Scribd
Upload
39 views

Appendixes

Uploaded by

drhassanmudey
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
39 views

Appendixes

Uploaded by

drhassanmudey
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
You are on page 1/ 5

Quarter Two Internal Audit Report 2024

Appendixes

Appendix 1: Simplified Explanation of Limitations and Responsibilities

1. Limitations of the Audit Work

The internal audit opinion is based only on the specific audit activities conducted from April to
June 2024. It is important to note that there might be other problems in the systems that were not
identified because they were not included in the internal audit plan or because they were not
reported. If the scope of the internal audit or the review parameters for individual assignments
had been expanded, or if more issues had been brought to the internal auditor's attention, the
conclusions might have been different.

2. Inherent Limitations of Internal Controls

No system designed to prevent mistakes or misconduct is perfect. Errors can occur due to human
mistakes, poor decisions, intentional bypassing of controls by staff, management's interference
with controls, or unexpected events. This means that even the best-designed controls can fail
under certain conditions.

3. Applicability of Findings to Future Periods

The internal audit findings reflect the state of controls during the second quarter of 2024 only.
Future conditions such as changes in the business environment, new regulations, or a reduction
in compliance with rules can make the past effectiveness of controls irrelevant. The specific
audits conducted during this period are detailed in another section of the report.

4. Responsibilities of Management and the Internal Auditor

The main responsibility for maintaining effective risk management, control, and governance
systems lies with management. These responsibilities include preventing and detecting fraud.
While the internal audit aims to identify significant weaknesses and investigate any related fraud
or irregularities, it should not be seen as a replacement for management's duty to maintain these
systems. Even comprehensive and well-executed audits by the internal auditor cannot detect
every instance of fraud or other issues.
Appendix 2
Types of Audit Opinions
The table below sets out the four types of opinion that we use, along with an indication of the
types of findings that may determine the opinion given. The Head of Internal Audit will apply
his/her judgment when determining the appropriate opinion so the guide given below is
indicative rather than definitive.

TYPE OF

OPINION INDICATION OF WHEN THIS TYPE OF OPINION MAY BE GIVEN

 A limited number of medium risk rated weaknesses may have been identified,
but generally only low risk rated weaknesses have been found in individual
assignments; and
Satisfactory

 None of the individual assignment reports have an overall report classification


of either high or critical risk.

 Medium risk rated weaknesses identified in individual assignments that are not
improvements required
Generally satisfactory

significant in aggregate to the system of internal control; and/or


 High risk rated weaknesses identified in individual assignments that are
isolated to specific systems or processes;
with some

 None of the individual assignment reports have an overall classification of


critical risk.
TYPE OF

OPINION INDICATION OF WHEN THIS TYPE OF OPINION MAY BE GIVEN

 Medium risk rated weaknesses identified in individual assignments that are


significant in aggregate but discrete parts of the system of internal control
remain unaffected; and/or
Major improvement required

 High risk rated weaknesses identified in individual assignments that are


significant in aggregate but discrete parts of the system of internal control
remain unaffected; and/or
 Critical risk rated weaknesses identified in individual assignments that are not
pervasive to the system of internal control;
 A minority of the individual assignment reports may have an overall report
classification of either high or critical risk.

 High risk rated weaknesses identified in individual assignments that in


aggregate are pervasive to the system of internal control; and/or
 Critical risk rated weaknesses identified in individual assignments that are
Unsatisfactory

pervasive to the system of internal control; and/or


 More than a minority of the individual assignment reports have an overall
report classification of either high or critical risk.

 An opinion cannot be issued because insufficient internal audit work has been
completed. This may be due to either:
 Restrictions in the audit programme agreed with the Audit Committee,
Disclaimer opinion

which meant that IA’s planned work would not allow him to gather
sufficient evidence to conclude on the adequacy and effectiveness of
governance, risk management, and control;
 The Internal Audit was unable to complete enough reviews and gather
sufficient information to conclude on the adequacy and effectiveness
of arrangements for governance, risk management, and control.
Appendix 3

Criteria for Classification of Audit Findings

This appendix outlines the criteria and scoring system used by the Internal Audit department to
classify audit findings based on their severity. Each finding is assessed on a 1-5 scale, and the
total score determines the overall risk classification of the audit.

Audit Finding Severity Scale:

The severity of each finding is quantified as follows:

Points Severity Level Description

1 Minor Issues with negligible impact requiring minimal corrective action.

Low-level concerns slightly affecting operations or compliance with non-critical


2 Low policies.

Noticeable inefficiencies or minor compliance issues with potential financial


3 Moderate implications.

Substantial risks to operations or compliance likely to result in financial loss or


4 Significant regulatory issues.

Immediate and severe threats to organizational integrity, substantial financial loss, or


5 Severe major legal non-compliance.

Classification of Audit Risk:


After scoring each finding, the total points are used to categorize the audit's overall risk level.

Total Points Risk Classification Implications

20-25 Critical Findings pose an immediate and severe threat, requiring urgent action.

15-19 High Significant challenges or risks that demand prompt attention and remediation.

10-14 Medium Moderate risks that should be managed to prevent escalation.

5-9 Low Minor issues that need standard corrective measures.

You might also like