Skip to Content

Internal Audit Methodology and Process

Updated: 25 Mar 2015
  • Understanding and analysing the business
    • Internal Audit Department (IAD) has unrestricted access to all corporate operations, records, data files, computer programmes, property, and personnel to obtain a thorough understanding of the Group’s business.
    • In order to preserve the independence of the internal audit function, the Head of IAD reports directly to the Audit Committee on audit matters and to the Chief Executive on administrative matters, and is authorised to communicate directly with the Chairman and other Board members.
  • Determining risk areas
    • A 3-year audit plan is formulated to ensure a systematic coverage of all the Group’s operations. The plan is revised annually to reflect organisational changes as well as new services and operations introduced during the year.
    • Using a risk ranking methodology, IAD schedules its internal audit programmes annually based on the 3-year plan approved by the Audit Committee.
    • Independent reviews of different financial, business and functional operations and activities are conducted with resources focusing on areas with higher risk. Ad hoc reviews are also conducted on areas of concern identified by the Audit Committee and the management.
  • Analysing the process and assessing controls
    • Audit procedures include examination of documents, analysis of trend data, and verification of assets.
    • Self-developed computer-assisted-audit-techniques are used for conducting interrogation tests on trade data processed by mission critical applications in order to verify the integrity and security of such data as well as the effectiveness of IT controls.
  • Communicating results and monitoring follow-up actions
    • Internal audit reports are issued to respective Division/Department Heads informing them of the identified control deficiencies together with recommendations for immediate rectification.
    • Significant internal control weaknesses are brought to the attention of the Audit Committee in the form of monthly updates and if necessary to the Board, and to the Management Committee with a view to seeking for directions on remedial action. Audit activities are reported to the Audit Committee on a quarterly basis.
    • Regular review of the progress of rectification is conducted by IAD and the results are reported to the Audit Committee to ensure adequacy of internal control system.
loading