8.

Internalcontrolandinternalaudit
8.1Meaningofinternalcontrol
Intheprivatesector,companydirectorsareresponsiblefordeterminingpolicy,
monitoringperformanceandtakingcorrectiveactionifeitherpolicyorits
implementationisdefective.Internalcontrolprovidesameansofassurancethat
corporateobjectivesarebeingachieved.Thusthedirectorsareresponsibleforinternal
control.TheInstituteofInternalAuditorsdefinesinternalcontrolasfollows:
aprocesswithinanorganisationdesignedtoprovidereasonableassuranceregarding
thefollowingprimarycorporateobjectives:

thereliabilityandintegrityofinformation

compliancewithpolicies,plans,procedures,lawsandregulations

thesafeguardingofassets

theeconomicalandefficientuseofresources

theaccomplishmentofestablishedobjectivesandgoalsofoperationsor
programs

Internalcontrolsystemsarethereforefundamentaltothesuccessandsurvivalof
organisations.Theykeeptheorganisationontherails.Butorganisationssometimesgo
offtherails.Thiswastheproblem(UScorporatefailure)thatresultedinthereportofthe
TreadwayCommission(onfraudulentfinancialreporting)andintheformationofthe
CommitteeofSponsoringOrganizationsoftheTreadwayCommission(COSO).
8.2COSO
COSOisavoluntaryprivatesectororganizationestablishedinUSA.Itisdedicatedto
improvingthequalityoffinancialreportingthroughbusinessethics,effectiveinternal
controls,andcorporategovernance.COSOwasoriginallyformedin1985tosponsorthe
NationalCommissiononFraudulentFinancialReporting,anindependentprivatesector
initiative.Itisconcernedwithfactorsthatcanleadtofraudulentfinancialreporting.
COSOhasdevelopedprinciplesofinternalcontrol.Itdefinesinternalcontrolasfollows:
Internalcontrolisaprocess,effectedbyanentitysboardofdirectors,managementand
otherpersonnel,designedtoprovidereasonableassuranceregardingtheachievementof
objectivesinthefollowingcategories:

Effectivenessandefficiencyofoperations
1

Reliabilityoffinancialreporting

Compliancewithapplicablelawsandregulations

Itidentifiesthekeyconceptsofinternalcontrolasfollows:

Internalcontrolisaprocess.Itisameanstoanend,notanendinitself.

Internalcontroliseffectedbypeople.Itsnotmerelypolicymanualsand
forms,butpeopleateverylevelofanorganization.

Internalcontrolcanbeexpectedtoprovideonlyreasonableassurance,not
absoluteassurance,toanentitysmanagementandboard.

Internalcontrolisgearedtotheachievementofobjectivesinoneormore
separatebutoverlappingcategories.

Thetypeofthinkingbehindthemodelisasfollows:

weakinternalcontrolsystemsleadtocorporatelossesandfailure

internalcontrolsystemsaretheresponsibilityofdirectors.managersand
employees

buttheyaretheparticularresponsibilityoftheboardofdirectors

financialcontrolsareimportant,butnonfinancialcontrolsmaybejustas
important

someinternalcontrolsystemsareformal;othersareinformal(forinstance,
unwrittenrulesobservedbymembersofateam)

bothformalandinformalsystemsareimportant.Thelattermayleadtoa
corporateenvironmentwhichiseitherfavourableorhostiletocontrol

internalcontrolisamovingtarget.Itmustbemonitoredandadaptedtofitthe
circumstances.Ifitisneglecteditwilldeteriorate,loserelevanceorprove
ineffective

directorsneedtoreportpubliclyonthestatusoftheirorganisations'internal
controlsystemsintheannualcorporatereportissuetoshareholderssothat
theyandothersareinformedonthisissue

8.3Internalcontrolingovernment
Ministriesdonothaveboardsofdirectors.Governmentwidelawsandregulations
regulatetheirbusinessaffairs.Certainassetssuchasbuildingsandinfrastructuremaybe
outsidethecontrolofthosewhooccupythem.Moreovergovernmententitiesrarelyif
evercollapseduetointernalcontrolfailuresanddonotneedtoreporttoshareholders.
Sowhatdoesinternalcontrolmeaninagovernmentcontext?
Theaverageministryhasanumberofresponsibilities(committingfunds,recruitingstaff,
contractingforsuppliesandservices,approvingactions,registeringtransactionsand
events,deployingresourcesandcontrolling,supervisingandreportingonimplementation
ofpolicies).Iftheseresponsibilitiesarefulfilledproperly,theresultwillbeeffective
controloverresources,decisionsandactivitiesandtheachievementofministry
objectives.Ifnot,abuseswillproliferateandefficiencydecline.
Someministriesarewellcontrolled;othersarenot.Majorfactorsinthehealthof
internalcontrolsarethequalityofmanagers,theirfamiliaritywithinternalcontrol
systemsandtheirpreparednesstodistinguishbetween"complyingwithregulations"and
"managingtheentity".Governmentregulationsdonotprovideacompletesetof
controlsforeachentityandcompliancewithregulationsisnotanabsolutestandard.The
extentandqualityofcompliancevariesfromentitytoentity.Itisthereforelogicalto
expectministriesandothergovernmentagenciestohavetheirowninternalcontrol
systemsandtotreatthemasanimportantmeansofachievingtheirmanagement
objectives.Theneedforinternalcontrolsystemsingovernmententities,thedutiesof
managersandauditorsandashortchecklistformanagersaregiveninarecentINTOSAI
publication(seesources,below).
Onewayofunderstandingtheneedforgovernmentsystemsofinternalcontrol,isto
thinkofgovernmententitiesascorporatebodiesandtoaskhowsystemsofcontrolused
inlargeprivatesectorentitiesarerelevanttomanagementimprovements.Thisisthe
pointofviewofarecentIFACpublication(CorporateGovernanceinthePublicSector,
2000).Theparallelbetweengovernmentandbigbusinessisnotalwaysperfectand
businessmayalsobeabletolearnagreatdealfromgovernment.Neverthelessthereare
valuableinsightsfromthistypeofapproach.Oninternalcontrolthepapersuggesttwo
principles:

Governingbodiesofpublicsectorentitiesneedtoensurethataframeworkof
controlisestablishedandoperatesinpracticeandthatastatementonits
effectivenessisincludedintheentity'sannualreport.

Governingbodiesofpublicsectorentitiesneedtoensurethateffective
systemsofriskmanagementareestablishedaspartoftheframeworkof
internalcontrol.

Riskmanagementisabouttheassessmentofrelativeriskandensuringthatcontrolsare
presentandeffectivewhererisksareattheirhighest.

8.4DefinitionofInternalaudit
Internalauditingisanindependentappraisalfunctionestablishedwithinanorganization
whichexaminesandevaluatesitsactivitiesasaservicetotheorganization.The
objectiveofinternalauditingistoassisttheorganization,inparticularmanagersand
membersoftheboardofdirectors,todischargeoftheirresponsibilitieseffectively.To
thisend,internalauditingfurnishesthemwithanalyses,appraisals,recommendations,
adviceandinformationconcerningtheactivitiesreviewed.Theauditobjectiveincludes
promotingeffectivecontrolatreasonablecost.ThisishowtheInstituteofInternal
Auditorsdefinesinternalauditing.Itcanalsoberegardedasthemeansbywhich
managementlearnsifitsinternalcontrolsystemsareappropriatelydesignedandinfact
working.
8.5Internalauditingovernment
Internalauditisessentialforensuringtheoperationandappropriatenessofcontrols
(thereforeessentialforgoodmanagement),butfrequentlyneglectedespeciallyinthe
publicsectorindevelopingcountries.
Itisunwisetobedogmaticaboutthedetailedresponsibilitiesofinternalauditors,asthese
willvaryagreatdealbetweengovernmentsandentitiesandeventhroughtimeforthe
samegovernmentsandentities.Theymightinclude:

Reviewingcompliancewithexistingfinancialregulations,instructions,
procedures

Evaluatingtheeffectivenessofselectedinternalcontrols

Appraisingtheefficiencyandeffectivenesswithwhichresourcesareused

Reviewingthereliabilityandintegrityofrecordkeepingandreporting

Verifyingclaimsforreimbursement,expenses,revenues,goodsreceived,etc.

Investigatingirregularities

Ensuringthatrevenueiscollected,depositedandcorrectlyaccountedfor

Verifyinginventoryrecordsandtheirrelationshipwithphysicalinventory

Themostsignificantproblemsencounteredininternalauditare:

Managementperceptionthatinternalauditorshavelittletooffer

Lowstatusofinternalauditors(minorbeancounters)
5

Internalauditorsbeingusedinadualcapacityasbothaccountantsand
auditors

Internalauditorsbeingusedprimarilyinpreauditorinoftrepeated
predictableroutines

Absenceofinternalauditunitsatthelevelofministries;internalauditunits
locatedintheministryoffinance(i.e.nolongerinternaltotheentity)

Lackofriskassessmentasabasisforplanningauditsandchoosingaudit
topics

Internalauditorswhoaretoomuchunderthethumbofasingletopmanager
(leadingtoconflictbetweencarryingoutprofessionalresponsibilitiesand
keepingone'sjob)

8.6INTOSAIinternalcontrolstandards
GeneralStandards
ReasonableAssurance:Internalcontrolstructuresaretoprovidereasonableassurance
thattheaforementionedgeneralobjectiveswillbeaccomplished.
SupportiveAttitude:Managersandemployeesaretomaintainanddemonstrateapositive
andsupportiveattitudetowardinternalcontrolsatalltimes.
IntegrityandCompetence:Managersandemployeesaretohavepersonaland
professionalintegrityandaretomaintainalevelofcompetencethatallowsthemto
understandtheimportanceofdeveloping,implementing,andmaintaininggoodinternal
controlsandtoaccomplishthegeneralobjectivesofinternalcontrols.
ControlObjectives:Specificcontrolobjectivesaretobeidentifiedordevelopedforeach
activityoftheorganizationandaretobeappropriate,comprehensive,reasonable,and
integratedintotheoverallorganizationalobjectives.
MonitoringControls:Managersaretocontinuallymonitortheiroperationsandtake
prompt,responsiveactiononallfindingsofirregular,uneconomical,inefficient,and
ineffectiveoperations.
DetailedStandards

Documentation:Theinternalcontrolstructureandalltransactionsandsignificantevents
aretobeclearlydocumented,andthedocumentationistobereadilyavailablefor
examination.
PromptandProperRecordingofTransactionsandEvents:Transactionsandsignificant
eventsaretobepromptlyrecordedandproperlyclassified.
AuthorizationandExecutionofTransactionsandEvents:Transactionsandsignificant
eventsaretobeauthorizedandexecutedonlybypersonsactingwithinthescopeoftheir
authority.
SeparationofDuties:Keydutiesandresponsibilitiesinauthorizing,processing,
recording,andreviewingtransactionsandeventsshouldbeseparatedamongindividuals.
Supervision:Competentsupervisionistobeprovidedtoensurethatinternalcontrol
objectivesareachieved.
AccesstoandAccountabilityforResourcesandRecords:Accesstoresourcesand
recordsistobelimitedtoauthorizedindividualswhoareaccountablefortheircustodyor
use.Toensureaccountability,theresourcesaretobeperiodicallycomparedwiththe
recordedamountstodeterminewhetherthetwoagree.Theasset'svulnerabilityshould
determinethefrequencyofthecomparison.
8.7Otherissuesrelevanttoagovernmentcontext

Whoisinchargeofinternalauditingandwhataretheirresponsibilities?This
concernsprimarilythetaskofprofessionalleadership(qualityassurance,
training,methodologicalimprovement)butalsoincludesmentoring.

Whatistheoptimumrelationshipbetweenexternalandinternalauditors?The
IIAsuggeststhatinternalauditorsshouldsharesignificantauditinformation
withexternalauditorsandthatthetwosetsofauditorsshouldcoordinatetheir
work.

Howistheinternalauditortofulfilresponsibilitiestothemanagementofthe
auditedentity?Whatarethelimitsoninstructionsthatmanagementmaygive
totheauditor?Whatauditreportsdocumentsshouldtheinternalauditor
supplytomanagement?Whattypesofinstructionfrommanagement
significantlylimittheindependenceandauthorityoftheinternalauditorand
underwhatcircumstancesshouldtheauditorinformoutsideauthoritiesof
limitationsimposed?Whoshouldtheauditorinforminsuchcircumstances?

Whoshouldbetherecipientsoftheinternalauditorsreports?Obviously
managementshouldreceivethem,butshouldtheexternalauditorsandMOF
too?

Whatbasicdocumentsshouldtheinternalauditorproduce?Shouldhe
produceanannualauditplan,anannualauditreport,adhocauditreports?

DoesgovernmentwishtofollowtheinternalauditstandardsoftheInstituteof
InternalAuditorsorguidancefromINTOSAI?

Sources
InternationalFederationofAccountants,Corporategovernanceinthepublicsector:a
governingbodyperspective,2000
InstituteofInternalAuditors(UK)Standardsandguidelinesfortheprofessionalpractice
ofinternalauditing,1998.
InternationalOrganisationofSupremeAuditInstitutionsGuidelinesforinternalcontrol
standards,1992.
InternationalOrganisationofSupremeAuditInstitutionsInternalcontrol:providinga
foundationforaccountabilityingovernment,2001
Annex
INTOSAI
GuidelinesforInternalControlStandards
June1992
ChapterI
OverviewofInternalControlConcepts,
Objectives,andStandards
1.Internalcontrolisamanagementtoolusedtoprovidereasonableassurancethat
management'sobjectivesarebeingachieved.Therefore,responsibilityfortheadequacy
andeffectivenessoftheinternalcontrolstructurerestswithmanagement.Theheadof

eachgovernmentalorganizationmustensurethataproperinternalcontrolstructureis
instituted,reviewed,andupdatedtokeepiteffective.
2.TheSupremeAuditInstitutionalsohasaresponsibilityforensuringadequateinternal
control.Itshouldencourageandsupport:
theestablishmentofdetailedorganizationalinternalcontrolstructuresforeach
governmentalunitbasedonthestandardspresentedinthisdocument;and
areviewofthatstructuretoassurethatthecontrolsareworkingasintendedandare
adequatetoachievethedesiredresults.
3.Astheyareultimatelyresponsiblefortheadequacyoftheinternalcontrolstructureand
itsimplementation,itisimportantthatmanagementsofallorganizationalunitswithin
governmentunderstandthenatureoftheinternalcontrolstructureandtheobjectives
internalcontrolsaretoachieve.Aninternalcontrolstructureisdefinedastheplansofan
organization,includingmanagement'sattitude,methods,procedures,andothermeasures
thatprovidereasonableassurancethatthefollowinggeneralobjectivesareachieved:
promotingorderly,economical,efficient,andeffectiveoperationsandqualityproducts
andservicesconsistentwiththeorganization'smission;
safeguardingresourcesagainstlossduetowaste,abuse,mismanagement,errors,and
fraudandotherirregularities;
adheringtolaws,regulations,andmanagementdirectives;and
developingandmaintainingreliablefinancialandmanagementdataandfairly
disclosingthatdataintimelyreports.
4.Thefollowingstandardsformtheframeworkforaninternalcontrolstructureandhave
beencategorizedasgeneralstandardsanddetailedstandards:
GeneralStandards
ReasonableAssurance:Internalcontrolstructuresaretoprovidereasonableassurance
thattheaforementionedgeneralobjectiveswillbeaccomplished.
SupportiveAttitude:Managersandemployeesaretomaintainanddemonstrateapositive
andsupportiveattitudetowardinternalcontrolsatalltimes.
IntegrityandCompetence:Managersandemployeesaretohavepersonaland
professionalintegrityandaretomaintainalevelofcompetencethatallowsthemto

understandtheimportanceofdeveloping,implementing,andmaintaininggoodinternal
controlsandtoaccomplishthegeneralobjectivesofinternalcontrols.
ControlObjectives:Specificcontrolobjectivesaretobeidentifiedordevelopedforeach
activityoftheorganizationandaretobeappropriate,comprehensive,reasonable,and
integratedintotheoverallorganizationalobjectives.
MonitoringControls:Managersaretocontinuallymonitortheiroperationsandtake
prompt,responsiveactiononallfindingsofirregular,uneconomical,inefficient,and
ineffectiveoperations.

10

DetailedStandards
Documentation:Theinternalcontrolstructureandalltransactionsandsignificantevents
aretobeclearlydocumented,andthedocumentationistobereadilyavailablefor
examination.
PromptandProperRecordingofTransactionsandEvents:Transactionsandsignificant
eventsaretobepromptlyrecordedandproperlyclassified.
AuthorizationandExecutionofTransactionsandEvents:Transactionsandsignificant
eventsaretobeauthorizedandexecutedonlybypersonsactingwithinthescopeoftheir
authority.
SeparationofDuties:Keydutiesandresponsibilitiesinauthorizing,processing,
recording,andreviewingtransactionsandeventsshouldbeseparatedamongindividuals.
Supervision:Competentsupervisionistobeprovidedtoensurethatinternalcontrol
objectivesareachieved.
AccesstoandAccountabilityforResourcesandRecords:Accesstoresourcesand
recordsistobelimitedtoauthorizedindividualswhoareaccountablefortheircustodyor
use.Toensureaccountability,theresourcesaretobeperiodicallycomparedwiththe
recordedamountstodeterminewhetherthetwoagree.Theasset'svulnerabilityshould
determinethefrequencyofthecomparison.
5.Thesestandardswouldbeapplicabletoallgovernmentalorganizationalunits.They
canbeviewedastheminimumacceptablestandardsthatorganizationsfollowwhen
institutinginternalcontrolsandprovidecriteriaforauditorswhenauditingtheinternal
controlstructure.
6.Thestandardspresentedherearenotnewideas.Manyofthemarecurrently
incorporatedingovernmentoperations.Theirpresentationasaframework,however,may
benew.Theremainderofthisdocumentdiscussesingreaterdetailthedefinitionand
limitationsofinternalcontrol,thestandardsofinternalcontrol,theestablishmentofthe
frameworkforinternalcontrols,andtheimplementationandmonitoringofinternal
controlstructures.
ChapterII
DefinitionandLimitationsofInternalControls
DefinitionandObjectives

11

7.Internalcontrolstructuresaredefinedastheplansofanorganization,including
management'sattitude,methods,procedures,andmeasuresthatprovidereasonable
assurancethattheobjectivesarebeingachieved.Thoseobjectivesare
promotingorderly,economical,efficient,andeffectiveoperationsandqualityproducts
andservicesconsistentwiththeorganization'smission;
safeguardingresourcesagainstlossduetowaste,abuse,mismanagement,errors,and
fraudandirregularities;
adheringtolaws,regulations,andmanagementdirectives;and
developingandmaintainingreliablefinancialandmanagementdataandfairly
disclosingthatdataintimelyreports.
8.Thisdefinitionofinternalcontrolstructuresandtheobjectivesforthemare
intentionallybroadinscopetocoverallgovernmentoperations.However,internal
controlshavebeenorganizedanddefinedinvariousotherways.Thefollowing
descriptionshavebeenprovidedasapointofreference.
9.Whendescribinginternalcontrolsbytheirroleintheorganizationalstructure,they
haveoftenbeenorganizedintothebroadcategoriesofmanagement,administrative,and
accountingcontrols.Managementcontrolsareoftenviewedasencompassingallcontrols.
Theyaretheframeworkoftheorganizationalltheplans,policies,procedures,and
practicesneededforemployeestoachievetheentity'sobjectives.Administrativecontrols
arethoseproceduresandrecordsconcerningthedecisionmakingprocessesthatlead
employeestocarryoutauthorizedactivitiesinachievingtheorganization'sobjectives.
Accountingcontrolscovertheproceduresanddocumentationconcernedwiththe
safeguardingofassetsandthereliabilityoffinancialrecords.
10.Internalcontrolshavealsobeencategorizedbytheirintendedpurpose:toprevent
errors(forexample,bysegregatingdutiesandauthorizationrequirements);todetect
errors(forexample,byestablishingproductionstandardstodetectvariancesinactual
results);tocorrecterrorsthathavebeendetected(forexample,bycollectingan
overpaymenttoavendor);ortocompensateforweakcontrolswheretheriskoflossis
highandadditionalcontrolsareneeded.
11.Inpractice,thedistinctionamongthesecategoriesandtypesisoftendifficultto
recognizebecauseaneffectiveinternalcontrolstructurerequireselementsofeach.Even
thedescriptionsofeachcategoryofcontrolcanvaryamongindividuals.However,
regardlessofhowinternalcontrolsareorganizedordefined,theyshouldnotbethought
ofasalternativestoeachother.Theyshouldbecomplementary.Anyonecontrolhas
advantagesanddisadvantages,soaneffectiveinternalcontrolstructureusesamixof
controlstocompensatefortheparticulardisadvantagesofindividualcontrols.

12

12.Tobeeffective,internalcontrolsmustsatisfythreebasiccriteria:
Theymustbeappropriate(thatis,therightcontrolintherightplaceandcommensurate
totheriskinvolved).
Theymustfunctionconsistentlyasplannedthroughouttheperiod(thatis,becomplied
withcarefullybyallemployeesinvolvedandnotbypassedwhenkeypersonnelareaway
ortheworkloadisheavy).
Theymustbecosteffective(thatis,thecostofimplementingthecontrolshouldnot
exceedthebenefitsderived).
Limitationsoneffectivenessofinternalcontrols
13.Nointernalcontrolstructure,howeverdetailedandcomprehensive,canbyitself
guaranteeefficientadministrationandcompleteandaccuraterecordsorbefoolproof
againstfraud,especiallywhenthoseinvolvedholdpositionsofauthorityortrust.Internal
controlsdependentonthesegregationofdutiescanalsoberenderedineffectivewhere
collusionbyseveralindividualsisinvolved.Also,authorizationcontrolscanbeabused
bythepersoninwhomtheauthorityisvested,andmanagementisfrequentlyinaposition
tooverridethecontrolsithasestablished.Tomaintainaninternalcontrolstructurethat
wouldeliminatetheriskoflossisnotrealisticandwouldprobablycostmorethanis
warrantedbythebenefitderived.
14.Becauseanyinternalcontrolstructuredependsonthehumanfactor,itissubjectto
flawsindesign,errorsofjudgmentorinterpretation,misunderstanding,carelessness,
fatigue,ordistraction.Whilethecompetenceandintegrityofthepersonneldesigningand
operatingthesystemmaybecontrolledbyselectionandtraining,thesequalitiesmay
alterduetopressuresfromwithinandoutsidetheagency.Furthermore,nomatterhow
competentthestaff,thecontroltheyoperatemaybecomeineffectiveiftheydonot
correctlyunderstandtheirfunctioninthecontrolprocessorchoosetoignoreit.
15.Organizationalchangesandmanagementattitudecanhaveaprofoundimpactonthe
effectivenessofaninternalcontrolstructureandthepersonneloperatingthestructure.
Thus,
managementneedstocontinuallyreviewandupdatecontrols,communicatechangesto
personnel,andsetanexamplebyadheringtothosecontrols.
ChapterIII
DiscussionoftheInternalControlStandards

13

16.Theestablishmentofdemandinginternalcontrolstandardsisnecessary,particularly
ingovernment,inviewofitssize;diversity;thevolumeoftransactions;themultiplicity
ofrecords;andnumerousrules,regulations,andlaws.Becausestatutoryprovisions
governthemanagementandcontrolofpublicresourcesandpublicprograms,standards
thatgovernandensuresuchcompliancearerequired.
17.Internalcontrolstandardsareseparatedintotwocategories:generalstandardsand
detailedstandards.Together,theydefinetheframeworkfortheminimumlevelof
acceptabilityforaninternalcontrolstructureinoperation.Theyshouldbeusedasthe
criteriaforbothdevelopingandevaluatinginternalcontrols.Theseinternalcontrol
standardsapplytoallmanagement,operational,andadministrativefunctionsandshould
notbelimitedtofinancialoperations.Theyalsoapplytoallsystems,whetherautomated
ormanual.
GeneralStandards
18.Thegeneralstandardsconsistofreasonableassurance,supportiveattitude,integrity
andcompetence,controlobjectives,andmonitoringcontrols.Together,theyprovidethe
propercontrolenvironmentwithintheorganization.
ReasonableAssurance
19.Internalcontrolstructuresaretoprovidereasonableassurancethatthegeneral
objectiveswillbeaccomplished.
20.Reasonableassuranceequatestoasatisfactorylevelofconfidenceundergiven
considerationsofcosts,benefits,andrisks.Determininghowmuchassuranceis
reasonablerequiresjudgment.Inexercisingthatjudgment,managersshould
identifytherisksinherentintheiroperationsandtheacceptablelevelsofriskunder
varyingcircumstancesand
assessriskbothquantitativelyandqualitatively.
21.Reasonableassurancerecognizesthatthecostofinternalcontrolshouldnotexceed
thebenefitderived.Costreferstothefinancialmeasureofresourcesconsumedin
accomplishingaspecifiedpurposeandtheeconomicmeasureofalostopportunity,such
asadelayinoperations,adeclineinservicelevelsorproductivity,orlowemployee
morale.Abenefitismeasuredbythedegreetowhichtheriskoffailingtoachievea
statedobjectiveisreduced.Examplesincludeincreasingtheprobabilityofdetecting
fraud,waste,abuse,orerror;preventinganimproperactivity;orenhancingregulatory
compliance.

14

22.Designinginternalcontrolsthatarecostbeneficialwhilereducingrisktoan
acceptablelevelrequiresthatmanagersclearlyunderstandtheoverallobjectivestobe
achieved.Governmentmanagersmaydesignsystemswithexcessivecontrolsinonearea
oftheiroperationsthatadverselyaffectotheroperations.Forexample,employeesmay
trytocircumventburdensomeprocedures,inefficientoperationsmaycausedelays,and
dilutedresponsibilitiesmaymakeitdifficulttoidentifyaccountableindividuals.Thus,
benefitsderivedfromexcessivecontrolsinoneareamaybeoutweighedbyincreased
costsinotheractivities.
23.Anexampleofinefficientoperationsfollows.Agovernmentagency'sfieldofficeis
responsibleforaconstructionprojectforhomelessindividuals.However,everyvariation
fromtheoriginalcontract,regardlessofitstechnicalorfinancialimpact,mustbe
approvedbyheadquarterswiththeobjectiveofcontrollingcostandproductquality.This
slowsdowntheconstructionproject'sprogress,whichmayincreasecostsandharmone
ormoreoftheindividualswhomtheconstructionwasintendedtobenefit.Toimprove
efficiency,headquarterscoulddelegatetheauthorityforminorcontractchangestothe
fieldoffice.Theheadquarters'officewouldstillhaveadequatecontroloftheconstruction
costsandqualitywhilereducingdelays.
SupportiveAttitude
24.Managersandemployeesaretomaintainanddemonstrateapositiveandsupportive
attitudetowardinternalcontrolsatalltimes.
25.Attitudeisestablishedbytopmanagementandisreflectedinallaspectsof
management'sactions.Theinvolvementandsupportoftopgovernmentofficialsand
legislatorswillfosterapositiveattitude.Thisattitudewillalsobefosteredbymanagers
committedtoachievingstrongcontrolsthroughactionsconcerningagencyorganization,
personnelpractices,supervision,communication,protectionanduseofresourcesthrough
systematicaccountability;monitoringandreportingsystems;seekingimprovement
suggestionsfromemployeesatalllevels;andgeneralleadership.Managementcan
demonstrateitssupportforgoodinternalcontrolsbyemphasizingthevalueof
independentandobjectiveinternalauditinginidentifyingareasforimproving
performancequalityandbyrespondingtoinformationdevelopedthroughinternalaudits.
26.Employeesmustfollowinternalcontrolsandtakestepstopromotetheeffectiveness
ofthecontrols.Asupportiveattitudewillaffectperformancequalityand,asaresult,the
qualityofinternalcontrols.Wheninternalcontrolsareaconsistentlyhighmanagement
priority,managementinitiatesandfostersapositiveandsupportiveattitude.
27.Inthefinalanalysis,thecommitmentbymanagementinsetting"thetoneatthetop"
iscriticaltomaintainingapositiveandsupportiveattitudetowardsinternalcontrolsinan
organization.

15

IntegrityandCompetence
28.Managersandemployeesaretohavepersonalandprofessionalintegrityandareto
maintainalevelofcompetencethatallowsthemtounderstandtheimportanceof
developing,implementing,andmaintaininggoodinternalcontrolsandtoaccomplishthe
generalobjectivesofinternalcontrols.
29.Managersandtheirstaffsmustmaintainanddemonstrate(1)personaland
professionalintegrityandethicalvalues,(2)alevelofskillnecessarytohelpensure
effectiveandefficientperformance,and(3)anunderstandingofinternalcontrols
sufficienttoeffectivelydischargetheirresponsibilities.
30.Manyelementsinfluencetheintegrityofmanagersandtheirstaffs.Thetoneatthe
topisimportant.Personnelshouldperiodicallyberemindedoftheirobligationsunderan
operativecodeofconductthatcomesfromtopmanagement.Counselingand
performanceappraisalsarealsoimportant.Overallperformanceappraisalsshouldbe
basedonanassessmentofmanycriticalfactors,includingtheimplementationand
maintenanceofeffectiveinternalcontrols.
31.Hiringandstaffingdecisionsshouldincludeassurancethatindividualshavethe
propereducationandexperiencetocarryouttheirassignedjobs.Onceonthejob,the
individualshouldbegiventhenecessaryformalandonthejobtraining.Managersand
employeeswhopossessagoodunderstandingofinternalcontrolsandarewillingtotake
responsibilityforthemarevitaltoaneffectivecontrolstructure.
ControlObjectives
32.Specificcontrolobjectivesaretobeidentifiedordevelopedforeach
ministry/department/agencyactivityandaretobeappropriate,comprehensive,
reasonable,andintegratedintotheoverallorganizationalobjectives.
33.Theobjectivesarethepositiveeffectsthatmanagementtriestoattainortheadverse
conditions/negativeeffectsthatmanagementseekstoavoid.Theobjectivesshouldbe
tailoredtofitthespecificoperationsineachactivitywhilebeingconsistentwiththe
overallinternalcontrolobjectives,similartothosepresentedinparagraph7,whichwould
besetforthbyacentraldepartment/ministryorinlegislation.
34.Todevelopspecificcontrolobjectives,alloperationsshouldbegroupedfirstinto
broadcategories.Then,withineachbroadcategory,operationsshouldbegroupedinto
oneormoresetsofregularlyrecurringactivities(suchasidentifying,classifying,
recording,andreportinginformation)thatarerequiredtoprocessaparticulartransaction
orevent.Thesegroupingsshouldbecompatiblewiththeorganizationalstructureofthe
entityanditsdivisionofresponsibilities.

16

35.Agencyoperationscanoftenbebroadlycategorizedasfollows:
Managementactivitiescovertheoverallpolicyandplanning,organization,andaudit
functions.
Program(operational)activitiesarethosethatrelatetotheagency'smission(s).
Financialactivitiescoverthetraditionalcontrolareasconcernedwithbudgets,theflow
offunds(revenuesandexpenditures),relatedassetsandliabilities,andfinancial
information.
Administrativeactivitiesarethosethatprovidesupporttotheagency'sprimarymission,
suchaslibraryservices,mailprocessinganddelivery,printing,andprocurement.
36.Todevelopthecontrolobjectives,thesetsofrecurringactivitiesmustbeidentified
andanalyzed.Forexample,therecurringactivitiesassociatedwiththeprocurementof
material(anadministrativeactivity),wouldinclude(1)identifyingneededitems,(2)
selectingavendor,(3)contractingfortheitems,(4)receivingtheitems,and(5)checking
forquality.Oneofthecontrolobjectivestobeachievedherecouldbethatonlythose
requestsformaterialsthatmeetmanagement'scriteriashouldbeapproved.Anothermay
bethatonlyrequestedmaterialsshouldbeaccepted.
37.Obviously,thebroadcategoriesmentionedaboveinteract,andcontrolobjectivesover
thisinteractionmustalsobeestablished.Forexample,whiletheaboveexamplewas
consideredanadministrativeactivity,paymentforthematerialsisafinancialactivityand
theuseofthematerialsmaybeaprogramactivity.Thecategorieswouldneedto
interfacetoproperlycontrolandrecordthepayment.
MonitoringControls
38.Managersaretocontinuallymonitortheiroperationsandtakeprompt,responsive
actiononallfindingsofirregular,uneconomical,inefficient,andineffectiveoperations.
39.Monitoringoperationsensuresthatinternalcontrolsareachievingthedesiredresults.
Monitoringofoperationsshouldbebuiltintothemethodsandproceduresmanagers
selecttocontroloperationsandensurethattheactivitiesmeettheobjectivesofthe
organization.Monitoringincludesaddressingauditfindingsandrecommendations
reportedbytheirinternalandexternalauditorstodeterminewhatcorrectiveactionsare
needed.
DetailedStandards
40.Detailedstandardsarethemechanismsorproceduresbywhichcontrolobjectivesare
achieved.Theyinclude,butarenotlimitedto,specificpolicies,procedures,plansof

17

organization(includingseparationofduties),andphysicalarrangements(suchaslocks
andfirealarms).Controlsmustprovidereasonableassurancethattheinternalcontrol
objectivesarebeingachievedcontinually.Todoso,theymustbeeffectiveandefficient
andbedesignedtoworktogetherasasystem,notindividually.
41.Tobeeffective,controlsshouldfulfilltheirintendedpurposeinactualapplication.A
setofcontrolsdesignedtooperateinamanualenvironmentmaynotbeeffectiveinan
automatedenvironment.Therefore,thecontrolsselectedshouldprovidethecoverage
theyaresupposedtoprovideandoperatewhenintended.Asforefficiency,controls
shouldbedesignedtoderivemaximumbenefitwithminimumeffort.Controlstestedfor
effectivenessandefficiencyshouldbethoseinactualoperationsandshouldbeevaluated
overtimetoensurethattheyarecontinuallyused.
42.Thefollowingcontrolsarethosewidelyusedindesigninganorderlyandeffective
internalcontrolstructure.Thespecificmethodsandproceduresdiscussedwithineachare
notexhaustivebutareusedasexamples.
Documentation
43.Theinternalcontrolstructureandalltransactionsandsignificanteventsaretobe
clearlydocumented,andthedocumentationistobereadilyavailableforexamination.
44.Anorganizationmusthavewrittenevidenceof(1)itsinternalcontrolstructure,
includingitsobjectivesandcontrolprocedures,and(2)allpertinentaspectsofsignificant
eventsandtransactions.Also,thedocumentationmustbeavailableandeasilyaccessible
forexaminationbyappropriatepersonnelandtheauditors.
45.Documentationoftheinternalcontrolstructureshouldincludeidentificationofan
organization'sstructureandpoliciesanditsoperatingcategoriesandrelatedobjectives
andcontrolprocedures.Theseshouldappearindocumentssuchasmanagement
directivesadministrativepolicies,proceduresmanuals,andaccountingmanuals.
46.Documentationoftransactionsorsignificanteventsshouldbecompleteandaccurate
andshouldenableeachtransactionorevent(andrelatedinformation)tobetracedfrom
itsinception,whileitisinprocess,toafteritiscompleted.
47.Documentationoftheinternalcontrolstructure,transactions,andsignificantevents
musthaveaclearpurpose,contributetoachievingtheorganization'sobjectives,andbe
usefultomanagersincontrollingtheiroperationsandtoauditorsorothersinvolvedin
analyzingoperations.Documentationwithoutaclearpurposewillhindertheefficiency
andeffectivenessofanorganization.
PromptandProperRecordingofTransactionsandEvents

18

48.Transactionsandsignificanteventsaretobepromptlyrecordedandproperly
classified.
49.Transactionsandeventsmustbepromptlyrecordedwhentheyoccurifinformationis
tomaintainitsrelevanceandvaluetomanagementincontrollingoperationsandmaking
decisions.Thisappliestotheentireprocessorlifecycleofatransactionorevent,
including(1)theinitiationandauthorization,(2)allstageswhileinprocess,and(3)its
finalclassificationinsummaryrecords.Italsoappliestopromptlyupdatingall
documentationtokeepitrelevant.
50.Properclassificationoftransactionsandeventsisalsorequiredtoensurethatreliable
informationisavailabletomanagement.Properclassificationistheorganizingand
formattingofinformationfromwhichreports,schedules,andfinancialstatementsare
prepared.
51.Promptandproperrecordingofinformationisessentialforassuringthetimeliness
andreliabilityofallinformationusedbytheorganizationtosupportitsoperationsand
decisionmaking.
AuthorizationandExecutionofTransactionsandEvents
52.Transactionsandsignificanteventsaretobeauthorizedandexecutedonlybypersons
actingwithinthescopeoftheirauthority.
53.Managementdecidestoexchange,transfer,use,orcommitresourcesforspecified
purposesunderspecificconditions.Authorizationistheprincipalmeansofensuringthat
onlyvalidtransactionsandeventsareinitiatedasintendedbymanagement.
Authorization,whichshouldbedocumentedandclearlycommunicatedtomanagersand
employees,shouldincludethespecificconditionsandtermsunderwhichauthorizations
aretobemade.Conformingtothetermsofanauthorizationmeansthatemployees
executetheirassigneddutiesinaccordancewithdirectivesandwithinthelimitations
establishedbymanagementorlegislation.
SeparationofDuties
54.Keydutiesandresponsibilitiesinauthorizing,processing,recording,andreviewing
transactionsandeventsshouldbeseparatedamongindividuals.
55.Toreducetheriskoferror,waste,orwrongfulactsandtheriskofnotdetectingsuch
problems,nooneindividualorsectionshouldcontrolallkeystagesofatransactionor
event.Rather,dutiesandresponsibilitiesshouldbeassignedsystematicallytoanumber
ofindividualstoensurethateffectivechecksandbalancesexist.Keydutiesinclude
authorizingandrecordingtransactions,issuingandreceivingassets,makingpayments,

19

andreviewingorauditingtransactions.Collusion,however,canreduceordestroythe
effectivenessofthisinternalcontroltechnique.
56.Asmallorganizationmayhavetoofewemployeestofullyimplementthistechnique.
Insuchcases,managementmustbeawareoftherisksandcompensatewithother
controls.Rotationofemployeesmayhelpensurenoonepersondealswithkeyaspectsof
transactionsoreventsforanunduelengthoftime.Also,encouragingorrequiringannual
holidaysmayhelpreducerisks.
Supervision
57.Competentsupervisionistobeprovidedtoensurethatinternalcontrolobjectivesare
achieved.
58.Supervisorsaretoreviewandapprove,asappropriate,theassignedworkoftheir
employees.Theymustalsoprovidetheiremployeeswiththenecessaryguidanceand
trainingtohelpensurethaterrors,waste,andwrongfulactsareminimizedandthat
specificmanagementdirectivesareunderstoodandachieved.
59.Assignment,review,andapprovalofanemployee'sworkrequires
clearlycommunicatingtheduties,responsibilities,andaccountabilitiesassignedeach
staffmember;
systematicallyreviewingeachmember'sworktotheextentnecessary;and
approvingworkatcriticalpointstoensurethatitflowsasintended.
60.Assignment,review,andapprovalofstaff'sworkshouldresultinthepropercontrol
oftheiractivities,including(1)followingapprovedproceduresandrequirements;(2)
detectingandeliminatingerrors,misunderstandings,andimproperpractices;(3)
discouragingwrongfulactsfromoccurringorfromrecurring;and(4)reviewingfor
efficientandeffectiveoperations.Asupervisor'sdelegationofworkshouldnotdiminish
thesupervisor'saccountabilityfortheseresponsibilitiesandduties.
AccesstoandAccountabilityforResourcesandRecords
61.Accesstoresourcesandrecordsistobelimitedtoauthorizedindividualswhoare
accountablefortheircustodyoruse.Toensureaccountability,theresourcesaretobe
periodicallycomparedwiththerecordedamountstodeterminewhetherthetwoagree.
Theasset'svulnerabilityshoulddeterminethefrequencyofthecomparison.
62.Restrictingaccesstoresourcesreducestheriskofunauthorizeduseorlosstothe
governmentandhelpsachievemanagementdirectives.Thedegreeofrestrictiondepends

20

onthevulnerabilityoftheresourceandtheperceivedriskofloss,bothofwhichshould
beperiodicallyassessed.Forexample,restrictedaccesstoandaccountabilityforhighly
vulnerabledocuments,suchascheckstocks,canbeachievedby
keepingthemlockedinasafe,
assigningasequentialnumbertoeachdocument,and
assigningcustodialaccountabilitytoresponsibleindividuals.
63.Whendetermininganasset'svulnerability,itscost,portability,exchangeability,and
perceivedriskoflossorimproperuseshouldbeconsidered.
ChapterIV
EstablishingtheFrameworkfor
InternalControlStructures
64.Aspecificauthorityshouldbeassignedtheresponsibilityfordevelopingand
promulgatingagovernmentwidedefinitionofaninternalcontrolstructure,theobjectives
tobeachievedbythatstructure,andthestandardstobefollowedwhendesigningan
internalcontrolstructure.Thisresponsibilitycouldbeassignedthroughconstitutionalor
otherlegalenactmentandgiventoacentralorganizationwithauthorityacrossvarious
governmental
organizations.
65.Insomecountries,thelegislatorswillestablishtheoverallobjectivesthattheinternal
controlstructuresshouldachievewhileleavingtheinternalcontrolstandardstobe
establishedtoaresponsiblecentralorganization.Inothers,thelegislatorssetspecific
controlsforcertainoperationsinlegislation.
66.Wherevertheauthorityisassigned,theSupremeAuditInstitutionhasavitalroleto
playinthedevelopmentoftheinternalcontrolstructure.Thisrolewillbeplayeddirectly
orindirectly,largelydependingontheSupremeAuditInstitution'slegalmandateandthe
organizationalstructureofthecountry'smanagementsystem.Iftheresponsibilityrests
withanauthorityotherthantheSupremeAuditInstitution,thatinstitution'scomments
andadviceshouldbesoughtasamatterofcourse.
67.WheretheSupremeAuditInstitutionisresponsibleforpromulgatingthestandards,a
cleardistinctionmustbemadebetweenthesestandardsandthespecificinternalcontrol
proceduresthatshouldbeinstitutedbyeachorganization.TheSupremeAuditInstitution
hasavestedinterestinensuringthatsatisfactoryinternalcontrolsexistinthe
organizationsitaudits.However,itisimportantandnecessarythatindependencebe
21

maintained.TheSupremeAuditInstitutionshouldthereforenottaketheresponsibilityfor
implementingthespecificsoftheinternalcontrolproceduresinanyauditedorganization.
Thisisproperlymanagement'sjob.However,itwouldbeappropriate,andinsome
countriesitisarequirement,fortheSupremeAuditInstitutiontocommentonthe
effectivenessofexistingcontrolarrangementsandtomakerecommendationsfor
improvement.Thiscanbedonewithoutalossofindependencesincetheresponsibility
fordecidingonandimplementingthecontrolprovisionswouldstillrestwiththeaudited
organization'smanagement.
68.Itmaybeappropriateforvariouscentralorganizationstobecomeinvolvedtosome
extentinsettinginternalcontrolstobefollowedbyallagencies.Insomeinstances,the
controlsmaybequitespecific(forexample,inmattersrelatingtorevenuecollections,
contractaward,specificationsforcomputerizedinformationsystems,andhumanresource
management).Inotherareas,especiallythosedealingwithmanagerialcontrols,the
controlsmayhavetobemoregeneral.Ineithersituation,theinternalcontrolsmust
permittheexerciseofmanagerialjudgmentandinitiativeaimedatimprovingeconomy,
efficiency,andeffectiveness.
69.Theresponsiblecentralorganizationshouldreviewitsinternalcontrolstandardsand
makenecessaryamendmentsfromtimetotime.Theinternalcontrolstandardsandany
amendmentsmustbefullydocumentedandpromptlycirculatedtoallorganizationsto
whichtheyapply.
70.Whenspecificinternalcontrolstandardsandproceduresarelegislatively
promulgated,thelegislationshouldnotbetoorestrictive.Itshouldallowmanagers
flexibilityinmodifyingproceduresastheoperationalenvironmentchanges.Otherwise,
internalcontrolsmaybecomeoutdatedandinefficientbeforethelegislationcanbe
amended.Thespecificsofaninternalcontrolstructuremustbeperiodicallyreviewedand
adjustedtokeeppacewithanorganization'schangingenvironment.
ChapterV
ImplementingandMonitoringInternal
ControlStructures
71.TheSupremeAuditorshouldencourageandsupportmanagement'sestablishmentof
internalcontrols.Thiscanbedonebyeducatingmanagementastoitsresponsibilitiesfor
implementingandmonitoringthecontrolstructures.TheSupremeAuditorshouldalso
auditthosestructurestoassurethatcontrolsareadequatetoachievethedesiredresult.
Management'sResponsibilities

22

72.Asstatedearlierinthisdocument,internalcontrolisamanagementtool.Itis
management'sresponsibilitytoimplementandmonitorthespecificinternalcontrolsfor
itsoperations.Evenincountrieswherespecificcontrolsaresetoutinlegislation,a
managerhasnolessaresponsibilityforimplementingandmonitoringthosecontrols.All
managersshouldrealizethatastronginternalcontrolstructureisfundamentaltotheir
controloftheorganization,itspurpose,operations,andresources.Theyshouldaccept
responsibilityforit.
73.Todesign,establish,andmaintainaneffectiveinternalcontrolstructure,managers
shouldunderstandtheobjectivestobeachieved.Legislationcanprovideacommon
understandingoftheinternalcontroldefinitionandobjectivestobeachieved.Itcan
alsoprescribethepoliciesmanagersaretofollowtoimplementandmonitortheirinternal
controlstructuresandtoreportontheadequacyofthosestructures.
74.Managementoftenestablishesaninternalauditunitaspartofitsinternalcontrol
structure.Whileinternalauditorscanbeavaluableresourcetoeducateandadviseon
internalcontrols,theinternalauditorshouldnotbeasubstituteforastronginternal
controlstructure.
75.Theinternalcontrolstandardsdiscussedearlierinthisdocumentrequiremanagersto
continuallymonitortheiroperations.Thequalityofinternalcontrolscanbemore
formallyassessedbyrequiringaperiodicevaluationandreportfrommanagerstoensure
thatthecontrolsforwhichtheyareresponsiblecontinuetobeappropriateandare
workingasplanned.Theseperiodicmanagementassessmentscanbemandatedina
numberofways.Theycanbecomepartofmanagement'spolicies,ortheycanbe
mandatedadministrativelybyacentraloversightorganizationchargedwithoverall
governmentmanagementresponsibility.Aneffectivemeans,however,isalegislative
mandatethatrequiresmanagerstoannuallyassesstheirinternalcontrolsandreporttothe
legislativebodyon(1)theeffectivenessandefficiencyoftheinternalcontrolsin
achievingtheirgoalsandobjectivesand(2)theirplanstocorrectweaknessesidentified.
76.Evenincountrieswherespecificinternalcontrolproceduresarelegislatively
mandated,managershaveanobligationtoidentifyineffectiveandinefficientcontrols
thatmayordocostmorethanthebenefitstheyaredesignedtoachieve.Aperiodic
managementreporttothelegislativebodyinadditiontoreportstotheorganization's
managementandacentralorganizationprovidessomeadditionalassurancethat
managementisgivinginternalcontrolstheattentionneededtopromoteefficientand
effectiveoperations.
77.Theseevaluationsshouldbemadeaccordingtoconsistentproceduresthatmeet
minimumlevelsofacceptability.Managementshouldhaveaclearplanforperiodically
evaluatingitsinternalcontrols,reportingproblems,andcorrectingweakness.Thetypes
ofproceduresthatmightbeconsideredinclude(1)segmentingtheorganizationinto
components;(2)identifyingprogramsandadministrativefunctionswithineach

23

component;(3)assessingthegeneralcontrolenvironmentandthevulnerabilitywithin
eachprogramandactivitytowaste,loss,impropriety,orfailuretomeetotherestablished
objectives;(4)planningandschedulinginternalcontrolevaluationsofselectedprograms
andfunctions;(5)evaluatingandtestingtheeffectivenessoftheinternalcontrolswithin
theselectedprogramsandfunctions;(6)determiningandschedulingcorrectiveaction
wherenecessary;and(7)reportingtheresultsoftheoverallassessmentandthecorrective
actiontobetaken.
78.Managementcanalsouseitsinternalauditunittohelpmonitortheeffectivenessof
internalcontrols.Theclosenessofinternalauditorstothedaytodayoperationsusually
placestheminapositiontocontinuallyassesstheadequacyandeffectivenessofinternal
controlsandtheextentofcompliance.Theinternalauditorshavearesponsibilityto
managementforreportinganyinadequaciesintheinternalcontrolsandanyfailureof
employeestoadheretothemandrecommendingareasneedingimprovement.Inaddition,
theyshouldestablishproceduresforfollowinguponpreviouslyreportedinternaland
externalauditfindingstoensurethatmanagershaveadequatelyaddressedandresolved
themattersbroughttotheirattention.
79.Assoonasweaknessesarefound,correctiveactionmustbetakenwhichcould
involveseverallevelsofgovernmentmanagement.Correctiveactionmayrequire
legislaturestochangeexistinglaws,centralorganizationstoreviseinternalcontrol
standardsandprocedures,andmanagementtoreviseitsinternalcontrolstructure.
TheSupremeAuditor'sResponsibilities
80.TheSupremeAuditInstitutionshouldgearitsworktowardassessingtheadequacyin
principleandtheeffectivenessinpracticeofexistinginternalcontrolsinaudited
organizations.Wherethesearefoundtobeinadequate,theweaknesses,theircauses,and
possibleeffectsshouldbefullydocumentedandpromptlycommunicatedtotheaudited
organization.Whendiscussingcontrolswithmanagement,theauditormaywanttouse
theterm"managementcontrol"insteadof"internalcontrol"toreinforcethenotionthat
controlissuesaremuchbroaderthantraditionalfinancialcontrols.Recommendations
shouldalsobemadebothformallyandinformallyonhowtocorrectthesituation.Before
makingtheserecommendations,theSupremeAuditInstitutionshouldseektheaudited
organization'sviewsandstrivetoensurethattherecommendationsarerelevantand
practical.Inparticular,thecostofimplementingtheproposedcontrolmeasuresshouldbe
relatedtotheriskinherentintheprevailingsituation.
81.Insomecountries,privatecommercialauditorsauditcertaingovernment
organizations.Insuchcases,theseauditorsandtheprofessionalbodiestowhichthey
belongshouldprovideadviceandrecommendationsontheinternalcontrolstheaudited
agenciesshouldimplement.
82.Whenassessinginternalcontrols,theauditorsshouldconsiderthefollowingsteps:

24

determinethesignificanceandthesensitivityoftheprogramsubjectmatterforwhich
controlsarebeingassessed;
assesssusceptibilitytomisuseofresources,failuretoattainobjectives,and
noncompliancewithlawsandregulations;
identifyandunderstandtherelevantinternalcontrols;
determinewhatisalreadyknownaboutcontroleffectiveness;
assessadequacyofthecontroldesign;
determine,throughtesting,ifcontrolsareeffective;and
reportontheinternalcontrolassessmentsanddiscussneededcorrectiveactions.
83.TheSupremeAuditInstitutionshouldensurethatsatisfactoryinternalcontrolsexist
inkeyfacetsoftheauditee'soperations.Withoutsatisfactorycontrols,managementmay
notdetectseriouserrorsandirregularities,andtheworkoftheSupremeAuditInstitution
becomesmoredifficultbecauseoftheincreasesneededinauditscope,staff,andtime.
Yet,availabletimeandotherresourcesareunlikelytoallowformorethanalimited
checkofprojects,operations,andtransactions.Withweakinternalcontrolsandlimited
auditcoverage,manythingscouldgowrongwithoutdetectionbyeithermanagementor
theSupremeAuditInstitution.
84.TheSupremeAuditInstitutionalsohasavestedinterestinensuringthatstrong
internalauditunitsexistwhereneeded.Thoseauditunitsconstituteanimportantelement
ofinternalcontrolbyprovidingacontinuousmeansforimprovinganorganization's
operations.Insomecountries,however,theinternalauditunitsmaylackindependence,
beweak,orbenonexistent.Inthosecases,theSupremeAuditInstitutionshould,
wheneverpossible,offerassistanceandguidanceforestablishinganddevelopingsuch
capability.Thisassistancemightincludesecondmentorlendingofstaff,conducting
lectures,sharingtrainingmaterials,anddevelopingmethodologiesandworkprograms.
85.TheSupremeAuditInstitutionalsoneedstodevelopagoodworkingrelationship
withtheinternalauditunitssothatexperienceandknowledgecanbesharedandthework
ofeachcanbesupplementedandcomplemented.Thisrelationshipcanbedeveloped
byincludinginternalauditobservationsandrecognizingtheircontributionsinthe
externalauditreportwhenappropriate.TheSupremeAuditInstitutionshoulddevelop
proceduresforassessingtheinternalauditunit'sworktodeterminetheextenttowhichit
canbereliedupon.Astronginternalauditunitcouldreducetheauditworknecessaryby
theSupremeAuditInstitutionandavoidneedlessduplicationofwork.TheSupreme
AuditInstitutionshouldensurethatithasaccesstointernalauditorreports,related
workingpapers,andauditresolutioninformation.

25

26

InstituteofInternalAuditors
Codeofethics
(condensedversion)

Internalauditorsshall:

Exercisehonesty,objectivityanddiligenceintheperformanceoftheirduties
andresponsibilities

Exhibitloyaltytotheaffairsoftheorganizationwhichemploysthemandto
government.Theyshallnotbeapartytoanyillegalorimproperactivity

Notknowinglyengageinactsoractivitieswhicharediscreditabletothe
professionofinternalauditing,totheorganizationwhichemploysthemorto
government

Refrainfromenteringintoanyactivitywhichmayconflictwiththeinterests
ofgovernmentandtheorganizationwhichemploysthem,orwhichwould
prejudicetheirabilitytocarryouttheirdutiesandresponsibilitiesobjectively

Notacceptanythingofvaluefromanemployer,client,customer,supplieror
businessassociateoftheorganizationwhichemploysthem,whichwould
impair,orbepresumedtoimpair,theirprofessionaljudgment

Undertakeonlythoseserviceswhichtheycanreasonablyexpecttocomplete
withprofessionalcompetence

Beprudentintheuseofinformationacquiredinthecourseoftheirduties.
Theyshallnotuseconfidentialinformationforanypersonalgainnorinany
mannerwhichwouldbecontrarytolawordetrimentaltothewelfareof
government

Whenreportingontheresultsoftheirwork,revealallmaterialfactsknownto
them,whichifnotrevealed,couldeitherdistortreportsofoperationsor
concealunlawfulpractices

Continuallystriveforimprovementintheproficiency,effectivenessand
qualityoftheserviceswhichtheysupply

Beevermindfulasprofessionalsoftheirobligationtomaintainhighstandards
ofcompetence,moralityanddignity
27

28