University of Pretoria
Risk Management and Internal Audit


1. Planning

The standards for the professional practice of internal auditing (hereafter called the Standards) address the internal auditing process. Standard 2200 states the following: “Internal auditors should develop and record a plan for each engagement, including the scope, objectives, timing and resource allocations.”

We will take the following steps in order to properly plan for an engagement:

1.1   Obtain a comprehensive understanding of the Department and/or Faculty and/or functions to be audited.

1.2   Make contact with the appropriate Head of the department and/or Dean of the Faculty and inform him/her that an audit will be conducted in his/her department and/or faculty. A formal letter will be written by the Director of Risk Management and Internal Audit and sent to the Head of the Department and/or Dean of the Faculty at least two weeks in advance of the scheduled starting date.

1.3   Identify the focus areas, audit objectives and criteria.

1.4   Select the audit team and meet with them in order to discuss the audit programme and approach.

1.5   Conduct an entrance conference with the management of the department and/or faculty to discuss the scope, focus areas, objectives and due dates, and ask management to provide us with the relevant contact names, policies and procedures, and any other information to assist us in performing the engagement.

2. Performing the engagement

According to Standard 2300, “Internal auditors should identify, analyze, evaluate and record sufficient information to achieve the engagement’s objectives.”

2.1 Sufficient – Factual, adequate and convincing so that a prudent, informed person would reach the same conclusions as the auditor.

2.2 Competent – Reliable information best attainable through the use of appropriate engagement techniques.

2.3 Relevant – Supports engagement observations and recommendations and is consistent with the objectives for the engagement.

2.4 Useful – Helps the organization to meet its goals.

(Practice Advisory 2310-1)

Working papers must be prepared by the auditor and reviewed by the personnel member in charge of the engagement. 

3. Communicating the results

According to Standard 2400, “Internal auditors should communicate the engagement results.”

The following procedures will be followed in order to properly communicate the results:

3.1 A draft report is compiled by the internal audit staff member and approved for factual correctness by the Deputy Director: Internal Audit.

3.2 The draft report is approved by the Director of Risk Management and Internal Audit.

3.3 The draft report is provided to the management of the department/faculty for their comments and corrections if necessary.

3.4 An exit conference is held with the Dean/Director/Member of Executive and his/her management team to discuss the findings, conclusions and recommendations. Action plans and personnel responsible for such plans will also be discussed and incorporated into the report.

3.5 The report is amended after the discussion and the final report is compiled.

3.6 The final report is approved by the Director of Risk Management and Internal Audit.

3.7 The final report is distributed to stakeholders, together with an executive summary for relevant members of the Executive.

3.8 The Audit and Risk Management Committee is provided with bi-annual reports of significant audit findings, with access to summaries or full reports if requested.

4. Monitoring progress

According to Standard 2500, “The chief audit executive should establish and maintain a system to monitor the disposition of results to management.”

At some stage after the report has been distributed, the internal auditor will investigate whether the recommendations made and the action plans agreed upon have been implemented. A follow-up report will be generated and distributed to senior management, with high-level feedback to the Audit and Risk Management Committee.