Key procedures

This table presents the different types of engagements which Internal Audit may perform. Clicking on a type of engagement will take you to the procedures that are specific to it.

 

| | Full audit | Analysis following investigation | Check of controls | Consultancy |
|---|---|---|---|---|
| Context | As part of the audit plan approved in January each year by DG. | Systematically following a fraud investigation. | Possible areas announced as part of the audit plan. Exact topic decided during the year by Internal Audit. | Upon request from a service on a focused question. A formal consultancy agreement is established. |
| Objective | Add value to the Organization by contributing to the improvement of its governance, risk management, and control processes. | Contribute to the prevention of fraud by reacting rapidly to weaknesses observed. | Get an assurance that controls are effective in a specific, focused process. | Provide expert advice and reference systems on the design and implementation of internal controls. |
| Basic principle | Review one or several processes, or a unit or a service, using a risk-based approach covering governance, risk management and control aspects. | Determine which shortcomings in the internal control contributed to making the fraud possible. First priority is given to this report, after completion of the fraud investigation. | Use audit methodology on a focused scope. May be conducted in parallel with an ongoing full audit. | Agree with a client service on the scope of the consultancy required. |
| Scope | Objectives and scope determined after risk-based analysis. The objectives and scope may be enlarged during the audit. | Facts established during the investigation. No extension of scope. | Scope is focused on a very specific process, with a few audit objectives established at the beginning of the audit. | Initially defined with the "client" service. Scope may be extended in agreement with this service. |
| Method | Audit methodology according to Internal Audit standards applying to risk analysis and establishment of facts. | Fraud investigation according to fraud investigation standards for the establishment of facts of fraud. | Audit methodology according to Internal Audit standards applying to risk analysis and establishment of facts. | Risk assessment of the area agreed upon and analysis of the corresponding control requirements. Research of existing systems of reference for controls specific to the process under review. |
| Duration (excluding validation) | On average 60 person days. | On average 5 person days. | On average 15 person days. | On average 10 person days. |
| Validation | Bottom-up validation by all services concerned up to Directorate. | Shortened validation process since facts have been established; focuses on recommendations. | Bottom-up validation by all services. Level of validation in the hierarchy might depend on the nature of recommendations. | Validation by the client service. |
| Output | Audit reports: Observations and recommendations addressing risks identified. | Internal Control shortcomings report: Observations and recommendations addressing risks materialized as evidenced by the fraud investigation. | Report of checks on Internal Control: Observations and recommendations addressing risks identified. | Consultancy report: Recommendations of appropriate internal controls. |
| Communication | To recommendation owners and their hierarchy. Executive summary or full report to the Director-General. | To recommendation owners and their hierarchy. Full report to the Director-General. Confidential. Individual copies. | To recommendation owners and their hierarchy. Executive summary or full report to the Director-General. | To client services. |
| Follow-up | As part of the annual end-of-year follow-up. | As part of the annual end-of-year follow-up. | As part of the annual end-of-year follow-up. | No follow-up, unless agreed with the client service. |