Functions of the Audit department
- To provide an independent assurance that council’s risk management, governance and internal control processes are operating effectively.
- To evaluate the availability of internal controls, their strengths and adherence by departments.
- To act as a consulting activity to departments with a view to add value to council operations in terms of efficiency, effectiveness and economic use of resources.
- To assess the reliability of financial records, reporting and compliance to accounting standards i.e. whether accounts are being prepared and reported in accordance with the generally accepted accounting standards, GAP etc..
- Do the evaluating and accessing council’s operations and come up with recommendations to management based of evaluations made.
- Our Mission and Charter
- Values Statement
- What is the role of Internal Audit?
- Organizational independence
- Role in internal control
- Role in corporate governance
- Internal audit execution
It is the policy of the Chitungwiza Municipality Audit Department to maintain an independent and objective internal audit function to provide the rate payers, management, and council with information and assurance on the governance, risk management and internal control processes of the Municipality. Further, it is the policy of the Municipality to provide the resources necessary to enable Internal Audit to achieve its mission and discharge its responsibilities under its charter. Internal Audit is established by the Council through 309 of the Constitution of Zimbabwe Act (amendment 20) sections 223,224 and 225 of the Zimbabwe Corporate Governance Code, section 97 of the Urban Councils Act [chapter 29:15] and section 80 of the Public Finance Management Act [chapter 22:19] and its responsibilities are defined by the IIA standards through an approved Audit Charter.
Integrity – We are committed to the highest degree of ethical conduct in the performance of our work. Our actions are consistent with our words.
Communication – We communicate openly, constructively, and with respect in all interactions with each other.
Accountability – We are responsible for our performance and results and can be relied upon to meet our obligations to each other.
Teamwork – We utilize our individual skills and abilities in a collaborative way to achieve departmental goals. We are committed to supporting each other to achieve individual and departmental success.
Personal Development – We are committed to helping each team member develop their skills and abilities to the maximum extent possible by providing education, training, and professional opportunities. We are each responsible for our personal growth.
Commitment to Quality – We will continuously improve the accuracy, reliability, usefulness, and timeliness of our services to ensure they are valuable to our clients.
It helps the Municipality accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance process. Consistent with its mission, the Internal Audit Department provides management with information, appraisals, recommendations, and counsel regarding the activities examined and other significant issues.
The Institute of Internal Auditors (IIA) defines Internal Auditing as:
“An independent, objective assurance and consulting activity designed to add value and improve an organization’s operations.
The department executes an approved audit plan and will perform the following tasks in accordance with its overall strategy:
- Verify the existence of assets and recommend proper safeguards for their protection;
- Evaluate the adequacy of the system of internal controls;
- Recommend improvements in controls;
- Assess compliance with policies and procedures and sound business practices;
- Assess compliance with statue (laws) and contractual obligations.
- Review operations/programs to ascertain whether results are consistent with established objectives and whether the operations/programs are being carried out as planned
- Investigate reported occurrences of fraud, embezzlement, theft and waste.
While internal auditors are not independent of the council that employ them, independence and objectivity are a cornerstone of the IIA professional standards; and are designed to ensure independence. Professional internal auditors are mandated by the IIA standards to be independent of the business activities they audit. This independence and objectivity are achieved through the organizational placement and reporting lines of the internal audit department.
The required organizational independence from management enables unrestricted evaluation of management activities and personnel and allows internal auditors to perform their role effectively. Although internal auditors are part of council management and paid by the council, the primary custom of internal audit activity is the charged with the oversight of management’s activities. This is typically the Audit Committee, a sub-committee of the Municipality’s Full Council. Organizational independence is effectively achieved when the Audit Manager reports functionally to Council. Examples of functional reporting to Council. (Approving the internal audit charter; Approving the risk based internal audit plan; Approving the internal audit budget and resource plan; Receiving communications from the Audit Manager on the internal audit activity’s performance relative to its plan and other matters; Approving decisions regarding the appointment and removal of the Audit Manager. Approving the remuneration of the Audit and Making appropriate inquiries of management and the Audit Manager to determine whether there is inappropriate scope or resource limitations).
Internal auditing activity is primarily directed at evaluating internal control. Under the COSO Framework, internal control is broadly defined as a process, effected by COUNCIL management, and other personnel, designed to provide reasonable assurance regarding the achievement of the following core objectives for which all businesses strive:
- Effectiveness and efficiency of operations.
- Reliability of financial and management reporting.
- Compliance with laws and regulations.
- Safeguarding of Assets
Management is responsible for internal control, which comprises of five critical components: the control environment; risk assessment; risk focused control activities; information and communication; and monitoring activities. Managers establish policies, processes, and practices in these five components of management control to help the Municipality achieve the four specific objectives listed above. Internal auditors perform audits to evaluate whether the five components of management control are present and operating effectively, and if not, provide recommendations for improvement.
internal auditing professional standards require the function to evaluate the effectiveness of the Council’s Risk management activities. Risk management is the process by which an organization identifies, analyzes, responds, gathers information about, and monitors strategic risks that could actually or potentially impact the Municipality’s ability to achieve its mission and objectives.
Under the COSO enterprise risk management (ERM) Framework, an organization’s strategy, operations, reporting, and compliance objectives all have associated strategic business risks – the negative outcomes resulting from internal and external events that inhibit the organization’s ability to achieve its objectives. Management assesses risk as part of the ordinary course of business activities such as strategic planning, public relations planning, capital planning, budgeting, hedging, incentive payout structure, credit/lending practices, strategic partnerships, legislative changes, conducting business abroad, etc regulations require extensive risk assessment of financial reporting processes. Corporate legal counsel often prepares comprehensive assessments of the current and potential litigation a council faces. Internal auditors may evaluate each of these activities, or focus on the overarching process used to manage risks entity-wide.
The internal audit function may help the Municipality address its risk of fraud via a fraud risk assessment, using principles of fraud deterrence. Internal auditors may help Council establish and maintain Enterprise Risk Management processes. This process is highly valued by many businesses for establishing and implementing effective management systems and ensuring quality is maintained and professional standards are met. Internal auditors also play an important role in helping council execute a top-down risk assessment. In these latter two areas, internal auditors typically are part of the risk assessment
Internal auditing activity as it relates to corporate governance has in the past been generally informal, accomplished primarily through participation in meetings and discussions with Council. According to COSO’s ERM framework, governance is the policies, processes and structures used by the Municipality’s leadership to direct activities, achieve objectives, and protect the interests of diverse stakeholder groups in a manner consistent with ethical standards. The internal auditor is often considered one of the “four pillars” of corporate governance, the other pillars being the Council, management, and the external auditor.
A primary focus area of internal auditing as it relates to corporate governance is helping the Audit Committee of the Council perform its responsibilities effectively. This may include reporting critical management control issues, suggesting questions or topics for the Audit Committee’s meeting agendas, and coordinating with the external auditor and management to ensure the Committee receives effective information. In recent years, the IIA has advocated more formal evaluation of corporate governance, particularly in the areas of Council oversight of enterprise risk, corporate ethics, and fraud.
Audit project selection or “annual planning”
Based on the risk assessment of the Audit Committee, internal auditors, management and Full Council determine where to focus internal auditing efforts. This focus or prioritization is part of the annual/multi-year Audit Planning. The audit plan is proposed by the Audit Manager for the review and approval of the Audit Committee or Full Council. Internal auditing activity is generally conducted as one or more discrete assignments
A typical internal audit assignment involves the following steps:
- Establish and communicate the scope and objectives for the audit to appropriate management.
- Develop an understanding of the business area under review. This includes objectives, measurements, and key transaction types. This involves review of documents and interviews. Flowcharts and narratives may be created if necessary.
- Describe the key risks facing the business activities within the scope of the audit.
- Identify management practices in the five components of control used to ensure each key risk is properly controlled and monitored. Internal Audit Checklist can be a helpful tool to identify common risks and desired controls in the specific process audited.
- Develop and execute a risk-based sampling and testing approach to determine whether the most important management controls are operating as intended.
- Report issues and challenges identified and negotiate action plans with management to address the problems.
- Follow-up on reported findings at appropriate intervals. Internal audit department maintain a follow-up database for this purpose.
Audit assignment length varies based on the complexity of the activity being audited and Internal Audit resources available. Many of the above steps are iterative and may not all occur in the sequence indicated.
Internal audit reports
Internal auditors typically issue reports at the end of each audit that summarize their findings, recommendations, and any responses or action plans from management. An audit report may have an executive summary—a body that includes the specific issues or findings identified and related recommendations or action plans, and appendix information such as detailed graphs and charts or process information. Each audit finding within the body of the report may contain five elements, sometimes called the “5 C’s”:
- Condition: What is the particular problem identified?
- Criteria: What is the standard that was not met? The standard may be a council/national policy or other benchmark (best practices).
- Cause: Why did the problem occur?
- Consequence: What is the risk/negative outcome (or opportunity foregone) because of the finding?
- Corrective action: What should management do about the finding? What have they agreed to do and by when?
The recommendations in an internal audit reports are designed to help Council in effective and efficient governance, risk and control processes associated with operations objectives, financial and management reporting objectives; and legal/regulatory compliance objectives.
Audit findings and recommendations may also relate to particular assertions about transactions, such as whether the transactions audited were valid or authorized, completely processed, accurately valued, processed in the correct time period, and properly disclosed in financial or operational reporting, among other elements.