Professional Documents
Culture Documents
2014
VERSION 1.0/2014
TABLE OF CONTENTS
Year 2014
CONTENTS
PAGE
1. Introduction... 01
2. Purpose of Internal Audit Plan.. 02
3. Internal Audit Approach.. 03
4. Internal Audit Process.. 03
5. Annual Enterprise Risk Assessment. 03
6. Development of Internal Audit Plan.. 06
7. Allocation of Internal Audit Resources. 07
8. Internal Audit Plan 2014 Matrix 08
9. Internal Audit Plan 2014 Timelines. 12
10. Pre-payment Audit (Pre-audit). 13
11. Auxiliary Internal Audit services. 13
12. Internal Audit Plan Revision. 13
13. Internal Audit Reports. 13
14. Internal Audit Follow-up.. 14
15. Coordination with External Auditors.. 14
16. Professional Standards.. 14
17. Appendices.. 15
Year 2014
1. Introduction
Urban Sector Planning & Management Services Unit (Pvt) Limited (hereinafter called the Urban Unit)
was incorporated under the Companies Ordinance 1984 on June 18, 2012.The core areas of operations
include Urban Planning, Urban Transport, Solid Waste Management, Urban Water & Sanitation, GIS &
Spatial Planning, and Municipal Finance etc. The support services activities comprised of human
resource, procurement, information technology, communication, financial management, internal audit
and administration etc. The organogram of the company splits up the human resources into three broad
categories namely Specialists, corporate and administrative positions.
The Board of Directors comprised of seven members. The authorized share capital of the company is
divided into 1000 shares of Rs.10,000 each. P&D Department Punjab is the majority shareholder.
The objectives of the company are articulated in the memorandum of association. The business of the
company is governed by its articles, policies & procedures, Companies Ordinance 1984 & subordinate
regulations and government laws & directives.
The accountability is ensured through external and internal assurance. The external audit is conducted
by a chartered accountant firm appointed by the BOD as well as by the auditors of the Auditor General
Department under the provisions of Auditor Generals Ordinance 2001.
The internal assurance is provided by the Internal Audit Department of the company which is
responsible to the Audit Committee of the BOD. The terms of reference for the Internal Audit of the
company are laid down in the Internal Audit Charter of the Company. The charter requires an annual
internal audit plan to be approved by the Audit Committee.
Year 2014
It is our intent to convey a current sense of the Company's internal control environment and the extent
to which institutional risk mitigation is being assessed by regular audit activities, addressed proactively
through advisory services, or investigated as a result of issues raised.
3. Internal Audit Approach
At the Urban Unit, Internal Audit Department is striving to dispel the notion of an audit as something
done to the management, in a stand-alone activity. Rather, we are promoting the concept that an audit
is something we accomplish with the management. This is what we call participatory auditing, and we
are convinced that the product of this approach will be far superior to any audit completed without
active involvement of the management and the process owner. Why are we so confident of this? The
answer is simple: nobody knows the process better than its owner.
A step forward to participatory audit, our audit approach is risk based and demand driven to provide
independent, objective assurance &review, aimed to add value to the Companys governance, risk
management and control processes.
4. Internal Audit Process
In all phases of the audit we not only welcoming, but requesting the managements active involvement
throughout the audit cycle, in all phases - starting before the entrance conference, and continuing
through planning, testing, and reporting. Following are the audit process steps we normally follow:
Planning - The Internal Auditor meets with the senior management, department heads and process
owners- the staff responsible for the function to be audited. This enables the auditor to understand the
process being audited and the control environment. The Internal Auditor develops an audit program to
outline the testing that will be performed to ensure controls are designed to function as management
expects. The Internal Auditor will often develop flowcharts to document the process of being audited.
Testing - The Internal Auditor will test a sample of transactions and processes during field audit and
express an opinion on the controlled environment. As a result of testing, the Internal Auditor will
recommend audit improvements when noted.
Communication and Reporting - An informal summary of findings is shared with department heads or
process owners directly involved in the audit for their comments. A draft audit report is prepared and
communicated with management and their response is incorporated. The final report is presented to
the Audit Committee for review and discussion. Afterwards, the final report is distributed to the Board
and management.
Follow-up - The Internal Auditor generally performs a follow-up on corrective action plans or
management response to address audit recommendations.
5. Annual Enterprise Risk Assessment
The Internal Audit department continues to utilize a formalized risk assessment methodology in
selecting functions/processes/units/systems for inclusion in the annual audit plan. Relative risk
Year 2014
assessment is necessary to provide a basis for the rational deployment of our limited resources for audit
engagements across the Company.
The risk assessment comprised of internal & external assessments of existing and emerging risks within
or outside the organization.
5.1 Internal Risk Assessment
As part of the annual risk assessment and audit planning process, we held risk discussions with the
senior management, sectoral heads and process owners to identify risks of concern at the functional and
organizational level. For internal risk assessment, a series of interviews & discussions with the functional
heads were conducted and a personally administered risk assessment questionnaire was shared and
response was recorded. On the basis of assessment, risks were rated. The risk areas & factors evaluated
during annual internal risk assessment include:
We also held discussions with heads from core and support services to solicit input on the Companys
institutional risks and any specific areas of concern. We also used these meetings as an opportunity to
obtain feedback on the priority & frequency of audit services we plan to provide.
Our internal risk assessment covered the assessment of 20 individual auditable functions/activities of
the company including 9 Core services and 11 support services as listed below.
Core Services
Support Services
Urban Planning
Solid Waste Management
Water & Sanitation
Urban Transport
Geographical Information Systems
Municipal & Local Government Finance
Urban Economic services
Program/Project Management (High value
projects)
Business Development services
Information Technology
Procurement management
Finance & Accounts
Human Resource Management
Admin & logistics
Communication Management
Monitoring & Evaluation
Office documentation & mail management
Corporate Compliance
Assets & inventory management (stores)
Year 2014
Our annual risk assessment 2014 resulted that out of the total 20 individual auditable functions/
activities of the company including 9 Core services and 11 support services (listed above), 6
functions/services are considered to be high risk, 7 moderate risk, and 7 low risk. A rating of high-risk
does not mean that the activity is perceived to have control problems, but rather reflects the criticality
or centrality of the activity to the Companys mission.
The overall risk assessments of the functions/services of the company is depicted in the following TL
diagram showing High Risk (red light), Medium Risk (blue light) and Low Risk (green light) bars listing
functions/activities of the company in each bar. The numbering of functions has nothing to do with risk
rankings.
Year 2014
1. Urban Planning
3. Project Management
3. Urban Transport
3. Communication Management
4. Corporate Compliance
4. HR management
5. Business Development
5. Procurement management
6. Information Technolgy
6. Library/LRC
management
It is again clarified that a rating of High-Risk does not mean that the activity/function is perceived to
have severe control weaknesses & problems prone to its failure, rather it reflects the criticality,
centrality or significance of the activity to the Companys mission bearing high risks.
Year 2014
5% has been reserved to accommodate requests from the Board, audit committee or executives
for audit investigations.
3% has been reserved for follow-up procedures performed on behalf of the Audit Committee.
7% has been set aside for internal administrative functions, annual reporting and trainings
including continuous improvement efforts.
These allocations are based on risk assessment findings, activities level & current scenario in the
company and are subject revision/modification as Audit plan is a living document and changes are
usually envisaged.
Resource Allocation
Pre-audit
12%
Consulting/a
dvisory
services
10%
Special
Audits/Invest
igations
5%
Support Serivces
48
19
Scheduled
Audits
63%
12
3
High Risk
Med Risk
Low Risk
The Internal Audit Department will be provided requisite budgetary resources and logistical support by
the management and a free access to all information, documents, records, properties and employees in
order to facilitate the implementation of the plan. The management will also provide additional human
resources, if so required by the Internal Audit Department during the year, for efficient discharging of its
responsibilities and execution of the plan.
Year 2014
Year 2014
Process Owner/
Functional Head
Type of audit
Quarterly
16
Functional
Process
& Compliance
Procurement
management
Procurement Manager
Quarterly
16
Functional
Process
& Compliance
Quarterly
36
Functional
Process
Core Services
Solid
management
assurance
Quarterly
Functional
Performance
& Compliance
Quarterly
Functional
Performance
& Compliance
32
Functional
Process
& Performance,
Performance
& Compliance
Performance
& Compliance
Performance
& Compliance
Governance, service
documentation
delivery,
Governance, service
documentation
delivery,
Governance, service
documentation
delivery,
Performance
& Compliance
Governance, service
documentation
delivery,
Geographic
information system
Program/Project
Management
Project
Leader
Annually
Functional
Annually
Functional
Urban Transport
Annually
Functional
Support services
Corporate Compliance
Company Secretary
Annually
Functional
Manager/Team Quarterly
Compliance &
assurance
Year 2014
Admin Manager
Auxiliary
Audit
activities
Consulting & advisory
services
Pre-audit
Annual Audit Report
Audit Follow-up
Special
Audit
Investigations
IA Management &
trainings
Annually
Annually
Annually
Library,
M&E, Annually
Communication,
Office
documentation & other
low risk functions
10
CIA
25
CIA
CIA
CIA
CIA
CIA
On
demand
Concurrent
Annual
Concurrent
On
demand
Concurrent
Functional
Process
Functional
Process
Functional
Process
&
Performance
& Compliance
&
Performance
& Compliance
&
Performance
& Compliance
Functional
Performance
& Compliance
30
5
8
12
8
10
Year 2014
Q1
Jan
Month
Week
Planned Audits
Annua l Ri s k
As s es s ment
Annua l Interna l
Audi t Pl a n
Q3
Q2
Feb
Mar
8
Apr
May
Jun
July
Q4
Aug
Sep
Oct
Nov
Dec
10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52
Cycle
Annual
Annual
Quarterly
Quarterly
Quarterly
Q1
Q1 Audi t Report
Core Servi ces
Sol i d wa s te
ma na gement
Geogra phi c
i nforma ti on s ys tem
Progra m/Project
Ma na gement
Quarterly
Quarterly
Quarterly
Q2
Q2 Audi t Report
Medi um Ri s k
Audi ts
Support s ervi ces
As s ets & i nventory
Ma na gement
Informa ti on
Technol ogy
Annual
Annual
Annual
Corpora te
Compl i a nce
Annual
Annual
Wa ter & Sa ni ta ti on
Annual
Annual
Q3
Q3 Audi t Report
Low Ri s k Audi ts
Annual
Annua l Audi t
Report
Q4
11
Year 2014
12
Year 2014
All financial transactions of above Rs.500,000/- (five hundred thousand) involving procurement
of goods, services or works.
Every financial transaction involving salary & salary supplements
All financial transactions of above Rs. 100,000 relating to operating expenses including repair &
maintenance, advances and all other expenses.
Vouchers & cheques along with all supporting documents of all the financial transactions which are
subject to pre-audit, shall invariably be presented to internal audit department before making payments
by allowing a reasonable time for pre-audit. The internal audit officer will signed and stamp the
vouchers or otherwise furnish his observations on the transaction(s) for management response.
13
Year 2014
14
Year 2014
17. Appendices
APPENDIX A
15
Year 2014
APPENDIX B
16