This is an HTML version of an attachment to the Freedom of Information request 'DG CNET: Anti-fraud policy, Internal Audit Manual, Bi-annual Management Reports to Commissioner, overriding public interest'.

Ref. Ares(2013)3133360 - 30/09/2013
CONNECT IAC Manual of Procedures – Info 01: 
Reason of existence of Manual of Procedures (MoP) 
•  MoP as light as possible, but that still meets CONNECT auditors' needs; 
•  Be a repository of knowledge (knowledge base!) and internal arrangements of IAC; 
•  Be a help for auditors at implementing their work; 
•  Be a help for newcomers to easily understand the way of proceeding; 
•  The writing exercise itself should help to clarify internal procedures and increase 
homogeneity in our practices, avoiding proliferation of templates and different 
•  Be compliant with ICS 8 – processes and procedures (beyond formal compliance with 
basic requirements) and IAS guidelines; 
•  Ambition: become a best practice in writing MoP; 
Ideas used in the design 

•  Use the subsidiarity principle! Don't redo what already exists and is satisfactory (in 
IAS, other IACs); 
•  Take into account models from ECA, IAS other IACs, etc.; 
•  Users needs: both enough detailed and flexible; both light and addressing all key 
activities; easy to be consulted and updated;  
•  Respect basic principles of ISO 9000: list of documents, naming and writing rules, rules 
for changing and updating; 
•  Ensure consistence of the MoP with "AMS" and IAS requirements is embedded in the 
MoP by avoiding repeating statements already established elsewhere. 
•  Include Charter, EMU and current forms/templates. 
•  Include current, updated practical examples 
•  Integrate existing elements of drive H: "toolkit" and internal procedures 
•  Vertical flowchart enriched by comments (or operational instructions) 
•  Consider to refer to standards/practice advisory (e.g. via a cross-check matrix) + IAS 
•  Consider a minimal practical glossary (e.g. "audit universe") per procedure if needed 
•  Benchmark, get ideas and examples/good practices from other groups (other IACs, 
Auditnet, ECA, Secgen, Documentum, speak with S2 MOP, etc.) 
Ideas used for realisation 

•  IAC session to confirm objectives and needs ("dream now!"), to enrich ideas for design 
and realisation, contributions, timing, commitment 
•  Establish principles for a "good" procedure (ideally 1 page, maximum 2 pages, only 
essential information, think to 1 year from now, etc.) 
•  Consider using a flowcharting tool 
•  Design and organisation of MoP taking into account: easy-to-use, possibility of quick 
view, uniform appearance of whole MoP;  
•  Include tips and tricks/alternatives. Think both to big and small audits. 

The key activities that the IAC is performing are:  
- Risk Assessment and Internal Audit Planning for DG CONNECT - Participating in key meetings 
in DG CONNECT: MT, ICT Directors Meetings, ITSC, AFUs and reviewing important 
documents which affect the DG (e.g. DAE) or are relevant for our Risk Analysis. 
 - Audit engagements 
 - Follow-up Audit engagements 
 - Reporting to IAS/ Commissioner and DG 
 - Opinion on the AAR 
 - Professional training for auditors 

EN    EN 

Brussels, 1.6.2010 
C(2010) 3734 final 
EN    EN 

An Internal Audit Capability (IAC) has been established in each Commission Directorate-
General (DG) or Service on the basis of the Communication on the conditions for the 
provision of an Internal Audit Capability in each Commission Service1. The role of the 
Internal Audit Capability in relation to other key actors in internal audit and internal control 
has been further defined by the Commission in the Communication on the clarification of the 
responsibilities of the key actors in the domain of internal audit and internal control in the 
This charter sets out the mission, objectives, reporting and working arrangements essential to 
the proper fulfilment of the IAC’s role in the interests both of their DG or Service and of the 
Commission as a whole. 
The Director-General or Head of Service may introduce some adjustments to reflect the 
DG/Service’s particular needs and circumstances, informing the SG, DG BUDG and the IAS. 
The  mission of the IAC is to provide independent, objective assurance and 
consulting services designed to add value and improve the operations of the DG. The 
IAC helps the DG accomplish its objectives by bringing a systematic, disciplined 
approach in order to evaluate and make recommendations for improving the 
effectiveness of risk management, control, and governance processes3. Thereby it 
promotes a culture of efficient and effective management within the DG or Service to 
which it belongs. 
Assurance is an objective examination of evidence for the purpose of providing an 
independent assessment of the effectiveness of governance, risk management and 
control processes. For its assurance services, the IAC will rely on risk-based 
planning, and an opinion should be included in each assurance audit report. 
Consulting services are advisory and management-requested activities, the nature 
and scope of which are agreed with the Director-General/Head of Service and which 
are intended to add value and improve the DG’s governance, risk management, and 
control processes without the internal auditor assuming management responsibility. 
The primary objective of the IAC is to provide the Director-General/Head of Service 
with assurance as to the effectiveness and efficiency of the governance, risk 
management and control processes in the DG, with special reference to the following 
1 SEC(2000) 
2 SEC(2003) 

The combination of processes and structures implemented by the senior management to inform, direct, 
manage, and monitor the activities of the DG or Service toward the achievement of its objectives. 

•  Risks are appropriately and continuously identified and managed, 
•  Significant financial, managerial, and operating information is accurate, reliable, and 
•  The Commission’s policies, procedures, and applicable laws and regulations are complied 
•  The objectives of the DG are achieved effectively and efficiently, 
•  The development and maintenance of high-quality control processes are promoted 
throughout the DG. 
The IAC is under the authority of the Director-General/Head of Service and shall be 
accountable to the Director-General/Head of Service to: 
•  Submit for approval an annual work plan founded on a risk-based approach as part of a 
multi-annual strategic plan. 
•  Report significant issues related to the processes for controlling the activities of the DG 
[and if applicable of its executive agencies4] as discovered during the course of the IAC’s 
audit work, including potential improvements to those processes. These issues should be 
incorporated in the twice-yearly report of the DG to the portfolio Commissioner. 
•  In accordance with the nature and the scope of the IAC work during the year in question, 
express an opinion on the state of control within the DG or Service. 
•  Take due account of reports by the European Court of Auditors (ECA) and share 
information with other internal and external providers of relevant assurance and consulting 
services, such as the IAS, ex-post audit units, Internal Control Coordinators, risk managers, 
local security officers and, if appropriate, other DGs, to ensure proper coverage and 
minimise the duplication of efforts. 
•  Report at least annually on the IAC’s mission, authority and responsibility, and 
performance in relation to the annual work plan5.  
No authority may interfere in the conduct of IAC work or ask the IAC to make any alterations 
to the content of audit reports. 
The Head of the IAC shall address any issue which in fact or appearance might impair his/her 
independence in determining the scope and planning of the audit activities, performing them 

Arrangements to account for those agencies with their own IAC. 

This refers to the activity report of the IAC. 

Refer to IIA standards on Independence and Objectivity 1100, 1110, 1110.A1 and 1111. 

and communicating their results, in his/her annual work plan, annual report and individual 
audit reports. 
In exceptional circumstances, when, on the basis of his/her formal assurance or consultancy 
work, the Head of the IAC concludes that the Director-General/Head of Service has accepted 
an unreasonably high risk, he/she may, after informing the Director-General/Head of Service, 
report his/her concerns to the Secretary-General. 
In order to ensure objectivity in their opinions and avoid conflicts of interest, IAC internal 
auditors must preserve their independence in relation to the activities and operations they 
The Head of the IAC will confirm to the Director-General/Head of Service, at least annually, 
the organisational independence of the internal audit activity. 
The Head of the IAC has a responsibility to the Director-General or Head of Service to: 
•  Develop and establish the IAC audit procedures, including a follow-up process. 
•  Implement the annual work plan, as approved, including as appropriate any special tasks or 
projects requested by the Director-General/Head of Service. 
•  Ensure that the IAC resources are appropriately and effectively deployed to meet the 
requirements of this Charter and the annual work plan. 
•  Develop and maintain a quality programme that covers all IAC audit activities and 
continuously monitors its effectiveness. This programme may include periodic internal and 
external quality assessments and ongoing internal monitoring and be adapted to the size of 
the IAC. 
•  Promptly validate his/her findings and related risks and discuss his/her recommendations 
with the auditee. The auditee’s position should be reflected in the final report, particularly 
in the case of disagreement. 
•  Finalise audit reports, under his/her own responsibility, without undue delay. 
•  Effectively and timely communicate results of audit engagements (assurance and 
consulting) to the Director-General/Head of Service and management directly concerned. 
•  Formally communicate in writing to the Director-General where he/she believes that the 
auditee has accepted an unreasonably high level of risk. 
•  Respect confidentiality with regard to information gathered from the audit and consultancy 
engagements performed. 

Refer to IIA standards 1120 on Individual Objectivity and 1130 on Impairments to Independence or 

•  Communicate to senior management on the quality assurance and improvement 
programme of the internal audit activity, including results of ongoing internal assessments 
and external assessments conducted at least every five years. 
•  Disclose and explain any failing or inability to meet and comply with the requirements of 
this charter in the annual work plan and/or annual activity report. 
In the context of relations with the Internal Audit Service (IAS): 
•  Provide the IAS with the annual work plan and annual activity report of the IAC. 
•  Collaborate closely with the IAS while defining the audit universe and performing the risk 
assessment, for the purpose of establishing a coordinated audit plan. 
•  Send final audit reports to the Director-General/Head of Service, with a copy to the IAS. 
In the context of relations with other services/institutions: 
•  Report any suspected fraudulent activities within the DG/Service to the Director-General 
or Head of Service and OLAF8 in accordance with the regulations in place. 
•  Ensure that the annual work plan and annual activity report of the IAC are sent to the Court 
of Auditors and take due account of control issues emanating from the Court’s reports in 
the risk analysis and audit planning. 
The Head of the IAC and his/her staff are authorised to: 
•  Have unrestricted access to all functions, information systems, records, property, 
and personnel within the DG, as considered necessary for the fulfilment of their 
•  Obtain the necessary assistance of staff in all the units of the DG. 
•  Allocate resources, select subjects, determine scopes of work, and apply the 
techniques required to accomplish audit objectives. 
•  Be informed at an early stage about the development of new systems and changes 
to existing systems that may substantially affect the DG’s internal control system. 
•  In accordance with the design of the financial circuits implemented within the 
DG, act as Authorising Officer by subdelegation for administrative expenses 
linked to the activity of the unit (missions, training, etc.). 
[If appropriate in the specific context of the DG, fulfil tasks other than assurance or 
consulting activities performed by the IAC (to be listed here).] 
The Head of the IAC and his/her staff are not authorised to: 

Decision of 2 June 1999 (OJ L 149, 16.6.1999, p. 57) and C(2002)845 of 5 March 2002. 

•  Perform any operational duties for the DG. 
•  Initiate or approve financial transactions external to the IAC. 
•  Direct the activities of any staff member not employed by the internal auditing capability, 
except to the extent such staff members have been appropriately assigned to auditing teams 
or to otherwise assist the internal auditors. 
The IAC will adhere to the mandatory guidance including the Definition of Internal Auditing, 
the Code of Ethics, and the International Standards for the Professional Practice of Internal 
 as drawn up by the Institute of Internal Auditors. Such professional standards and the 
Code of Ethics will be applied in accordance with regulations applicable to Commission staff. 
In the event of discrepancies, requirements originating from EU regulations and Commission 
decisions shall take precedence.  
Head of Internal Audit Capability   

CONNECT IAC Manual of Procedures: info 4 
Role (Mandate) of ACB committee  

Summary of the mandate  
The ACB is composed out of Director general (chair) and his deputies, Dir S, Dir R and the HoU of 
01,02 , R2 and S2. The Committee normally meets on the second Wednesday of the month. It mandate 
is : Discuss and coordinate all aspects of importance on Internal and External Audit, Internal Control 
and Budget,  
Full Mandate  
The Audit, Control and Budgetary Committee (The Committee) is composed of the Director General 
(DG), the Deputy Director Generals (DDG), the Internal Control Coordinator (ICC) (Dir. S), the 
Resources' Director (Dir. R) and the Heads of the External Audit (02) and Internal Audit (01) (IAC) 
units, Budget and Financial Unit (R2) and Management Support Unit (S2). The secretary of the 
Committee is the Head of the Internal Audit Unit and the Committee is normally chaired by the Director 
The Committee may also invite any other CONNECT Director and/or his/her representatives to attend 
the Committee, depending on the topics on the agenda. 
The Committee normally meets on the second Wednesday of the month. 
The Committee's mandate, in summary, is to  
Discuss and coordinate all aspects of importance on Internal and External Audit, Internal Control 
and Budget, which may have an impact on the activities of DG CONNECT. 
1) With regards to internal audits carried out by the IAC (preparatory work under the 
responsibility of the IAC) 
To take decisions or to prepare decisions to be taken by the whole management team on internal audit 
issues. Specifically, to 
(a) Give input to the IAC's risk assessment and to agree on what actions its findings imply for the 
DG. To propose taking actions addressing those findings and to agree on timetables and 
responsibilities for the actions. 
(b) Give input to the internal audit work programme based on the knowledge of additional potential 
risks in some specific areas. 
(c) Provide input to the Director General on his approval of the annual internal audit work 
programme submitted by the IAC to him, as well as on any changes to it. 
(d) Follow-up on the implementation of the annual audit work programme, 

(e) Follow-up the execution of the audit and consultancy assignments, reviews, and other tasks 
assigned by the Director General to the IAC, by 
•  giving input to the Director General for his approval of each Engagement Planning 
Memorandum (EPM),  
•  following-up the progress of each audit and consultancy assignment, 
•  commenting the final audit report and its recommendations, following the presentation of the 
report by the IAC, 
•  inviting the Directors responsible for the audited area to the Committee meeting to respond to 
the observations and recommendations of Internal Audit reports, 
•  accepting or not the eventual rejection of recommendations by the Directors responsible for 
the audited area, 
•  endorsing the Action Plan agreed between the auditees and the IAC as updated with the 
decisions made in the Committee and recording these decisions for each recommendation in 
the minutes of the meetings and 
•  informing the management team of these decisions as appropriate. 
(f) Monitor the implementation of the action plans in response to audit recommendations based on the 
follow-up work carried out by the IAC; advice auditees on finding solutions in cases where 
implementation has been delayed or has encountered difficulties; and ensure risks identified in the 
audit reports are mitigated to an acceptable level. 
(g) Ensure that the lessons learned and recommendations given have been considered on a DG 
CONNECT wide level, when feasible. 
2) Concerning internal audits carried out by the IAS (preparatory work under the responsibility 
of the Management Support Unit) 
Discuss the conclusions and recommendations of the IAS internal audit reports on DG CONNECT 
activities, and agree on drafting and implementing the related action plans regarding the 
Approve DG CONNECT's line to take in its participation to the Audit Progress Committee (APC). 
Endorse the twice annual CONNECT progress reporting for the IAS' AMS-system (cf. IAS progress 
report to the APC) and the CONNECT replies to the Commissioner's letters on overdue 
3) As regards reports of the European Court of Auditors (ECA) (preparatory work done by the 
Management Support Unit) 
Discuss the conclusions and recommendations of audit reports by the European Court of Auditors 
(ECA) resulting from their audits carried out on DG CONNECT activities and agree on drafting and 
implementing necessary action plans regarding the recommendations. 
4) With respect to on-the-spot external financial audits (ex-post controls) (preparatory work 
under the responsibility of the External Audit Unit) 

5) By reference to internal control & risk management coordination (ICC) (preparatory work 
done by the Management Support Unit) 
Discuss the annual ICS review and resulting ICC recommendations (cf. ICS-15 = CONNECT's "ICC 
Package"); decide on the DG's ICS priorities for the next year (cf. Management Plan). 
Monitor, on the basis of the results of the Internal Control Coordination Group (ICC Group), the 
progress to be made in order to increase the effectiveness of ICS implementation at DG CONNECT and 
in particular any ICS identified for attention in that year. 
Endorse the results of the annual High-Level Risk Assessment (HLRA) exercise, including the DG's 
"critical risks" (if any) to be included in the Management Plan. 
Monitor, on the basis of the results of the ICC Group, the progress to be made in order to reduce or 
contain the DG's risk exposure (action plan or reinforced monitoring). 
Discuss the progress made related to recommendations (from "all sources") addressed to DG 
CONNECT services and consider any resulting decisions/actions (if appropriate – e.g. to avoid 
recommendations becoming overdue). 
Discuss the information received, twice a year, through the AOSDs management reporting (Directorate 
Management Reports-DMRs) and consider any resulting decisions/actions (if appropriate). 
Endorse the "management reporting" in the draft BMR to the Commissioner and in the draft AAR. 
6) As regards the budget (preparatory work under the responsibility of the Budget and Financial 
Monitor the evolution of the budget implementation, considering commitments, payments and payment 
Analyse the monthly reporting presented by the Budget and Financial Unit. 
Discuss suggestions made by Resources Director on Budgetary Management and inform the 
management team as appropriate of these decisions. 
6) Regarding audit, control and budgetary aspects of external bodies (e.g. Agencies and JTIs) 
operating within DG CONNECT policy areas 


Review their Annual Audit Plans and their implementation, as well as the Internal Auditors' Reports and 
the Action Plans resulting from all audits carried out by the ECA, IAS, own Internal Auditor, ex-post 
Review their management reporting (e.g. AAR), with respect to the implementation of their Internal 
Control Framework. 
Be informed on the results of meetings of these external bodies as reported by the corresponding Audit 
Committee member(s). 
Monitor the follow-up of the implementation of conditions and/or recommendations made by the 
Commission when granting autonomy to the JTIs. 

Meeting organisation 
Obligations of a team leader: 
give the dates (best estimate at this moment) to the secretary of the unit 
always put in his/her calendar absences, training, etc…. 
specify to the secretariat of the unit if special needs for the meeting room are 
required (beamer, video conference, etc…) 
4.  send an e-mail with the persons (names) that will attend the 
meeting(specifying which ones are key-persons) and the text of the invitation, 
to the secretariat of the unit 
check    each  invitation  just  after  it  has  been  sent  (right  persons,  date  and 
venue, text of the invitation…) 
Obligations of a meeting organiser: 
1.  Check with team leader before sending an invitation 
2.  Send of invitation  
3.  Inform the team leader if one of key persons decline an invitation; 
4.  Two days before meeting – phone Directorates who have not responded yet; 
5.  Just before meeting – prepare a list of attendance. 

11. info for access to IPM 
•  at 19/09/2012 there are the following accesses individual accesses:  
•  every user can create access for another user 
•  in general the questionnaires created under one user cannot be seen or copied by 
another user. This is why it is strongly advised to use                         login 
•  Questionnaires can be shared by entering into the personal login and defining 
for each questionnaire which user can see (and copy) it 
•  Currently one questionnaire is shared with all current login: the satisfaction 
survey – see Minutes of IAC meeting of 19/12/2011 

Preliminary Note  info about IPM can be found via intracomm  :  
Operational Instruction nr 2: how to report on IAC 
The IAC reporting activities are stated in the Charter and refer to: 
1.  Contribution to DG CONNECT's report addressed to the Commissioner (BMR) 
2.  reporting to the Director General (DG) of DG CONNECT 
3.  Reporting to the IAS 
4.  Other reporting (OLAF…) 
5.  Additionally, the IAS may be assigned lead unit to provide the DG with LTT on audit 
related ISC or other documents (CIS-Net). 
6.  The IAC may also report in other fora where it is represented: those fora are 
AUDITNET, Mgt Team meetings, ICT Directors' meetings, OS/AFUs meeting and 
other eventual meetings/seminars, etc. 
An  appendix with timetable, unit requesting IAC reporting and relevant instructions is 
attached to the present procedure. The reports that are sent without any particular 
instruction and/or timetable, i.e. reports that will be sent uniquely if certain conditions are 
met (e.g. reports to OLAF on suspected fraudulent activities), are not included in the 
1.  Reporting to the Commissioner: 
As regards IAC's contribution to the report to the Commissioner, the Charter states 
that significant issues related to control processes of the activities of the DG and 
of its executive agencies as discovered during the course of the JAC’s audit work, 
including potential improvements to those processes, should be incorporated in the 
twice-yearly report of the DG to the portfolio Commissioner. 
The IAC send a copy of final audit reports to the Cabinet and, on request of the 
cabinet, copy of the Action Plans

2.  Reporting activities to the DG (as stated in the Charter): 
Submission for approval of an annual work plan founded on a risk-based approach 
as part of a multi-annual strategic plan
Reporting on significant issues related to control processes of the activities of the 
DG and of its executive agencies as discovered during the course of the IAC’s audit 
work, including potential improvements to those processes. 


CONNECT IAC Manual of Procedures: O.I. 3 
Key Actions in AMS  
1. The audit lead requests one AMS administrator, the creation of the AMS Engagement 
before the commencement of work. The Title of the engagement should be agreed with the 
HoU and the team in advance.  
2 The EPM AMS form is filled in as required by the IT tool, before the announcement letter is 
sent to the auditees. The time budget of the engagement is based on the Annual Work Plan, 
and the split between the phases is decided in agreement with the Audit Supervisor and the 
team, depending on the nature of the audit. 
3. When the EPM is agreed, an AMS checklist is created for the Preliminary Survey. Standard 
checklists are available in AMS. Key documents to base the Preliminary Survey on are filed 
in AMS timely together with relevant conclusions, including risks identified. 
4. The Risk Control Matrix (RCM) is the main deliverable of the Preliminary Survey (PS) 
together with the approved EWP, which is to be filed before fieldwork start in the 'Audit 
Program' section of the main Audit form. 
5. Based on the EWP, checklists are defined for the Fieldwork. The team member responsible 
for each checklist step is to be written in the comments box. 
6. The team leader reviews, changes and makes comments in AMS for the preparer. Main 
supporting evidence should be attached/ referred in work papers in Supporting Files and Links 
7. The audit reports are field in the 'Audit Reports' section of the main Audit form. 
8. After the Auditee Satisfaction Survey is discussed and documented, the AMS engagement 
is closed by the Audit Lead. 
General AMS rules:  
1. Each and every Work Paper (WP) must contain Objectives and Conclusions. 
2. Supporting documents attached to Work Papers should be followed up in Conclusions field. 
3. WPs are sent to the Audit Lead when ready for review.  
For a detailed structure of AMS filing, see the instructions from Audit Supervisor: 
Z:\Audit Reference\
Structure of the audit 

CNECT IAC Manual of Procedures - Procedure 01: 
How to write, approve and update docs 

•  Docs should be named according to table:  
Type of doc 
Naming Code 
Charter CNECT_IAC_charter 
Procedure CNECT_IAC_pro 
Operational Instruction 
List of documents, plans, roadmaps 
Practical examples don't need specific naming. 
•  Create the new draft document  
Versioning and approval 
•  Start with version 0.1, change version at each major change 
and/or after review (each procedure is reviewed by one reviewer) 

•  Put version 1.0 when it has been approved and update 
•  The version is considered to be approved when it is agreed 
between a reviewer and an author; charter and MoU should be 
approved by DG)  
•  If an author and a reviewer do not agree, a document should be 
discussed in the MoP/Unit meeting; both of them might raise any 
controversial issue that is worth to be discussed in MoP/Unit 
•  In updating/modifying an approved version, create a version x.1 
and write immediately on the top the main changes intended to be done 
•  Put version x+1.0 when approved 
•  Only approved version should be published (in the Intranet) 
•  Remember that printed versions could be obsolete 
Tips & tricks 

•  Better use vertical flowcharts with narratives aside 
•  Put only necessary information that remains reasonably  up-to-date with time 
•  Structure the information and use bullet points 
•  Add tips& tricks, memo, links and references to external documents and examples 
•  Try to stay in 1 page 
•  Kiss (keep it simple) 
•  Make peer reviews with colleagues in order to collect good practices and harmonise 

Commission rules and IIA standards 
IAS General  
Audit Manual 
IAC Manual of 
Operational Instructions 
Templates, examples 

CONNECT IAC Manual of Procedures: pro 04 
1. The themes of the engagements are based on the Annual Work Program. 
2. The audit lead requests one AMS administrator, the creation of the AMS Engagement 
before the commencement of work. The Title of the engagement should be agreed with the 
HoU and the team in advance, based on the Annual Work Programme.  
3. The EPM AMS form is filled in as required by the IT tool, before the Announcement Letter 
is sent to the auditees. The time budget of the engagement is based on the Annual Work Plan, 
and the split between the phases is decided in agreement with the Audit Supervisor and the 
team, depending on the nature of the audit. 
4. When the EPM is agreed, an AMS checklist is created for the Preliminary Survey. Standard 
checklists are available in AMS. Key documents to base the Preliminary Survey on are filed 
in AMS timely together with relevant conclusions, including risks identified. 
5. The Announcement Letter and the Appendix to Announcement Letter signed by the Head 
of Unit, is sent via ARES to the relevant Auditees. An example of an Announcement Letter 
and the Appendix to Announcement Letter is attached here: 
Appendix to the 
Announcement Letter 
6.  A reference ( to IAC's intranet) for the Mutual expectations paper and the note on  
Processing of personal data in the course of internal audits should be included in the 
Announcement Letter. 

CONNECT IAC Manual of Procedures: Pro 5 
Audit Risk Assessment (RA) – Risk Based Auditing 
1.- References: 
- IIA Standard 2200-Engagement Planning, 2201-Planning Considerations, 
- Practice Advisories: PA-2200-1: Engagement Planning,  
( ) 
- Auditnet web ( 
2.- Responsible: 
The responsible is the Lead Auditor together with the head of the IAC, with the help of the whole unit 
3.- Process: 
Based on all the information analysed in the Preliminary Survey (PS) (see Procedure No 6), a Risk 
Analysis (RA) is performed for the activity audited with the aim of focusing the audit work on most 
significant risks and prioritizing audit tasks. 
4.- Detailed audit risk assessment  
For each of the documents reviewed and interviews during the PS, a list of significant risks identified is 
included in the related WP's Conclusions. Objectives of the activity audited should be clearly identified 
by examination of relevant documentation and inquiry. A Risk Control Matrix (RCM) shall be used to 
organise the RA, collecting risks identified in all the WPs, listing: 
Organisational/Process/Control/Engagement Objectives, related main Risks of not achieving Objectives, 
corresponding mitigating Controls in place, and reference to the corresponding Audit Procedures.  
Explanation for the sequence: Objectives – Risks – Controls - Tests 
In order to provide reasonable assurance whether the internal control system in place leads to 
achievement of Objectives, the risk analysis process should consider the objectives of the organisation, 
specific process objectives, control objectives, compliance objectives and audit objectives. Based on the 
information available, inherent risks of not achieving those objectives are identified. Key controls in 
place that mitigate those risks are also documented based also on Process Descriptions. Audit tests 
planned may be added in the same document or separately and cross-referenced. 
The Control Risk is the risk that the controls in place are not mitigating the inherent risks. The Residual 
Risk is the risk that objectives are not achieved (or that the inherent risk triggers) even if those 
preventive/detective controls are in place to mitigate those risks. 
Risk Formula 
Residual Risk = Inherent Risk x Control Risk 
Risk-control matrix 
An example for an RCM header is attached: 

For Examples of RCMs used in 2 different audits and the corresponding EWPs, please refer to 
Procedure No 6. 
The main risks identified may be validated with the auditees. The 
risks should be rated based on their likelihood and impact. An 
Understand the 
Engagement Work Program (EWP) is drawn up based on the 
results of the RA. The EWP shall be approved by the Audit 
Supervisor prior to the Fieldwork start and it should cover the most 
significant risks identified in the RA. 
The RCM should be updated during the fieldwork with significant 
information, together with the EWP. Changes must be approved by 
the audit supervisor.  
Tips: for example, organise brainstorming with all the Unit  
With risk 
Focus on 
the most 
Draft audit 
Confirm the RA 
Send RCM for 
review and 

INFSO IAC Manual of Procedures: pro6 
Preliminary Survey (PS) and Engagement Work Program (EWP) 
•  IIA Performance Standard 2240-Engagement Work 
Program (
•  IIA Practice Advisory 2240-1 
Fix and conduct 
•  Follow the procedure set in the Mutual Expectations Paper 
(see pro02)  
Objectives of the preliminary survey: 
•  Understand the activity audited and indentify the 
objectives and the main risks associated, including financial 
risks and legal risks (compliance with the financial and legal 
rules and regulation applicable), operational risks (economy, 
controls (in 
efficiency and effectiveness of the operations being performed 
by the services audited) and reputational risks. This first 
week may also be useful to preliminary remark existing 
 on the risks being identified. 
Draft EWP 
•  To get a clear view of the main existing controls in 
place to mitigate the risk inherent to the activities audited. 
with tests 
•  To  document the processes being audited, showing 
) with tests 
objectives, main process steps, significant risks and key 
controls and to establish the agreed EWP (checklists), that 
will be performed during the field-work. 
The structure of preliminary survey: 
•  Read main documents related to the activities 
Select sample 
audited (description of procedures, former audit reports – 
IAC, IAS, ECA; etc) with the aim of getting a comprehensive 
overview and understanding of the processes being audited 
and the associated risks. The information gathered and 
Fix interviews 
analysed should cover objectives of the organisation in the 
for fieldwork 
areas audited, activities, processes, IT systems, legislation 
applicable, key actors 
and organisation chart. This first 
week should therefore allow for elaborating a preliminary risk 
analysis of the processes as well as eventual controls in place. 
As a practical and general guidance for recurrent documents 
to be included in the analysis, refer to the AMS standard 
'Preliminary Survey' checklist (e.g. SPP cycle documents, 
Permanent file of the audited activity, Mission Statements, 
Websites etc). 
•  Fix interviews (via secretaries) for the following week 

with the key operational, financial and IT actors (eventually also legal experts) and later 
conduct them, with the aim of acknowledging the main existing controls on the risks 
identified initially. Use the interviews to further check the impact and likelihood of the risks 
initially foreseen, to add new risks and to get a better understanding of the processes being 
•  Document the eventual lack of sufficient controls to mitigate one or some of the 
risks identified.  
Details on the Risk-Control Matrix (RCM) are described in Procedure No 5 "Audit Risk 
•  Draft a document describing the main processes audited (responsible, flow of 
information, risks identified, existing controls, etc.). Draft the Engagement Work Program 
 with all the tests to be performed on the different controls identified to address 
the results of the Audit Risk Assessment. Select the sample of transactions to be tested, by 
using either statistical or non-statistical sampling methods. Ensure yourself that the controls 
are functioning adequately and regularly during the period subject to the audit. 
IAC does not have a template of the EWP (checklists) – as an example workprogrammes of 
previous audits might be used: 
Example 1: EWP for Evaluation of Evaluation of Proposals 
Audit workplan - 
Evaluation of proposa 
Example 2: EWP for Evaluation of Programmes (GRC link) 
•  Fix interviews with the key actors involved in the activity audited who will provide 
with the necessary feed-back to complete the PS. 
Reporting steps: 
•  The last day of the first week (normally Friday), a written document with the main 
risks encountered will be submitted and discussed with the Head of Unit (HoU). 
•  The last day of the second week (normally Friday), a written document with the main 
existing controls addressing the risks identified will be submitted and discussed with the 
•  The last day of the third week (normally Friday), two written documents, one with the 
description of the processes being audited and the other one with the programmes / 
to be performed will be submitted for review and discussed with the HoU. 
•  The Audit Supervisor (HoU) approves the WP at the end of PS. 

INFSO IAC Manual of Procedures - Procedure 07: 
Fieldwork and Findings 
Objectives of the fieldwork: 
End of pre- 
•  To assess the effectiveness of governance, risk management 
liminary survey  
and control processes being audited.  
•  To conclude on the internal control system of those 
Perform the tests 
foreseen in the work 
•  To highlight/draw the observations and recommendations 
in case one or more of the controls are not functioning properly and 
are therefore not mitigating the risks. 
Agree on which 
•  To validate observations, recommendations and risks with 
findings will lead to 
obs/rec (with HoU) 
The structure of the fieldwork: (average duration: 6 weeks)  
During the first and second week of the fieldwork, perform 
the tests foreseen in the work-programmes/checklists on the 
Validate findings  
different controls identified. The tests must prove and provide 
evidence on the adequate and regular functioning of the 
Extra test to strengthen 
the observations  
controls in place during the period subject to audit.  
Evaluate the implications for the audit of the non-existence 
of controls to mitigate one or more identified risks
Unit team need to agree with the HoU on the findings to 
DOR table 
eventual observations and/or recommendations or any other 
of WP and  
practical consequence (e.g. being mentioned in the audit). 
DOR table 
Confirm/validate all factual elements (findings) with the 
auditees (by interview or email) or by testing.  If needed perform 
references ) 
extra test to strengthen some observations. This should lead to 
evidence which is sufficient, competent, relevant and useful.  
Prepare a summary of the tests (or working papers) that 
describes the significant matters identified during the audit, how 
they were addressed and the cross-references to the supporting 
audit documentation and to the Draft Observation and 
by HoU
Recommendations (DOR) table. Example. 
Draft the DOR table.  
Submit a first draft of DOR to the HoU.  
The eventual changes, following the review of the HoU 
Final DOR 
should be discussed and the DOR table redrafted.   
Final DOR 
The agreed draft DOR table has to be sent to all directors 
and Send to 
responsible for the activities being audited for a discussion that 
takes place in a validation meeting two weeks later. 
Audit evidence in AMS or any other eventual Audit Management 
tool used by the IAC must necessarily reflect this logic: RISKS-
RECOMMENDATIONS and must allow for an easy track of this 
path to any eventual audit supervisor/reviewer of the audit work. 

INFSO IAC Manual of Procedures: pro08 
Draft observations table, discussion meeting  
All findings
Group findings into observations 

•  Check ALL findings have been considered  
•  Consider also positive findings (strengths) and issues for 
•  Consider and discuss many different possible grouping solutions 
•  Map tests (or working papers) into observations, strengths and issues 
for consideration, if any. Example 
risks and 
Draft observations table, risks, recs 
•  Verify evidence of the  findings  (sufficient, relevant and reliable)  
•  If needed do extra tests in order to have findings which soundly 
support the observation 
•  verify finding info (condition=fact&figures, 
criteria=rule/standard/principle, effect= risk/impact, cause) 
•  recommendations should respect management responsibility for 
•  Objective 5C: reach a correct, concise, clear, consistent & complete 
version (in a reasonable time: apply 80/20 rule, it means that with 
Send draft 
20% of the effort you can get 80 % of the result
obs table 
•  Use iteratively track changes, discussions on B points, new versions 
•  In case of disagreement between auditors the Auditor in charge has 
the responsibility to conclude. 
Discussion/validation meeting  
•  Example of invitation for discussion meeting  
Meeting preparation (if you fail to prepare, prepare to fail) 
•  Example of ppt presentation for facilitating 
•  Make "dry run" of presentation 
•  Book meeting room, order coffee, test barco, PC and network 
•  No more than 2h, monitor average time for discussion 
Meeting output 
•  Take note of any major comments 
•  If judged necessary, some auditee can be invited to submit written 
comments within a given deadline (of few days). 


CONNECT IAC Manual of Procedures: pro9 
Contradictory phase and final report  
Start of the contradictory phase   
•  The formal contradictory procedure starts after the meeting where 
the draft observation table is discussed. Written  comments can be 
given by the auditees however the written comments may not 
written)  feedback 
delay the drafting report (so there is deadline for written 
Finalising draft 
comments of a few days)  
observations table  
•  Draft observations table +  eventual received written comments of 
Directorates  must be uploaded in AMS  
Prepare the draft report  

•  Auditors should include, as much as possible, the comments of 
template (see 
the auditees in the observations table. The HoU must approve the 
modifications  and the HoU  will also be informed he comments 
of the auditees which the auditors did not take into account and 
the reason why .  
•  On basis of the new observations table the auditors prepare the 
IAS template 
draft report (template on audit net)  
(tip : look also at recent audit reports for examples) 
•  Attention to the front page of the draft audit report:  
Prepare draft report 
o  addressed to the auditees (directorates)  
o  in copy to the DG, deputy DG and assistants  
•  Eventually, following the need, there can be a report review 
organised. It is an ad hoc decision of the HoU or audit lead.    
Review by peer
Sending out the draft report  
and HoU 
•  The draft audit report is sent out via ARES to the auditees 
(relevant Directorates) and to DG, deputy(ies) DG, assistants. 
In the note we ask for comments on the draft audit report 
including an indication of the acceptance of the 
Send draft report + note by HoU 
requesting for comments  
recommendations made. Deadline for comments is normally 2 
weeks (refer to Mutual expectations procedure). 
Prepare final report 
received from 
Note FSP to 
Directors - template.d 
•  The note + the Ares reference should be uploaded in AMS 
•  If no comments are received in the due timing, a reminder has 
to be sent  
•  The received comments should be uploaded in AMS  
Send final report + note by DG 
requesting for action plan 

Prepare the final report  
Auditors should include, if possible, the received comments in the audit report. 
Maybe we should add such a nice sentence to our reports as well (as per 'IAS report – 
executive summary') – to be discussed in Unit mtg for agreement to update MOP 
The fieldwork was finalised end of November 2012. All observations and 
recommendations relate to the situation as of that date. However, information provided 
during the validation phase was duly taken into account when finalising the audit 
The modified version of the audit report should be first agreed in the audit team and then 
discussed with the HoU. The HoU will approve the track changes and will also take note 
of the comments of the auditees which the auditors did not take into account.  
Discussions with the auditee will be pursued on the draft audit report until the auditee 
accepts that some comments are not taken into account, or in case of continuous 
disagreement, the auditee position will be annexed to the final audit report and a 
reference will be added to the executive summary. Discussion with the auditee in this 
phase will be mainly done by the HoU or the deputy HoU.  
Note : Front page of the final audit report: addressed to the DG  and in copy to the 
auditees (directorates), deputy(ies) DG and assistants  
Sending out the final report  
The final report with the template for an action plan will be sent to the auditees by our unit 
(for more details look at procedure CONNECT_IAC_pro11) 
action plan template
The note + link to Ares document should be uploaded in AMS  

INFSO IAC Manual of Procedures: pro10 
Action plan  
•  The final report has been sent with a note of the Director General 
to the audited directorates. In the note Director General asks to 
make an action plan. The deadline is normally three weeks.  
Auditees prepare 
Note DG 
Action plan   
action plan  
Note director 
action plan template
  General - Final Report        
Action plan 
Prepare the action plan  
•  The auditees prepare their action plan. 
•  If several directorates are involved in the preparation of the action 
plan the consolidation of the several action is by preference done 
by the auditees themselves. 
•  In some cases it is however the IAC who consolidates the action 
plans of the different directorates involved. 
Control of the adequacy of the action plan  

  The auditors examine the adequacy of the action plan and discuss 
Action plan  
it with HoU.   
Action plan   
•  At the next Audit, Internal Control and Budgetary Committee 
("the Committee") the action plan is discussed. Eventual 
contradictory views between auditors and auditees on the action 
plan are settled and then the action plan is formally endorsed.  
Control of 
Sending out accepted action plan (and final report)  
adequacy action
plan by the IAC
•  The accepted action plan is sent together with the final report 
to the Cabinet  
•  The notes + the Ares reference should be uploaded in AMS 
•  The file "IAC open audit recommendations" in J:\ is updated 
with the new recommendations and actions (J:\IAC open 
Control of 
adequacy action
plan by the IAC
Action plan + final report is sent 
to the Cabinet  

CONNECT  IAC Manual of Procedures: pro11 
Transmission of audit results 
Documents with audit results to be transmitted 
•  Draft observation table 
•  Draft audit report 
•  Final audit report 
Transmission of draft observation table 
•  Prepare a note to the draft observation table adapting the template (after getting final approval of the 
draft observation table from HoU 01) 
•  The deadline for sending comments should not be more than 10 working days after a meeting with 
auditees regarding findings in observation table 
•  Send note + draft observation table via ARES to: 
o  To: Auditees involved (directors of directorates that were part of the audit), HoU 02 
o  Cc: HoU 01, auditors performing audit 
•  Last date for sending a note + draft observation table is 2 days before a meeting with auditees 
regarding findings in observation table 
Transmission of draft audit report 
•  Prepare a note to the draft audit report adapting the template (after taking into consideration 
comments from auditees on draft observation table and getting final approval of the draft audit report 
from HoU 01) 
•  The deadline mentioned in the note for sending comments on draft audit report should not be more 
than 10 working days 
•  Send a note + draft audit report via ARES to: 
o  To: Auditees involved (directors of directorates that were part of the audit) 
o  Cc: DG, deputy directors, assistants of DG, HoU 02, HoU 01, auditors performing audit 
Transmission of final audit report 
•  Prepare a cover note to the final audit report adapting the template (after taking into consideration 
comments from auditees on draft audit report and getting final approval of the final audit report from 
HoU 01) 
 •  Send a cover note + final audit report + template of action plan via ARES to: 
o  To: DG, deputy directors, assistants of DG, HoU 01, auditors performing audit 
o  Cc: Auditees involved (directors of directorates that were part of the audit) 
o  Cc: IAS ("ve_ias.iacs reporting") 
o  Assign the same ARES document to Yves Motteu with a message/instructions "Please send 
this audit report to ECA" 
o  Check-list to be completed by the audit lead and the secretary (and included in GRC as 
evidence once signed by both of them) before sending a final report: 

H:\10 - Methodology\
o  7 - Manual of Procedu 
•  After AICB Committee discuss the action plan, prepare a note to CAB in ARES with the final audit 
report and the final action plan (check again who signs the note, it should be DG) 

by auditees for all recommendations considered to be implemented 
•  Arrange meetings with auditees to discuss implementation/testing of recommendations 
Validations of implementation assessment 
•  Assess the implementation of recommendations based on the supporting evidence provided by the 
auditees, interviews and tests performed for each recommendation, focusing on the Critical and Very 
Important Recommendations. 
•  Complete the reviewer sections in the recommendations in Issue Track (reviewer field and residual 
risk field) (if the case). 
•  Consider weather management has formally accepted the risk of not taking actions for certain 
Prepare draft follow up report 
•  Prepare draft follow up report using the template from a previous engagement where the parts to be 
H:\10 - Methodology\
changed are highlighted: 5 - Toolkit\3 - Reporti 
Send draft follow up report 
•  Prepare a note to draft follow up report adapting the template 
•  A note to draft follow up report is signed by HoU 
•  Send draft follow up report together with the note to Directors of Directorates who needs to 
implement recommendations according to audit report and a copy to DG, DDGs and assistants 
Prepare final follow up report 
•  Prepare final follow up report based on the draft report. 
Send final follow up report 
•  Prepare a note to final follow up report for directors adapting the template; a note is signed by DG 
•  Send final follow up report together with the note to Directors of Directorates who were responsible 
to implement recommendations from audit report and a copy to DDGs and assistants 
•  send a note and final follow up report also to IAS 
•  Prepare a note to final follow up report for cabinet adapting the template; a note is signed by DG 
•  Send final follow up report together with the note to commissioner and copy to cabinet, DDG, 
assistants and HoU 

CONNECT IAC Manual of Procedures: pro13 
Auditee satisfaction survey 
End of audit 
•  Follow the procedure set in the Mutual expectations paper 
•  Prepare survey while waiting for the action plan from the auditees 
Selection of the auditees 
•  Directly involved in audit – all levels of hierarchy and across all the 
Directorate-General (if possible all units and directorates taken into 
list to 
•  Preferably 5-10 auditees per audit 
•  In order to avoid duplication and overloading of auditees, a list of 
persons to which the survey was sent is kept (current file contains 
data from the beginning of 2013) 
•  General rule is max 1 survey per auditee in one year 
•  Propose to HoU the list of people to which survey will be sent  
Preparation of the questionnaire: 

•  Use IPM system: 
•  To log in:  
•  Use the questionnaire template available on the units' sharedrive or 
the last version of Satisfaction Survey from IPM 
•  Survey should stay opened 15 working days 
Communication of the questionnaire 

•  Send an e-mail to each auditees in Bcc adapting the message 
•  This e-mail should be sent to the auditees as soon as the Action Plan 
is approved by the AICB Committee, however not later than 2 weeks 
from the day of the AICB Committee meeting.  
Analysis of survey 

•  The collected answers to the auditee satisfaction survey will be 
saved in the Unit's share drive under the relevant audit and managed 
confidentially. Answers will be also saved in GRC. 
•  The survey results will be analysed and discussed at the Unit 
meeting. Any action for improving the internal audit process will be 
recorded in the Unit meeting minutes.  
•  Upon the request of the DG, the HoU will send the results to him/her 
•  Close the survey in IPM after expire date 

INFSO IAC Manual of Procedures: pro15 
Audit, Internal Control and Budgetary Committee (AICB Committee) 
1.- Information from previous meetings are in H:\08 - IAC functioning excluding staff matters\1 - 
2.- All e-mails related to the Committee should be sent in copy to HoU. 
3.- HoU decides who will attend the meeting in case he is absent. 

Wednesday week X-1 
Wednesday one week before the meeting - IAC sends an e-mail to 
participants (except DG), with a draft agenda already including points 
Sent out Email request 
from IAC, asking the participants for their points to be added to the 
for agenda point  
agenda, as well as supporting documents, by Thursday (the next day) 
at 4 pm am at the latest.  
Friday one week before the meeting - before 10 am IAC sends 
Friday week X-1 
the draft agenda to participants (except DG) asking for confirmation 
of correctness by the same day at 11:59 am, at the latest 
- sending draft agenda to 
participants before 10 AM  
Friday one week before the meeting - - before 12 am IAC sends 
-sending final agenda to the 
the agenda to the secretary of DG so that it is attached to the mgmt team 
agenda of following Monday 
secretary of DG before 12 AM
- sending final agenda and 
-  Friday one week before the meeting  - before 4 pm IAC sends 
supporting documents to 
the agenda and supporting documents to participants, including 
participant before 4 pm 
minutes of the latest meeting and follow-up table 
- sending list of confirmed 
participant before 4 pm 
 Friday one week before the meeting  - before 4 pm IAC sends a 
- order drinks (via Presto)  
list of participants having confirmed their presence at the meeting, to the 
DG (cc assistants). Always remind the assistants of DDG that "DDGs 
will appoint a director to attend the meeting in case they cannot attend it, 
in addition to their assistants". 
Thursday week X 
Friday one week before the meeting - send the final agenda to the 
secretary of DG and to the assistants mailbox so the paper file can be 
Day of the meeting  
- Friday one week before the meeting - order drinks in PRESTO 
Day of the meeting - (BU25 06/152) - AUDIT, INTERNAL CONTROL 
Friday week X 
Sending out draft minutes 
Day after the meeting -  IAC sends the draft minutes and the 
updated follow-up table to participants (except DG) asking for their 
comments by the next Monday at 5 pm, at the latest 

- Wednesday one week after the meeting - 
 IAC either incorporate 
Wednesday week X +1 
all comments from participants to the final minutes or convince the 
 - incorporating comments on 
participants to accept IAC's drafting 
draft minutes 
- Sending out final minutes  
Wednesday one week after the meeting - the final minutes are 
sent to all participants and DG via ARES 

CONNECT IAC Manual of Procedures - Procedure 16: 
Audit Supervision 
•  There are (at least) 2 levels of supervision to the audits: from the 
Auditor in charge and from the Head of Unit. 
Approval of audit 
Supervision from Auditor in charge 
title, scope, 
The auditor in charge supervises the audit work done by: 
•  Setting up and validating a global audit planning and task list for 
the audit (example) 
Review of RCM at 
•  Ensuring each audit working paper is timely reviewed by at least 
fieldwork start 
one different person. AMS gives formal evidence of reviews. 
•  Regularly and systematically discussing with auditors, during 
Weekly review of 
audit team meetings or in one-to-one contacts, any blocking or 
fieldwork status and 
controversial issue, unclear result, new information to be 
of any preliminary 
•  Reviewing with auditors the advancement of the audit work, at 
least weekly but increasing the frequency if critical to meet 
Track changes review of 
deadlines. The audit planning is updated. 
draft obs table, draft 
•  Escalating to Head of Unit any issue that could sensibly 
report and final report 
compromise the result of the audit or that requires manager 
Consensus sought 
Tips & tricks 
before sending 
•  Auditor in charge may propose, discuss and agree with auditors 
documents outside Unit  
on a "way of working" at the beginning of the audit to have a 
common understanding on the way to proceed and to relate to 

Final review of all 
each other. 
working papers in AMS, 
•  Keep distinct versions (0.1, 0.2, etc.) of documents that require 
addressing of all 
subsequent input reviews from many actors. Changes remain in 
comments and approval 
track changes until acceptance/discussion => new version is 
created with track changes accepted. 

•  Fieldwork planning and update example in sheet 2 and 3  
Supervision from Head of Unit 
•  As part of his/her supervisory activities, the Head of Unit (HoU) 
establishes policies and procedures to guide the internal audit 
activity (PA-2040.1) and monitors their effective implementation 
in individual audit engagements. 
•  The HoU designate auditors to engagements, who collectively 
possess the required knowledge, skills, and other competencies to 
carry out the engagement (PA-2340.1). 
•  He/she supervises the whole process from planning to 
communication of results and meets at least on a weekly basis 
with the whole team to provide appropriate instructions. 

•  He/she reviews and approves the engagement planning (PA-2200.1) and the engagement work 
programme (PA-2240.1). 
•  The HoU ensures that conclusions of engagement working papers adequately support 
engagement observations and recommendations. 
•  The HoU supervises engagement communications (audit reports), ensuring they are accurate, 
objective, clear, concise, constructive, and timely sent to the auditees, following the IAC's annual 
•  The HoU minimize the risk that internal auditors make professional judgments or take other 
actions that are inconsistent with the HoU's professional judgment and also resolves differences 
in professional judgment between the internal audit staff e.g. nature and extent of tests). 
•  The HoU ensures that working paper in AMS or any other filing system used in future include a 
clear and updated conclusion, with explicit reference to its repercussion on the audit report and 
ensures also that  working papers are always cross-referenced. Working papers should support 
the bases for the observations and recommendations to be reported and therefore their 
conclusions must be the same than the conclusions expressed in observations/recommendations. 
As stated in the practice advisories, working papers include the engagement s final 
communications and management's responses.  
•  When clearing review notes, the HoU takes care to ensure working papers provide adequate 
evidence that questions raised during the review are resolved. 

Document Outline