 25 lakh grant-audit threshold<\/div>\r\n      <div class=\"hl-text\">Per the correction slip to para 12.2.1 of the Civil Accounts Manual, the <strong>audit of institutions receiving less than Rs. 25 lakhs by way of grant<\/strong> is taken up by the Internal Audit Wing of the respective Ministry. Also note the reporting threshold: only irregularities of <strong>not less than Rs. One lakh<\/strong> in individual cases are highlighted in the Annual Review, and abbreviations must not be used.<\/div>\r\n    <\/div>\r\n\r\n    <div class=\"section-heading-block\" id=\"c6-review\">\r\n      <span class=\"section-badge amber\">&sect;2<\/span>\r\n      <h3>Annual Review \u2014 The Ten Categories of Irregularities<\/h3>\r\n    <\/div>\r\n\r\n    <p>The Annual Review highlights important irregularities (each \u2265 Rs. 1 lakh) under ten distinct headings \u2014 a useful checklist of what internal audit looks for:<\/p>\r\n\r\n    <ol class=\"parts-list decimal amber\">\r\n      <li>Non-recovery of Government dues (from Central\/State Govt., Govt. bodies, private parties).<\/li>\r\n      <li>Overpayments.<\/li>\r\n      <li>Idle machinery \/ surplus stores.<\/li>\r\n      <li>Loss \/ infructuous expenditure.<\/li>\r\n      <li>Irregular expenditure.<\/li>\r\n      <li>Irregular purchase.<\/li>\r\n      <li>Non-adjustment of advances (Contingency, TA, LTC advances).<\/li>\r\n      <li>Blocking of Government money.<\/li>\r\n      <li>Non-accountal of costly stores \/ Government money.<\/li>\r\n      <li>Any other item of special nature.<\/li>\r\n    <\/ol>\r\n\r\n    <div class=\"chapter-heading-block\" id=\"c6-tips\">\r\n      <span class=\"chapter-badge\">REF \u00b7 PART B<\/span>\r\n      <h2>Ten Things Not to Say in an Audit Report<\/h2>\r\n    <\/div>\r\n\r\n    <p>A memorable box (by Richard Chambers of the IIA) on report-writing craft \u2014 worth internalising for the principle that reports must drive action, not impress:<\/p>\r\n\r\n    <div class=\"cat-grid\">\r\n      <div class=\"cat-card a\">\r\n        <div class=\"cat-label\">1 &amp; 2<\/div>\r\n        <div class=\"cat-title\">No \"consider\"; no weasel words<\/div>\r\n        <p>Don't say \"management should <em>consider<\/em>\u2026\" \u2014 offer solid, specific recommendations. Avoid hedges like \"it seems that\" or \"there appears to be.\"<\/p>\r\n      <\/div>\r\n      <div class=\"cat-card b\">\r\n        <div class=\"cat-label\">3 &amp; 4<\/div>\r\n        <div class=\"cat-title\">Sparing intensifiers; rarely universal<\/div>\r\n        <p>\"Clearly,\" \"very,\" \"significant\" are non-specific weaseling \u2014 numbers tell the story. Beware \"always\"\/\"never\"; the problem is rarely universal.<\/p>\r\n      <\/div>\r\n      <div class=\"cat-card c\">\r\n        <div class=\"cat-label\">5 &amp; 6<\/div>\r\n        <div class=\"cat-title\">No blame game; no \"failed\"<\/div>\r\n        <p>Aim for positive change, not blame \u2014 get to root cause. State the condition without \"management failed,\" which annoys those you need to act.<\/p>\r\n      <\/div>\r\n      <div class=\"cat-card e\">\r\n        <div class=\"cat-label\">7 &amp; 8<\/div>\r\n        <div class=\"cat-title\">\"Auditee\" is old-school; no jargon<\/div>\r\n        <p>Use \"audit client\"\/\"customer\" \u2014 audit is collaborative. Avoid audit-speak that loses readers.<\/p>\r\n      <\/div>\r\n      <div class=\"cat-card d\">\r\n        <div class=\"cat-label\">9 &amp; 10<\/div>\r\n        <div class=\"cat-title\">Don't grab credit; rewrite if \"impressive\"<\/div>\r\n        <p>Avoid \"we found\" (it reads like throwing management under the bus). If it sounds pompous, rewrite \u2014 use the <strong>\"fifth-grader test.\"<\/strong><\/p>\r\n      <\/div>\r\n    <\/div>\r\n\r\n    <div class=\"section-heading-block\" id=\"c6-glossary\">\r\n      <span class=\"section-badge purple\">&sect;3<\/span>\r\n      <h3>Glossary \u2014 Quick Reference<\/h3>\r\n    <\/div>\r\n\r\n    <table class=\"compare-table\">\r\n      <thead><tr><th style=\"width:24%;\">Term<\/th><th>Meaning<\/th><\/tr><\/thead>\r\n      <tbody>\r\n        <tr><td class=\"label-cell\">Add Value<\/td><td>Facilitate achievement of objectives by identifying areas and recommending measures to reduce risk and\/or improve operations.<\/td><\/tr>\r\n        <tr><td class=\"label-cell\">Audit Observation<\/td><td>Any identified and validated gap between the current and desired state arising from an engagement.<\/td><\/tr>\r\n        <tr><td class=\"label-cell\">Auditee \/ Audit Client<\/td><td>The Government Ministry\/Department\/Unit that is the subject of an engagement.<\/td><\/tr>\r\n        <tr><td class=\"label-cell\">Criteria<\/td><td>The standards or measures used in evaluation \u2014 <em>what should exist<\/em>.<\/td><\/tr>\r\n        <tr><td class=\"label-cell\">Condition<\/td><td>The factual evidence the auditor found \u2014 <em>what does exist<\/em>.<\/td><\/tr>\r\n        <tr><td class=\"label-cell\">Cause<\/td><td>The reason(s) for the difference between expected and actual conditions.<\/td><\/tr>\r\n        <tr><td class=\"label-cell\">Effect \/ Consequence<\/td><td>The risk or exposure arising from the variance between condition and criteria.<\/td><\/tr>\r\n        <tr><td class=\"label-cell\">Control Environment<\/td><td>Provides the discipline and structure \u2014 integrity\/ethics, management philosophy, structure, authority assignment, HR practices, competence.<\/td><\/tr>\r\n        <tr><td class=\"label-cell\">Residual Risk<\/td><td>The portion of inherent risk remaining after management executes its risk-management process.<\/td><\/tr>\r\n        <tr><td class=\"label-cell\">Risk Response (Mitigation)<\/td><td>Action to achieve a desired risk strategy \u2014 avoidance, reduction, sharing or acceptance.<\/td><\/tr>\r\n        <tr><td class=\"label-cell\">Reasonable Assurance<\/td><td>A level of assurance supported by generally accepted auditing procedure and judgement.<\/td><\/tr>\r\n        <tr><td class=\"label-cell\">Governance<\/td><td>The rules, procedures and processes that authorise, direct and oversee management to ensure objectives are achieved.<\/td><\/tr>\r\n        <tr><td class=\"label-cell\">Engagement Work Program<\/td><td>A document listing the procedures to be followed during an engagement.<\/td><\/tr>\r\n        <tr><td class=\"label-cell\">Conflict of Interest<\/td><td>Any relationship that may prejudice an individual's ability to perform duties objectively.<\/td><\/tr>\r\n      <\/tbody>\r\n    <\/table>\r\n\r\n    <div class=\"recap\" id=\"c6-recap\">\r\n      <div class=\"recap-title\">&#9889; Reference \u2014 Quick Recap<\/div>\r\n      <table>\r\n        <thead><tr><th>Concept<\/th><th>Key Fact<\/th><\/tr><\/thead>\r\n        <tbody>\r\n          <tr><td>Annexure I<\/td><td>Annual Review Format (due <strong>31 May<\/strong>)<\/td><\/tr>\r\n          <tr><td>Annexure II<\/td><td>Internal Audit Report Template (O\/o CGA format)<\/td><\/tr>\r\n          <tr><td>Annexure III<\/td><td>Norms for staff requirement (annual\/biennial\/triennial)<\/td><\/tr>\r\n          <tr><td>Grant-audit threshold<\/td><td>IAW audits institutions getting <strong>&lt; Rs. 25 lakh<\/strong> in grant (CAM 12.2.1)<\/td><\/tr>\r\n          <tr><td>Irregularity reporting floor<\/td><td>\u2265 <strong>Rs. 1 lakh<\/strong> per case; no abbreviations<\/td><\/tr>\r\n          <tr><td>10 irregularity categories<\/td><td>Non-recovery \u00b7 overpayment \u00b7 idle machinery \u00b7 loss \u00b7 irregular expenditure \u00b7 irregular purchase \u00b7 advances \u00b7 blocked money \u00b7 non-accountal \u00b7 other<\/td><\/tr>\r\n          <tr><td>Report-writing test<\/td><td>The <strong>\"fifth-grader test\"<\/strong><\/td><\/tr>\r\n          <tr><td>Criteria vs Condition<\/td><td>\"What should exist\" vs \"what does exist\"<\/td><\/tr>\r\n          <tr><td>Residual risk<\/td><td>Inherent risk left after the risk-management process<\/td><\/tr>\r\n        <\/tbody>\r\n      <\/table>\r\n    <\/div>\r\n\r\n    <\/section><!-- \/pane-ch6 -->\r\n\r\n  <\/main>\r\n<\/div>\r\n\r\n<script>\r\n  \/\/ \u2500\u2500 Chapter tab switching \u2500\u2500\r\n  document.addEventListener('click', function (e) {\r\n    const header = e.target.closest('.toc-chapter-header');\r\n    if (header) {\r\n      const chapterEl = header.parentElement;\r\n      const chNum = chapterEl.getAttribute('data-chapter');\r\n      switchChapter(chNum);\r\n      setTimeout(function () {\r\n        document.querySelectorAll('.toc-chapter').forEach(function (other) {\r\n          if (other !== chapterEl) other.removeAttribute('open');\r\n        });\r\n      }, 0);\r\n      return;\r\n    }\r\n\r\n    const subLink = e.target.closest('.toc-sub-list a');\r\n    if (subLink) {\r\n      const chapterEl = subLink.closest('.toc-chapter');\r\n      const chNum = chapterEl.getAttribute('data-chapter');\r\n      switchChapter(chNum);\r\n      document.querySelectorAll('.toc-chapter').forEach(function (other) {\r\n        if (other !== chapterEl) other.removeAttribute('open');\r\n      });\r\n      document.querySelectorAll('.toc-sub-list a').forEach(function (a) { a.classList.remove('active'); });\r\n      subLink.classList.add('active');\r\n      const href = subLink.getAttribute('href');\r\n      if (href && href.startsWith('#')) {\r\n        e.preventDefault();\r\n        setTimeout(function () {\r\n          const target = document.querySelector(href);\r\n          if (target) target.scrollIntoView({ behavior: 'smooth', block: 'start' });\r\n        }, 60);\r\n      }\r\n      return;\r\n    }\r\n  });\r\n\r\n  function switchChapter (n) {\r\n    document.querySelectorAll('.chapter-pane').forEach(function (pane) {\r\n      if (pane.getAttribute('data-chapter') === n) {\r\n        pane.classList.add('active');\r\n      } else {\r\n        pane.classList.remove('active');\r\n      }\r\n    });\r\n  }\r\n<\/script>\r\n\r\n<\/body>\r\n<\/html>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>Generic Internal Audit Manual for Central Civil Ministries \u2014 Study Notes Study Notes \u00b7 Internal Audit \u00b7 O\/o CGA Generic [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"site-sidebar-layout":"no-sidebar","site-content-layout":"","ast-site-content-layout":"full-width-container","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"disabled","ast-banner-title-visibility":"disabled","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"disabled","footer-sml-layout":"disabled","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[],"tags":[],"class_list":["post-12845","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/promotionexams.com\/index.php?rest_route=\/wp\/v2\/pages\/12845","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/promotionexams.com\/index.php?rest_route=\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/promotionexams.com\/index.php?rest_route=\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/promotionexams.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/promotionexams.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=12845"}],"version-history":[{"count":7,"href":"https:\/\/promotionexams.com\/index.php?rest_route=\/wp\/v2\/pages\/12845\/revisions"}],"predecessor-version":[{"id":12852,"href":"https:\/\/promotionexams.com\/index.php?rest_route=\/wp\/v2\/pages\/12845\/revisions\/12852"}],"wp:attachment":[{"href":"https:\/\/promotionexams.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=12845"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/promotionexams.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=12845"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/promotionexams.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=12845"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}