Pursuant to Article 38 paragraph 2 of the Law on Public Internal Financial Control System ("Official Gazette of MNE", No.

73/08, 20/11 and 30/12), the Ministry of Finance adopted: RULEBOOK ON METHODOLOGY FOR REVIEWING INTERNAL AUDIT QUALITY IN PUBLIC SECTOR Article 1 This Rulebook shall regulate the methodology for reviewing internal audit quality in the public sector (hereinafter: Methodology). Article 2 Methodology referred to article 1 of this rulebook reviews quality of organizational regulation in the internal audit unit and quality of individual audit files. Reviewing quality of organizational arrangements for internal audit unit is conducted with direct insight in: Internal Audit Charter, in order to determine the content and procedure of adopting and updating the charter Internal Audit Strategic Plan, in order to determine the scope and implemented methodology in process of strategic plan preparation, adoption and update Training plan of internal auditors, in order to determine training content for acquiring necessary skills for conducting internal audit Written requests of the head of organization for IA consulting services for special unplanned tasks which purpose is to create added value and improve processes of governance, risk management and controls. Reviewing quality of individual audit files is conducted with direct insight in documents in order to determine implemented methodology of conducting individual audits in following stages: Audit planning; Recording the system; Evaluating the system; Testing; Audit conclusions and audit reporting; Action plans and follow up. Article 3 Review of internal audit quality is conducted by Central Harmonization Unit of the Ministry of Finance (hereinafter: Central Harmonization Unit) using the Methodology from annexes 1 and 2, which are integral parts of this rulebook.

Article 4 Central Harmonization Unit Officer, who conducted the internal audit quality review based on Methodology, shall produce a report. Report from paragraph 1 of this article shall be submitted to the head of the internal audit unit, who ensures implementation of recommendations presented in the report. Article 5 This Rulebook shall enter into force on the eight day after its publication in the Official Gazette of Montenegro. No: 05-733/2 Podgorica, February 18th2013 Minister PhD Radoje ugi

ANNEX 1

Ministry/Organisation

Head of Internal Audit

Number of audit staff (total)

Date IA Unit established

CHU reviewer

Date of review

1.

Internal Audit Charter

Topic 1.1 Is there an audit charter and when was it prepared? Has the audit charter been discussed and approved with the Head of the Organisation? Does the audit charter include: The role of IA the scope of IA how to ensure the independence of IA the responsibilities of IA and the Head of the Organisation IA reporting arrangements IA relationships with the SAI and other review bodies?

Yes/No

Comments and observations

WP Ref

1.2

1.3

1.4

Does the Head of IA have any policy for review and update of the charter? For example, how often this is to be done; following organisational changes etc

2.

Strategic Planning

Topic 2.1 2.2 2.3 Is there a strategic internal audit plan? When was it prepared or updated? Has it been approved by the Head of the Organisation, and when? If not approved by the Head of Organisation who has approved it? Does the strategic plan cover the full range of activities of the organisation, including any agencies and administrations for which it is responsible? Does the strategic plan provide for appropriate audit coverage of EU Funds? Has the risk assessment process been carried out in a suitable way? Is the staffing of IA sufficient to meet the audit need identified in the strategic plan?

Yes/No

Comments and observations

WP Ref

2.4

2.5

2.6

2.7

2.8

2.

Strategic Planning (continued) Topic Yes/No Comments and observations WP

Ref 2.9 If more staff are needed are there any plans to recruit them? Did the head of IA prepare annual plan and when it was approved by head of entity? Does the Annual Plan reflect the strategic plan and take account of any audits not carried out in the previous year?

2.10

2.11

3.

Training for IA staff Topic Yes/No Comments and observations WP

Ref 3.1 Is there a training strategy and an annual training plan for IA staff? Do the training strategy and training plan provide for sufficient training in respect of the development of IA skills and certification? Does the plan include training in EU Funds auditing (where appropriate)? Has the plan been approved by the head of organisation? Does the IA unit have a training budget? Is that budget sufficient to achieve the training needs identified in the plan?

3.2

3.3

3.4

3.5 3.6

4.

Relationships with other bodies Topic Yes/No Comments and observations WP

Ref 4.1 Management Has IA received any requests from management for guidance and advice How many requests and how effectively were they dealt with? SAI Does the head of IA have regular meetings with the SAI? If so, when did the last meeting take place? Are notes prepared of these meetings? Are IA reports sent to the SAI after they have been endorsed by the head of organisation? CHU Is there regular contact between IA and the CHU? When was the last contact with CHU? What was the subject of that contact? Was the last Annual Report on IA activities received in CHU on time? Was the report content satisfactory?

4.2

4.3

4.4 4.5 4.6

4.7

4.8

4.9

4.10

External evaluator 4.11 Has external evaluation

of internal audit quality been conducted in last five years?

4.12 Has external evaluation been conducted by qualified, independent evaluator or by team of evaluators who are not employed in entity?

ANNEX 2

Name of Audit

Dates of audit from start of planning to approval by the Head of Organisation Audit title

Auditor(s) carrying out the audit

CHU reviewer

Date of review

1.

Planning the audit

Topic 1.1 Was notification of the audit sent out on time? 1.2 Were the initial discussions held with the appropriate people and suitably recorded in the working papers? 1.3 Did the terms of reference include details of the audit objectives and the scope of the audit? 1.4 Was a detailed audit plan prepared? 1.5 Was a letter of notification regarding the audit sent out? 1.6 Was an audit start-up meeting held and a record of that meeting prepared and placed on the audit file?

Yes/No

Comments and observations

WP ref

Recording the system Topic Yes/No Comments and observations WP

ref 2.1 Were the systems objectives set by management identified and recorded in the audit files? 2.2 Were suitable control objectives developed for the audit? 2.3 Whether the system is recorded in a way that really works? 2.4 Were the flowcharts/systems descriptions clear and easy to understand? 2.5 Were flowchart symbols used correctly? 2.6 Was an outline/overview of the description prepared? 2.7 Were controls identified clearly on the flowcharts/systems description? 2.8 Was there evidence of walk-through tests being used to validate the systems description?

3.

Evaluating the system Topic Yes/No Comments and observations WP ref

3.1

Has the Control Evaluation Record been completed properly for each control objective? Are the risks identified by the auditor appropriate and relevant to the control objectives? Have the actual controls been correctly identified? Does the assessment of the adequacy of control seem to be appropriate?

3.2

3.3

3.4

4.

Testing the system Topic Yes/No Comments and observations WP ref

4.1 Were suitable test programs prepared? 4.2 Was the basis of sampling (random, statistical, stratified etc) appropriate and were the sample sizes in line with the IA Manual guidance? 4.3 Were the details and results of the test recorded as appropriate on: Detailed working papers and The Control Evaluation Records?

4.4 Was there an appropriate conclusion on every working paper?

5.

Audit conclusions and audit reporting Topic Yes/No Comments and observations WP ref

5.1 Was the audit Findings Form completed properly? 5.2 Did the auditor arrange a wash-up meeting to discuss the findings and possible solutions? 5.3 Is the structure of the report in line with the guidance in the Audit Manual? 5.4 Does the executive summary state clearly and concisely the key audit findings and the key audit recommendations? 5.5 Was an exit meeting held to discuss the draft report?

6. Topic

Action plans and follow-ups Yes/No Comments and observations WP ref

6.1

Was a completed Action Plan returned to IA within eight working days of the report being issued? Was the Action Plan reviewed to ensure that all the audit recommendations are to be suitably implemented? Did the Head of entity ratify the report and the completed Action Plan within 30 days as required in the PIFC Law? Was a suitable date scheduled for a follow-up audit?

6.2

6.3

6.4

7. Audit files and audit management review of files Topic Yes/No Comments and observations WP ref

7.1. Were the current and permanent audit files set up and completed in accordance with the Internal Audit Manual? 7.2. Were all working papers suitably cross-referenced and signed by the person who prepared them? 7.3. Were the audit files reviewed by the Head of Internal Audit during the course of the audit?