Adaa Internal Audit Manual


In adopting this Internal Audit manual, the Abu Dhabi Accountability Authority has ensured that the Internal Audit Functions within Subject Entities will adopt the IIA definitions and standards in the performance of Internal Audit work. They can be referred to as value for money or management audits. The approval of the Committee should, however, be sought prior to implementation.

The Head of the Internal Audit identifies the Function’s requirements in human resources including required qualifications and skills needed to execute the work, in addition to the identification of the need to use experts from outside parties. It is mandated to obtain the approval of the Committee for all these needs and requirements.

The Internal Audit Function staffing model needs to be flexible to ensure the required skills are available to perform the work. Every employee of the Internal Audit Function should have a current JD including the knowledge, skills and abilities required to perform the duties of the position. It should also reflect all the activities and expectations for that particular position.

Appendix 4 presents sample job descriptions which can be used by Subject Entities as guidance to develop JDs for the various positions of the Internal Audit Function. JDs should be approved by the Head of Internal Audit, while the latter’s is approved by the Audit Committee. The Head of Internal Audit establishes goals, performance standards and objectives for subordinates. The Senior Internal Auditor identifies and evaluates risks associated with the Subject Entity’s processes and prepares audit plans, including audit programs and budgets. Also, the Senior Internal Auditor performs detailed reviews of the working papers and drafts the internal audit report.

The Senior Internal Auditor ensures that duties are performed efficiently and professionally and in accordance with the Internal Audit Manual and the IIA Standards. He also performs ad hoc duties as and when requested by the Head of Internal Audit.

4.1.3 Internal Auditor
The role of the Internal Auditor is to conduct Internal Audit assignments as per the approved Annual Audit Plan.

4.1.4 Information Systems Auditor
The Information Systems Auditor facilitates the development of the IT components of the Annual Audit Plan to provide for the effective coverage of the Subject Entity’s operations and processes. The Information Systems Auditor leads, conducts and manages complex Information System Audits and System Development Reviews.

4.1.5 Internal Audit Support Officer
The role of the Internal Audit Support Officer is to provide administrative support to the Internal Audit Function.

Risk Management is a critical function of the Subject Entity’s management. It is central to the rational allocation of resources and the choice of action in the achievement of objectives. Executive Management is responsible for the risk assessment process, control systems and risk mitigation strategies adopted by the Subject Entity.

When risk assessments are not explicit or not documented, the Internal Audit team may work with management to document them.

The Internal Audit Function has the principal responsibility for assuring that the AAP is based on reliable, complete and accurate information about the Subject Entity’s operations, activities and its risk profile. Integral to this is having adequate knowledge of the risks to which the Subject Entity is exposed.

[Figure: risk management diagram. Surviving labels: Industry; Key Processes; Risks; Strategy; Closure; Leverage; Activity; “How do we monitor risk in our organisation?”; Responsible Party; Control Self Assessment; Continuous Monitoring.]

5.2 Subject Entity Level Risk Assessment
Subject Entities should constantly assess their risks.

A formal, strategy-based, entity-level risk assessment can help to significantly advance the Subject Entity’s ability to understand its key business risks and provides a structured process that becomes the cornerstone for prioritizing risks and focusing attention on areas meriting management review and monitoring.

[Figure: Strategies mapped to Key Business Risks and Key Business Processes. Surviving labels: Deliver Superior; Achieve Superior Performance; Develop the Best Talent; Reward for Results; Retain Top Performers; Expand into New Markets; Maximize Return on Capital; Maximize Benefits from Technology Investments; Optimize Operating Efficiency.]

Subject Entities deploy strategies and objectives to meet stakeholder demands, to respond to environmental conditions and to capitalize on market opportunities. Subject Entities should identify the processes which mitigate the key business risks identified. This analysis may cover the Subject Entity as a whole or the individual processes. The context should be agreed upon before initiating the risk management process, so as to assist in the development of the assessment standards and the risk analysis framework.

Step 2 Identify Risks
Identify what, why and how events can arise, within the Subject Entity, and which can prevent, minimize, or delay achieving objectives.

Step 3 Analyze Risks
Once risks have been identified, they will be analyzed in terms of consequence and likelihood, in the context of the existing controls. The analysis considers the range of potential consequences and how those consequences might occur (i.e. scenarios). Consequence and likelihood are combined to produce an estimate of the level of potential risk to the Subject Entity.

Step 4 Evaluate Risks
Compare estimated levels of risk against risk criteria to provide a basis for management to identify risk management priorities.

If the levels of risk are assessed as low, then risks may fall into acceptable tolerance levels and no further treatment may be required.

Step 5 Treat Risks
Accept and monitor low priority risks. For other risks identified, develop and implement specific management plans including the resource allocated to mitigate the risks to an acceptable level. It also defines the relationship between the Subject Entity and its external environment. The starting point for risk identification may be historical information about the Subject Entity (or the Government of Abu Dhabi in general), followed by discussions with a wide range of stakeholders about historical, current and evolving issues. For example, where less time is available, a smaller number of key elements may be considered at a higher level, or a checklist may be used. In many circumstances, multi-level risk identification is useful and efficient. It provides input into decisions on whether risks need to be treated and subsequently the most appropriate and cost-effective treatment strategies.

Risk analysis involves the consideration of the sources of risk, their positive and negative consequences and the likelihood that those consequences may occur. Factors that affect consequences and likelihood may be identified. Each consequence can be rated, in terms of its severity, from 1 to 5, where 1 is notable, 2 is minor, 3 is moderate, 4 is major and 5 is catastrophic.

[Consequence criteria table; surviving cell fragments: No impact; member X day policy failure or minimal impact; Near miss incident]

Note: The criteria and weights listed in the table above are not based on any assessment of the Subject Entities’ risk appetite or risk tolerance levels. Before performing the risk assessment exercise, the criteria and any associated weights must be tailored to reflect the risk tolerance levels of the concerned Subject Entity. These areas and weights should be reviewed and approved by the Audit Committee and the Board of Directors.

The following table provides broad descriptions used to support likelihood ratings.

Likelihood        Rating   Likelihood Of Occurrence
Almost Certain    5        The event will occur in most circumstances
Likely            4        The event will probably occur in most circumstances
Possible          3        The event should occur in some circumstances
Unlikely          2        The event could occur in some circumstances
Rare              1        The event may occur in some exceptional circumstances

Guidance:
To make an assessment of the likelihood or probability of a risk event occurring, it may be useful to consider the factors listed below.

[Figure: likelihood factors; surviving labels: History; Complexity]

Using qualitative analysis, risk is a function of both likelihood and a measure of consequence. Each risk identified is assessed in the same manner to produce a Risk Register. Inherent risk is important to the Internal Audit process because it represents the potential impact of a breakdown in the control environment within the Subject Entity.

The ratings for likelihood and consequence for each risk are combined in the matrix below to determine the overall risk ranking. The legend to the right of the matrix defines each level of risk.

Risk matrix (surviving axis label: Consequence; the first value in each row is the row's rating):
5 | 6  7  8  9  10
4 | 5  6  7  8  9
3 | 4  5  6  7  8
2 | 3  4  5  6  7
1 | 2  3  4  5  6

Legend:
Extreme risk: Must complete control evaluation. Senior Management review.
Significant risk: Must complete control evaluation. Executive Management review.
Moderate review: Management responsibility must be defined. Control evaluation where appropriate. Management review.
Low risk: Monitor.

Therefore a rating of 5 or above should be applied.

[Controls rating table, partially recovered. Surviving rating labels: Inadequate; Poor (7 or 8); Unsatisfactory (9 or 10). Surviving descriptions follow.]

Systems and processes exist which manage the risk. Minor improvement opportunities have been identified but not yet actioned.

Some systems and processes exist to manage the risk. Recent changes in operations require confirmation that accountabilities are in place and understood and that the risk is being actively managed.

Systems and processes for managing the risk have been subject to major change or are in the process of being implemented and their effectiveness cannot be confirmed.

Control is not strong but risk impact is not high. Options to improve control or monitor risk impact to ensure it does not increase over time.

Click on “Saved Searches” for the search called “Core Search”
3. Click the play icon next to “Residual Risk Ratings Report”
4. Save the Excel file to your hard disk
5. As much as possible, these audits should test systems rather than conditions.

Click to create a new placeholder for Processes
3. Enter a Name (e.g. ABC Company) and Description for your PCS and click
4. Enter the name of the Process (if necessary, select the Parent Process)

Did you know? PCS (Process Classification Scheme): Create only 1 PCS which includes all the processes within your organization. For example: create the process “Finance”. Then create “Accounts Payable” and “Accounts Receivable” as child processes for the process “Finance”.

6. Click

In order to create the Organization Model in the e-Governance Portal, please follow these steps:
1. Click on the link “2. Organization and Process Structure” from the homepage dashboard
2. Click to create a new Organization
3. Enter the required fields on the Organization form
4. Repeat the steps from 2 to 4 to complete the creation process.

If you only have 1 location, just create 1 organization with the name of your entity. This prevents duplication between the Organization and Process model.

In order to link the PCS with the Organization Model in the e-Governance Portal, please follow these steps:
1. Click on the link “Organization and Process Structure” from the homepage dashboard
2. Click

Did you know? Reporting Entity: Create Reporting Entities via the homepage dashboard and tag your organizations in the organization model to these reporting entities.

This can be done by clicking on the name of the organization, editing the page, and selecting the field reporting entity. This will allow you to group your subsidiaries and subsequently enable consolidated reporting.

A description of the inherent risk should be documented in the Risk Register. The description should be clear and concise.

The existence of each risk should be confirmed with management through a direct discussion or an arranged review. Management may disagree that a risk exists because controls are in place to prevent the risk from arising. At the current stage, the basis of the risk assessment process is to first identify the risks without consideration of controls (i.e. inherent risks).

In order to add Risks in the Subject Entity Portal, please follow these steps:
1. On the homepage dashboard, click on “Organization and Process Structure”
2. Click on the name of the Organization for whom you want to perform a Risk Assessment
3. Click to create the risk register
5. Click in the Risks section to create a risk
6. Create all Risks for the Entity, then move on to adding Controls

Did you know? Best Practice Library: Import risks and controls from the Library created and populated during the risk assessment phase.

In order to perform this, the Internal Audit Function needs to identify and evaluate the controls in place and assess their design effectiveness in preventing or mitigating risks.

As stated above, where Inherent Risks are rated as “Low Risk”, it is acceptable to focus scarce resources on higher inherent risk ratings; still, where resource availability is not a problem, the identification and evaluation of one control is sufficient.

When identifying controls, the Internal Audit team should link them directly to the risk in question. More often than not, there will be more than one control in place to mitigate a risk.

The task of the Internal Audit team is to evaluate the combination of controls to determine if they are effective or, alternatively, if there may be inefficiencies created by redundant controls over less important process activities (e.g., non-value added activities). It should be noted that not all controls will be significant controls that directly mitigate a risk.

A diligent approach to link the controls to the risk is by preparing a flowchart documenting the process and the controls that are part of the process. The section below provides further details on the documentation and different types of control.

6.6 Documentation of Controls

6.6.1 Documenting Controls
Interviews or workshops are held with process owners and staff to document and confirm the understanding of the process(es). A preventive control is a control designed to prevent an error from occurring. Preventive controls are usually applied to each transaction during the normal flow of the process and are designed to prevent a risk from arising (e.g. “fire retardant carpeting”).

Detective controls are devices, techniques, and procedures designed to identify and expose undesirable events that elude preventive controls. Detective controls reveal specific types of errors by comparing actual occurrences to pre-established standards. When a detective control identifies a departure from a standard, it sounds an alarm to attract attention to the problem. In reality, a Subject Entity will implement a combination of preventive and detective controls to mitigate risk. This is good practice, as an excessive number of preventive controls can make a process overly bureaucratic and unwieldy.

There is no optimal mix of preventive and detective controls within a process to mitigate risks. Certain risks will lend themselves more to one form of control than another. IT controls on the other hand are controls that are hard-coded into IT systems and will operate as designed until the program is changed.

Simply because a control is IT supported does not necessarily mean it is effective. If however it is deemed effective, we can feel greater comfort that it will continue to operate effectively.

This assumption is however subject to the adequacy of program change controls and security within the IT production environment.

In order to create controls for a certain risk in the e-Governance Portal, please follow these steps:
1. Click on the Risk Name to document the Controls for that Risk
2. Click Add in the Controls section to create a control
3. Click to link the controls to the risk
5. Repeat the steps above until all relevant controls have been created

Did you know? Dependent Controls: Use dependent controls if a risk is mitigated by a control in another Process (risk register).

To link controls to risks in the e-Governance Portal, please follow these steps:
1. Click on the Name of the Risk to which you want to link existing controls
2. Click in the Control section of the Risk form. The pop-up screen shows the Controls that are documented within the entity
3. Select the check box next to the control that mitigates the given risk
4. Click to link the controls to the risk.

Any such controls should be brought to the attention of the Head of Internal Audit by the team conducting the assessment and to the attention of management in the Risk Assessment report.

Did you know? Custom Library: Create your own library to prevent duplicating efforts of identifying risks and controls.

Based on the controls that are linked to the risk, rate the Controls Rating field on a level from 1 to 10. See section 5.9 for more information about this rating
3. Click

Note: Although the value for the Residual Risk Rating will be automatically calculated by the system based on both the inherent risk and controls ratings, the control rating comment field should be used to clarify the selected controls rating.

Where the control(s) applied by the Subject Entity is (are) different from the formally approved policies and procedures, the Internal Auditor should consider if the control(s) applied are more effective than the documented procedures. If yes, these control(s) should be documented in the Risk Register and a note included in the Audit Report to indicate that the procedures should be amended and updated to align with the current applied procedures.

If the actual control(s) applied are less effective than the documented procedures, the approved procedures should be included in the Risk Register and the matter raised in the Audit Report in terms of non-compliance with the approved policies and procedures. Further testing may thus be required to be performed to assess the extent of the non-compliance.

Saving Searches: Save your own searches to retrieve information in a format specified by yourself. After creating the search, click the dropdown arrow (next to the “Edit Search” button). Then click “Save as new search”.

6.9 Gap Analysis
Once residual risks have been assessed, a “Risk Assessment and Gap Analysis Report” may be prepared and issued highlighting to Senior Management high risk areas requiring immediate action. The objectives of the review should be clearly established.

The purpose of an AAP is to provide details on the testing to be performed, timing to begin and complete the testing, and assignment of audit teams with the requisite skill sets.

The selection of those risks which should be tested and the frequency of tests require considerable skill and judgement. An AAP should cover all key risks and yet should not be excessive or inefficient in terms of the amount of effort required. The Head of Internal Audit should set out criteria for the basis of selection and discuss this with the Audit Committee.

It would be normal practice that all high residual risks be selected for testing on an annual basis; it would also be usual practice that all controls be tested at least once every three years. A time estimate to perform the AAP should be developed detailing the different grades and skill sets and presented to the Audit Committee for their review and approval.

Favourites: Create favourites for the searches you created to allow quick access to valuable information.

6.10.1 Scheduling Audits
The audit schedule determines the timing, template, and individuals who will be involved in the audit. Additional attributes such as estimated effort (time and budget) and actual effort will be recorded. Scheduling can be done in advance (e.g. 6 months or annual schedule) or just in time.

In order to schedule an audit assignment in the e-Governance Portal, please follow these steps:
1. From the home page, select the Audit Schedule link
2. Complete as many fields as possible including the Start Date and End Date
The fields that will show in the Audit Report are:
-- Audit Name
-- Scope and Objectives
-- Summary of Audit Results
4. In the Template Name field, select “General Audit” for a Compliance or Performance audit, or select “IT Audit” for an IT Audit
5. After completing the relevant fields, click

6.11 Resource Allocation
Senior Internal Auditors should consider resource planning including human, technology and travel requirements (if applicable) for all audits they lead.

Personnel assigned to an audit should have the skills to perform the work allocated to them. Most likely, you will have risks and controls documented at a process level. In this case, you need to pull a process into scope. If you have.

Abu Dhabi Accountability Authority - Accountability Report 2014

The President of the UAE.
H.H General Sheikh Mohammed bin Zayed Al Nahyan. The Crown Prince of Abu Dhabi and Deputy Supreme Commander of the UAE Armed Forces

About ADAA
Part 2. ADAA Outputs
Part 3
Part 4

To view the report on the website,
His Highness Sheikh Khalifa bin Zayed Al Nahyan, the direction of His Highness General Sheikh Mohammed bin Zayed Al Nahyan, Crown Prince of Abu Dhabi, Deputy Supreme Commander of the UAE Armed Forces and Chairman of the Abu Dhabi Executive Council and the guidance of His Highness Sheikh Hazza bin Zayed Al Nahyan, National Security Advisor and Vice Chairman of the Abu Dhabi Executive Council.

This issue of the annual report arrives at a time when the UAE, under its wise
The Country ranked highest within the Middle East
International. The UAE occupied fifth place globally in the efficiency of government
Competitiveness Report issued by the World Economic Forum (Davos). In the second
The Country was also ranked first
Finally, we must
We take this opportunity
During 2013, thanks to the cooperation of subject entities and the commitment
Accountability Report 2013 in addition to a number of further accomplishments
Standards Board (IPSASB) in Abu Dhabi, for the first time in the Middle East.
Institute of Chartered Accountants in England and Wales (ICAEW).
In conclusion, I would like to invite you to learn more about ADAA and to get

Riyad Al Mubarak. ADAA Chairman.
His Excellency Riyad Al Mubarak. Chairman

Part 1. About ADAA

Abu Dhabi Accountability Authority (ADAA) was established under Law No. (1) for the year 1985 as an
ADAA began to exercise its powers since the issuance of Decree No. 8 of 1996 appointing His Excellency Mohammed Al Marar as the first Chairman. In April 1997, the Law referred to above was amended to make ADAA responsible for the post financial control instead of the pre-audit to strengthen its independence. In July
In December 2007, Decree No. 32 of 2007 was issued appointing His Excellency Riyad Al Mubarak as Acting Chairman of ADAA as part of the restructuring of the Government of Abu Dhabi. In December 2008, Law No. 14 of 2008 (the Law) was issued to shift the role of ADAA from financial control
Accountability Authority”. On 31 December 2008, Emiri Decree No. (10) was issued appointing His Excellency Riyad Al Mubarak as Chairman of ADAA.

To enhance performance and to promote accountability and transparency by:
Law number 14 of 2008 defines ADAA’s objectives as:
Law number 14 of 2008 defines ADAA’s responsibilities as:
Crown Prince.
ADAA Chairman deems reasonable and appropriate.
ADAA discharges its responsibilities through the outputs that have been developed during the past years (please
ADAA has also defined a set of outcomes based on its objectives and responsibilities as follows:

Our Vision
Our Mission
Government and Public Entities by providing
Earning the trust of people we interact with. Collaborative and effective teamwork. Treating others
Being passionate about the work we do. Being independent, objective and
Listening to other points
Innovating and going beyond the current standards

The following figure illustrates ADAA objectives, responsibilities, outputs and outcomes:

6 Subject Entities.
ADAA Subject Entities comprise of local departments, councils, authorities and other similar entities. In addition
Other entities may be subject to ADAA work based

Subject Entities Classification by Type.

ADAA classified Subject Entities into groups based on their types as shown in the following figure.

[Figure: Subject Entities classification by type. Surviving group titles: Central Government; Other Government Entities; State-Owned Enterprises (SOE); SOEs Subsidiaries. The individual entity labels are fragmentary in this copy.]

[Figure: ADAA objectives, responsibilities, outputs and outcomes. Surviving labels: Objectives (Promote accountability and; Ensure accuracy of the financial reports; Ensure public resources and); Responsibilities (ADAA Chairman deems reasonable and appropriate.); Outputs (Financial Audit Examination, Performance Risk Assurance, Supporting Accountability); Outcomes.]

Subject Entities Classification by Sector.
ADAA has also classified Subject Entities by sector as shown in the list below (excluding subsidiaries of State Owned Enterprises and Government Entities)

[List residue: only sector names and three entries survive. Sector names: Development; Planning; Economy; Energy; Tourism; Culture; Social Development; Justice; Security; Health; Food; Agriculture; Social Inclusion; Special Needs; Humanitarian Foundation; Housing; Education; Research; Education and Training; Labour; Sports; Infrastructure; Environment; Urban Planning; Municipal Affairs; Transport; Administration; Public Investments. Surviving entries: 15- Judicial Department - Abu Dhabi; 30- Abu Dhabi Housing Authority; 42- Abu Dhabi Sports Council.]

7 Governance Report.

ADAA aims at earning the trust of its stakeholders and sustaining it through adopting and implementing the
In this report, ADAA follows a set of guiding principles, regulations, ideal fundamentals and processes that are

Leadership.
ADAA ensures that all its processes and operations adhere to the utmost principles of transparency whereby

Institutionalization.
ADAA developed a strategic planning framework based on its strategic
ADAA has also designed its organizational structure based on its operating model

[Figure: organizational structure. Surviving labels: ADAA Mandate; Outputs; ADAA Chairman; Deputy Chairman; Internal Audit; Financial Audit Examination Group; Performance Risk Assurance Group; Support Services Group; Legal Affairs; Investigations Department.]

ADAA views its people as its primary asset as it includes top-tier professionals from multi-cultural backgrounds,
ADAA is committed to develop and attract Emiratis to the Accounting and Audit profession. The Authority has

Performance Management.
ADAA’s performance is measured based on a set of internationally recognized performance metrics to ensure the
ADAA has developed three types of performance measures as shown below:

[Figure: performance measures. Surviving labels: Internal Performance Indicators; Output Performance; Outcome Performance; Standards Sets.]

ADAA implements a remuneration policy and procedure for
ADAA considers communication a crucial and indispensable approach to measure its performance and achieve
ADAA launched many initiatives to
ADAA seeks feedback from its Subject Entities on the review process executed after the issuance of each audit
The feedback received constitutes an important guide to the effectiveness of existing

Control.

Internal Control.
ADAA annually reviews its internal controls, including financial, operational, compliance controls and risk
ADAA in 2010.
ADAA also implemented a rigorous Code of Conduct safeguarding business and professional ethics and ensuring

External Audit.
ADAA’s financial statements are reviewed and audited by an external auditor.