INTERNAL AUDIT MANUAL SNIPS UTENSILS MANUFACTURING COMPANY

GROUP 3 CATLI, FELY JANE PUNZALAN, PRINCESS ANGELA RAMALES, MA. FIANNE REYES, VIRGINIA YAP, AVELINJHEE

INTERNAL AUDIT MANUAL

SECTION 10 Introduction 10.1 Organization of the Manual 1 10.2 Corporate Governance 2 Definition and Purpose 2 Code of Corporate Governance 2 Corporate Governance Manual 2 Role of the Board of Directors for Corporate Governance 4 10.3 Overview of the Internal Auditing Activity Definition of Internal Audit 4 Internal Auditing Activity Framework 6 10.4 Audit Committee 7 10.5 Internal Audit Department 8 10.6 Audit Staffing Position Description and Staffing Level 10 Staff Knowledge and Skills 10 Audit Staff Profession Certification 12 Continuing Professional Education 12 10.7 Internal Audit Professional Organization & Governing Bodies Institute of Internal Auditors 13 Institute of Internal Auditors Philippines 13 Information Systems Audit and Control Association 14

TABLE OF CONTENTS

20 Audit Concepts and Standards 20.1 Professional Practices Framework 14 20.2 Internal Auditing Code of Ethics 14 20.3 Standards for the Professional Practice of Internal Auditing 15 20.4 Overview of Internal Control Framework 15 Elements of Internal Control 15 Control environment 16 Risk assessment 16 Information and communication 16 Approved for implementation by: __________________________
Chairman, Audit and Compliance Committee

Effective Date: Sep 24 2010

Property of

INTERNAL AUDIT DIVISION

This Manual may not be photocopied or taken out of the Companys premises without prior written approval

INTERNAL AUDIT MANUAL

SECTION

TABLE OF CONTENTS

Monitoring and Control activities 17 20.5 Control Objective for Information and Related Technology Framework 19 Principles 19 20.6 Risks Framework Risks Consideration in Planning the Audit 21 20.7 Audit Objective Obtaining audit evidence 21

Sufficiency of audit evidence 22 Appropriateness of audit evidence 22 Nature 23 Timing 24 Techniques to obtain audit evidence 24 Inspection 25 Observation 26 Inquiry 27 External confirmation 28 Computation 29 30 Audit Planning 30.1 Introduction 30 30.2 Strategic Analysis 31 Data Requirements and Sources 31 30.3 Risk Assessment and Risk Management System Risk Management System 34 Risk Assessment 35 30.4 Performing analytical procedures in planning the audit 35 30.5 Setting the Audit Universe 35

Approved for implementation by: __________________________

Effective Date: Sep 24 2010

Property of

INTERNAL AUDIT DIVISION

Chairman, Audit and Compliance Committee

This Manual may not be photocopied or taken out of the Companys premises without prior written approval

INTERNAL AUDIT MANUAL

SECTION

TABLE OF CONTENTS

Establishing the audit universe 35 Defining the Risk Criteria 35 Ranking the Audit Universe 36 30.6 Engagement time and cost estimates 38 30.7 Audit Staffing and Logistical Plan 39 30.8 Approval and Communication of Audit Plan 40 40 Audit Process 40.1 Audit Engagement Plan 40.2 Opening Conference 61 40.3 Process Analysis 62

40.5. Exit Conference 62 84 40.6. Audit Reporting 62 40.7. Follow-up and Monitoring 62 50 Audit Documentation and Quality Reviews 50.1 Audit Work Documentation

Approved for implementation by: __________________________

Chairman, Audit and Compliance Committee

Effective Date: Sep 24 2010

Property of

INTERNAL AUDIT DIVISION

This Manual may not be photocopied or taken out of the Companys premises without prior written approval

INTERNAL AUDIT MANUAL

SECTION

TABLE OF CONTENTS

Managing working papers Standard working papers Documents obtained from Auditee Digital format working papers Working paper organization and indexing Ownership and access to working papers 50.2 Quality Assurance Program Objectives Scope and Approach Measuring the Internal Audit Activity performance 50 Appendices 1 Code of Corporate Governance 2 Corporate Governance Manual 3 Sample Audit Committee Charter 4 Sample Internal Audit Department Charter 5 Position Description of Audit Team Members 6 Internal Auditing Code of Ethics 7 Standards for Professional Practice of Internal Auditing 8 Business Risk Model

62 63 63 63 63 63 64 64 64

9 10 11 12 13

Pest Analysis Five Forces Analysis Audit Universe Risk Ranking Worksheet Sample Audit Engagement Plan Process Analysis Worksheet

Approved for implementation by: __________________________

Chairman, Audit and Compliance Committee

Effective Date: Sep 24 2010

Property of

INTERNAL AUDIT DIVISION

This Manual may not be photocopied or taken out of the Companys premises without prior written approval

INTRODUCTION

10.1 Organization of the Manual This INTERNAL AUDIT MANUAL was developed using as guide of the Professional Practice Framework issued by the Institute of Internal Auditors (IIA). It defines the policies, procedures and standards to be used by the Internal Audit Department of the company as guidelines in all engagements to be performed. This would provide the audit team with a tool to consistently provide quality audit services the board, senior management, and external third parties. In case there is a deviation to the standards set in this manual, the judgment of the Chief Audit Executive has to be used with the end in mind of providing better set of procedures in performing the audit service. Referenced to specific reference materials for more detailed discussions and examples about the subject matters or business practices, which are not within the scope of this manual, can be adopted.

10.2 Corporate Governance Definition and Purpose Corporate Governance refers to the framework of rules, systems and processes in the corporation that governs the performance by the Board of Directors and Management of their respective duties and responsibilities to the stockholders. It is the policy of the Company to adopt the above definition and setup a corporate governance system that institutes checks and balances designed to permit the appropriate scope of authority (power) and limit the abuse of that authority (accountability). For the corporate governance system to be effective, it should be based upon strong working relationships among four groups: management, the board, external auditors, and internal auditors. The board of directors is typically central to corporate governance. Its relationship to the other primary participants, typically shareholders and management, is critical. Additional participants include employees, customers, suppliers, and creditors. The corporate governance framework also depends on the legal, regulatory, institutional and ethical environment of the community.

Code of Corporate Governance In the year 2002, the Securities and Exchange Commission (SEC) of the Philippines in its Memorandum Circular No. 2, Series of 2002 promulgated the

Code of Corporate Governance. The Code specifies:

In accordance with the States policy to actively promote corporate governance reforms aimed to raise investor confidence, develop capital market and help achieve high sustained growth for the corporate sector and the economy, the Commission, in its Resolution No.135, Series of 2002 dated April 4, 2002, approved the promulgation and implementation of this Code, which shall be applicable to corporations whose securities are registered or listed, corporations which are grantees of permits/licenses and secondary franchise from the Commission and public companies. This Code also applies to branches or subsidiaries of foreign corporations operating in the Philippines whose securities are registered or listed. Corporate Governance Manual In connection with the SEC Memorandum Circular No.2, Series of 2002, the Internal Audit Department assisted in the setting up of the Corporate Governance manual. The Chief Audit Executive of the company is tasked to coordinate with the Companys management in the implementation of this Corporate Governance Manual. Role of the Board of Directors for corporate Governance The Companys Board of Directors is the first tier of the levels of elements of corporate governance. Through oversight, review, and counsel, the Board of Directors establishes and promotes the business and organization objectives.

The Board oversees the companys business affairs and integrity, works with management to determine the companys mission and long-term strategy, performs the annual CEO evaluation, oversees CEO succession planning, oversees internal controls over financial reporting, and assesses company risks and strategies for risk mitigation. In ensuring that the stakeholders interests are being protected, the board should adhere to the implementation of the code of corporate governance promulgated by the SEC of the Philippines and ensure that a corporate governance manual is used by the company.

10.3. Overview of Internal auditing activity This section outlines the Internal Auditors responsibilities with respect to the internal audit function. The internal auditor describes audit planning and scheduling, and discusses the scope and types of internal audits generally performed. Definition of Internal Audit Internal Auditing is an independent, objective assurance and consulting activity designed to add value an organizations operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance process. Internal Audit is an independent appraisal function. The Internal Audit Department examines and evaluates the company's business and administrative

activities. The independent and objective service provided by the Internal Audit includes the evaluating and promoting of the accomplishment of the vision and mission of the company. The Internal Audit Department assists all levels of management of the company in the effective discharge of their responsibilities. Internal auditing furnishes them with analyses, recommendations, counsel and information concerning the activities and records reviewed. The Office of Internal Audit reports to the board and to management. In carrying out their duties and responsibilities, the internal auditing office has full, free, unrestricted access to all of the Company's activity, records, personnel and property. Objective The Internal Audit department is committed to the highest professional standards for conducting audits in the company. The department will continue to provide assurance that the manufacturing company operates effectively, efficiently, provides outstanding requirements of the clients and implements best practices in carrying its operations and activities. Goal In executing the aim of the department, the Internal Audit will focus on the following goals: Perform all audits in compliance with International Standards for the Professional Practice of Internal Auditing (Standards) Develop annual reporting Perform audits within the assigned time budgets

Perform a post audit review Provide audit sufficient training to satisfy IPPF Continuing Education Requirements

Adhere to the Code of Ethics of the Institute of Internal Auditors

Internal Auditing Activity Framework The Internal Audit Activity of the Company has two major phases, namely Audit Planning and Audit Process. In Audit Planning, the audit plan for a year is set, detailing the strategic analysis and risk assessment, which becomes the basis for prioritizing the audit engagement to be done. The audit plan comprises the engagements to be performed; timing, staffing and other logistical aspects are set. In Audit Process, the activities performed in a specific audit engagement are presented. It starts with planning the work to be done in that audit engagement, the actual performance of the audit, reporting on the results of the audit and follow-up in subsequent period to determine if the recommendations are implemented.

10.4. Audit Committee The Audit Committee of the Board shall be responsible for overseeing; the reliability of financial reporting, the effectiveness of internal controls over financial reporting, the processes for monitoring compliance with regulatory requirements, and the processes for monitoring compliance with the organizations code of

conduct. The committee shall be responsible for overseeing the effectiveness of the organizations risk management and control processes. These responsibilities are intended to provide reasonable assurance that the Company will be able to achieve its objectives as they relate to the effectiveness and efficiency of operations; the reliability of financial and operational information; and the compliance with applicable laws and regulations. Audit Committee has the authority to appoint Chief Audit Executive. The Audit Committee appoints a Chief Audit Executive to manage the Audit department. Some of the more important roles of the Audit Committee are: Evaluate whether management is setting the appropriate tone at the top by communicating the importance of internal control and the management of risk, and that employees have an understanding of their roles and responsibilities. Inquire of management about the areas of greatest financial risk and how management is managing that risk. Review and approve the internal audit charter and ensure its compatibility with the audit committee charter. Review and approve the annual internal audit plan. Be involved in the hiring of external auditors, and in the evaluation of their performance. Be informed as to whether the internal control recommendations, made by either the internal and external auditors, are implemented by management.

Be made aware of significant accounting and reporting issues, including recent professional and regulatory pronouncements, and understand their impact on the organizations financial statements. Ensure that the internal auditing activity can independently plan audit projects and conduct and report the results objectively. Be involved in the hiring, replacement, reassignment, or termination of the CAE, and in the evaluation of his/her performance. Ensure that the internal audit activity has adequate staffing and budget resources to accomplish the plan. To document the functional roles of the Audit Committee of the Board, an audit committee charter has to be drawn up and submitted for approval by the Board to formalize the authority and responsibility being given to it.

10.5 Internal Audit Department The internal audit department, headed by the Chief Audit Executive (CAE) is tasked to perform the internal audit activity for the company. The Chief Audit Executive prepares an audit plan that identifies the individual audits to be conducted during the year to be approved or not by the Audit Committee. The approval or rejection of the audit plan prepared by the CAE is also the responsibility of the Audit Committee. Its function includes assessment of internal controls and the recommendation to implement measure to ensure adequate control. The major functions that the internal audit department performs are:

Develop and audit charter, approved by both senior management and the audit committee, for the internal auditing activity Develop, along with management, an organization model that can be used to map major processes/operations for the purpose of identifying the organizations auditable entities Develop a risk assessment methodology for the auditable entities identified in the model of major process/operations Develop an audit plan based on the risk assessment and request from management and get it approved by the board Work with senior management and the audit committee to establish a reporting relationship that will ensure that the audit recommendations receive appropriate attention Establish a quality assurance and improvement program for the internal auditing activity that provides assurance that the internal auditing activity: 1) performs in accordance with its charter, 2) adheres to the standard and code of ethics, 3) operates in an effective and efficient manner, and 4) is perceived by the board and management as adding value and improving an organization operation.

10.6 Audit Staffing The internal audit of the company obtains, develops and retail highly specialized and qualified staff to ensure that audit engagements are performed with proficiency and due professional care.

Position Description and Staffing Level The companys internal audit department shall maintain the qualification and level of staff to support the performance of audit engagement as planned. In this connection, the organization of the internal audit department would consist of the following team members: Chief audit Executive Audit managers Senior auditors Junior auditors IS audit specialist Staff Knowledge and Skills In order for the internal audit staff to carry out its work, the different knowledgeable and competency expected has to be maintained in the audit department staff membership. In case, there are competencies required for certain audit engagement, which are found within the staff membership, the Department is authorized to source such requirements from external

organizations providing such qualifications. To define the different knowledge and skills requirements of the department, below is a guideline, based on SPPIA, which may be used. Each internal auditor should possess certain knowledge skills and other competencies: Proficiency in applying internal auditing standards, procedures, and

techniques is required in performing internal audits. Proficiency means the ability to apply knowledge to situations likely to be encountered and to deal with them without extensive resources to technical research and assistance

Proficiency in accounting principles and technique is required of auditors who work extensively within financial records and reports. An understanding of management principles is required to recognize and evaluate the materiality and significance of deviations from good business practices. An understanding means the ability to apply broad knowledge to situations likely to encountered, to recognize the significant deviations, and to be able to carry out the research necessary to arrive at reasonable solutions. An appreciation is required of the fundamentals of such subjects as accounting, economics, commercial law, taxation, finance quantitative methods, and information technology. An appreciation means the ability to recognize the existence of problems or potential problems and to determine further research to be undertaken or the assistance to be obtained. Internal auditors should be skilled in dealing with people and in communicating effectively; internal auditors should understand human relations and maintain satisfactory relationships with engagement clients. Internal auditors should be skilled in oral and written communications so that they can clearly and effectively convey such matters as engagement objectives, evaluation, and

recommendation. The chief audit executive should establish suitable criteria of education and experience for filling internal audit positions, giving due consideration to scope of work and level of responsibility. Reasonable assurance should be obtained as to each prospective auditor s qualifications and proficiency. The internal audit staff should collectively possess the knowledge and skills essential to the practice of the profession within the organization. Audit Staff Processional Certification The internal audit department recognizes the different certification programs available for members of the internal auditing profession. The department places value on certification garnered by staff members of the department. Such certifications may include the following: Certified Public Accountant (CPA) Certified internal auditor (CIA) Certified information system auditors (CISA) Certification in Control Self-Assessment (CCSA) Continuing Professional Education To ensure the maintenance of sufficient qualification to service the audit engagement, the Internal Audit Department provides internal audit staff the opportunity to advance his/her level of skill and responsibility. The internal Audit department shall have a training program that will provide the staff with the means to learn new methods and develop new skills. Training program has as their main goal the achievement of both

individual staff goals and objectives of the internal audit activity. To achieve this training should be a continuing program, not just an occasional seminar. A continuing program should provide for senior auditors to be assigned for a period of time to supervisory positions, and for supervisors to be assigned a managers responsibilities. This promotes staff learning firsthand the skill and responsibilities required of the position above them. The continuing professional education objective may be implemented by: Budgeting an appropriate amount of money to be spent on training seminars and courses each year and spending the money. Ask staff members to document their plan to improve their skill and knowledge each year. Supporting and promoting opportunities for people who continue to improve and develop their knowledge and skill. Maintain catalogs of seminar and extension courses for both in-house and outside training. Developing recognition programs with incentives for the staffs who are working on or who have advanced degrees and professional certification.

10. 7 Internal Audit Professional Organization and Governing Bodies Institute of Internal Auditors (IIA) IIA is the primary international professional association, organized on a worldwide basis, dedicated to the promotion and development of the practice of internal auditing. The IIA are the recognized authority, chief educator, and

acknowledged leader in standards, education, certification, and research for the profession worldwide. For additional information about The Institute, refer to contacts below. The Institute of Internal Auditors 247 Maitland Avenue Altamonte Springs, Florida 32701-4201 USA+1-407-937-1100 Fax +1-407-937-1101 www.theiia.org Institute of Internal Auditors- Philippines (IIA-P) The Institute of Internal Auditors Philippines is the primary association of internal auditors in the Philippines dedicated to develop and promote the practice of internal auditing, it serves as the principal educator of internal auditors and provides professional guidance on emerging issues and trends that impacts the profession. We, the primary professional association of internal auditors in the Phils., are committed to develop and promote the practice of internal auditing, consistent with recognized professional standards. In the Philippines, the IIA-P handles the local function of the IIA, it being the Philippine affiliate. For additional information about IIA-P, refer to contacts below: Corporate Address: Unit 1803 & 1807 Cityland Herrera Tower, V.A. Rufino St. cor. Valero St., Makati City Contact Numbers: +632 813 2553, +632 812 2754, +632 753-3272, +632 753-3271

Fax Number: +632 325 0414 Email Address: secretariat@iia-p.org Website: http://www.iia-p.org

Information System Audit and Control Association (ISACA) ISACA is an international professional association that deals with IT Governance. Previously known as the Information Systems Audit and Control Association, ISACA now goes by its acronym only, to reflect the broad range of IT governance professionals it serves. ISACA and its affiliated IT Governance Institute lead the information technology control community and serve its practitioners by providing the elements needed by IT professionals in an everchanging worldwide environment.

AUDIT CONCEPTS AND STANDARDS 20.1 Professional practice framework The Companys Internal Audit Staff, especially those members of the IIA and has Certified Internal Auditor (CIA) certification, adheres to the guidelines set by the Professional Practice Framework. The IPPF is intended to assist practitioners and stakeholders throughout the world in being responsive to the expanding market for high quality internal auditing (International Professional Practices Framework). The Professional Practice Framework consists of three types of instruction: 1.) Mandatory Guidance 2.) Practice Advisories, and 3.) Development and Practice Aids.

20.2 Internal Audit code of ethics The Spoon and Fork Manufacturing Company's Internal Audit department subscribes to the Code of Ethics of the Institute of Internal Auditors. The Institute of Internal Auditors (IIA) is the setting - body for the internal audit profession globally. The purpose of the Code of Ethics is to promote an ethical culture in the

profession of internal auditing. The Code of Ethics is necessary and appropriate for the profession of internal auditing, founded as it is on the trust placed in its objective assurance about risk management, governance, and control. The Code of Ethics extends beyond the definition internal auditing to include two essential elements: 1. 2. Principles that is relevant to the profession and practice of internal auditing Rule of Conduct that describes behavior norms expected of internal auditors. These rules are an aid to interpreting the Principles into practical applications and are intended to guide the ethical conduct of internal auditors. The four core values or principles considered essential to the effective practice of internal auditing are Integrity, Objectivity, Confidentiality, and Competency. These rules are accompanied by 12 rules conduct describing specific behaviors expected of internal auditors. The rules serve as practical applications of their four principles and are intended to guide the ethical conduct of internal auditors. The purpose in the code is to promote an ethical culture in the profession of internal auditing.

20.3. Standards for the professional practice of Internal Auditing To provide assurance that the Spoon and Fork Manufacturing Company's Internal Audit Department operates at a high professional level, the department adhered to the Standards for the Professional Practice of Internal Auditing issued

by the IIA.

These standards are principles - focused, mandatory requirements consisting of: Statements of basic requirements for the professional practice of internal auditing and for evaluating the effectiveness of performance, which are internationally applicable at organizational and individual levels. Interpretations, which clarify terms or concepts within the Statements. The Standards consists of three components: 1. Attribute Standards address attribute of organizations and individuals performing internal auditing services. 2. Performance Standards described the nature of internal auditing services and provide quality criteria against which the performance of these services can be measured, and 3. Implementation Standards provide guidance applicable in specific types of engagements. These standards may be expanded to ultimately address industry-specific, regional, or specialty types of audit.

20.4. Internal control framework The company adopts the Commission on Sponsoring Organization (COSO) definition of internal control. Internal Control, under COSO definition, is a process affected by an entity's board of directors, management, and other

personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following category: effectiveness and efficiency of operations, reliability of financial reporting, and compliance with laws and regulations. Elements of Internal Control Control Environment Control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control. Control environment factors include the integrity, ethical values, and competence of the entity's people; managements philosophy and operating style; the way management assigns authority and responsibility, and organizes and develops its people; and the attention and direction provided by the board of directors. Risk Assessment Risk assessment is the identification and analysis of relevant risks to achievement of the objectives, forming a basis for determining how the risks should be managed. Certain broad objectives include operational, financial reporting, and compliance objectives. Control Activities Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the entity's objectives. Control activities occur throughout the organization, at all levels and in all functions. Information and Communication

Pertinent information must be identified, captured, and communicated in a form and time frame that enable people to carry out their responsibilities. Information is only used when communicated appropriately. Monitoring Internal control systems need to be monitored- a process that assess the quality of the system's performance over time. Monitoring includes regular management and supervisory activities and other actions personnel take in performing truer duties.

20.5. Control objective for information and related technology The Internal Audit Department of the company adopts the control objectives of information and related technology released by the ISACA as the basis of its audit work relating to information system and related technology. Information Accurate and timely information must be available to those management representatives that need it at all levels of an organization to run the business effectively. Not only must be provided "to appropriate personnel so they can carry out their operating, financial, reporting and compliance responsibilities," but communication also must take place in a broader sense, dealing with expectations, responsibilities of individuals and groups, and other important matters. The access of information of the company must be monitored especially if unauthorized person can or maybe able to access confidential information.

Information Technology IT controls have not always been the default condition of new systems hardware or software. The development and implementation of controls typically lag behind the recognition of vulnerabilities in systems and the threats that exploit such vulnerabilities. Further, IT controls are not defined in any widely recognized standard applicable to all systems or to the organizations that use them. The compliance with applicable regulations and legislation, consistency without the organization's goals and objectives, and the use of releasable evidence are use to assess IT and to provide and document its own internal control framework to meet the organizations objectives.

20.6. Risk framework Risk in consideration in planning the Audit The Internal Audit Activity's audit plan shall be designed within the framework of the Company's risk strategy. In this regard, the risk-based approach to auditing shall be implemented and adopted by the Internal Audit Department. Also, the Department shall coordinate its audit approach with the overall Company's risk management system. The internal audit activity's audit plan should be designed based on an assessment of risk and exposures that may affect the organization. Ultimately, the audit objective is to provide management with information to mitigate the negative consequences associated with accomplishing the organization's objectives. The degree or materiality of exposure can be viewed as risk mitigated

by establishing control activities. The audit universe can include components from the organization's strategic plan. The audit universe can be influenced by the results of the risk management process. When developing audit plans the outcomes of the risk management process should be considered. Audit work schedules should be based on, among other factors, an assessment of risk priority and exposure. Prioritizing is needed to make decisions for applying relative resources based on the significance of risk and exposure. Change& in management direction, objectives, emphasis, and focus should be reflected in updates to the audit universe and related audit plan. In conducting audit engagements, methods and techniques for testing and validating exposures should be reflective of the risk materiality and likelihood of occurrence. Management reporting and communication should convey risk

management conclusions and recommendations to reduce exposures. For management to fully understand the degree of exposure, it is critical that audit reporting identify the criticality and consequence of the risk activity to achieving objectives. The chief audit executive should, at least annually, prepare a statement of the adequacy of internal controls to mitigate risks. This statement should also comment on the significance of unmitigated risk and management's acceptance of such risk.

20.7. Business Risk model and Risks definition Business Risk model Internal Audit Department considers the following risks in the planning the audit: -Strategic risks -Compliance risks -Reporting risks -Operational risks Risks Risk is the possibility that an event will occur and adversely affect the achievement of objectives. It is the possibility that the company may not attain its goal due to the threat. Audit Evidence Obtaining of Evidence The work of internal audit depends largely on documenting the audit procedures performed. These audit work and conclusions thereto are supported with audit evidence. The audit engagement team should obtain sufficient appropriate audit evidence to be able to draw reasonable conclusions on which to base the audit opinion and other reports thereto. If unable to obtain sufficient appropriate audit evidence, however, the audit

engagement team needs to state the reasons for such situation, and the limitations should be included in the audit report.

Sufficiency of Evidence Sufficiency is a measure of the quantity of audit evidence. Sufficiency is related to the extent of our audit work and the corresponding evidence to be gathered from such work. We judge the required extent of audit procedures by considering the required volume of audit evidence necessary to achieve the audit objectives. The use of inspection, observation, inquiry and interview,

confirmation, and computation are sufficient to conduct the audit is a sufficient means of evidence. Appropriateness of Audit Evidence Appropriateness is a measure of the quality of audit evidence, its relevance to an assertion and its reliability. Appropriateness is related to the nature and timing of our audit work. The evidence gather are in its reasonable time to add economic value to the objective of the organization. The use of manual audit procedure and computer - assisted audit techniques are used to tests the objectives of Spoon and Fork Manufacturing Company. The internal auditors time of testing the operating effectiveness of manual and computer - assisted audit techniques will be to the time that will cover the operations. Nature

We judge the nature of the required audit procedures by considering the following generalizations: Audit evidence obtained from outside the entity is more persuasive than that obtained from within the entity; Audit evidence obtained from or created by unrelated third parties is more persuasive than that obtained from related parties; Audit evidence obtained from inside the entity is more persuasive when related controls are effective; Audit evidence obtained directly through performing an inspection, observation or computation is more persuasive than that obtained indirectly by inquiry of others; Audit evidence in the form of documents and written representations is more persuasive than oral representations; Audit evidence obtained from several sources that suggest the same conclusion is more persuasive: than that obtained from only one source. Timing Some of the accounting data and corroborating information are available only manual form at a certain period in time, or date, or moment in time. We consider the time during which information exists or is available in determining the timing audit procedures applicable. Techniques to obtain audit evidence We obtain audit evidence by performing an appropriate mix of audit procedures, including tests of control, analytical procedures and tests of details.

Such audit work 'involves inspection, observation, inquiry, confirmation, and computation as the techniques used to obtain evidence for the audit. Inspection Inspection involves reading records or documents, either visually or electronically. Unlike observation, we do not need to be present at the time a process or procedure is performed to obtain audit evidence. Inspection also includes examining tangible items such as an item of equipment or inventory. We often use inspection techniques as part of our follow-up procedures for observations or enquiries.

Observation

Observation involves looking at the process or procedure performed by others. We often use observation techniques to obtain an understanding of, and test controls. In these situations we: Observe and evaluate the performance of the control. We observe the operation of the control and compare it to our understanding of what ought to happen. There is always a danger that when we observe a control it will be performed correctly just because we are present. We assess this risk. Ask what happens when breakdowns in control are found. An operations control operates by preventing or detecting and correcting a misstatement of theft.

Find instances where errors have occurred and review clearance. To assess the effectiveness of the operations control, we investigate occasions where the operations control has prevented, detected or corrected theft in the operations. Assess adequacy of procedures. For an operations control to be effective, any misstatement detected must be corrected. We assess both the operation of the operations controls in preventing / detecting a misstatement and the subsequent corrective action. Inquiry Inquiry technique consists of asking appropriate questions of knowledgeable persons inside or outside the entity, listening to and considering their responses, asking follow-up questions, corroborating information, as appropriate. Inquiry is an important technique both in obtaining knowledge of an entity's business and in performing tests of control. It is more than simply asking the entity's staff for information or to confirm that they perform specified activities. It involves:

External confirmation An external confirmation is a direct communication from a third party in response to an inquiry requesting information. The degree of our professional skepticism is heightened if we obtain information that leads to questions about the respondent's competence, knowledge, motivation, ability, or willingness to respond or about the

respondent's objectivity and freedom from bias. We usually apply alternative audit procedures when we do not receive responses to positive confirmation requests. Computation Computation involves checking the arithmetical accuracy of source documents and accounting records or performing independent calculations. Computer assisted audit techniques (CAATs) can remove much of the mechanical routine of audit work. They can be used in the performance of tests of control, analytical procedures and tests of details. Data interrogation, which refer to performing audit tests to client's data using CAATs, may allow us to apply audit procedures that would otherwise be very time consuming, because of the sheer volume of information to investigate or the complexity of the audit procedures, or a combination of both;

AUDITING PLANNING 30.1 Introduction Audit planning shall be done annually to reflect the most current strategies and direction of the Company. The Audit Plan should be prepared based on an assessment of risks and exposures that may affect the organization. There are three main benefits from planning audit. First, it helps the auditor obtain sufficient appropriate evidence for the circumstances. Second, it helps keep audit costs at a reasonable level. Third, helps avoid misunderstandings with the client. "Auditors should plan the audit work so that the engagement is performed in an effective manner. It is important to clarify what are meant by the terms overall audit strategy and audit plan as per ISA 300. The overall audit strategy describes in general terms how the audit is to be carried out and the audit plan details the specific procedures to be carried out to implement the strategy and complete the audit. It is also important for students to understand the precise meaning of the risk terms: audit risk and inherent risk as both risks influence how the audit is carried out and the costs involved. The best way to add value to an organization is to make sure the risk assessment and the plan developed from the assessment reflect the overall objectives of the organization. Risk assessments need to include input from management. To accomplish this, there is a need to study the Company's strategic plan and then discuss with management where the risks are in obtaining the objectives.

The overall objective of an internal audit activity is to provide management with information to lessen the negative consequences associated with accomplishing its objectives. Implementing control activities in areas where the risks are high can mitigate the risks of an organization not accomplishing its goals. A risk-based audit plan ensures that audit activities are effectively focused on those areas where the risks or materiality of exposure is greatest.

30.2 Strategic Analysis Strategic Analysis is performed to provide initial understanding of the business risks that can be linked to strategic objectives of the Company. This would pave way to the identification of the business risks that will be assessed in the succeeding part of the audit planning activity. In detail, the strategic analysis is undertaken to: Gain a high-level understanding of a Company's business, its markets and external forces; Understand and identify the Company's strategic objectives that provide for its business continuity and strategic vision; Understand how the Company reacts to these challenges; Provide foundation for the Annual Audit Plan; Assist in identifying the key business processes that address strategic risks and will be targeted for audit engagements.

Data Requirements and Sources In order for the Internal Audit Team to proceed to analyze strategies of the Company for audit planning purposes, it has to obtain the following information: Company's vision, mission, goals Objectives and strategies to achieving the objectives Business plans Organization charts Industry data and literature

Procedures -- Strategic Analysis The procedures for strategic analysis that are listed below may be performed concurrently to a certain extent and would normally overlap. In performing these activities, care should be exercised to determine that no duplication takes place and that the whole Strategic Analysis process is undertaken in the most efficient and cost effective manner. 1. Review Background Information The review of background information will enable the INTERNAL AUDIT team to understand the detailed operations of the Company and environment in which it operates. The background information may be obtained through in-house or external sources. It is recommended that the audit team obtain all relevant internal and external data relating the operations of the Company.

Sources of the required information include, among others, the following: Chief Executive Officer and other senior management; Chairperson of the Board and/or the Audit Committee and other Directors; Persons external to the organization who are knowledgeable about the Company, its operations, its prospects and the industry in general. These may include analysts, customers, lenders, suppliers, alliance partners, industry professionals, the external audit partner/manager, other consultants, etc. 2. Identify Business Objectives & Strategies We have focused on understanding the client, the industry in which it operates and the client's position in the industry. At this point we integrate this information with the business objectives and strategies the client management has chosen for achieving its business objectives. The identification and review of the client's business objectives and management's strategies/plans to meet these objectives is primarily achieved through: Discussions with Directors and senior management; Review of business and strategic plans prepared by management; Review of other relevant documentation (e.g., vision, mission and values statements, minutes of Board/executive committee meetings, special Board resolution, etc.) At the conclusion of this step we document the strategic objectives and the

strategies in place to achieve each objective. 3. Analyze Business Objectives & Strategies Having identified the client's business objectives and strategies, we objectively assess their reasonableness in light of our knowledge of the organization and the industry in which it operates. By combining the background information with Strategic Analysis tools and models, we perform an objective, balanced evaluation of the Company's organizational structures, processes and strategic plans. After performing the analysis, we document our analysis which will be the basis in discussing them with senior management of the Company. 4. Confirm the Results of Analysis with Management The INTERNAL AUDIT team presents the results of its analysis to management to get agreement and input on our understanding of their corporate objectives, market strategies, organizational structures and processes, and general risk areas that may threaten the achievement of objectives. At the end of this activity, the audit team should have the following already documented: A summary of the market issues identified; A list of the general risk areas 5. Periodically Revise/Update Strategic Analysis The Strategic Analysis performed, together with the related risk assessments, is regularly reviewed and updated to take account of changing circumstances, new management strategies and risks. This update takes place at least annually with a complete re-performance of the Strategic Analysis and

risk assessment occurring every three to five years, or more frequently as required.

30.3 Risk Assessment and Risk Management System Risk Management System It is the responsibility of the Company's Management to institute a risk management system to ensure that the Company is ready to face the business challenges. Management need to understand the major risks that the business faces, if they are to avoid being adversely affected by unexpected or uncontrolled events. They need to identify areas of risks, assess the likelihood of an adverse event arising and consider the potential effect of such an occurrence. Only then can they decide how to respond to the risk and take steps to minimize its effect. These activities, when institutionalized represent the risk management system of the Company. The risk management system may be considered effective if it achieves at least the following key objectives: Risks arising from business strategies and activities are identified and prioritized. Management and the board have determined the level of risks acceptable to the organization, including the acceptance of risks designed to accomplish the organization's strategic plans. Risk mitigation activities are designed and implemented to reduce, or otherwise manage, risk at levels that were determined to be acceptable to management and the board. Ongoing

monitoring activities are conducted to periodically reassess risk and the effectiveness of controls to manage risk. It should be stressed that the board and management receive periodic reports of the results of the risk management process. The corporate governance processes of the Company should provide periodic communication of risks, risk strategies, and controls to stakeholders. Risk Assessment As part of the annual audit planning to be done by the Internal Audit Department, considerable time has to be spent on establishing a good assessment of the risk position of the Company. The auditors main concern is the risk of material misstatement in the financial statements due to client business risk. It is important to note that not all business risks will turn into risks leading to material misstatement in the financial statements. In this regard, the Internal Audit Department has to undergo an annual assessment of the risk management system. The objectives of the assessment are: Focuses the internal audit effort on strategic risks identified by management that have the greatest potential effect on the Company; Provides a trial to demonstrate whether the Audit Plan is aligned with the Company's strategic risks; Provides risk awareness and education of the Management and stakeholders;

Assists compliance to corporate governance codes, reports and legislation; It provides access, exposure and relationship-building with senior management in the Company. Develop foundations that will assist in identifying the key business process that mitigate strategic risks and should be targeted for individual audit engagements (Audit Process)

In doing the risk assessment, the following activities have to be done: 1. Establish and Agree Criteria to Assess the Significance of Risks The INTERNAL AUDIT team assists management to develop criteria to be used in assessing the significance of risks identified in the Strategic Risk Assessment process. The significance of the risks identified can be determined by considering two factors: The potential IMPACT of the risks; The LIKELY HOOD that the risks will occur.

30.4 PERFORM PRELIMINARY ANALYTICAL PROCEDURES Analytical procedures applied at the planning stage can assist the auditor in gaining an understanding of the clients business and in assessing client business risk. ISA 520 states, The auditor should apply analytical procedures at the planning and overall review stages of the audit. ISA 520 Analytical Procedures states that analytical procedures include the consideration of

comparisons of the entitys financial information with, for example: Comparable information for prior periods Anticipated results of the entity, such as budgets or forecasts, or expectations of the auditor, such as an estimate for depreciation Similar industry information, such as comparison of the entitys ratio of sales to receivables with industry averages or with other entities of comparable size in the same industry

30.5 Setting the Audit Universe Defining the Risk Criteria For each risk unit identified and listed in the risk profile, assign weight to each risk by using points for each risk criteria defined below: Control Environment based on preliminary assessment Prior Audit Findings based on prior audit experience Management/Interest concern how much concern management put into it Comfort with Operations Management based on operating management experience Changes to system whether new system or new changes to system introduced Asset sensitivity whether related asset accounts are susceptible to

exposure Size/Amount relates to revenue, expenses, asset or liability impact Date last audited whether the area has not been audited for a while Using a worksheet to summarize the criteria for each risk identified and listed in the risk profile , assign to each criterion a weight of 1 to 5, 1 being the least impact or risk and 5, most impact. Get the sum of the points assigned to all the criteria for each risk item. After getting all the summary points, rank the risks based on these total points in the order of risk impact i.e. the highest total points to the lowest total. Ranking the Audit Universe An audit universe represents the potential range of all audit activities and is comprised of a number of auditable entities. These entities generally include a range of programs, activities, functions, structures and initiatives which collectively contribute to the achievement of the department's strategic objectives. The last step in constructing the risk model is ranking all the auditable items in the universe. Each auditable area should be evaluated using risk rating opposite the auditable area identified. The scale to be used is listed below: 1 = Low risk 2= Medium risk

3= High risk 4= Extreme risk Based on the assessment specified for each auditable area, these areas will have to be listed in the audit plan in the order of importance and assign a frequency or times the audit area will be performed.

Risk-based Audit Plan

Audit Universe Coverage 10 %

Audit Plan

Total

100%

10%

20%

50% Sampled

10%

40%

10% Sampled

4%

30%

5% Sampled

1%

100% Universe Cycle

25% of 4-Year

The sample risk-based audit plan presented above indicates the level of effort that has to be spent when planning for the audit of the areas included in the scope of the audit plan. Such is the case when not all or 100% of the auditable areas could be covered by the audit team or audit resources in a given period. A prioritization and allocation of the resources could be done by sampling the areas that need not be covered 100% in one period.

30.6 Engagement Time and Cost Estimates After compiling a list of major auditable units and subunits, identify a number for planning purposes that represents the hours that will be allocated for auditing each auditable unit. The hours estimated for each unit should include time for the following: Conducting the preliminary survey Developing the audit test work program Performing the fieldwork, and; Communicating the results of the review to management As the budget time and costs for the entire audit areas are identified and summarized, the audit team has to prepare the final audit plans budget. Below is a benchmark allocation of the total budget for each year.

Activity Developing the Audit Plan Administration and overall Engagement Management Reviews contained in the plan and deliverables Follow up Special projects Attendance at Audit Committee meetings

Percentage Allocation 10-20% 10-20% 50-80% 5-15% 0-30% 5-10%

The following points have to be considered also when preparing the audit budget: Administration and management of the overall engagement is a significant task and should not be underestimated. This however can appear significant to the client and hence can be blended by allocating this amongst the reviews in the plan. A separate allocation for special projects during the year may be required. The advantages of this approach are flexibility and ability to respond quickly without protracted negotiations and seeking of funding. The disadvantage of this approach is that the internal audit team could spend a significant amount of time on PREFERRED type reviews which could undermine the value to the Company if the reviews are not strategic or addressing significant risks. It is usually done to avoid allocating money for special projects unless specifically requested by Management.

30.7 Audit Staffing and Logistical Plan Based on the engagement time and cost estimates computed for each audit engagement planned during the year, the audit team has to determine how much audit staff quantity and quality could support such requirements as well as the other overhead costs to be incurred in servicing all the audit engagements. Using the required hours on the engagement (staff and supervisors time), compute the number of staff and supervisors that has to be working on the planned audit engagements for the year. If it appears that there is not enough staff to work on the engagement and there is limitation on the total peso budget allocated to staff costs for the department, the audit team may have to balance the factors by establishing a risk strategy or selection policy based on the following: Where the audit team may start to work on audit engagements from top of the list with the high-risk audits and proceed to the engagements with less risk as they complete those jobs from the top of the list. Coordinate with external auditor on the scope of the external audit work to be covered since the latters work may have some cost consideration and work duplication impact with the work of the internal audit team. Allow the assignment of certain staff to work at the same time on projects at the top of the list and succeeding jobs following such top priority audit job. When the second option is chosen, it may be necessary to develop

a strategic audit plan of 2-3 years to accommodate overflow of the estimated hours to be worked on by staff in projects that cannot be covered in one year. However, it should be assured by the team that the plan for 12 months be updated each year. The CAE has to finally decide on which approach will satisfy the objectives of the department and the Company as a whole.

30.8 Approval and Communication Audit Plan After completing all the data necessary to formulate the audit plan, a draft may already be prepared for presentation to the Audit Committee. This enables the Audit Committee to make an informed decision on whether the annual audit plan coverage is sufficient to meet their governance obligations. The draft audit plan should have the following elements or selections: Planning process and approach Business risk matrix Summary of reviews by strategic and significant risk Risk rating criteria Business Process Matrix Scopes of reviews Detailed list of risks which will not be addressed within the proposed plan Budget and indicative timing

Once the audit team is able to formulate the audit plan containing the above information, it may already present this to the Audit Committee. There is a negotiation process that may take place on the scope of work to be undertaken.

AUDITING PROCESS

40.1. Audit Engagement Plan Determine engagement objectives and scope In executing the aim of the department, the Internal Audit will focus on the

following goals: Perform all audits in compliance with International Standards for the Professional Practice of Internal Auditing (Standards) Adhere to the Code of Ethics of the Institute of Internal Auditors To ensure that annual reporting assigned time budgets Understand the auditee including the auditee objectives The SNIPS Utensils Manufacturing locates at Muoz, Quezon City has the goal to expand their company not only locally but international and be the number one supplier of Utensils in the Philippines Identify the assess risk There are a lot of known competitors in the market The Company is new to Market There are cheaper Utensils in the market. The process of establishing branch abroad is not easy. Identify key control activity Establish a strategy to override the competitors. Evaluate adequacy of control design The controls are adequate but added recommendation will be needed to improve the operations of the company by department. Develop a Work Program An audit program is a detailed plan of tasks to be performed during the audit in order to assess the quality of management systems and practices in the

organization. This will provide the auditor with sufficient evidence to support the audit conclusions. Key aspects of the audit plan include: 1. Understand the objective of the department 2. Determine whether the objective of the department being audited meet the objectives 3. Know the risks of the department for not attaining the set objectives 4. Know the problem in the department by interviewing, observing and inspecting the department need for the audit 5. Look for the records of the department 6. Assess the risks given the information gather 7. Identify the control activities to prevent those risks 8. Evaluate the adequacy of the controls given 9. Finalize the process 10. Prepare an Audit report 11. Communicate the Audit report 12. Follow - up and monitor the given recommendations if they are being implemented by the department being audited Allocate Resources to the Engagement The need of the ability of acquiring information about the auditee is needed in the engagement. The time allotted in auditing one department of the company is based on the time allotted given by the board in a time that could improve the operations of the company.

40.2. Opening Conference The opening conference should be held to gather information about the mission, critical processes, and control procedures of the unit. The auditor uses this information in the risk assessment process to determine an appropriate objective and scope for the audit. Under some conditions, the objective and scope may be predetermined. The auditor should prepare an opening conference e-mail confirming the appointment. The e-mail should briefly state the announcement of the audit; the date, time, and place of the opening conference; the purpose of the opening conference; and the desire to resolve any questions regarding the tentative draft objective and scope. Audits with a surprise component, such as investigative audits, cash counts, etc., may not have an opening conference. The opening conference is an important step in a regular audit. It is an opportunity to establish the proper tone and to begin building good relationships. Explain the "who, what, where, when, why, and how" for those who have not been exposed to the audit process. 40.3. Process Analysis Process Documentation 1. Marketing Department a. Objectives of Internal Audit -Ensure that marketing strategies are being met. -Determine whether the personnel in marketing department are doing their job well.

-Establishing and communicating of overall product or marketing strategy. b. Internal Audit Procedures -Evaluate the effectiveness of their marketing strategy like observation and survey. -Assessing the rules and regulation of marketing department of the personnel. -Evaluate customer research -Know market condition -Assessing the marketing plan changes as needed

2. Human Resource Department a. Objectives of Internal Audit -To determine the proper hiring of employees to audit the HR. -Appraise and develop internal personnel resources. -To ensure that HR is not hiring incompetent or suspicious applicant that might commit fraud or destruction to the company. b. Internal Audit Procedures -Make a surprise visit to HR department when there is a hiring session. -Ask a current report to the HR department whenever there is a new hire employee to the company. -Attend some of the training meetings and appraise the receptivity on part of the trainee. -Evaluate the procedures in terms of efficiency, economy and

effectiveness. 3. IT Department a. Objectives of Internal Audit -To determine whether the IT department is complying e- commerce policies and others computer supported systems law. b. Internal Audit Procedures -Examine the profile of the IT personnel to see his capacity and effectiveness of the company computer system 4. Production Department a. Objectives of Internal Audit -To evaluate production performance for a specific period of time to promote understanding of production related cost interdepartmentally and by upper management. -To set specific goals that will meet by future objectives.

b. Internal Audit Procedures -Check first the raw materials to be used in the product and must be supervised by the head supervisor as to what quality they want to be an output. 5. Warehouse Department a. Objectives of Internal Audit -To determine the accuracy of all the purchases that goes inside the

warehouse and the security as well. b. Internal Audit Procedures -There must have a security personnel example security guard to check all the reports and receipts of all the inventories that comes in and out in the warehouse. There should have verifiability. -By attaching cameras and lock in the warehouse. 6. Accounting Department a. Objectives of Internal Audit -Efficient processing of financial data. -Maintain adequate employee benefit program. -Effective reporting format. -Effective responsibility reporting. -To ensure that the Accounting Department is complying with the rules and regulations of a company and segregation of duties are implemented. b. Internal Audit Procedures -Discuss and observe whether they are follow. -Review frequency of errors. -Review supporting worksheets and sources of information. -There must have an often meetings by the board of directors to ensure that the said department is complying department. 7. Treasury Department a. Objectives of Internal Audit -To ensure the accuracy of daily transaction of the treasury department

b. Internal Audit Procedures -Receives collections from various sources. -Process payments of various disbursements and sees to it that funds are available for these. -Reports on a daily basis, the cash position of RCAM. -Acts as comptroller, exercising discretionary authority within certain clear limits. 8. Delivery department c. Objectives of Internal Audit
-

To assess the profile of the personnel in charge in delivering the product so that conflict of interest be avoided. To examining the time on scheduling on when delivering the product. d. Internal Audit Procedures -There should have Id requirements for every warehouse personnel who is in charge for the delivery. -Check the vendors voucher and the bulletin board to be able to deliver the product on time.

40.5. Exit Conference The exit meeting concludes the formal audit process. The final draft version of the audit report is presented to management. Once the report is

finalized, it is prepared for distribution to the Audit Committee.

40.6. Audit Reporting Audit Committee members are provided with the Executive Summary of all audit reports. A detailed audit report is provided to Audit Committee members upon request. In addition, the respective Vice-President is provided with an Executive Summary. Detailed audit reports are distributed to management of the areas or functions that were audited.

40.7. Follow-up and Monitoring In some instances, follow-up audits or monitoring may be part of the audit process. These projects are selected on an individual basis.

DOCUMENT &QUALITY REVIEW

50.1 Audit Work Documentation Audit working papers are used to document the engagement process. This documentation is the principal record of the procedures completed, evidence obtained, conclusions reached, and recommendations formulated by the internal audit team during the engagement. Working papers are records kept by the auditor of the procedures applied, and the tests performed, the information obtained and the pertinent conclusions reached.

Managing Work Papers Managing the working papers is important in providing evidence that the audit was performed appropriately (in relation to standards of auditing and other legal requirements). The internal auditors should prepare working papers which are sufficiently complete and detailed to provide an overall understanding of the audit. The internal auditor should record in the working papers information on planning the audit work, the nature, timing and extent of the audit procedures performed, and the results thereof. Standard audit working papers The internal auditor shall use standard working papers in documenting the audit plan. The auditors need to consider the size and complexity of the audit engagement when applying the use of standard working papers.

Document obtained from auditee To improve audit efficiency, the auditor may keep the records obtain during the audit for three years. In such circumstances, the auditor would need to be satisfied that those documents have been properly prepared or have not been tampered with. And the records are not already needed for the company. Digital format working papers Audit working papers may be printed or retained electronically. Working papers in digital format are maintained using the same methodologies and policies used SNIPS Utensils IT Department. To determine that electronic

documents have an owner who is conversant with the contents of the document and that extraneous information is not being retained, the following guidance applies to electric media. Working Papers Organization and Indexing Working paper files should be complete and well - organized. At the end of an engagement, the files should be cleared out so they contain only the final versions of the working papers completed during the engagement. Ownership and Access to Working Papers We should adopt appropriate procedures for maintaining the confidentiality and safe custody of the working papers and for retaining them for a period sufficient to meet the needs of internal audit and in accordance with legal and professional requirements or record retention. Audit working papers are the property of the Internal Audit Department. The CAE considers requests to provide working papers or other documents for inspection. We provide access to working papers only with the prior approval of the CAE. In considering a request, the CAE may decide to consult with the Audit Committee before deciding which working papers may be inspected.

50.2. Quality Assurance Program The Internal Audit Department shall maintain a quality assurance program to ensure consistent delivery of quality internal audits. Such quality assurance program shall be an ongoing program and shall be compliant with the proposed program by the IIA:

The chief audit executive should develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity and continuously monitors is effectiveness. The program should be designed to help the internal audit activity add value and improve the internal audit activity is in conformity with the Standards and the Code of Ethics. (Standard 1300) Objectives The main objectives of the quality assurance program are to provide reasonable assurance to management and the board that it performs in accordance with the IIA Standards and the Code of Ethics perceived by all as adding value and improving the organizations operation; and operates in an effective and efficient manner. Scope and Approach The quality assurance program shall cover all aspects of the internal audit activity, continually monitor the internal audit activitys effectiveness, assure compliance with the Standards and Code of ethics, and include both periodic and ongoing internal assessments. Measuring the Internal Audit Activity Performance Internal assessment should include: Ongoing reviews of the performance of the internal audit activity. Periodic reviews performed through self-assessment or by other persons within the organizations who have knowledge of internal auditing practices and the Standards.

External Assessment should be concluded at least once every five years by a qualified, independent reviewer or review team from outside the organization. The potential need for more frequent external assessments as well as the qualifications and independence of the external reviewer or review team, including ant potential conflict of interest, should be discussed by the CAE with the board. Such discussions should also consider the size, complexity and industry of the organization in relation to the experience of the reviewer or review team.