Approved by the Order #1013

July 30 2010
Government of Georgia

Internal Audit Methodology

1. Introduction

Unlike external audit, internal audit is a new profession in Georgia, as well as all over the world.
Hence, it is natural that this profession is entity to permanent changes and improvements. This
document provides definition of the internal audit and discussion of the key principles thereof; it
provides detailed explanation on how internal audit function should be performed in accordance
with the International Professional Practices Framework developed by the International Institute of
Auditors (IIA). It should be noted that the feature of internal audit is unique for each institution and
depends upon environment in the institution. Therefore, to perform internal audit, culture, policies
and business processes of the institution should be studied and understood in details. Contemporary
internal auditors study the systems, watch effectiveness achievement of maximization of results
from the resources used in the activities of the audit object, cost-effectiveness, effectiveness
degree of meeting of the stated objectives by the audit object, regarding actual and expected results
and, if required, provide recommendations. Internal auditors study financial, operational, strategic
and compliance risks to ensure sustainability of the institutions control system. They conduct
assessment and identify required improvements. Main function of the internal audit is assistance to
the management in achievement of the institutions goals.

2. Definition and Principles of Internal Audit

What is internal audit?
According to IIA definition, internal audit is independent activity, including objective evidences
and consultancy activities, adding value and improving operation of the institution. It helps the
institution in achievement of its goals, in evaluation and improvement of the autonomous process of
risks management, control and management, using systemic and organized approach.

2. Charter of the Internal Audit Entity, Internal Audit Entity

Charter of internal audit entity is the official document stating purpose of internal audit activities, as
well as authorities and responsibilities. Internal audit charter specifies the place of internal audit
entity, as integral part of the organizational structure, availability of tangible and intangible assets,
as well as entitlement to the staff information and various assets, as required for fulfillment of the
internal audit function. Internal audit charter states also the scopes of internal audit. Head of the
internal audit entity should periodically review the internal audit charter to ensure its compliance
with the modern internal audit concept, code of ethics of internal auditors and internal audit
standards.

Head of the internal audit entity shall provide implementation of the internal audit entity work
quality assurance, maintenance and improvement strategic program (which shall be developed by
the head of internal audit entity and approved by the head of institution, upon agreement with the
center), which covers all aspects of internal audit entity activities.

By means of the mentioned program compliance of internal audit entity activities with the internal
audit definition, internal audit standards and internal audit code of ethics shall be provided.
Implementation of this program should allow evaluation of effectiveness and efficiency of internal
audit function, as well as identification of the improvement opportunities.

4. Internal Audit Independence

Internal audit entity shall be independent and the internal auditors shall be unbiased in internal audit
performing.

To ensure independence of internal audit the internal audit entity shall be directly subordinated to
the head of institution (minister, state attorney, major etc.), in the organizational respect. Internal
auditor should have possibility of open professional communication with the head of institution,
though, internal audit entity shall be entitled to freely select (even if the opinion of internal audit
entitys head is different) and inspect any sphere, where he/she regards that there is the risk of
substantial errors.

Head of internal audit entity shall be independent in selection of the sphere of internal audit entity
work, implementation of its activities and reporting of the results.

5. Overview of Internal Audit Function, Audit Evidences

Audit evidence is collected analysed and evaluated information, on which the audit findings are
based. Evidences shall meet the following conceptual requirements and shall be:
a) Sufficient is the measure of quantity of the evidence; should be collected and evaluated
sufficient information so that the reasonably informed unbiased person agreed with the auditors
conclusions.
b) Reliable comprises the measure of reliability and adequacy of the source of evidence and the
method of seeking thereof; generally, information received from the third, independent party is more
reliable than that, received from the audit objects; the evidence is reliable where it is gained via
direct physical examination, observations and inspection and where it is received in the
documentary form, rather than verbally. Degree of information reliability increases where it is
received from several sources;
c) Adequate is the measure of adequacy of the evidence; the evidence shall be in logical relation
with that, for evidencing of which it is sought. Audit evidence may be physical, recognitive,
documentary and analytical.

6. Methods of Seeking of the Evidences

As a rule, for gaining the audit evidences various techniques and methods are used. Selection of the
evidence collection method is provided based on the characteristics of the methods and specific
purposes of audit. Methods of collection of the audit evidences differ significantly (e.g. the method
may be reliable, though requiring high costs; it may require greater technical knowledge and
experience etc.).

Widespread methods of collection of audit evidences include:

a) Interview this method is often used for collection of evidences. For conducting the
interview, adequate training and respective skills are required. Interview may identify the
problem, provide evidences for confirmation of the audit findings and the positions of the
auditor and audit object may be compared with respect of the breaches identified via
audit and recommendations;

b) Audit test testing means examination of the selected actions / measures or operations
doe identification their qualitative properties. Audit tests are of two types: compliance
testing and detailed inspection.
Purpose of compliance test is examination of the control adequacy and effectiveness.
Key procedures imply detailed examination of the selected operations/records.
In many cases the test serves for both purposes. E.g. examination of calculations may show, whether
internal control mechanisms operate properly (compliance test), as well as how accurately the
system provides the amount (this test, simultaneously, serves to the goals of detailed examination).
After selection of the test type the operations / records to be tested will be identified. The specific
object of testing may be selected on the basis of judgment (e.g. taking into consideration the scopes,
risks or other properties). Conclusions made in such case would be applicable to the given objects of
testing.
Test object may be selected so that the selected set was representative for the group/population of
certain operations/records. Conclusion made in such case would be applicable to the entire
population (group) and not only to the test objects.
c) Selection the process, by means of which the part of the population is selected for
determination of the characteristics and parameters of the population. This method
significantly reduces the costs and makes internal audit functioning more effective and
therefore, it is very widely used.
Though, selection has its weaknesses as well:

One of its weaknesses is the selection risk risk that the selection by the internal audit
entity may be not representative (selection scopes may not fully cover the field under
consideration) for the entire population, resulting in inadequate findings;

There is also the risk of non-selection e.g. the error may be not identified.

There are two basic types of selection:

Statistical selection, which relies upon the statistical science;

Selection through judgment, or non-statistical selection, where the auditors provide

selection on the basis of judgment and determine the scopes of the selected set.

Statistical selection has the following advantages:

Generally, reduced sizes of the selected sets mean that audit/inspection activities are more
effective;

Allows risks assessment;

Is better protected from biased approach and inadequate efforts;

d) Questioning structural approach to collection of information from the large population.

Example of use of monitoring is finding out of the opinions of the service beneficiaries
about quality and timeliness of the services. Its key element is tested, structured
questionnaire. Questioning could be conducted either via personal meetings, by phone,
internet or mail;
e) Inspection confirmation of presence of the records, documents or material resources.
Inspection of the material assets provides reliable information about presence of the
material assets and their condition. Inspection of records can confirm or reject existence
of the primary documentation of the accounting records;
f) Diagram graphical description of the process or system allowing analysis of the
complex operations/systems, examination of presence of the control mechanisms and
identification of the excessive/useless actions in the process;
g) Modeling method facilitating decision-making by simulation of the actual processes by
means of mathematical and statistical models. The models may be descriptive or
cognitive. Descriptive models provide classification of variables and clarification of their
interrelations between them. By means of the cognitive method the prognosis is
developed how the interrelation between variables would change, if one or more of
them changes;
h) Observation similar to the inspection. Observation implies personally examining the
processes and procedures. There are some cases, where evaluation of functioning of the
operations and internal control mechanisms is possible only via direct observations over
their operation;
i) Confirmation written request to the audit object or the third party to provide written
confirmation of one or another information;

j) Analysis study of the gained information and its use for conclusions, to compare with
the indicators of the results of the audit objects activities, past achievements or results of
similar operations in the other institution, or for finding out compliance with the
institution policies and effective legislation.

7. Planning of Internal Audit

Head of the internal audit entity, based on the requirements of the legislation, in agreement with the
head of the institution and the center, should develop the strategic plan of internal audit and annual
plan of internal audit.

Strategic plan of internal audit, similar to the annual plan of internal audit, should be developed on
the basis of audit risks assessments, taking into consideration of the experience of past audits,
available resources (time and human resources).

Process of development of the internal audit plan assists the head of audit entity to clarify such
issues as:

Allocation of human resources to the different spheres of audit assignment of the staff
based on their knowledge, skills and experience to the complex / high risk operations /
systems and audits requiring relatively limited technical knowledge;

How management and supervision of the audit process will be provided;

Development of the quality assurance program etc.

Upon development of the internal audit strategic plan the internal audit annual plan should be
developed. Internal audit strategic plan should be developed once and further reviewed (at least once
in two years). Annual plan of internal audit shall be developed in the end of each year, at least one
month before commencement of the new financial year. Head of the internal audit entity shall
submit strategic plan of internal audit, as well as annual plan of internal audit to the head of
institution.

Annual plan of internal audit provides more details, compared with the strategic plan of internal
audit. Internal audit annual plan, primarily, provides analysis of risks assessment results and further

 plans of implementation of the other procedures of audit. This includes both, the nature of audit
procedures and sphere of audit, as well as terms for each audit. Annual plan of internal audit should
provide for (based on the past experience) certain amount of free time (for conducting off-schedule
audit of the staff with different experience, knowledge and skills, on the basis of request of the head
of institution, or suspicion of alleged abuse).

8. Implementation of Internal Audit

First step in most internal audits is informing of the management of the respective structural
subdivision / body of the structure / institution, where audit is planned, about conducting of the
audit. This is done via formal letter, by which the management of the audit object is officially
notified about planned audit. The mentioned letter should provide information about when the audit
is scheduled; who is in charge of audit and why the audit is conducted (current, scheduled, upon the
managements request etc.). Mentioned official letter should be sent, in addition to the management
of the audit object, to the immediate manager and shall state the following information:

a) Audit purposes and scope;

b) Date of audit commencement and its duration;
c) Names and surnames of the persons (at least the team leader) bearing responsibility for the
audit.
From the audit object the financial statements, statistical reports and other reports corresponding to
the goals of specific audit should be requested in advance; this would assist the auditors to better
understand the situation and identify the trends.

There are some cases where no formal letter is sent to the audit object, e.g. where the audit is
conducted unexpectedly, in relation with the abuse and only administration of the institution may be
informed. Though, it should be taken into consideration that off-schedule audit breaks the normal
course of work of the audit object and causes complication of fulfillment of their duties properly.
Therefore, off-schedule audit should be conducted in the extremal situations. In addition, frequent
off-schedule audits may endanger implementation of the internal audits states in the annual internal
audit plan.

9. Study of the Object within the Internal Audit Scopes

These studies are of great significance for clarification of the direction of audit efforts, specific
spheres and scale; this is the first stage, which is implemented in the site of audit. Internal auditor
shall not commence audit of the documents or observation over some activities without specific goal
or objectives. Study at the object allows the auditor:

a) Familiarization with different systems;

b) Examine various system control structures and control risk in the spheres of audit.

If the audit group members do not know the location of audit object and its administration, it is
necessary to familiarize with them; in addition, any question in the letter about commencement of
the audit should be clarified. At the same time, team leader auditor shall develop the requirements
for the planned interviews and work schedule. For implementation of the typical study at the object
the team leader auditor and team members should take into consideration the following components:

Organization

In conducting study at the object the auditors shall cross-check the structure of institution, including,
whether the names and surnames of key staff members related to the specific audit operation are
provided correctly. Auditor shall get familiar with the functional responsibilities and key persons
participating in the activities.

In many cases, in the structures of the institutions, the titles of the positions do not adequately reflect
actual functions of specified position. The formal job descriptions shall be requested. If the given
structural subdivision (unit) and/or unit subordinated to the institution has no functional distribution,
the auditor shall prepare the brief sketch of the organizational structure and consider his/her
propositions with the administration of such structure, which is subject to audit.

Manuals and instructions

Copies of the respective policies and procedures manuals and required data, for the auditors work
documents could be obtained online, with special access authorities. The respective laws and
regulations should be studied, as well as the administrations directives, which shall be fulfilled.
Regarding common objectives of the audit, the copies of correspondence should be considered as
well, to familiarize with the respective materials.

Reports

Respective reports and records of the meetings related to the audit to be performed should be
analysed (submitted by the leader), like budgeting, operations, costs analysis and personnelrelated issues, as well as the results of any external audit or survey conducted by the administration
and implemented measures. The examples may include the feasibility reports or conclusions made
by the Chamber of Control of Georgia. Such reports may provide to the auditor some hints, as well
as the summaries of the existing problems, recommendations offered and results achieved via their
implementation.

Personal observations

Visual examination of the object allows the internal auditors to get familiar with the given structural
subdivision (unit) and/or unit subordinated to the institution, its key activities and staff. This also
allow audit group to put the questions and observe the activities of the unit. The auditors are often
criticized because they pend all their time in accounting or administrative office and perform audit
so that they have no clear idea of the activities in relation with which the audit is conducted. As the
final work of the auditor may lack some significant issues, impressions of the visual examination
should be stated in the auditors work documents. Compliance with the procedures of the audit
object should be observed and documented as well.

Discussion with the staff related to the specific audit

Arrangement of the discussion with the staff members engaged in the audited sphere is useful for
identification of the problematic issues, results of the activities of structural subdivision (unit) and/or
unit subordinated to the institution and planned changes or reorganization. Questions should be
stated on the basis of data considered in advance or findings of the visual examination.

Study of the object is the first step for the purpose of any type of survey in the audited entity; at this
point the management meets with the audit group and the auditors assigned for the given task have
the first contact with the audited structural subdivision (unit) and/or unit subordinated to the
institution. At this stage the problems or disagreements may arise. Though, it is desired that these
issues were resolved at a time of letter of the commencement of audit. Head of the structural
subdivision may be unaware of what the internal auditors are interested in, or the internal auditors
may have no proper awareness about the structural unit, irrespective of preliminary planning.

Consequently, it may become necessary to change the planned overview, audit procedures or even
the sphere of audit. In such case the audit official should contact the head of internal audit entity for
further instructions.

Regarding the number of the internal audit service staff and the contents of letter on commencement
of audit the overview may be conducted by one or more internal auditors. One of them shall be
always nominated by the head of internal audit group as the chief auditor of the audit group, whose
responsibilities include making of the auditors decisions in situ. Normally, responsibilities of the
chief auditor are imposed over the senior auditor in the composition of auditors, though these
responsibilities should be vested upon the other auditors as well, by the rotation, to allow the less
experienced auditors to gain the audit process management skills.

10. Documenting of the Studies over the Object within Internal Audit Scopes

Normally, survey of the object (territory of the internal audit object territory) takes one or two days.
In case of wider examination the survey may be conducted separately, at a time of preliminary visit,

before the auditor implements the key procedures and performs the analytical work. In both cases,
the implemented work, as well as the summaries of the data collected at the object, in the course of
survey, should be stated in the auditors work documents. The copies of the reports and available
written procedures should be collected, as well as summary of the records, documented observations
at a time of all interviews and visual examination of the object. In addition, for each system or
process the diagrams should be prepared.

Survey of the object is the means for identification of the new and innovative approaches to the
audit. Such new methods should be taken into consideration against the background of the changed
procedures or work conditions. For example, some function, which was previously performed
manually, now is automated (by means of certain technological innovations). The schemes should
be developed for description of the key processes, controlled risks and internal control mechanisms.
Via graphical expressions of the series of operations and data summaries the diagrams present the
complex systems, processes and control mechanisms.

There are many approaches for building of the diagrams, but diagrams should always depict
relations between different operation components and the control mechanisms in the processes.
Upon completion of work on them the diagrams will become the permanent part of the auditors
work document for given structural subdivision (unit) or unit subordinated to the institution. This is
also useful for meeting of the requirements according to which the institutions shall maintain the
documents and disclose the internal control mechanisms. In many cases the staff member of internal
audit entity has already prepared diagrams, from the previous surveys, which require only updating.
Sometimes the institutions, themselves have prepared internal diagrams for the purpose of process
documenting or any other purpose. Of course, these diagrams should be used, though the auditor
shall make sure that they are accurate and up-to-date.
11. Auditors Conclusions Resulting from Object Surveys

Within the scopes of internal audit, purpose of the object survey is cross-checking of the actual
nature of considerations developed in the course of preliminary planning of audit. In addition, the
key systems and processes should be studied as the information, upon which the preliminary
planning of audit rely is not complete in many cases. This is the important stage, where, the audit

group assigned for conducting of given audit can make changes to the scales and objectives of the
planned audit.

At a time of wider scale audits, in many cases, it is useful that the head of the audit entity visited the
group, which conducts field survey and consider the results. In this way all changes in the sphere of
audit requiring approval from the side of administration could be made. In result of the field visit
many potential questions, which would further arise, could be answered. Internal auditor may find
him/herself in the situation, where, based on the information resulting from the object survey the
audit group can make corrections to the audit sphere planned in advance, or even cancellation of the
audit work completely. In some cases, the audit group participating in the preliminary planning may
contact the remote object of audit and receive information about absence changes in the sphere of
interest. After visiting of the object some significant changes could be revealed in result of object
survey, e.g. introduction of the new information system, what completely changes the control
environment and internal audit group may need to assign one more specialist for work with the
project, leading to corrections both, in staffing and audit testing strategy. In the other cases the audit
group may establish that the changes are insignificant and planned audit should be cancelled or
postponed. Though, mostly, the field survey provides to the audit group additional data, assisting
them to make changes to the planned procedures. Survey at the object conducted within the scopes
of internal audit should be used for the purpose of documenting or for updating of the permanent
work file.

If at the object there is no administration of audit service the survey results should be summarized in
written and sent to the chief by e-mail, in which case it is deemed that the chief is familiar with the
given conclusion.

12. Use of the Audit Programs for Internal Audit

Internal audit shall be organized and implemented consistently, for the purpose of minimization of
the arbitrary or useless procedures.

Fir assistance and guidance the internal auditors shall use so called audit programs to perform audit
procedures consistently and effectively at a time of implementation of the similar audit. term
program denotes the number of audit procedures, which are similar to the computer programs and

contain instructions, which, each time, in the course of the process, pass one and the same program
instructions.

E.g. computer program, providing calculation of salaries, contain the instructions for reading of the
files of the cards recording the worked days, position benefits of the employed, seeking of the
information saved in the other file and calculation of the aggregate salaries. For each employee one
and the same stages are repeated, with the exclusion of cases where the program specifies the
overtime work.

Similarly, the audit program contains the set of predetermined stages to be

implemented by the internal auditor.

Audit program is the mean for planning, directing and controlling of the auditors work and outline
of the actions, which specifies the stages to be implemented for fulfillment of the audit objectives.
This is the set of the best methods of the auditor for conducting of audit and ensures documenting of
the performed stages. Entity of internal audit, desiring that its activities were evaluated as
effectiveand professional, shall have prepared the number of audit programs for performing of
the recurrent audit operations. Many such programs (e.g. one of them is observation over inventory)
are applied by number of years by many institutions only with minor changes. In the other case the
auditor may have to modify the standard program, to adjust it with the unique aspects of the specific
audit. And in some cases use of the standard audit program is not reasonable. For example, where
internal auditor desires to examine the structural subdivision (unit) or the unit subordinated to the
institution for special / unique control characteristics, or if the administration of the audit service
desires to apply different approach to overcome the problem identified in the previous survey.

Advantage of the standard programs that they contribute to perform the work in reasonable manner;
play the role of completed control questionnaire and ensure that all issues significant for the audit
are dealt with. Standard programs improve audit effectiveness and facilitate delegation of works and
control processes. Though, the standard programs have the weaknesses as well: if the decision on
their application is not reasonable, thi can suppress the professional judgment. In performing of
his/her work the auditor always needs professional judgment, as all audit operations are different
and thus, the tests shall be developed bearing in mind different conditions of each audit operation.

According to the planned audit objectives and base on the data collected at a time of preliminary and
field surveys the chief auditor can make decision on correction of the audit program. This may

include minor local changes or unique audit procedures based on the preliminary planning and field
survey results. To develop the program, the internal auditor, primarily, shall study the characteristics
comprising adequate audit program

13. Formats of Audit Programs and their Development

Audit program is the document describing the stages, procedures and tests to be performed by the
auditor at a time of actual implementation of audit. Development of the program shall be completed
before field survey and further, before implementation of actual auditor work in situ. It shall be
developed taking into consideration number of criteria, the most significant of which is that the
program identified the aspects of the sphere requiring further examination and sensitive spheres
(high risk spheres are implied), which require auditors attention.

One of the most significant purposes of audit program is that it provides guidance for both,
beginners and experienced auditors. For example, the administration can require from the audit
entity to observe over the annual inventory. Such survey consists of quite standard procedures.
Unexperienced auditor can be unaware in these procedural stages; even experienced professionals
can forget some of them. Audit program contains all necessary stages of audit.

Gradually entity of internal audit develops the library of programs with time for such tasks as
inventory observation or survey of long-term assets. In planning of such survey, for which the
developed programs are available, the administration of audit service will use given program, taking
into consideration the changed situation, which would become known to it at a time of preliminary
ot field survey. Audit programs are reviewed as required; changes shall be approved by the
administration of audit service, before commencement of the survey. Many entities of internal audit
may have no formulated audit programs for many years. This is caused by the fact that normally, the
internal auditors have to conduct audits in wide and versatile spheres, though they have no time or
resources to regularly survey each sphere. Audit programs developed on the basis of past audits
often become obsolete due to introduction of the new systems or changes to planning. Auditor
responsible for field survey or one of the audit service managers should update the available audit
programs, i.e. prepare the updated reviewed versions of the audit programs for the planned audit.
Regarding the type of planned audit, normally, on of the three general formats is used: set of general

audit procedures; audit procedures with the detailed instructions for the auditor and the checklist
(the latter is for the compliance audits).

Audit program containing detailed instructions or procedures implies that the auditor using such
program has no sufficient technical knowledge required for survey. In many cases such programs
are used for one-time surveys for certain specific spheres, developed by the audit service
administration so that the auditor with the adequate knowledge for planning of all procedures
detailed in the audit program, perform audit upon certain instructions. Application of such program
format is useful for the audit management group by audit entity, the auditors of which perform their
activities in the remote locations and it desires that its auditors implemented one and the same
general procedures.

The audit programs with the checklists were the most widespread format int he internal audit sphere.
It consisted of the long list of the questions and required answers yes, no, or N/A.
Implementation of such programs is provided via study of documents or the interviews.
Answers yes/no to the questions in the information collection context are acceptable in many
cases. Though, audit program in checklist format has two weaknesses. First, the experienced auditor,
at a time of yes/no type interviews can consider the problematic spheres or put the different
question, but the beginner can miss such nuances and he/she would simply complete the
questionnaire, without passing beyond the yes/no questions and would not provide in-depth study
of the problems pointed by thee questions. Procedures-oriented audit program is more conductive
with respect of the additional questions about the issues, to which the questions may arise based on
the collected information.

Questionnaire-type audit program, where the auditor puts the questions only, also leads to ignoring
of the issues requiring evidences by the auditor. Unexperienced auditor can simply tick yes
without finding out, whether such positive answer is based on the respective audit evidences or not.
For example, question about whether the significant documents are approved regularly or not. It is
easy to put the question and receive positive answer, but whether these documents were actually
approved or nor, will be never checked. Each format of the audit program is useful for different
types of survey, if the internal auditor takes some time to thoroughly understand the questions of the
program.

The main problem is that audits should be based on the audit program of certain type, which
provides documentation of the performed stages of survey. Such approach allows the audit service
administration to be aware in which procedures were conducted by the auditors and which were not
at a time of given survey. Good and consistent audit programs are very significant for improvement
of the internal audit quality.

Reliability of the evidences to be considered and other information should be also taken into
consideration in finalization of the audit program. There is no use in maintaining of the obsolete
systems and procedures in audit program.

In development of the audit program internal auditor shall select the significant stages which ensure
collection of the reliable audit evidences. For example, in many cases, it is necessary that the audit
program contained the key procedures in the high risk significant sphere, rather than
recommendations on collection of information via interviewing.

Contemporary audit methods also contain audit software, where this is practicable. For example, by
the computer-based audit methods (CAATS) some audit stages could be implemented similarly to
the procedure of up-to-date audit procedure (e.g. statistical selection procedures), to allow the
auditor embracing the wider range of issues. In preparation of such audit the consultations should be
provided by the staff members of audit service, who have experience in information systems audit or
other technical skills.

For the audit program no best format or one stated format exists, though, the program should be the
document, which could be studied by the auditors to direct their efforts for the purpose of
documentation of such activities. Audit program will be further attached to the audit work
documents and play the role of the table of contents for the activities described in such work
document.

14. Implementation of Internal Audit Procedures in Situ

Audit may result in delays in everyday operation of the institutions system bodies and cause
problems where the audit takes place.

Chief auditor and audit group members should commence their work at the audit object with the
meeting with the respective members of the audited object to present them the audit plan, identify
the spheres to be examined, as well as the special reports or required documentation and introduce
the staff members, who will participate in the interviews.

Internal audit processes could be summarized as follows:

Risk assessment for the purpose of identification of potential control risks;

On the basis of risk analysis, regarding available time and other resources, development of
internal audit strategic plan and internal audit annual plan and amendment thereof;

Audit planning and resources allocation;

Notification of the audit object on commencement of audit;

Conducting of the audit survey;

Preparation of the work documents;

Implementation of the audit procedures;

Study of the key control mechanisms and procedures documenting;

Summarization of the audit results and their consideration with the audit object management.

15. Internal Audit Work Documents

This section of the methodology contains instructions dealing with preparation, consideration and
maintenance of the audit work documents.
Necessity of maintenance of the work documents is caused by need of the linkage between
performed work and audit report.

15.1 Requirements Related to Work Documents

Work documents provide linkage between performed audit work and the audit report. Work
documents comprise organized system of records fully reflecting performed work and include all
documents and electronic information collected or generated by the auditor, including evidences
confirming auditors findings, auditors opinions and conclusions. Evidences stated in the work
documents should be adequate for confirming auditors findings and supporting the auditors report.
Work documents should be developed and considered in accordance with the generally recognized
audit standards.

15.2 Planning Creation and Organizing of Preparation of the Internal Audit Work Documents
Well systematized work documents are critical for conducting of audit at the professional level. For
creation and preparation of the professional work documents adequate planning is required. Before
preparation of the work documents the auditor shall gain clear understanding of the basic and
additional purposes of preparation of the work documents. In the process of creation, planning,
preparation and organizing of the work documents the following instructions shall be taken into
consideration:

15.3 Planning of Work Documents Preparation

Creation of the work documents shall be planned so that to disclose all data on all audit
aspects, in addition, the documents shall not contain data available from the other sources;

Each audit plan shall contain instructions on preparation of the audit documents, as well as
instructions dealing with the structure of files, procedures of assigning of indices, marks for
linking of the different documents. The instructions dealing with review of the work
documents shall be taken into consideration as well.

Respective work documents prepared in the course of audit shall be placed into the files and
kept;

Work documents shall contain supervisory directives, performed reviews/revisions and

comments. Of the decision dealing with auditing of any specific aspect was made, the work
document shall state the reasons thereof. Where any of the audit findings is not stated in the
final report the reasons of omitting of such finding shall be stated so that the person
considering/examining the audit was able to find the preliminary findings/results.

15.4 Preparation of the Work Documents

Work documents shall be complete and accurate to support audit findings, provide
judgments, bases for conclusions and demonstrate the nature and scale of performed audit
work;

For the readers aware in audit the work documents shall be understandable and shall not
require any additional verbal clarifications;

Work documents shall be clear and transparent;

Work documents shall state only information dealing with the substantial issues and fit to the
goals of given audit.

15.5 Organizing of the Work Documents

Files of the work documents are divided into two main groups: permanent and current ones.
Permanent files shall contain information, which is transferable and useful for the future
audits. For example, the permanent files shall provide the input data, results of the previous
audit and reports of inspecting;

Current files shall be organized in accordance with the files structure developed for the given
audit. Current files of the large-scale audits can consist of the following sections: one file for
each examined sphere; other files on general part of the entire audit and one file for the
issues of audit administration. Current file shall contain the following minimum information:
contents; survey pages; audit summary; audit program with cross-references, analysis,
calculations and other supplementary information.

15.6 Principle of Documenting of the Work Documents

a) Work documents shall be in proper order so that to be understandable for the aware reader and the
latter should make the conclusion similar to the one made by auditor, without any additional verbal
clarifications. Work documents shall provide complete, clear and laconically. Adequately prepared
work documents provide possibility of continuation of given audit by the other auditor at any time
(for example upon completion of the inspection stage);

b) As a rule, all work documents or closely linked packages of work documents shall contain certain
basic information. Exclusion may be, e.g. the files of correspondence, administrative files etc.,
where it would be reasonable to provide required information on the title page or the first page of
the file. Decision about said exclusions shall be made by the chief of audit or a person responsible
for given audit;

c) It is required that most work documents included the following information:

Title of the work document or heme;

Activity or function which is audited, names of the person who has prepared,
considered/inspected the work document;

Dates of preparation and consideration of the work document;

Explanation of the used marks, symbols or abbreviations;

Reference index of the work document, for placing into the respective file and reference.

Any other information shall be stated as well, so that to clarify purpose, source, sphere,
methodology, criteria and conclusions of the specific work document.

15.7 Summary of the work documents

Work documents shall contain brief description of each sphere prepared by the auditor, irrespective,
whether the violations were found or not. Information provided in the summary shall support audit
findings and specify the shortcomings. Summary shall also contain the recommendations by the
auditor.

15.8 Indexing of the Work Documents

System of indices shall be simple, but with the potential of extension. It shall be adjusted for the
specific audit, in accordance with the purpose, significant spheres in given case and audit plan.
Indexing of the work documents shall be provided in the process of developing of work documents,
or immediately upon their completion.

15.9 Cross-references of the Work Documents

Cross-references of work documents ensure taking into consideration of all relevant facts and
conclusions, which support auditors opinion (on the copy of draft auditors report the references are
made to the work documents). In the event of adding of new information to the final report this
information shall have the relevant reference as well.

15.10 Review of the Work Documents

Work documents shall be periodically reviewed to ensure compliance with the internal audit
standards. Frequent reviews allow evaluation of the quality of work documents, linkage between
audit goals and conducted work, as well as evaluation of completeness of the performed inspection.
In addition, review allows evaluation of audit conclusions and identification of any additional work,
if required.

The reviewer (person who provides review and who is assigned by the internal audit entity) shall
prepare the written notes upon completion of the review; and the auditor shall revise the work
documents as required and perform additional work. Reviewer and auditor shall agree upon the
comment and additional work scope. This process shall be documented.

For the purpose of securing accuracy of the supporting facts and figures of the audit report the copy
of the report with the references shall be considered by the independent reviewer. Independent
reviewer shall be the chief auditor, who does not participate in given audit operation. In addition, if
possible, the independent reviewer should not be the direct subordinate of the person responsible for
given audit. Documenting of the review shall be provided in the work documents, where the
comments of independent reviewer are stated, as well as the actions for addressing of the identified
problems (participation of the independent reviewer is not the mandatory component).
15.11 Maintenance and Security of the Work Documents Files
Work documents shall be maintained for at least 6 years from the date of publication of the final
report, unless maintenance of the work documents for longer period is required for the other reasons
(e.g. investigation). Materials collected in the audit process and are no more needed shall be
destroyed and not archived.
Files of the work documents shall be protected and only staff members with relevant authorities
shall have access to them.

16. Reporting of Internal Audit (Conclusion)

Internal audit report is the final result of the work performed by the internal auditor. There are
number of reasons or set of reasons for development of the internal audit report, in particular:
a) Development of the recommendations and initiation of the organization changes on the
basis of recommendations provided in the unbiased, independent report prepared by the
entity the institution can implement the fundamental organizational changes;
b) Study and consideration of the problems with respect of internal control internal control
report helps the administration in properly understanding and studying of the problems and
issues related to internal audit;
c) Taking of the facts revealed in result of audit and relevant recommendations and taking
respective measures by the management submission of the formal written

recommendations and further monitoring of the relevant response from the side of
management ensures implementation of the changes according to the recommendations in a
timely manner;
d) Documenting of the performed audit work internal audit report provides documentation of
the audit evidences. In addition, it shall specify the scope of performed work, issues
considered and basis for the conclusions, together with the issues, which were not studied
within the scopes of given audit;
e) Collection of the proper evidences by internal auditor for the administration and submission
of the respective information function of the internal audit is providing of the respective
evidences to the administration, what is implemented via official submission of the audit
report. In addition the report provides advices and information on risks and corporative
management developed by the independent party.

Before submission of the final, official report the internal auditor submits draft report to the
management of the audit object. Further the mentioned draft report is considered to ensure full
understanding of the report by the audit object management, open discussion of the issues and
recommendations provided in the report and conciliation of the positions, before submission of the
final report. In result of the mentioned discussion the draft report may be modified.

17. Contents of the Internal Audit Report

Internal audit report shall state the following key issues: title page of the report shall state the issue
of audit, names and positions of the persons to whom the report is sent and the dates of preparation
and submission of the report.
Body text of the report shall consist of two parts: I key audit findings and recommendations; II
detailed information about identified facts and agreed actions.
Before the body text of the report the summary is provided, stating the key results and consisting of
the following parts:

Brief overview of internal audit;

Introduction;

Sphere of internal audit;

Key risks;

Opinions of the internal auditor;

I part of the internal audit report considers the key findings, risks and their significance, as well as
the recommendations; II part provides more detailed consideration of the results of performed work.
Internal audit report provided below shall contain the following information:

Risks;

Agreed measures;

responsibilities;

Terms of implementation of the agreed measures.

Generally, internal audit report shall include the annex providing detailed clarifications and
respective analysis, providing basis for the recommendations and opinions stated in the report.

18. Internal Control

Definition of the internal control is provided in the international audit standards (International
Standard of Audit 400 Risk Assessment and Internal Control). According to the mentioned
international standard the internal control system is the set of control environment and control
procedures. Internal control system contains all directions and procedures set by the managers of the
respective units, within their capabilities, for achievement of the well organized and effective
activities, including consistent implementation of the policies set by the management, protection of
the assets, prevention of the breaches and errors and their identification, for ensuring completeness
and accuracy of the accounting records and timely preparation of the reliable financial information

19. Quality Control

Head of the internal audit entity shall develop the quality assurance program embracing all aspects
of internal audit function and ensuring effective performing the audit at high quality. In addition, the
head of internal audit entity shall perform program implementation monitoring and amendment
thereof, for the purpose of taking into consideration the changes in the rapidly developing profession
of the internal audit. Effectiveness and efficiency of internal audit shall be evaluated, as well as
opportunities for improvements shall be identified and used.
Quality assurance program, which shall be developed in each entity of internal audit, shall provide
for review of the audits performed by the staff members of internal audit entity, what implies

examination of the performed audit operations by an auditor, who has not participated in the audit
process. Review of the performed audit is of two types: a) internal review; b) external review. The
internal review is conducted with the participation of the staff members of the given internal audit
entity and external review are performed by the invited independent internal auditors.
Quality assurance program ensures compliance with the requirements of internal audit legislation
effective in the country, instructions by the LEPL National Center of State Internal Control, internal
audit standards, internal audit code of ethics, charter of internal audit entity.
Quality assurance program shall also include the program for improvement of the qualification of
internal audit entity staff. Each staff member of the internal audit entity shall have the certificate of
internal auditor, or, concurrently with employment, he/she shall study for obtaining of the
mentioned certificate.