Office of the New York State Comptroller  
      Home || Press Releases || Audits || Retirement || State Finances || Local Government || Reports || NYC Oversight || Pension Fund

New York State Accounting System User Procedures Manual

Volume Name
Section Name
Internal Controls - Internal Auditing

     The purpose of this section is to assist State agencies in the development of an effective and responsive independent internal audit function. This function will indicate to management how well its financial and administrative controls, policies and procedures are working by examining and evaluating every facet of the agency's operation.

          Essential characteristics of the internal audit function are presented in this section with emphasis on its operational aspects. There is also a discussion of how the agency internal audit program complements the audits performed by OSC.


          The Standards For The Professional Practice of Internal Auditing  revised by the institute of Internal Auditors in 1981 describes internal auditing as "an independent appraisal function established within an organization for the purpose of serving the organization by examining and evaluating activities and communicating audit results". It may be concerned with any activity of the organization, consequently, the practice of professional internal auditing goes beyond examining accounting controls, records, and financial statements and reports.


          The objective of internal auditing is to assist top management in effectively carrying out their responsibilities. To be of maximum usefulness, the scope of the internal auditor's activity should not be restricted. Since the purpose of the internal auditing activity is to provide management with independent, objective and constructive appraisals of the effectiveness and efficiency of the agency's operations, the duties and scope of work to be performed by the internal audit organization should be clearly stated by the head of the agency. The nature of the internal audit function should be disseminated throughout the agency so as to assure the cooperation of agency operating personnel.

The scope of internal auditing includes:

Reviewing the reliability and integrity of financial and operating information and the means used to identify, measure, classify, and report such information

Reviewing the systems established to ensure the compliance with those policies, operations and reports, and determining whether the agency is in compliance.

Reviewing the means of safeguarding assets and, as appropriate, verifying the existence of such assets. 

Appraising the economy and efficiency with which resources are employed.

Reviewing operations or programs to ascertain whether results are consistent with established objectives and goals and whether the operations or programs are being implemented as planned. 

Examining controls over any other matter bearing on the effectiveness of operations, including the reliability of management data developed within the organization.


          The director of internal auditing is responsible for managing the internal audit organization so that:

          Audit work accomplishes the general purposes and fulfills the
          responsibilities approved and accepted by the head of the

          Resources of the internal audit function are efficiently and
          effectively employed.
          Audit work conforms to the Standards for the Professional
          Practice of Internal Auditing.

     This includes :1)obtaining a statement of purpose, authority and responsibility; 2) planning; 3) establishing and implementing policies and procedures; 4) managing and developing human resources; 5) establishing a quality assurance program.

1. Obtaining a Statement of Purpose, Authority and Responsibility

     The director of internal auditing is responsible for seeking the approval of management and where applicable, the acceptance by the board of this statement.

2. Planning

     The director of internal auditing should develop plans to fulfill the responsibilities of the internal audit organization.  These plans should be consistent with the internal audit group's statement of purpose, authority , and responsibility, and with the goals of the organization.  The planning process involves establishing:

                                      Operating Plans
                                      Staffing plans and financial budgets
                                      Status Reporting

3. Establishing and Implementing Policies and Procedures

     The director of internal auditing should provide written policies and procedures to guide the audit staff.   The form and content of written policies and procedures should  be appropriate to the size and structure of the internal audit organization.  The manual should include: the internal audit objectives; the policies to be followed;  the general scope of work to be performed and the standards of performance.  Formal administrative and technical audit manuals may not be needed in all internal audit groups.

4. Managing and Developing Human Resources

     A program should be established for managing and developing the human resources of the internal audit department.  The program should provide for:
           Developing written job descriptions of each level of the audit
           Selecting qualified and competent individuals.
           Training and providing continuing educational opportunities.

5.  Quality Assurance

     A quality assurance program should be established and maintained.  The purpose of this program is to provide reasonable assurance that the audit work conforms with these standards;  the internal audit department's statement of purpose, authority ,and responsibility; and the applicable auditing standards such as those set by the American Institute of Certified Public Accountants, the Institute of Internal Auditors, and the United States General Accounting Office.  A quality assurance program should consist of three major parts: supervision, internal reviews and external reviews. 


     The internal auditor should report to an official at a sufficiently high level i.e., the agency commissioner or an assistant commissioner, to promote independence and to ensure broad audit coverage, adequate consideration of audit reports and appropriate action on audit recommendations.   The internal auditor should not report to any official who is directly responsible for the operations to be reviewed.  If the person designated to receive the internal auditor's report is not independent, that person cannot be expected to implement internal audit recommendations in a manner sufficiently objective and impartial as to best serve the needs of top management. 


      The standards of internal auditing are established by management and set forth clearly in directives, job instructions, specifications or laws.  The Statement of Responsibilities of the Internal Auditor, published by the Institute of Internal Auditors, states that internal auditing " a managerial control which functions by measuring and evaluating the effectiveness of other controls'. Internal audit looks at operations in terms of units of measurement and standards.  The units of measurement are the discrete elements that apply to the operation-the dollars, days, people, documents,  or other quantifiable items by which success or failure can be objectively gauged.  The standards are those qualities of acceptability with which the measured items will be compared.

     For government entities, the United States General Accounting Office (GAO) has developed standards applicable to audit of all government organizations, programs, activities, and functions, whether performed by internal auditors, independent public accountants or others.  The 1981 GAO  publication, Standards for Audit of Governmental Organizations, Programs, Activities and Functions (commonly called GAO Standards incorporate the generally accepted auditing standards of he American Institute of Certified Public Accountants AICPA) for financial audits, but go further to include standards of compliance and programmatic review  unique to government.

     Internal audits must be approached with the thought of meeting generally accepted auditing standards for the profession.  These standards are to apply whether audits are preformed by or for a governmental entity.  The GAO standards conform to the AICPA  standards  for financial audits which are summarized as follows:


1. AICPA standards include the following general standards, standards of field work and standards of reporting:

     a. General Standards
          The examination is to be preformed by a person or persons having adequate        
           technical training and proficiency as an auditor. 

           In all matters relating to the assignment, an independence in mental attitude is to 
           be maintained by the auditor or auditors.

           Due professional care is to be exercised in the performance of the examination 
           and the preparation of the report.

           (1) Training and Proficiency- The attainment of proficiency in the audit is a continuing process.  Audit is a tool of management and, as modern government seeks new ways of coping with its problems, the audit profession must grow if it is to be of maximum  benefit to management. Thus  in addition to basic technical training and experience, the proficient auditor will bring to the work a continuing interest in the current professional literature, a working knowledge of relatively new audit techniques such as statistical sampling, and the literature of public administration, management, and the field of the agency where employed.  Membership in professional organizations (e.g., the Institute of Internal Auditors and the American Society for Public Administration ) and reading of professional periodicals is, therefore strongly encouraged.

          (2) Independence and Objectivity-Independence, objectivity, integrity - both in personal attitudes and in organizations relationships with personnel whose operations are being audited are essential qualities in the conduct of any audit. Those standards are in consonance not only with the demands of the profession, but also with the demands of public service.  It is recognized, of course, that audit conclusions based upon an appraisal of program performance frequently relate to matters of judgment.  Even in these cases, the maintenance of high standards of field work and audit reporting, coupled with these personal standards, will serve to place such appraisals within an objective framework.

          (3) Due Care and Diligence - With regard to the subject of "due care and diligence", the following quotation from Cooley on Torts will serve to place this standard in perspective:

"Every man who offers his services to another and is employed assumes the duty to exercise in the employment such skill as he possesses with reasonable care and diligence.   In all those employments where peculiar skill is prerequisite, if on offers his services, he is understood as holding himself out to the public as possessing the  degree of skill commonly possessed by others in the same employment and, if his pretensions are unfounded, he commits a species of fraud upon every man who whether skilled or unskilled, undertakes that the task he assumes shall be performed successfully, and without fault or error.  He undertakes for good faith and integrity,  but not infallibility, and he is liable to his employer for negligence, bad faith, or dishonesty, but not for losses consequent upon mere errors of judgment".

          Due care imposes a strong responsibility upon the auditor for the performance of all audit steps necessary to assure sound, objective conclusions in all auditable areas having a significant impact on the accounting aspects of the agency.

     b. Standards of Field Work

         The work is to be adequately planned and assistants, if any, are
          to be properly supervised.

         There is to be a proper study and evaluation of the existing
          internal control system as a basis for reliance thereon and
          for the determination of the resultant extent of the tests to
          which auditing procedures are to be applied.

         Sufficient competent evidential matter is to be obtained
         through inspection, observation , inquiries and confirmations
         to afford  a reasonable basis for an opinion regarding the
         financial statements under examination.         

          (1)Planning and Supervision - It is exceedingly important that individual audits will be well planned and controlled.   Examination of working papers and audit reports on prior audits, development of knowledge of operating controls at the developmental level, development of knowledge of pertinent laws, regulations, and other authorities, examination of reports prepared by other reviewing authorities (e.g., legislative committees, special committees, etc.), couples, of course, with an evaluation of internal and operating controls are all essential to the planning of the audit where inventories are a material factor, consideration should also be given to the examination of inventory-taking if it should occur at a time other than during the normal course of an audit.

     Effective control and supervision of the audit also involves a number of other elements.  Estimated time requirements for the individual audit should be established prior to commencement of the audit, re-evaluated shortly after the audit begins, and continuously re-examined during the course of the audit in the light of actual time spent.  Much responsibility for effective supervision rests with the director of the internal audit organization whose experience and judgment must be brought to bear in outlining the audit scope and in critically reviewing the work done and judgment exercised by those under him.

          (2) Internal and Operating Controls - The auditor must exercise professional judgment in determining the scope of examination and in deciding whether the agency's interests justify the time and expense involved in pursuing a particular line of inquiry.  To a considerable extent, the areas of audit inquiry and extent of audit tests will be influenced by the internal and operating controls of the agency.

      The AICPA notes that " a function of internal control, from the viewpoint of the independent auditor, is to provide assurance that errors and irregularities may be discovered with reasonable promptness, thus assuring the reliability and integrity of the financial records."  The AICPA also points out the assurance that internal control is functioning as planned need not be determined by making a separate task of evaluating the internal control as a whole, rather, it is suggested that reviews of controls applicable to the various activities be made while the related accounts are being audited.  This approach is particularly suitable for internal audits, where development of a preliminary survey of governing statutes and controls may be immediately followed with a correlated approach to the evaluation of the controls  and related practices, reports and accounts.

     Operating or management controls at a particular agency include all the policies, programs, procedures, methods, organizations, performance standards, reports and other measures by which management may ascertain whether prescribed objectives are carried out efficiently, economically and effectively.  Certain of these controls are established by related organizations such as OSC; while still others are established at the level of the agency  Many of these controls take the form of financial reports or other reports having quantitative significance; some take the form of standards ( such as inventory stock age objectives or equipment authorizations); and others take the form of procedural requirements (such as State Finance Law for the letting of contracts).  The nature of these controls must be understood and evaluated so that the auditor may establish the degree to which he may rely upon them for assuring the efficiency, economy, and effectiveness of the operations performed.

          (3) Competence of Evidential Matter - Evidential matter consists of the underlying accounting data and all corroborating information available to the auditor.  The AICPA points out the accounting data, by itself, cannot be considered as sufficient support for financial statements. Hence, the auditor must make effective use of such corroborating data as checks, contracts, and minutes of meetings; confirmations and other written  representations by knowledgeable people; information obtained from inquiry, observation, inspection and physical examination; and any other information which enables the auditor to reach conclusions.

     Audits performed by the internal audit organization lead to objective analyses, appraisals, recommendations, and comments on the accounting, financial, and operating controls and practices of the activities reviewed.  The auditor is, therefore, charged with examining sufficient competent-evidential matter to enable the rendering of informed audit conclusions and opinions in these areas.

     Evidential matter may be obtained either within the agency or from external sources.  Internal evidence embraces such data as books of account and related supporting documents, financial reports and other documents having quantitative significance, procedural manuals, management reports and other correspondence, files or documents that have bearing upon the operations of the agency.  External evidence embraces whatever evidence the auditor obtains to supplement the internal evidence; it includes confirmations requested from various sources, inspection and observation  of resources and operations, inquiries directed at officials and data obtained at the departmental level.

      In the examination of assets, physical contact with an asset would normally constitute more reliable evidence that would examination of a document purporting to evidence the existence of the asset.  Documentary evidence is of greatly varying reliability. If documents prepared by third parties are sent directly to the auditor, they ordinarily constitute evidence of a degree of reliability approaching that of physical evidence.  However, due precaution must be used in securing such evidence. 

     Wherever appropriate, evidential matter (whether it be in the form of documents to be reviewed, confirmations to be solicited or some other form) should be obtained and evaluated by means of scientific statistical sampling.  The use of statistical sampling will in no way reduce the requirement for audit judgment; on the contrary, the size and nature of the sample and the interpretation of sampling results call for a very high degree of audit judgment.

     The standards for obtaining sufficient competent evidential matter to support an audit conclusion in operating areas are similar to those for supporting an audit conclusion on financial statement.  In fact, it may be said that the work of the auditor concerned with evaluating whether operation policies are being followed and procedures are adequate, is founded upon the audit techniques developed by the public accounting profession.  The auditor concerned with operating efficiency, however, will tend to place grater emphasis on evidence which will assist him in analyzing the results of an operation. this frequently take the form of comparisons between standards and actual performance.  The standard may be a budget, the department's standard, policy, unit-cost, or perhaps an average (or standard) established by the auditor by examining like operations.  The gathering of data to establish the extent of deviation from the standard, and the caused for deviations will then be based upon the usual audit methods for accumulating evidence.

     The data accumulated by the auditor should be set forth in working papers which will clearly establish the source of the data obtained, the scope of the audit performed, the purpose of performing the particular audit step, and the audit conclusions reached.  Working papers should be reviewed by the auditor in charge of the examination and by the director of the internal audit organization.  Working papers should bear evidence of this review in the form of supervisory notes, initialing of work papers, or other means.

          (4) Cost of Audit Performance - The AICPA states that an auditor typically works within economic limits; his opinion, to be economically useful, must be formulated within a reasonable length of time and at a reasonable cost.  The auditor must decide, again exercising professional judgment, whether the evidential matter available to him within the limits of time and cost is sufficient to justify formulation and expression of an opinion. As a guiding rule, there should be a rational relationship between the cost of obtaining evidence and the usefulness of the information obtained.  In determining the usefulness of evidence, relative risk may be properly given consideration. the matter of difficulty and expense involved in testing a particular item is not in itself a valid basis for omitting the test.

    Obviously, many factors must be considered in arriving at the nature of the audit steps to be performed and at the extent to which they are performed. Certainly, the system of internal control is a major factor.  The AICPA states there is to be a proper study and evaluation of the existing internal control as a basis for reliance thereon and for the determination of the resultant extent of the tests to which auditing procedures are  to be restricted.  Hence, the auditor must  have both a knowledge of the internal procedures used by the organization under audit, and a reasonable degree of assurance that the planned procedures are actually in use.  As the audit progresses and the auditor learns whether the intended procedures are actually being practiced there may be either an extension of audit tests or the shifting of emphasis or timing of the audit procedures.  In any event, the auditor must recognize that the system of internal control must be evaluated in fixing the audit scope.

     The cost of audit performance depends heavily on both the nature and the audit steps selected and the extent to which particular audit steps will be performed.  The auditor must carefully weight what he expects to achieve with each audit step and determine whether there may be a less costly alternative audit step; whether the audit step will yield a reliable conclusion in the light of alternative audit steps; whether a lower confidence level (in fixing the extent of the sample) might not be justified in the light of the indicated internal control system; whether a stratified statistical sample would yield a greater degree of confidence in the audit conclusion; whether the step is necessary (or whether so extensive a test is necessary ) in the light of materiality of the item or the relative risk involved.

     The purpose of raising these questions is not to unduly restrict the audit scope, but rather to call attention to the need for considering the cost of performing an audit step in fixing the audit scope.  In short, there should be conscious measuring at all levels of auditor and supervisor of the relationship between audit costs and the value of the benefit or protection derived from the audit step.  

     c. Standards of Reporting

          The report shall state whether the financial statements are presented in 
          accordance with generally accepted accounting principles or in conformity with 
          the comprehensive basis of accounting used. 

          The report should state whether such principles have been consistently observed 
           in the current period in relation to the preceding period. 

          Informative disclosures in the financial statements are to be regarded as 
          reasonably adequate unless otherwise stated on the  report. 

          The report shall either contain an expression of opinion regarding the financial statements, taken as a whole , or an assertion to the effect that an opinion cannot be expressed.  When an overall opinion cannot be expressed, the reasons therefore should be stated. In all cases where an auditor's name is associated with financial statements, the report should contain a clear-cut indication of the character of the auditor's examination, if any, and the degree of responsibility he is taking.

          External auditors are generally more concerned with an expression of opinion regarding the financial statements.  The AICPA Standards of Reporting may therefore have limited applicability in internal auditing.  However, internal auditors should be aware of agency adherence to generally accepted accounting principles and the impact these principles have on the presentation of financial statements and the treatment of accounting transactions.

          A restatement of the AICPA Standards of Reporting to reflect the basic concerns of internal audit follows:

     Audit reports should be prepared on an "exception" basis; however,  the report 
     should point out evidence of effective financial management and program 
     accomplishment as well as areas of ineffective performance. 

     To the extent that reports contain critical comments, they should
     contain a clear statement of the facts underlying the condition
     reported, the causes of the condition, illustrations and other date
     supporting the audit conclusion, and the meaningful
     recommendations. The facts should be presented in their proper
     perspective so that unjustified inferences will not be drawn.

     The facts, conclusions, and recommendations should be expressed
     in a tone of quiet conviction and objectivity; motivated by a sense of
     responsibility and desire to be constructive.

     Where the report contains an expression of opinion on the financial
     statements of the agency, the opinion should be expressed in
     accordance with generally accepted standards of reporting as
     developed by the AICPA.

          (1) Disclosure in Depth and Perspective -Audit reports should contain facts, conclusions and recommendations, rather that descriptions of audit steps.  A meaningful audit "finding" must be supported by a statement of all relevant, significant information surrounding the condition reported (including illustrations and effects) so that management will clearly understand the problem and the basis for the audit conclusion.  The conclusions contained in the audit report should be discussed with appropriate personnel of the facts may be verified, reactions may be obtained, and corrective actions taken during the course of the audit may be noted in the report.

          Above all, facts must be presented in their proper perspective so that the reader will not draw unjustified conclusion.  Percentages of line items of inventory, dollar amount of contracts affected by a particular weakness, or other statistical or descriptive data will be used to place the condition reported in perspective.

          (2) Narrative Tone - Audit reports are of value only insofar as they result in honest, objective disclosure and effective corrective action and conditions reported.  Accordingly, they must be prepared in a manner which will create a climate of confidence in an acceptance of audit conclusions and recommendations.  Sharp, critical and inflammatory expressions often create resentment as well as an atmosphere where challenging and debating the auditor's conclusion are considered necessary to defend those responsible for or involved in the conditions reported.  The responsible, independent professional auditor will best achieve his objectives by reporting in a tactful, tempered manner. 

2. General Comments about the AICPA Standards - Based on the preceding AICPA standard, the following general comments can be made,

     Auditing standards differ from auditing procedures.  Procedures are acts performed  during the audit, Standards guide the auditor in selecting and performing procedures to ensure quality and that objectives are fulfilled.

     Individual standards should not be considered in isolation, since they are interrelated and interdependent.

     "Materiality" and "relative risk" must be considered in applying these standards, not only when planning audits but also when determining audit steps to be done for each audit.


     Internal audit finding, observations, conclusions and recommendations are reported to the agency's management.  As previously stated, the internal auditor should report to a management level high enough to assure adequate consideration of his findings.  The interest of tip management in the work of the internal auditor can contribute much to the acceptance of such work by all management levels.

     Internal audit reports should be submitted to management officials who are responsible for the operations reviewed as well as the official to whom the audit function is responsible.  Copies of reports should be retained on file for use by other organizations.

     Primary responsibility for action and follow up on audit recommendations rests with management, but reporting of a finding, observation, or recommendation does not end the internal auditor's concern with the matter.  As part of his continuing review of agency operations, the internal auditor should ascertain whether recommendations have received management consideration, whether corrective action has been taken, and whether the results were satisfactory.  Regular status reports should be prepared for the information of management officials as to actions taken on audit recommendations.

     Where operating officials disagree with the internal auditor's recommendations and the differences cannot be reconciled, the  final decision should be made at a higher level.


     The internal audit function is not in lieu of or supplementary to OSC's audit. Rather, it is established primarily as an aid to management in discharging its responsibilities. The effectiveness of the agency's internal auditing function is recognized in setting the scope of OSC's audit.  Actions taken by the agency on internal audit recommendations are reviewed by OSC's auditors. 

     OSC will evaluate the agency's internal auditing to determine what reliance can be placed upon it in discharging OSC's auditing and report and reporting responsibilities. Free and unrestricted access to internal audit working papers and reports is essential if OSC's auditors are to effectively review and evaluate them. 

     Agency internal auditors should concern themselves with audit findings and recommendations of OSC's auditors.  Periodic status reports on the recommendations should be prepared.  After review by management, a copy of the status reports should be submitted to OSC.


     Internal auditing is a staff function independent of line operations. Therefore, internal audit review and appraisal does not relieve other persons in the agency of the primary responsibilities for compliance with prescribed policies and procedures, for proper protection and use of the agency resources, and for appropriate action in the correction of deficiencies or unsatisfactory conditions reported by the auditor.  An internal audit organization should not replace established lines of operating authority and responsibility, and does not eliminate the need for continuing functional supervision. 

     Some agencies have established other internal review activities, such as inspection, appraisal and investigation.  These activities are often in the nature of  management services, and assist management in supervising and reviewing designated functions. Maximum cooperation and common understanding among them and with the internal audit organization are essential to prevent duplication of effort. The internal auditor should communicate to such groups any observations he may have which are related t their responsibilities.  He should also receive copies of their reports. 

     The internal auditors objectivity is not adversely affected when the auditor recommends standards of control for system or reviews procedures before they are implemented. The internal auditor's role is to call attention to problem areas and possible improvements.  However, designing, installing and operating systems are not audit functions. Also, the drafting of procedures for systems is not an audit function. Performing such activities is presumed to impair audit objectivity.