Page 1
c.25014asz0mtr. CGAr'CoEfinspection / e .mb/
Controller General of Accounts
Department of Expenditure
Ministry of Finance
7“ Floor, Lok Nayak Bhawan, New Delhi.
Dated 31St August 2007.
OFFICE IWEMORANDUM
This is with reference to the CGA’s DO letters dated 18.6.0? and 18.7.07 to all
CCAsfCAs regarding the conducting of model internal audit of any two identified
schemes/Areas in their respective Ministries. It is expected that the CCAs would have
already taken steps in this direction and initiated measures for the identification of the
schemes and planning for carrying out the model risk based audits through an Audit Plan.
The Audit Plan must summarize thekey provisions of the scheme viz the aims, targets
methods and modalities (cg. relating to sanetionfimplernentation) etc along with the key
outputs of the scheme/“programme. It should also document the significant risks that have
been identified on the basis of preliminary assessment of the schemefprograrnme and the
key controls that are in place. A draft-testing outline (that may be subject to changes
during the process of audit) may also be included inlthis document to the extent possible.
The enclosed paper ehalks out a suggestive plan of action to aid the CCAs in the
planning, performing and reporting on risk based Internal audits. This is expected to
serve as a guidance note only and suitable changes! modifications as per requirements
and grounds of feasibility in the sehemesfprogrammes are expected to be carried out,
based on the judgements of the CCAs and as per the requirements within their own
Ministries.
it is requested that the CCAs may complete the task of Internal audit planning and
preparation of Audit Plan and Strategy initially for the two identified schemes in
consultation with the scheme administering authorities, wherever required. This may
late-fir on become the basis of the exercise of hiternal audit to be carried out.
It is also suggested that if considered appropriate the programme planners and
administrators could be co-opted with the audit teams to provide a more complete
perspective to the audit findings.
(Stat. Sonali Singh)
.It. CGA
0/0
v/All Pr. CCAs/CCAsfCAs.

Page 2
Guidance for Plagning, Performing and Reporting on Internal Audit Engagements
in the Government:
Pugpose:
The overall purpdse of this guidance note is to assist in providing a direction to the
internal Audit Wings of the Ministries in carrying out scheme audits through risk» based
assessments. Based on systematic risks and controls’ assessment the end objective of
scheme audits is to provide a positive assurance to the MinisuiesfDepartments that the
performance and implementation of the schemes’ are on course; that the controls and
checks laid down in the schemes are functioning well; and that the schemes are likely to
achieve their aims and targets as spelt out. The scheme audits will also help in throwing
up the potential risk areas, deficiencies or gaps in the laid down controls! checks or their
implementation mechanisms that may afiect the outputs that have been set out for the
schemes. Such systematic audits will also aid in identifying the causefs of
deficicnciesfgaps and recommend suitable corrective actions based on the objective
evidence based assessment of the schemes. '
This Note is intended to and internal auditors in the ofices of Chief Controllers’ of
Accounts with practical guidance on how to plan and carry out a proper and systematic
audit of Government schemes. The steps and procedures that are required to be follovved,
the mechanism and tools to be used for the purpose and the method of assessing risks in
the schemes have been broadly outlined towards this end in the document. This has also
bee framed with the purpose of providing a course of direction to the internal audit
Wings for a more uniform system of audit planning, performing and reporting on audit
engagements. However the differential positions and responsibilities of the Ministries and
the aims and objectives of various Government schemes“, which may require different
forms of audit engagement or professional judgement in the conduct of their work, needs
to be kept in view. This Guidance Note is not intended to he therefore prescriptive
though.
Mandate:
Every internal audit organization needs a mandate. In the case of internal Audit Wings of
the Civil Ministries, the mandate for risk based Assurance audit flows directly from the
revised charter of Financial Advisers issued by Secretary (Exp), wherein, risk based
internal audit has been indicated as a responsibility of the CCAs. It has been outlined that
internal auditfperformance audit has to move beyond the narrow myopic confines of
compliancefregularity audit to focus on:
- Assessment 0f adequacy and effectiveness of internal controls in general, and the
soundness of financial systems and reliability of financial and accounting reports
in particular;
I Identification and monitoring of risk factors (including those contained in the
Outcome Budget);
' Critical assessment of economy, efficiency, and effectiveness of service delivery
mechanism to ensure value for money; and

Page 3
- Providing an effective monitoring system to facilitate on course corrections.
The scheme audits performed by Internal Audit Wings must primarily focus on the above
mandate to determine whether the scheme fonnulationfdesign, risk management approach
and measures, controls and governance processes provide reasonable assurance that the
scheme objectives and targets will be achieved.
The Internal Auditing Process:
The LA process can be divided into three main phases of planning, performing and
reporting.
Planning:
As the starting point on Planning, the Internal Audit Wings may take steps to draw up the
list of entitiesfprogramntes and schemesl procedures etc that are required to be audited.
After updating and firming up of the audit universe, the internal audit sections are
required to do a risk assessment of each of such entitiesfschemes etc. Such risk _
assessment is generally done on the basis of the likelihood of significant or pervasive
risks/deficiencies for each process, entity or scheme and rated against the likely impact of
each of the risks. impact and Likelihood can be quantified on the basis of Risk Rating
Scale say on the scale of one to ten. in order to identify the programs and schemes with
higher risk ratings. This tool enables decisions relating to audit prioritization by the
internal audit Wings of the MinistryfDepartmen-t. Other factors like the duration since last
audit, nature and number of audit observations or issues outstanding may also be used
subsequently when suficient number of audits have been performed. At times the CCAs
or internal audit wings may require to rely on judgemental assessments based on domain
knowledge or on the basis of consultation with the Scheme implementing wings.
Since the Government schemes and programmes have either not been audited or they
have not been assessed oVer a long period of time, the assessment on risk rating and
judgemental decision is suggested, to arrive at the list of schemeslprocesses that need to
be audited on priority. On completion of this process the audit engagements that are
required to be undertaken are identified and decided upon. Since risk based audit is a new '
area, CGA has required CCAs CAs of each Ministry to identify two schemes to begin
with. '
After identification of the schemes/programrnesfprocesses that are to be audited, the
Chief Controller of AccountsfConttoller of Accounts may identify and appoint the
‘Auditor in charge’ (AJC) for each of the proposed audits as also the team members that
Will be a part of each of the audits- The Auditor in charge is expected to be in—charge of
the entire audit process, and he will take suitable guidaneefsupport from the Chief
Controller of Accountsftlontroller of Accounts as per requirements. It is suggested that

Page 4
_ the Chief Controllers of Accounts will closely monitor the audit process till its
completion, in View of the fact that the process of risk based audit is entirely different and
will require plenty of application when compared to compliance audits performed by the
internal audit wings till now. '
The AIC should start by preparing an Overview and Planning Memo. The Audit
Overview will be in the form of a brief note on the subject of audit (scheme that is to be
audited) bringing out the» audit objective, salient features of the scheme, its purpose and
mechanism of implementation, potential risk areas etc. AIC may also get a Planning
Memo approved by CCAJCA, summarizing the planning information, assumptions and
decisions made on the basis of initial study and assessment of the scheme, so as to ensure
that an effective audit is performed. These documents aid the audit team in demonstrating
its understanding of the subject of audit engagement before finalizing the objectives and
scope of the audit.
After getting the Overview and Planning Memo approved by CCAJ’CA, the Auditor in-
charge should take up the job of confirming the specific objectives of the audit
engagement, identify the detailed scope or the areas that are planned to be assessed
through audit, audit criteria or the basis (in the case of Schemes it will be the Government
proceduresfruleslorders etc that may apply), the approach that will be followed viz details
regarding sampling, field visits etc and the resource requirements (both funds and
manpower).
AIC should carefully consider the audit engagement ‘Objectives‘ since the audit is
expected to draw a conclusion with respect to each engagement objective identified. For
example, if audit objective includes an item on say to assess that the “scheme will meet
its objectives”- the audit observationsfparas should relate to this audit objective. There
may be a number of Audit objectives in a particular audit determining the areas of risks
that is planned to be assessed. AlC should therefore determine the objectives carefully
keeping in mind that the audit ohservationsfparas on the subject matter can be concluded
with sufficient evidence when the audit is completed. in most cases the internal audit of
schemes will focus on determining whether the Government‘s risk management, control
(checksfproceduresfrules etc), and governance processes provide reasonable assurance on
the achievement of scheme objectives. Audit objectives will primarily be a variation of
the following -
-- I the financial, managerial, and operating information provided for the scheme is largely
accurate, reliable, and timely;
' resources for the scheme are acquired economically and used efficiently;
' assets created under the scheme are safeguarded;
' actions of the scheme approving, managing and implementing organizations are in
compliance with policies, procedures, contracts, and applicable laws and regulations; and
' significant programs, plans, and objectives of the scheme are likely to be achieved.
During this phase when the Auditor In Charge is engaged in finalizing the audit
objectives and Terms of Reference in consultation with the CCA/CA, the other audit
team members must familiarize and develop a good working knowledge and

Page 5
to
understanding of the scheme- its objectives, processes, operations and associated risks, so
as to identify and document the significant risks and key controls (ruleslroles,
policiesfprocedures etc). The assessment in these aspects of both, entity that is to be
audited and the program/scheme is required to arrive at a more realistic assessment of the
scheme, efiectiveness of the controlsfchecks laid down for its implementation and the
implementing systems itself. The method of carrying out Risk Assessment is dealt later in
this Note.
In order to apprise the Minisny/Department about the plan of audit, a brief Terms of
Reference for the audit engagement is required to be prepared. This TOR should be
approved by the CCAfCA and sent to the concerned scheme implementing Wing of the
Ministry at a sufficiently high managaerial level. This serves both the purpose of
announcing the audit engagement, as well as apprising the concerned administrators of
the scheme on the audit objective and plan of action. The TOR includes at a minimum the
audit engagement’s objectives, scope, approach and details of the auditors along with the
proposed tinting of the audit. The scheme administering management in the Ministry may
have their own suggestions on the audit objectives, risk areas etc. The inputs of the
management on the scope of audit and TOR are also important and should form part of
the final TOR. Required amendments 'to the TOR can be agreed to by CCA keeping in
perspective the suggestion of the administrative wing and the revised TOR as finalized
issued to announce the commencement of audit.
Understand and Prepare on the Subject of Audit Engagement:
The AIC and the other audit team members should initiate a detailed and in depth study
of the scheme in order to develop a sound understanding of the scheme aims and targets,
scheme management and related business processes and practices e.g. relating to
approvalsfimplementation etc, policies and procedures, and external and internal
environment within the Mhiisny/‘Departrnent as well as the scheme implementing
agencies. It is important for the audit team to gather information on significant, recent or
proposed changes relating to scheme or its implementation or the issues that are of
concern to management, to have a better and updated perspective.
The Audit team will require to obtain detailed information pertaining to the scheme, its
operations, processes, performance etc through all the requisite sources in the
Ministryfimplementing agencies etc in the form of documents/data reports etc. For better _
access to information on the schemes the communication channels of all kinds may be ' '
used as per the requirements of the scheme under audit which may be in the form of
meetings, interviews, research or review of documents and records to gain sufficient
knowledge about the scheme. It may be useful to visit sites and observe operations for the
Purpose-
It is important that the auditors have regular dialogue with Ministryfimplementing
agencies and other sources of information as required during this review, in order to
confirm that their understanding of the subject of the engagement and of any emerging
issues is correct. Once the auditors and the audit team as a whole have gained a good
understanding of the subject of the audit engagementfscherne — its business processes and
its OVerall environment — they will be in a better position to identify the risks, document

Page 6
key controls and evaluate their design effectiveness at both the audit engagement entity
level and at the scheme level.
Identify Risks, Document Key Controls and Evaluate Design Effectiveness:
(Ar Entity (M'in isnjr/mmlemcnting agency/Scheme level)
The underlying premise of risk management in any scheme is that every entity
participating in the running and operating of the schemes exists to provide value for its
stakeholders. All entities and'operations face uncertainties, and the challenge for the
scheme-administering department is to determine how much uncertainty to accept as it
strives to grow value for the scheme operations. A proper risk management of the scheme
enables the scheme-administering department to efiectively deal with the uncertainties
and associated risks and opportunities, enhancing the capacity to build value for the
outputs. '
Any scheme will have broadly four obj ectives-
1. Strategic- the higher goals of the scheme aligned with and supporting the mission
of the scheme;
2. Operations ~ effective and efficient use of resources;
3. Reporting — reliability of reporting;
4. Compliance -- compliance with applicable laws and regulations.
The objectives relating to reliability of reporting and compliance with laws and
regulations are within the scheme administrator’s controls, and therefore risk
management on these can be expected to provide reasonable assurance of achieving these
objectives. However, the achievement of Strategic and Operations objectives are subject .
to external events and not always within Nfinistry’sfscheme administrator’s control. For
these objectives, the scheme risk management can provide reasonable assurance that the
MinistryfDepartrnent in its oversight role are made aware, in a timely manner, of the
extent to which the scheme is moving towards achievement of objectives.
Based on the Integrated Risk Management and Application Technique of COSO - ERM
Model (The Committee of Sponsoring Organizations of the Treadway Commission —
Enterprise Risk Management), there are eight components of any enterprise risk
management, which can be largely applied to the Government schemes also. These are
. derived from the way management runs an enterprise (Ministry runs a scheme) and are
integrated with the management process of the schemes. These components are-
l Internal Environment- The internal environment reflects the tone of an
organization, and sets the basis for how risk is viewed and addressed by the
entity’s people, their risk management philosophy and appetite, integrity and
ethical values, and the environment in which they operate.
I 0 Objective Sem'ng- Objectives of the scheme must exist before the
Ministryr‘administrators of the scheme can identify potential events affecting their
achievement. Scheme risk management will ensure that the Ministry has in place

Page 7
a process to set objectives and that the chosen objectives support and align with
the scheme’s mission and are consistent with the Government’s risk appetite.
0 Event Identification — internal and external events affecting achievement of the
scheme must be identified and distinguished between risks and opportunities.
0. Risk Assessment - Risks to the scheme should be analyzed, considering the
Likelihood and Impact, as a basis for determining how they should be dealt with
and managed.
l Risk Response - The Ministry/Department selects from the possible responses of
avoiding, accepting or reducing or sharing the risk, and thereafter develops a set
of actions to align. with the scheme’s decide risk policy.
II Control Activities- Policies and procedures for any scheme are established and
implemented to help ensure that the risk responses decided upon are effectively
carried out.
I information and Communication — Every scheme is required to ensure that the
relevant information are identified, captured and communicated in the form and
tirneframe that enables people to carry out their responsibilities.
I Monitoring — The totality of scheme risk management is monitored and
modifications made in the schemes or its policiesfprocedures etc as necessary.
Monitoring is achieved through ongoing supervision, evaluations etc.
Risk management for any scheme will not be strictly a serial process where one
component will affect only the next. It is a multi-directional and iterative process in
which almost any of the above components can and does influence others.
For a comprehensive risk based audit assessment of the Government schemes, the
Internal auditors should review the schemes and their operations to identify the most
significant risks to the achievement of the ohjectiVes of the scheme, and the key controls
that management needs to integrate into its management processes to mitigate the
identified risks. The results of the evaluation of the efiectiveness of the scheme design
and procedures againsteach of the 8 key components should be recorded in the working
papers of internal audit. I I In ' '
The auditors must next identify the actual checks in the form of rulesr’proceduresfpolicies
etc (key controls) that management has established to mitigate these risks. This can be
done through the review of relevant documentation as well as through interviews and
discussion with the scheme administrators and implementing agencies. The purpose is to
evaluate whether the laid down key controls are effective in ensuring safeguards for the
identified risks to the scheme. The results of the assessment of the elfectiveness of key
controls for the risks identified should be also recorded in the working papers. This
assessment would form one of the basis for reporting on the audit findings and

Page 8
recommending on further actions required by the Ministries for better risk management
of the scheme.
Develop Plans to Test the Operating Effectiveness of Key Controls at the
Audit Entity Engagement Level and Activity Level
Once the key risks and models of the scheme have been identified, the auditors are
required to develop detailed audit plans and procedures to test the operating effectiveness
of such key controls at the implementing agency and scheme administrator level. Effort
should be directed at those areas where significant risks exist and key controls have been
identified to be lacking or deficient. In most cases, the testing of key controls itself will
bring out the significant risks to the scheme. The internal auditors should be careful to
design the detailed testing outlines! questionnaire for examination of controls in a scheme
in a way, that would lead to sufficient evidence for drawing sound conclusions. The
auditors are required to exercise due diligence and use professional judgment in this
reSpect.
- Test the Operating Effectiveness of Key Controls and Document and Validate Audit
Engagement Observzifions
This constitutes the main fieldwork part of the internal audit which is taken up after all
the initial preparation and risk assessment. The testing of operating efiec'tiveness of key
controls of the scheme are done to verify the operating effectiveness of the key controls
that have been identified. Operating effectiveness refers to the effectiveness of the
Operation of an internal control activity at either the scheme implementing agency level
or activity/process level.
The results of the audit tests will form the basis for drawing up audit observationsfparas
on the performance and effectiveness of the Schemes, identifying the main risk areas. The
audit observations can then be summarized to form a conclusion with respect to one or
more audit objectives .that was decided upon. The results of each audit test and the
evidence gathered should be documented with reference to the supporting criteria of the
rulesfproceduresfpolicies etc against “what exists” (the audit evidence) against the laid
down criteria.
When there is a difference between “what exists” and “what should exist,” the audit team
should analyze the effect or the impact and the cause that is leading to such variance.
Each such case where there is a variance betWeen what exists and what should exist must
be documented as an audit observation. The analysis of all the audit observations arrived
at after the detailed testing outlined above, helps the audit team in firming up the scheme
audit conclusions and recommendations, audit rating and report. In formulating audit
observations and corresponding recommendations, the auditors must draft every audit
observation with the following components to bring out effectively the observations as
well as their causes and recomniendatory actions.

Page 9
as
- Audit objective: To which audit engagement objective does this observation relate?
' Criteria: What should exist? The standards, rules, procedures, benchmarks or
expectations out of the scheme that are identified as the basis against which audit
evidence is compared.
' Condition: What exists? The factual evidence found in the course of the audit reflecting
the ground position obtaining. The condition identifies the nature and the extent of
deviation from the condition or as it should exist. A clear and accurate statement of
condition evolves fiom the auditor’s comparison of actual evidence against appropriate
criteria.
' ConsequeneelEffectfImpact: What eflecr did it have? The risk or exposure to the
scheme or the organization as a result of the difference between the criteria and the
condition. The effect establishes the actual or potential impact of the condition. The
significance of a condition is usually judged by its effect. It can be expressed in
quantitative terms. To be fit enough for reporting, an effect. should be sufficiently serious
to justify the action recommended to correct the deficiency,
' Cause: Why did it happen? The'possible or likely reason for the difference between the
expected and actual condition. The cause may be obvious or may be identified by
deductive reasoning. The identification of similar causes for a number of observation
may highlight an underlying theme that requires corrective action and the audit
recommendation should appropriately address the issue. Identification of the cause of an
unsatisfactory condition is a prerequisite to making a rneanjngfill recommendation for
corrective action.
' Corrective ActionfRecommendation: What should be done? The actions suggested or
required to correct the situation and prevent firture occurrences. The relationship between
the audit recommendation and the underlying cause of the condition shorrld be clear and
logical. In developing sound recommendations, the internal auditors must ensure that the
' recommended action is within the scope of the client, addresses the cause and not just the
symptoms, and is at least intuitively viable. The cost of implementing and maintaining
the recommendations should always be compared to the existing risk of a scheme for a '
more meaningful decision on the corrective actions.
During the entire process of audit, the audit observations that are coming up should be
validated on an ongoing basis either orally or in writing with the concerned scheme
administratorsfimpiementmg agency. in this way, the auditor can gain additional
information and insight as well as get an opportunity to have a better understanding of
possible options to address the observations. As required the MC may interact formally
with client management to either confirm issues noted during the audit or seek additional
information.
On finalization of the audit observations, the audit team management (Chief Conn-olier of
$ccountsr’Controller of Accounts) should send a written communication. forwarding the
list of audit observations and requesting a written response from the Scheme

Page 10
a
('6,
administrator for their comments regarding the audit observations, as well as the required
corrective action that is being taken or planned to appropriately address each audit
observation. Ongoing communication with the client while performing the audit helps
ensure facts are properly interpreted and observations are fully validated, and may reduce -
the actual number of observations reported. It also contributes to the development of
reasonable and practical recommendations to address the audit observations.
Summarize Audit Engagement Results and Propose Rating
Once the audit observations have been fully validated with the management or the
scheme administrator, the audit team should complete the audit report. It must be ensured
that the draft audit report includes the observation, its impact and the proposed
recommendation. The draft audit report should be reviewed bydthe AIC and the relevant
Chief Controller of Accounts, and appropriate rating to the audit report of the scheme
may be decided.
The rating may be based upon the following criteria.
Satisfactory
. Risk management, control and governance. processes are adequate. and efiective to
provide reasonable assurance regarding the achievement of control andfor business
objectives of the scheme under review. Minor opportunities for imprOVement may exist.
Needs Improvement
Deficiencies exist in risk management, control or governance processes, such that
reasonable assurance regarding the achievement of controls andr’or business objectives of
the scheme under review may be at risk.
Unsatisfactory
Significant or pervasive deficiencies exist in risk management, control or governance
processes such that reasonable assurance regarding the achievement of control andfor
business objectives of the scheme under review cannot be provided.
Management Team Provides Input to Engagement Results and Clears the Proposed
Rating
The MC should prepare an Audit Report Presentation, for (with the audit team) the CCA
and the internal audit management on the Internal Audit Report of the scheme. The
presentation shall include the audit objectives and scope, recommended audit engagement
rating with the rationale, the engagement results a the key observations and
recommendations, the time and resources ~ planned and actual, and the lessons learned as
a result of the audit.
The relevant CCAi’audit management must review all applicable audit engagement
working papers. Once the CCAfaudit management have reviewed and concurred with the
engagement results, the audit reports can be issued.