Internal Audit Methodology and Process
Updated: 16 Mar 2020
Understanding and analysing the business
Internal Audit Department (IAD) has unrestricted access to all corporate operations, records, systems, property, and personnel to obtain a thorough understanding of the Group’s business and to carry out its work.
In order to preserve the independence of the internal audit function, the Group Head of IAD reports directly to the Audit Committee on audit matters and to the Chief Executive on administrative matters, and is authorised to communicate directly with the Chairman and other Board members.
Determining risk areas
A 3-year audit plan is formulated to ensure a systematic coverage of all the Group’s operations. The plan is reviewed and revised regularly to reflect organisational changes as well as new services and operations introduced during the year.
Using a risk based approach, IAD schedules its internal audit programmes annually based on the 3-year plan approved by the Audit Committee.
Independent reviews of different financial, IT, business and functional operations and activities are conducted with resources focusing on areas with higher risk. Ad hoc reviews are also conducted on areas of concern identified by the Audit Committee and the management.
Analysing the process and assessing controls
Audit procedures include examination of documents, analysis of trend data, and verification of assets.
Computer-assisted-audit-techniques are used for audit purposes including conducting interrogation tests on trade data processed by mission critical applications in order to verify the integrity and security of such data as well as the effectiveness of IT controls.
Communicating results and monitoring follow-up actions
Internal audit reports are issued to respective Division/Department Heads informing them of the identified control deficiencies together with recommendations for rectification.
Significant internal control weaknesses are brought to the attention of management and the Audit Committee on a timely basis and if necessary, to the Board and to the Management Committee. IAD activities are reported to the Audit Committee on a quarterly basis.
Regular review of the progress of management's rectification of control deficiencies is conducted by IAD and the results are reported to the Audit Committee to ensure adequacy of internal control system.