Testing Template

In document INTERNAL AUDIT AUDIT MANUAL (Page 37-57)

4.7 Audit Sampling

4.7.2 Testing Template

Auditors will use the Internal Audit area's standard Audit Testing Template to determine sample sizes, based on population and risk, and to draw conclusions as to what is happening in a population of audited items.

This template is now built into CCH TeamMate (EWP module) and details:

• Test performed;

• What population the sample was selected from;

• Why the sample size was selected;

• Who provided the documentation to be tested;

• Any exceptions found; and

• Test conclusion.

NOTE: Where the audit period selected is such that the sample size cannot be achieved, the Auditor must exercise his/her judgement in determining what to sample and in what period. It may mean that the whole population in the audit period is selected, plus other transactions outside of the period in order to achieve a reasonable sample for testing, based on the guideline in the template.

4.7.3 Sample Selection

Once a sample size has been determined, each item to be sampled will be selected on the basis of the following:

• On a completely random basis and in such a manner that each item in the population has an equal or known chance of being selected; or

• On a fixed interval basis, with a random starting point.

5.0 Major Project Development Audits

5.1 Audit Objectives

5.1.1 General

The following guidelines provide Audit personnel with direction in respect to the audit activity to be undertaken during major project development in the University (should Internal Audit be required to participate in such work).

These guidelines have been separately documented because of the unique nature of audit involvement in the project development process.

These guidelines are not, however, intended to restrict any project development audit to a limited set of activities or to impose a precise solution for such an audit.

5.1.2 Audit Objectives

Auditors may participate in the development of selected major new University projects (providing oral and/or written input and advice as required), with the objective of gaining assurances that business risks are identified and managed and suitable controls implemented.

5.2 Audit Approach

5.2.1 General

Auditors may be assigned to major project developments by the Director Internal Audit.

The Director Internal Audit will contact representatives on these projects to advise them of Audit involvement.

5.2.2 Audit Scope

In order to achieve the primary audit objective described above, the scope and degree of auditor involvement on each project will be at the discretion of the auditor.

Auditor involvement will, however, be guided by way of a Standard Audit Checklist (see Section 9 – Forms and Templates List) which will be made available to the auditor at the commencement of that auditor's involvement in the project.

An auditor's time involvement may be limited or expanded with the prior approval of the Director Internal Audit, after consideration of existing budgeted audit time constraints.

5.2.3 Audit Deliverables

Auditor involvement on major project developments will focus on adding value during the course of the project development, rather than on producing detailed audit documentation and working papers.

However, an audit report should always be issued upon implementation of a project (see Section 9 – Forms and Templates List). The format of this report will be non-standard in that the auditor is not expected to raise new major issues and obtain management recommendations (as such matters should have been resolved during the course of the project). Instead, the report should outline the auditor's involvement, the auditor's conclusion, and list any issues that remain outstanding (but which do not materially affect the project outcomes).

During the course of the audit, it may also be necessary to publish action memos where significant control deficiencies or other issues require immediate management consideration.

5.3 Major Project Development Audit Working Papers

5.3.1 General

The auditor will maintain a file of documentation arising from, or produced as a result of, audit involvement on the selected project.

This documentation should be structured in accordance with the Standard Audit Checklist referred to above i.e. checklist at the front, followed by published audit report and other supporting papers.

It will not be necessary for the auditor to produce written working papers as evidence that the checklist items have been addressed; however, a working paper file, as described above, should be maintained (containing memos, correspondence, documents, plans etc).

5.4 System Documentation

5.4.1 Introduction

The system documentation described below may be produced in support of major project development audits undertaken, where considered necessary.

This documentation will be produced and maintained on the Internal Audit Area’s LAN J drive directories.

This documentation is as follows:

• System Description

• Flowcharts or Dataflow diagrams

• Identification of risks and controls

5.4.2 System Description

The System Description provides an overview of the system under review.

The System Description outlines:

• Input data, media and preparation or transmission locations;

• The major processes and files used;

• Output data, media and receiving locations;

• Interfaces with other systems;

• The hardware and software used;

• Any special or unusual features of the system;

• Key controls regarding processing accuracy and authorisation; and

• Management trails.

5.4.3 Identification of Risks and Controls

The identification of risks and controls may be performed to assess the quality of controls being built into the new system.

6.0 Audit Evaluation and Performance

6.1 Audit Client Questionnaire Form

6.1.1 General

Two to three days after the issue of a major audit report, Internal Audit is to issue an Audit Client Questionnaire Form (see Section 9 – Forms and Templates List) to one or more auditees, requesting formal comments on the auditor's performance.

The form is to be electronically emailed (with the details of the audit already input on the form) by the Director Internal Audit to the nominated auditees.

The auditee is to formally respond to the Director Internal Audit who, upon receiving the completed form, will provide it to the auditor for his/her information and comment.

The Director Internal Audit may follow up issues raised, or any negative comments made, with the auditor, and in some cases, may contact the auditee for clarification.

Completed forms will be filed by the Director Internal Audit in an official records file i.e. completed forms are not to be stored with the working papers.

6.2 Performance Reviews - KRIs and KPIs

6.2.1 General

Auditor Performance Reviews are to be performed in accordance with University requirements, with a major review being performed around February each year.

KRIs (Key Result Areas) and KPIs (Key Performance Indicators) are to be formulated and agreed with the Audit Team every year, but the comments received via the Audit Client Questionnaire Forms should always be included as a major KPI.

7.0 Miscellaneous

7.1 LAN Permanent File Naming Standards - Effective 1 May 2003 to 30 June 2012 (now replaced by CCH TeamMate)

7.1.1 General

During the course of an audit, the auditor may develop permanent documentation (flowcharts, audit programme, a system description etc) which will need to be retained and updated at the next audit.

This documentation is to be stored on the LAN to ensure it is available for the auditor the next time an audit is conducted.

Within the Permanent Files subdirectory are further subdirectories.

Each of these subdirectories is identified by a two character alphabetic code e.g. MG (for Management and Governance) represents a subsection of the Audit Universe. Therefore, all auditable areas in the MG section of the Audit Universe will have their permanent information stored in the MG subdirectory of the Permanent Files subdirectory.

Permanent files will be stored as Word, Excel etc files in subdirectories, using a standard naming format i.e. XX.YY.FCC, where:

• XX = the two character alphabetic code representing the appropriate section of the Audit Universe e.g. MG, US, GR etc.

• YY = a unique two digit numeric to identify a separate auditable area within the relevant section of the Audit Universe e.g. MG.10 represents an audit called Corporate Governance and Leadership, SM.10 represents an audit called Library and Information Services etc.

• F = an alphabetic character that describes the file type i.e.

"A" = Risks and Controls

"C" = CAATs

"S" = System Description

"F" = Flowchart

"N" = Permanent Notes

"P" = Audit Programme

"V" = Various other papers

• CC = two numeric digits, in the range 01 - 99, representing a unique document number.

Multiple successive versions of audit programs will be identified by these two digits.

Two examples illustrate the naming convention:

The audit programme for the audit of the Copyright Act would be stored in the LR (Legislative/Regulatory Compliance) subdirectory of Permanent Files as LR.10.P01, while the Risks and Controls would be stored as LR.10.A01.

The audit programme for the audit of Expenditure Controls would be stored in the FA (Financial Activities) subdirectory of Permanent Files as FA.21.P01, while two sets of flowcharts would be stored as FA.21.F01 and FA.21.F02.

Note: With the implementation of the CCH TeamMate electronic working papers system, the above arrangements will eventually be phased out.

7.2 Important LAN Directories/Files

7.2.1 Subdirectories

All Internal Audit Area LAN data is stored on J drive.

Data is stored in accordance with University recordkeeping standards.

The subdirectories of importance are:

J:\ODVC\PQ\AUDIT\OPERATIONAL MANAGEMENT\Standards\Internal Audit Administrative Files and Directories. This contains a word file with a list of all important Internal Audit subdirectories and their purpose.

J:\ODVC\PQ\AUDIT\OPERATIONAL MANAGEMENT\Standards\Internal Audit Permanent Files. This contains further subdirectories of permanent documentation structured along the lines of the Audit Universe (up to 30 June 2012).

Note: With the implementation of the CCH TeamMate electronic working papers system, the above arrangements in relation to storage of permanent information have been phased out.

However, it remains as a repository for old audit programs and documents.

8.0 Other Special Audit Work

8.1 Audit Certificates

8.1.1 General

The University may be required to provide signed certificates which set out the disposition of funds provided or obligations undertaken.

The most common types of certifications required relate to various grants provided by relevant federal, state and private sector bodies.

The University may also be required to provide an audit certificate to an external party in relation to the financial operations of other activities in which it is engaged e.g.

• Curtin Radio FM 100.1

• Western Australian Satellite Technology Consortium

Most requirements for certification are governed by contracts, procedure manuals or legislation which set out the format and frequency of certifications as well as defining exactly what is being certified. They can also define who is qualified to sign the certificate.

8.1.2 Preferred External Service Providers

Where such an audit is required, it is standard procedure (from 1 March 2007) that the work should not be undertaken internally (unless there is a specific requirement for Internal Audit to provide such an audit opinion).

This type of audit is not covered within the scope of work described in the Internal Audit Charter. In addition, the provision of audit certificates, particularly to external bodies, may create a legal liability for the University should the opinion offered later be found to be incorrect or deficient.

The University has access to preferred external suppliers of such services who will provide a quote for the work to be done (on a fee for service basis). Information concerning these service providers is available on the Strategic Procurement website.

8.2 Special Investigations

8.2.1 Introduction

Special investigations will be conducted with the urgency and priority established at the time the investigation is requested or the circumstances determine.

From time to time, the Internal Audit Area may be called upon to perform special investigations.

These, unfortunately, often relate to investigating an incidence of fraud or other type of misconduct, as described under the Corruption and Crime Commission Act 2003 (WA). In such cases, the Professional Standards and Conduct Unit may contact Internal Audit and request that an investigation be done in relation to an allegation of staff misconduct.

However, they may also be urgent investigations of an aspect of operations which do not fit the "traditional" definitions of compliance audits (e.g. investigating the effectiveness of destruction of confidential documents) and cannot be scheduled as part of the normal audit program. In these cases, an Internal Auditor will be contacted to perform the investigation.

In all cases, the Chair of the Audit Committee is to be notified and permission sought for the work to be done (as per resolution made at the Audit Committee meeting held on 14 November 2003).

9.0 Forms and Templates List

9.1 Introduction

The following list of forms and templates outlines and displays the standard forms and templates to be used in the conduct of internal audits at Curtin University.

NOTE: These forms and templates are in most cases taken direct from the CCH TeamMate system so do not match the standard forms currently used for non-TeamMate audits.

Electronic forms and templates are primarily held in the EWP module of TeamMate but are also backed up to J drive at:

J:\ODVC\PQ\AUDIT\INFORMATION AND COMMUNICATION TECHNOLOGY\Compliance\CCH TeamMate\CCH TeamMate Electronic Form Templates - BACKUP ONLY - DO NOT DELETE

with the exception of the standard timesheet which is held on J drive at:

J:\ODVC\PQ\AUDIT\PUBLICATION\Corporate Style\Forms and Templates\Other Internal Audit Forms – General

9.2 Time Recording

9.2.1 Timesheet

9.3 Section 1 - Planning and Evaluation

9.3.1 Email Notification of Audit Commencement (example)

9.3.2 Audit Checklist (two pages)

9.3.3 Field Audit Plan (two pages)

9.3.4 Audit Engagement Letter (usually four to five pages)

9.3.5 Internal Audit Request – IAR (one page)

9.3.6 List of CAATs (one page)

9.3.7 PANA (one page)

9.3.8 Reference File – System Description (up to three pages)

9.3.9 Audit Budgeted Hours Estimate Sheet (one page)

9.4 Section 2 - Reporting

9.4.1 Draft Audit Report Covering Memo (one page)

9.4.2 Audit Observations (variable no. of pages)

9.4.3 Main Audit Report (variable no. of pages)

9.4.4 Audit Client Questionnaire (one page)

9.4.5 Hardcopy Cover Sheet for Official Records File (one page)

9.5 Section 3 - Verification

9.5.1 General

Standard templates for audit programs, working papers, appendices, audit testing, review notes are built into the CCH TeamMate system – please refer to the CCH TeamMate User Guide for Curtin Auditors, for sample screens.

9.6 Other

9.6.1 Major Project Development Checklist (available on request)

9.6.2 Major Project Development Report (available on request)
