Internal Audit Strategic Plan For FY 2021-2025: Ministry of Finance December 2019

Internal Audit Strategic Plan for
FY 2021-2025
Ministry of Finance
December 2019
Internal Audit Strategic Plan for
FY 2021-2025
Ministry of Finance
December 2019
Internal Audit Strategic Plan for FY 2021-2025
དངུལ་རྩིས་ལྷན་ཁག།
ROYAL GOVERNMENT OF BHUTAN
MINISTRY OF FINANCE
TASHICHHO DZONG
@CCA, Ministry of Finance, December 2019 Page i

Table of Contents
List of Abbreviations and Acronyms............................................................................................. v
Preface...................................................................................................................................................vii
Chapter 1: Executive Summary.....................................................................................................10
1.1. Strategic Outcomes and Key Performance Indicators......................................... 10
1.2. Implementation Arrangement....................................................................................... 12
Chapter 2: Introduction...................................................................................................................16
2.1. Background............................................................................................................................ 16
2.2. Internal Audit definition and Legal Mandate........................................................... 16
2.3. Internal Audit service operating structure in the country................................ 18
2.4. Stakeholders.......................................................................................................................... 19
2.5. Objectives of Strategic Plan............................................................................................ 19
2.6. Scope of Strategic Plan...................................................................................................... 19
2.7. Purpose of Strategic Plan................................................................................................. 20
Chapter 3: Strategic Planning Process........................................................................................22
3.1. Understand the Internal Audit Services objectives............................................... 22
3.2. Consider the International Professional Practices Framework (IPPF)........ 22
3.3. Understand stakeholder expectations........................................................................ 22
3.4. Update Internal Audit Vision and Mission................................................................ 23
3.5. Define the critical success factors................................................................................ 23
3.6. Perform SWOT analysis..................................................................................................... 24
3.7. Identify Key Initiatives...................................................................................................... 25
3.8. Way Forward......................................................................................................................... 25
Chapter 4: Key Strategic Focus Areas..........................................................................................28
Chapter 5: Strategic Risk Matrix...................................................................................................50
Chapter 6: References......................................................................................................................52
@CCA, Ministry of Finance, December 2019 Page iii

List of Abbreviations and Acronyms

Abbreviations Full Form
ACC Anti-Corruption Commission
AMS Audit Management Software
CAAT Computer Aided Audit Techniques
CIA Chief Internal Auditor
CCA Central Coordinating Agency
CGAP Certified Government Auditing Professional
CRM Corruption Risk Management
CRMA Certification in Risk Management Index
EQA External Quality Assessment
GNH Gross National Happiness
IA Internal Audit
IA&AD Indian Audit and Accounts Department
IAU Internal Audit Units
IAS Internal Audit Services
ICT Information and Communications Technology
IIA Institutions of Internal Auditors
IT Information Technology
IVR Integrity Vetting Report
MoF Ministry of Finance
MoG Major Occupational Group
PEFA Public Expenditure and Financial Accountability
PFM Public Financial Management
PFM-MDF Public Financial Management Multi Donor Fund
QAIP Quality Assurance and Improvement Plan
RCSC Royal Civil Service Commission
RBIA Risk Based Internal Audit
RGoB Royal Government of Bhutan
@CCA, Ministry of Finance, December 2019 Page v

Preface
As one of the good practices in internal audit, Central Coordinating Agency of Internal
Audit Service(CCA) in the Ministry of Finance, has developed the first Strategic Plan for
the Internal Audit Service covering the period 2021-2025 in technical consultation with
experts engaged under the PFM-MDF project “Strengthening the Effectiveness and Capacity
of Internal Audit in the Royal Government of Bhutan”. CCA has referred the Practice Guide
“Developing the Internal Audit Strategic Plan – Recommended Guidance” issued by Institute
of Internal Auditors and other international best practices to develop this Internal Audit
Strategic plan.
It is crucial for internal audit service to adapt to the changing expectations, remain relevant
and align with the organization’s objectives. An internal audit strategy is fundamental to
remaining relevant as it plays an important role in achieving the balance between cost and
value, while making meaningful contributions to the organization’s overall framework of
governance, risk management and internal controls. The strategic plan is the means by
which the internal audit vision and mission will be pursued.
The implementation of the key strategies made in this plan, will uphold transparency
and accountability in rendering effective internal audit services. It will also support in
improvement of PEFA score and improvement in levels of Internal Audit services as defined
by IIA - Internal Audit Capability Model. It will give direction to the organization’s purpose
and provide a pathway to achieve its objectives.
This Strategic Plan is developed for the period of 5 years and will be reviewed annually by
CCA, and updated appropriately in consultation with all stakeholders. The annual internal
audit operational plan will be developed in accordance with this strategic plan.
@CCA, Ministry of Finance, December 2019 Page vii

1 Executive
Summary
1. Executive Summary
Executive Summary
This Strategic Plan provides a roadmap for a medium-term direction of the Internal
Audi Service (IAS) in the Royal Government of Bhutan in improving service delivery to
its stakeholders. This plan covers the period 2021 to 2025. It is designed to be practical,
feasible, and easily implementable in view of the current status of strengths, weaknesses,
opportunities, and threats in the IAS of Bhutan. It delineates the priorities of the IAS to
continue providing adequate level of assurance to its stakeholders. The Strategic Plan
is flexible and would be updated at least annually to take into account the changes in
circumstances.
This Strategic Plan aims to ensure the effective performance of Internal Auditors (IAs) in
CCA and Internal Audit Units (IAUs). Further, this Strategic Plan shall ensure that the works
of IAs are conducted in consonance with the prevailing rules and regulations that conform
with Internal Auditing Standards. This would ensure that the works of IAs are carried out
in a consistent manner, and adequately recorded and documented. It is envisaged that
implementation of this Strategic Plan brings will also about required capacity development
of IAs of both CCA and IAUs in various agencies.
Therefore, various qualitative and quantitative key performance indicators have been
defined in the plan and the envisioned strategic outcome corresponding to the same have
been included as elaborated hereunder.
1.1 Strategic Outcomes and Key Performance Indicators
Key
S.
Performance Sub-Indicator Frequency/Timeline Outcome
No
Indicator
Updated knowledge of
Internal auditors on Internal
1.1 Training of
Semi Annually Audit fundamentals, ethics,
Internal Auditors
soft skills, technology,
sampling, and analysis
Annual IA operational
strategy developed based on
1.2 Internal Audit
Annually focus area in public sector and
Conference
common key risk parameter
for IAUs established
Capacity
A minimum of one
1 building of
1.3 Overseas batch annually IAs conversant with
staff
Exposure visits of IAs comprising of at least international best practices
3 Internal Auditors
1.4 International
Increased number of qualified
Certification in
At least two Internal IAs in relevant professional
Internal Audit or any
Auditors annually certification
area associated with
this function
1.5 Continuous At least 80 hours
Relevant knowledge and skills
Professional annually for each
updated
Development auditor
Page 10 @CCA, Ministry of Finance, December 2019

Key
S.
Executive Summary
Performance Sub-Indicator Frequency/Timeline Outcome
No
Indicator
Based on the need of
relevant stakeholders, Increased coverage of Internal
2.1 Increase IA
budgetary allocation, Audit services in government
coverage
and availability of Agencies
Resource human resource
2.
Management
2.2 Adequate
Reduce total vacancy
resource for
by at least 10% every IAUs are adequately staffed
additional IAUs & fill
year
vacant positions
2.3 Standardize Risk Risk based audits uniformly
For every engagement
Based Internal Audit practiced in all IAUs
Effective from the
3.1 Implementation
first financial year i.e. Effectiveness of IAS enhanced
of IAMS
FY2021-22
Before
Use of 3.2 Training of IA Implementation of
Effectiveness of IAS enhanced
Modern audit staff on the IAMS IAMS and refresher
3. techniques training as necessary.
and By the end of
technologies second year of
3.3 Use of Data implementation of Quality of IA delivery
Analytics in Audit IA strategic plan enhanced
followed by every IA
engagement
4.1 Random Periodically (in
Checks of Audit accordance with QAIP Errors in audit works
Engagements to guideline) minimized
ensure audit quality
Quality
Assurance & 4.2 Quality At least once at each
Improvement assurance/ IAU in every year (in IA process conforms to
4. Program assessment of IAU accordance with QAIP Internal Auditing standards
(QAIP) and by CCA guideline)
Performance 4.3 External Once in every five
monitoring IA-CM level improved
Assessment years.
4.4 Review and Within six months of
update Internal Audit implementation of IA function improved
Charter this strategic plan
5.1 Create platform
By end of second year
for effective Stakeholders well informed
Improve of the implementation
information sharing
interaction of this strategic plan
related to IA services
and
5. 5.2 Establish
coordination
with strategic Enhanced relationship with
stakeholders partnerships & Periodically stakeholders
coordination with
stakeholders
@CCA, Ministry of Finance, December 2019 Page 11

1.2 Implementation Arrangement

Executive Summary
Implementation of the Strategic Plan would be done under the guidance and supervision
of the CCA for which IUAs are required to provide full support and cooperation. Complete
execution of the plan will be subject to adequate funding support provided by RGoB. The
Strategic Plan will be periodically reviewed and updated by CCA. Factors influencing the
frequency of review may include:
Changes in the CCA’s strategy.
Degree of the host organization’s growth.
Degree to which the host organization and its senior management rely upon the
internal audit activity’s independent assessment and/or support regarding the
management of their risks.
Significant change in the availability of the internal audit activity’s resources.
Significant change in laws and/or significant changes to organizational policies
and procedures.
Degree of change in the host organization’s control environment.
Key changes in host organization’s leadership style.
Evaluation of how the internal audit activity has qualitatively or quantitatively
delivered on the strategic plan.
Results of internal/external assessments of the internal audit activity.
A workplan has been prepared aligning the strategies to be implemented in the year 2021-
2025. The detailed workplan is as follows.

Executive Summary
Work plan for Implementation of Strategic Plan 2021-2025:

2 Introduction
2. Introduction
2.1 Background
The Internal Audit service in the Royal Government of Bhutan was instituted in year 2000
across six out of the seven ministries then. The 86th National Assembly Session resolved
to establish IAUs in all Dzongkhags. With enactment of the Public Finance Act 2007, the
responsibility of administering the IAS was vested to the Ministry of Finance (MoF).
Accordingly, MoF established the CCA for IAS in the year 2010. While the government had
been establishing IAUs in different government agencies, specific strategy to streamline and
strengthen the Internal Audit System had not been pursued over the years. Some of the
Introduction
visible reforms in the Internal Audit Service were publication of National Internal Control
Framework, 2013, revised Internal Audit Charter signed by the Hon’ble Prime Minister on
4 December 2014, development of Internal Audit Manual, and Code of Ethics for Internal
Auditors in 2014 and Bhutan Government Internal Auditing Standards (BGIAS) in 2017.
Strengthening the effectiveness of the internal audit function in RGoB has become very
critical in the current scenario to achieve accountability and integrity, improve operations,
and build confidence among stakeholders. In addition to conventional compliance auditing
engagements undertaken by IAUs, CCA had initiated thematic auditing assignments by IAUs
in financial year 2015-16.
This Internal Audit Strategic Plan for FY 2021-2025 has been developed by CCA in
consultation with all stakeholders and serves as a channel to add value to the public internal
audit function in the country. Through various short to medium-term measures including
capacity building exercises, modernization in audit techniques and quality assurance
and improvement programmes, it aims to achieve RGoB’s long-term Public Financial
Management and good governance mission. This strategic plan has been prepared in
fulfilment of the mission of strengthening the Internal Audit Service of the RGoB.
This Strategic Plan would enable focus allocation of resources which would in turn
contribute to the achievement of CCA’s objectives. It prioritizes holistic development and
progress of Internal Auditors by setting up feasible and realistic goals. The strategic plan
aims to achieve accountability in the internal audit services and provides a roadmap for
strengthening the IAS and improving service delivery to its stakeholders over the next 5
years.
2.2 Internal Audit definition and Legal Mandate
2.2.1. Definition of Internal Audit

According to The IIA’s definition:
“Internal auditing is an independent, objective assurance and consulting activity designed

to add value and improve an organization’s operations. It helps an organization accomplish
its objectives by bringing a systematic, disciplined approach to evaluate and improve the
effectiveness of risk management, control and governance processes.”

Based on the above IIA definition, the RGoB has accordingly defined the purpose of the
Internal Audit in the Internal Audit Charter as:
“The Internal Audit Units conduct internal audits, using a systematic and disciplined
approach, to provide the respective head of Ministries, Dzongkhags and Autonomous bodies
with:
Independent and objective assurance on the efficiency and effectiveness of their
respective Entity’s governance, risk management, control, and accountability
processes.
Proposals and recommendations for improving the efficiency and effectiveness of
Introduction
the Entity’s operations, achieving organizational objectives and proper stewardship
of resources.”
2.2.2. Legal Mandate

Under Section 23 (O) of the Public Finance Act, 2007, the MoF has the responsibility for
administering the Internal Audit Services and issuing guidelines. Accordingly, CCA was
established to administer the Internal Audit services in RGoB. CCA is the coordinating
agency for all Internal Audit Units across the nation.
The RGoB has established IAUs in all Ministries and in 20 Dzongkhags and in 6 Autonomous
bodies. Subject to the availability of adequate and appropriate resources, it is the policy of
the RGoB to establish IAUs in other budgetary bodies as well.
As a coordinating agency, CCA issues internal audit guidelines, coordinates function and
monitors and evaluates internal audit activities in government agencies. Internal Audit
is governed by Public Finance Act 2007, IA Charter, IA Code of ethics, IA Manual, and IA
Standards.
In order to ensure that the internal audit services are provided in a professional manner
and in accordance with best international practices, the MoF has adopted the International
Professional Practices Framework (IPPF), issued by the Institute of Internal Auditors to
regulate the work of the Internal Audit Service. The IPPF comprises the:
Definition of Internal Audit
Code of Ethics for Internal Auditors
Internal Auditing Standards

2.3 Internal Audit service operating structure in the country
The IA structure in Bhutan has significantly evolved over time. The RGoB formulated
an Internal Audit Charter to provide a framework within which the internal audit shall
function in the budgetary bodies. It defines roles and responsibilities, and authorizes access
to records, personnel, and physical properties relevant to the performance of engagements.
Further, uniformity and consistency in the Internal Audit function is ensured. Based on
current RGoB policy, the IAS consists of:
Central Coordinating Agency for Internal Audit Services, Ministry of Finance
(CCA) - Enables the MoF to fulfil its statutory responsibilities under Section 23
(o) of the Public Finance Act, 2007 for administering the IAS, issuing appropriate
Introduction
guidelines on internal auditing in the RGoB and coordinating the activities of the
IAS in enhancing the quality and reliability of the internal audit work. The CCA is
headed by Chief Internal Auditor reporting to the Secretary, Ministry of Finance.
Internal Audit Unit (IAU) - Established in all Ministries and Dzongkhags and
some autonomous bodies that receive government budgetary allocations. The IAU
is generally headed by a Chief Internal Auditor (CIA) / Senior Internal Auditor in
ministries, while IAUs in Dzongkhags and autonomous agencies have single internal
auditor. They are responsible for providing internal audit services in accordance
with the Internal Audit Charter and in compliance with the Code of Ethics for
Internal Auditors, Standards for Internal Auditing and other guidelines issued by
the Ministry of Finance. The IAUs report directly to the head of agency where the
IAU is established.
Figure 1: The following figure presents the organization structure of Internal Audit Service
in RGoB:

2.4 Stakeholders
Key Internal Audit Service stakeholders include

Finance Minister, Royal Government of Bhutan
Secretary Finance, Ministry of Finance
Central Coordinating Agency (CCA), Ministry of Finance
Internal Audit Units (IAUs)
Head of government agencies in Ministries, Autonomous Bodies and Dzongkhags.
Royal Audit Authority
Introduction
Anti-Corruption Commission of Bhutan
Royal Civil Service Commission
Development Partners
Other stakeholdersInternal
suchAudit
as Strategic
law enforcement agencies, review bodies and
Plan for FY 2021-2025
professional bodies.
Citizens of Bhutan
2.5 Objectives of Strategic Plan
2.5 Objectives of Strategic Plan
The implementation of the Plan is expected to further strengthen and contribute to the
The implementation of the Plan is expected to further strengthen and contribute to the
following objectives:
following objectives:
Uphold the transparency and accountability in rendering effective internal

audit services
Provide adequate level of assurance and contribute towards effective

implementation of policies and programmes in government agencies
Making contribution to organisation overall framework of governance,

risk management and internal control
Conducting Internal Audit following the International standards and best

practices
Strengthening the capacity of IAs of CCA and IAUs by utilising various IT tools
2.6 Scope of Strategic Plan

2.6 Scope of Strategic Plan
The scope broadly includes efforts to improve efficiency and effectiveness of internal audit
The scope
activity in broadly includes sector
the government effortsand
to improve efficiency
also includes and effectiveness
increase of internal
in internal audit audit
coverage,
establishment
activity in the of new internal
government audit
sector andunits in government
also includes increaseagencies like audit
in internal autonomous
coverage,
bodies, increase
establishment the internal
of new awareness
auditof units
internal audit activity
in government through
agencies various outreach
like autonomous bodies,
activities, coordination with other external agencies like RAA / ACC,
increase the awareness of internal audit activity through various outreach and develop sustained
activities,
professional capacity.
coordination with other external agencies like RAA / ACC, and develop sustained
professional capacity.
2.7 Purpose of Strategic Plan

The purpose is to enable the Internal Audit Function to meet the expectations of its key
stakeholders to achieve its strategic objectives. The strategic plan is the channel through
2.7 Purpose of Strategic Plan
The purpose is to enable the Internal Audit Function to meet the expectations of its key
stakeholders to achieve its strategic objectives. The strategic plan is the channel through
which the vision and mission of the CCA and RGoB will be pursued. This Strategic Plan
covers a five-year period from FY 2021-2025.
Introduction

3 Strategic
Planning
Process
3. Strategic Planning Process

The following systematic and structured process has been used in developing the Internal
Audit Strategic Plan:
Understand the Internal Audit Services objectives
Consider the International Professional Practices Framework (IPPF)
Understand stakeholder expectations
Update internal audit vision and mission
Perform a strengths, weaknesses, opportunities, and threats (SWOT) analysis
Define the critical success factors
Identify key initiatives
Way Forward
3.1 Understand the Internal Audit Services objectives
The starting point for developing the internal audit strategic plan should be obtaining a
Strategic Planning Process
thorough understanding of the organization’s1 objectives in which it operates. Strategic

objective for the internal audit activity is to add value. It is envisaged that it should
contribute to the achievement of the organization’s strategic, operational, reporting, and
compliance objectives through assurance and consulting services. This will assure that the
host organization maintains an ethical environment and culture of accountability.
3.2 Consider the International Professional Practices Framework (IPPF)
The CCA for internal audit services considered the IIA - IPPF while developing the internal
audit strategic plan for Bhutan. The values the internal audit activities personnel should
adopt are contained within the framework’s Standards and Code of Ethics. The Internal Audit
function in Bhutan has adopted International Professional Practices Framework (IPPF) of
the Institute of Internal Auditors (IIA). The CCA for internal audit services in the country
has developed Code of Ethics, Internal Audit Manual and Bhutan Government Internal
Audit Standards in accordance with IPPF framework. Accordingly, the Development of first
Internal Audit Strategic Plan is also done following the Recommended Guidance of IPPF
framework i.e. “Practice Guide on Developing the Internal Audit Strategic plan” as issued by
Institute of Internal Auditors.
3.3 Understand stakeholder expectations
Understanding stakeholder expectations and needs is a critical step in developing the

internal audit strategic plan. It is important to include the key internal and external
stakeholders (e.g., Internal Audit Units, head of government Agencies, external auditors,
and other regulators). Various consultations with key stakeholders such as CCA, IAUs, and
agencies were carried out to understand their expectations from internal audit activity.
Some of the key expectations are:
1. CCA aspires to strengthen the IAS by strategizing its objectives;
2. The IAUs desire to improve their performance through effective service delivery;
3. The agencies wish to receive reliable internal audit reports which would enable
them in taking timely decision.
1 The organization referred is CCA and IAUs at different government agencies.

This strategic plan has been developed based on feedback and suggestions received from
them. Consequently, this plan is expected to facilitate in achieving the organization’s
objectives and goals.
3.4 Update Internal Audit Vision and Mission
In the process of developing the strategic plan, series of consultations were held to develop
a new vision statement that encapsulate the entire essence of IAS. The strategic plan is
expected to ensure that internal audit activities pursue the IA Vision and Mission.
3.4.1. Vision Statement

The vision statement is described as follows: -
“A professional Internal Audit service provider to strengthen good governance in the
RGoB”.
The vision statement helps to articulate the internal audit activity’s philosophy and what
it hopes to contribute to the organization. It is based on stakeholder expectations and IIA

guidance.
The current internal audit charter issued in the year 2014 does not describe the vision
statement. Therefore, one of the key findings in the process of developing this strategic plan
is to update the existing internal audit charter.
3.4.2. Mission statement
“Enhance and protect organizational value by providing risk-based and independent

objective assurance, advice, and insight through professional practices to cope with
emerging challenges”
This strategic plan has been developed taking into account the above mission statement.
The RGoB and CCA envisaged that the IA shall extend their services to cover all aspect of
an agency’s operations and determine whether the agency’s network of risk management,
control, and government processes, as designed and represented by the management is
adequately functioning. Furthermore, the strategic plan will also contribute in having a
credible internal audit institution.
3.5 Define the critical success factors
Identifying the critical success factors (CSFs) allows the internal audit activity to understand
the limited number of elements that should go right for it to achieve its vision and mission.
Monitoring the progress of the critical success factors will ensure management is giving
them continuous attention. The following are the critical success factors are of critical
importance to the Internal Audit Function in Bhutan. These CSF are linked to the strategic
focus area of the strategic plan, in order to successfully implement its strategies and support
the organizational goals:

S.
Critical Success Factor Strategic Focus Area
No
1 Continuous Capacity building of Training of Internal Auditors
Internal Audit staff Internal Audit Conference
Overseas Exposure visits of IAs
International Certification in Internal Audit or any
area associated with this function
Continuous Professional Development
Training of IA staff on the IAMS
2 Provide Impactful Reporting to Create platform for effective information sharing
Stakeholders related to IA services
Establish strategic partnerships & coordination
with stakeholders
3 Focus on the organization’s highest Standardize Risk Based Internal Audit
risks and strategy
4 Policies, procedures, processes and Review and update Internal Audit Charter
systems adopted by CCA / IAUs are Increase IA coverage
Enabling and of Dynamic Nature in Adequate resource for additional IAUs & fill vacant
Meeting the organization Needs positions
5 Use of IT Tools Implementation of IAMS

Use of Data Analytics in Audit
6 Internal Audit Function Implements Random Checks of Audit Engagements to ensure
a Quality Assurance and audit quality
Improvement Program (QAIP) Quality assurance/assessment of IAU by CCA
External Assessment
3.6 Perform SWOT analysis
Performing the assessment of the current state of the internal audit activity helped to
identify what should be incorporated into a strategic plan. The aim of SWOT analysis is to
identify the key internal and external factors that are important to achieving the strategy.
Following is the result of current strengths, weaknesses, opportunities, and threats in the
internal audit system in Bhutan:

3.7 Identify Key Initiatives
Based on the results of the SWOT analysis, it is possible to identify and prioritize the key
initiatives (i.e. key strategic focus areas as detailed in chapter 4 of this strategic plan) that
will have a significant impact on achieving the internal audit activity’s critical success factors
and therefore its vision and mission statements. For each initiative, it is valuable to identify
a timeline for implementation, the desired objectives, the performance measurements
(qualitative and quantitative), and the associated SWOT elements.
3.8 Way Forward
The Hon’ble Minister of Finance has expressed his concerns over the challenges faced
by Internal Auditors and has emphasized the importance of the role of internal auditors.
The RGoB is endeavoring to further enhance the internal audit function through various
initiatives such as development of performance audit guidelines and implementation thereof,
and development of Quality Assurance and Improvement Program (QAIP) guidelines and its
implementation.
This Strategic Plan aims to address the challenges faced by the Internal Audit Units

in RGoB and provide effective solutions that can be successfully implemented. It shall
provide handholding support to CCA in order to achieve their mission as mentioned in
the mission statement. It is envisaged that this Strategic Plan would play a significant role
in strengthening the internal audit processes in Bhutan. The guidelines formulated here
would serve as a road map to build the capacity of internal auditors and sufficiently meet
the expectations of the stakeholders. The focus areas have been identified for Internal
Auditors in order to meet stakeholder expectations (see below) based on which the actions
required have been determined and included in the Strategic Plan in subsequent sections.
These are (1) capacity building of staff; (2) resource management; (3) use of modern audit
techniques; (4) quality assurance; and (5) improve coordination and collaboration with
other oversight bodies.

3.8.1. Internal Audit Capability Model

An EQA of internal audit services in Bhutan has been conducted by IIA Malaysia in year
2019. The review also includes benchmark of IAS against the Internal Audit Capability Model
(“IA-CM”) developed by the IIA Global. As per the assessment report the IAS is operating at
‘Level 1– Initial’ in 3 of 6 key elements of the maturity model. Three elements that assess
Infrastructure consisting of services and role of IA, professional practices and governance
structures were at ‘Level 2’. The overall rating of IAS in Bhutan was assessed in level 2. The
report further states that RGoB’s IAS has the potential to progress to the next capability
level rating of ‘Levels 3 – Integrated’ in the future. Therefore, through this strategic plan,
the internal audit services in Bhutan targets for achievement of “Level 3 – Integrated
in the future”. The key strategies as identified in this strategic plan are aligned with the
recommendations provided in the EQA and implementation thereof may lead to successful
achievement of “Level 3 – Integrated in the future” from “Level 2 – Infrastructure”.
3.8.2. Effectiveness of IAS as per PEFA assessment

The Public Finance Management Performance Report of Bhutan based on Public Expenditure
and Financial Accountability 2016 framework (PEFA) indicator PI-26 on internal audit
effectiveness was rated “C+” in the 2016 assessment. This is the same as in 2010 despite an
increase in coverage.
Indicator/Dimension Score Brief justification for the score
PI-26: internal audit C+ Scoring Method M1
26.1: Coverage of internal B Internal audit is operational for CG entities incurring most
audit expenditure and collecting most revenue.
26.2: Nature of audits and C Internal audit is primarily focused on financial compliance.
standards applied
26.3: Implementation of A All planned audits are completed and reports distributed
internal audits and reporting to the appropriate parties.
26.4: Response to internal C Management provides a partial response for the majority
audits of entities audited.
The focus area “2.1 Increase in Internal Audit Coverage” of the strategic plan is targeting to
increase the internal audit coverage in the other government agencies wherever the IAUs
are not established. This key focus area will lead to improvement of PEFA sub-indicator
“26.1 coverage of Internal Audit” score.
One of the important areas to strengthen the IA system is development of PA guideline and
training on PA guideline which is part of current project of “strengthening the effectiveness
of Internal Audit system in RGoB”. Further, the focus area “2.3 Standardize Risk Based
Internal Audit (RBIA)” gives emphasis of RBIA instead of transaction audit or compliance
audit. This key focus area of the strategic plan will lead to improvement of PEFA score of sub
indicators “26.2 Nature of audits and standards applied”.
Further, the strategic plan also set the key focus areas on ensuring audit quality through
implementation of QAIP in internal audit services, implementation of IAMS which will
improve the efficiency of IAs in Bhutan, regular performance monitoring, stakeholder
outreach activities, etc. These focus areas will lead overall improvement of PEFA score. The
successful implementation of these strategies will strengthen the internal audit functions
in the country.

4 Key Strategic
Focus Areas
4. Key Strategic Focus Areas
Internal auditors have to execute complex tasks and hence

require specialized skills, knowledge of audit standards and have
to continuously update themselves with recent developments
worldwide. It is important to stimulate knowledge sharing,
learning and ensure that competency is built up. The professional
capacity needs to be developed to tackle current and future risks
or challenges.
1.1. Training of Internal Auditors
Objective To increase the competency of Internal Auditors through trainings

No. of training conducted to update knowledge of Internal auditor and
Impact Indicator
no. of internal auditors trained
Frequency Semi Annually (once in every 6 month)
Updated knowledge of Internal auditors on Internal Audit
Outcome fundamentals, ethics, soft skills, technology, sampling, and analysis.
Key Strategic Focus Areas
The Standards 1200 require that engagements must be performed with proficiency and due
professional care. Standard 1210 emphasizes a lot on proficiency.
IIA Standard on Internal Audit 1210 – Proficiency:
Internal auditors must possess the knowledge, skills, and other competencies needed to
perform their individual responsibilities. The internal audit activity collectively must possess
or obtain the knowledge, skills, and other competencies needed to perform its responsibilities.
The Royal Government of Bhutan’s requirement as per BGIAS:

As parent agency, CIA/Head of Central Coordinating Agency for IA Service is responsible to
equip all internal auditors in the Royal Government of Bhutan with appropriate knowledge,
skills and other competencies needed to perform their professional responsibilities.
Initiatives to obtain appropriate professional competencies at the agency level must be done
in consultation with CCA.
As per the EQA report 2019 on Internal Audit Services in Bhutan, there is a need to enhance
audit technical knowledge of the auditing staff. Trainings can help address the problem of
competency gaps to transform productivity, performance, and efficiency of internal auditors.
Capacity building can be achieved by providing trainings to the staff at all levels. It is
envisaged to conduct targeted trainings for internal auditors at all levels pertaining to their
work requirements every year for the next five years. Work specific training material shall be
thoughtfully designed such that it covers various aspects of internal audit and encompasses

the key responsibilities of staff at all positions. For e.g. some possible topics relating to audit
life cycle may be execution, reporting etc. Guest lectures may be arranged where experts in
the field of Internal audit can be called to provide valuable support and share information.
The key challenge of Internal audit is to keep up with ever-changing risk, while establishing
internal audit activity as a trusted advisor. Training and education play a critical role in
effectiveness of Internal Audit activity. The internal auditor needs practical, high-impact
training on topics like data analysis, communication, risk management, internal controls,
and more. Following is the illustrative list of trainings that can be provided to internal
auditors of RGoB:
S. Type of
For Level Description
No. Training
1 Audit New Basic Learn the basics of auditing at the new internal
Fundamentals Internal auditor level. The training should provide
Auditors an overview of the life cycle of an audit from
a new internal auditor’s perspective, while
examining the internal control environment
and audit governance. Following topics
included:
Defining the phases of an audit life cycle
Interviewing and communication skills
Developing documentation, including
audit reports
Performing an audit risk assessment and
walk-through of internal controls
Utilizing sampling and data analysis in
fieldwork

Developing audit observations and
findings
2 Audit Experience Intermediate Gain insight at the experience internal auditor
Fundamentals Internal level. The training should help IA to develop
Auditor the organizational, time management, and
problem-solving skills necessary to lead a
successful team while examining the life cycle
of an audit from a lead auditor’s perspective.
The training is for internal
auditors with 2–4 years of experience
who want to learn the concepts, tools, and
techniques to enhance their effectiveness and
transition into a lead auditor role. Following
topics included:
Communicating with audit staff
Defining audit scope, objectives, hours,
resources, and key activities
Prioritizing workload and managing
efficient use of resources
Reviewing audit evidence and
workpapers
Becoming an effective leader
Leading audit staff

S. Type of
No. Training
3 Audit Experienced Intermediate Learn the essential skills required at the audit
Fundamentals Internal manager level. The training should provide
Auditor managers with the tools needed to manage
(Chief IA / efficiently and effectively in an internal
Sr. IA) auditing environment, while examining the
life cycle of an audit from an audit manager’s
perspective. Following topics are included:
Communicating with the CIA, head of
government agency.
Preparing a value-added audit program
Developing a strategy for presenting
audit findings and recommendations
Developing management leadership skills
Understanding the difference between
managing and leading
Managing relationships
Managing conflict and change
Marketing internal audit
4 Audit All Internal Basic Ethics for IA: The primary focus of this training
Fundamentals Auditor should be to provide you with an overview of
– Ethics for ethics and how the Code of Ethics, Principles,
IA and Code and Rules of Conduct apply to internal audit.
of Ethics
Code of Ethics Conformance: The primary
Conformance
focus of this training course is to provide an
introduction to Code of Ethics conformance
for internal auditors.
5 Audit All Internal Intermediate Persuasive communication is an essential

Fundamentals Auditor skill to communicate effectively with the
– Audit Report stakeholders. Quality of internal audit depends
Writing upon quality of communication. High-quality
audit reports are a key communication tool.
The training on audit report writing should
focus on the content, organization, and
structure of audit reports, and uses case study
activities to apply the basics of audit report
writing.
6 Audit All Internal Intermediate Internal auditors are constantly searching
Fundamentals Auditor for better tools and techniques for business
– Analyzing process analysis. The training should provide
and Improving methods that can be used in any process
Business analysis engagement and opportunities to
Process apply these methods to real-world scenarios.
Learn to conduct analyses at a holistic level
— considering the customer and focusing
on the associated objectives and risks — to
find ways to create efficiencies, analyze work
being conducted, or provide better customer
service.

S. Type of
No. Training
7 Audit All Internal Intermediate The training provides the skills and techniques
Fundamentals Auditor necessary to embed project management
– Project methods into internal audit process. Formal
Management project management methodologies can help
Skills for reduce and alleviate many of the struggles
Internal with delays, prioritization, scope, and
Auditor timeliness that many audits routinely face.
There are various tools and systems which
can be immediately implemented, and real-
life examples of project management failures
and successes will be covered to enhance the
learning experience through multiple hands-
on exercises for practice of what IA learnt.
8 Audit All Internal Intermediate This training will provide IA with key root
Fundamentals Auditor cause analysis tools and techniques that can
– Root Cause be utilized in the planning, fieldwork, and
Analysis for IA reporting phases of an internal audit — to
enhance audit effectiveness, strengthen audit
observations reported, and facilitate deeper
discussions with management on issues
identified. IA will have the opportunity to
practice and apply the skills learned during
the course through a case study and exercises,
which should enable IA to integrate the tools
and techniques into IA audit engagement
activities.
9 Audit All Internal Intermediate Building an effective quality assurance and

Management– Auditor improvement program (QAIP) is similar to
Building a establishing a total quality management
Sustainable program, where products and services are
Quality analyzed to verify if they meet stakeholder
Program expectations, operations are evaluated to
determine their efficiency and effectiveness,
and practices are assessed to confirm their
conformance to standards. This training will
help IA to learn how to build and maintain an
effective QAIP, leading to a successful external
quality assessment.

S. Type of
No. Training
10 Audit Senior Intermediate An organization’s quality monitoring
Management– Internal must keep pace with its evolution as a
Performing Auditor whole. To ensure consistent quality in a
an effective dynamic environment, internal audit’s QAIP
Quality encompassing both internal and external
Assessment assessments, can provide evidence
to stakeholders that internal audit is efficient,
effective, and adding value. This training
will provide senior IA with the appropriate
knowledge and skills to plan, perform, and
evaluate the results of a quality assessment.
IA will also learn about the processes and
tools in the IIA Quality Assessment Manual
(QA Manual) that can help IA to identify
opportunities to improve internal audit
quality activities.
11 Fraud– Fraud All Internal Intermediate For many auditors, management’s anti-
Detection, Auditor fraud expectations exceed the audit team’s
Deterrence capability to deliver. Result: a challenging
and Incident gap to fill and difficult decisions to be made
response regarding the application of scarce resources
for Internal and management of stakeholder
Auditors
expectations. This training will help to learn
a comprehensive anti-fraud response that
will fit in any organizational setting, as well as
discover how to build a tailored battle plan for
fighting fraud. Step-by-step instructions will

allow IA to meet and exceed their professional
obligations to objectivity and independence
while leading management through what it
must do to foster an anti-fraud environment.
12 Governance All Internal Basic This training will provide IA the fundamental
Risk and Auditor knowledge needed to become effective
Control – in performing risk-based internal audits.
Fundamentals Foundational concepts such as the nature
of Risk based of risk, risk sources and categories, risk
Auditing appetite and tolerances, and risk frameworks
are provided to help you understand their
application to the audit engagement. This
Training is for internal auditor who want to
learn the principles and concepts of risk and
risk management, as well as the tools and
techniques used to perform a risk-based audit.

S. Type of
No. Training
13 Governance All Internal Intermediate This training provides participants with the
Risk and Auditor knowledge to develop an audit universe and
Control – risk-based internal audit plan. The training
Advanced Risk also addresses emerging and advanced risk
based Auditing management topics such as governance
risk, strategic risk, fraud risk, information
technology risk, and auditing the risk
management process. This training will
provide new concepts and tools to develop a
value-added, risk-based audit plan for your
organization. It is designed for senior internal
audit who want to build on their knowledge
and increase their value to the organization
by developing effective risk-based audit plans
that address emerging risks.
14 Soft Skills – All Internal Intermediate Internal Auditors need specific technical skills
The Effective Auditor to be successful in their jobs, but that’s only
Auditor: half the picture. They must be able to deal
Understanding with all kinds of people, too. In this training,
and applying IA will learn to improve IA effectiveness by
Emotional identifying the communication style of others,
Intelligence allowing IA to tailor delivery to their method
of receiving, use empathy to build engagement
with team members, improve IA listening
skills to uncover hidden information, and
enhance IA emotional intelligence to increase
communication effectiveness.

15 Soft Skills – All Internal Intermediate The ultimate goal of any internal auditor is to
Relationship Auditor become a trusted advisor — someone to whom
Interpersonal others look for counsel and advice, a trusted
Skills and confidante who will listen when times get
Auditing: difficult. During the training, IA will learn the
Becoming why and how of developing relationships that
a trusted will assist IA in becoming a trusted advisor.
Advisor Tips, techniques, and reference materials will
assist IA in personal and team development,
impacting effectiveness positively.
16 Soft Skills All Internal Intermediate This training demonstrates how critical
– Critical Auditor thinking can be weaved throughout key
Thinking elements of the audit process such as risk
assessment, interviewing, testing and analysis,
process documentation, and reporting.
Critical thinking is disciplined thinking that
is clear, rational, open-minded, and informed
by evidence, which makes it ideally suited for
application in an audit setting. The critical
thinking concepts and practices should be
presented and designed to enhance audit
effectiveness and deliver measurable value to
audit customers that win internal audit a seat
at the table for key business decisions.

S. Type of
No. Training
17 Technology– All Internal Basic Cyber security issues present grave risks
Cybersecurity Auditor beyond IT security. A severe breach can be
Auditing costly enough to sink an organization or
substantially impact its stakeholder value,
oust its leadership, potentially bury its
reputation, and worse. The training views
cybersecurity from preventive, detective, and
corrective angles, and applies audit processes
and protections to the cloud and today’s ever-
present mobile devices.
18 Technology– All Internal Basic The continued advent of technology means
Fundamental Auditor that to be fully effective and focused on the
to IT Auditing areas of greatest return, auditors can no
longer afford to ignore IT auditing. Auditors,
even those without a technical background,
can and should develop knowledge of basic IT
audit concepts that can be
used to facilitate integrated audits. After this
training, internal auditors will be able to
perform an audit of IT applications supporting
key business processes and perform a risk
assessment and evaluation of controls over
end-user computer applications.
19 Technology– All Internal Intermediate This training will explore the challenges in
Data Sampling Auditor selecting the most appropriate sampling
and Analysis methods, calculating and adjusting sample
size, and integrating this knowledge into audit

planning and reporting. It will also review
properly reducing large data sets down to
critical subsets based on risk or importance,
determining which sampling method is most
appropriate depending on the situation,
and estimating sample size to get the most
information at the lowest cost.
20 Technology– All Internal Intermediate Executing a cost-effective and value-add audit
Data Analysis Auditor requires an understanding of population
for Internal analysis. Without this knowledge, IA run
Auditor the risk of spreading your resources and
IA sampling over low-risk subsets of the
population. This could result in crucial
data not being collected. In this training, IA
will learn when and how to use population
analysis in the planning phase of the audit and
how to identify subsets of the population that
behave differently from a benchmark data set.

S. Type of
No. Training
21 Technology– All Internal Intermediate Data analytics programs can provide the
Implementing Auditor opportunity for an internal audit function
Data Analytics to add value to their organization, while
in Internal enhancing assurance for audits, fraud
Auditing detection, and testing. It is also an excellent
basis for fraud detection programs, allowing
audit and fraud teams to identify potential
fraud without having to “sample” large
quantities manually to detect fraud and fraud
patterns. However, implementing an effective
program can pose a significant challenge.
This training lays the groundwork of how to
develop a functional data analytics program.
All such trainings will be followed by a graded evaluation at the end for effective
participation. For this, assistance from senior internal auditors will be taken who possess a
good understanding of and application of International Standards so that they can provide
trainings or workshops as desired. A score card/ template may be used for evaluation. It is
important to note that adequate budget is required for developing the training modules,
pay the trainers, venue costs and miscellaneous costs. Therefore, it is important to carry out
appropriation of adequate funds to provide such trainings.
1.2. Internal Audit Conference
Focused on emerging Trends in internal auditing, to allow for networking

with peers, gaining greater understanding of leading practices, learn

from experiences
Update internal auditors on recent developments in the public sector
Objective
internal audit sphere, International Standards, international best
practices, etc.
Discussion on emerging risk in the country including Internal Audit
annual strategy and setting the common key risk parameters for IAUs.
Impact Discussion among Internal Auditors on the development in the RGoB and
Indicator Internal Audit practice in the country
Frequency Annually
Annual IA operational strategy developed based on focus area in public
Outcome sector and common key risk parameter for IAUs established.
The annual conference conducted should be with the view to provide an in-depth
understanding of internal audit methodologies. Representatives of RAA, ACC, RCSC,
development partners, all the internal auditors of IAUs, representatives of government
agencies and other stakeholders related to the internal audit process will be invited to
participate in the annual Internal Audit conference. The following are the illustrative list of
topics that may be covered in IA conference:
Innovating Use of Technology
Risk identification
Effectively Assessing Risk
Leading with Influence and Cultivating Talent

The Internal audit conference helps in networking with key stakeholders, understand the
expectations of the stakeholders from the IA activity, knowledge sharing by the senior
internal auditors, setting the tone for upcoming year internal audit plan, identifying the
prevailing key risk in the government agencies and accordingly prioritizing the audit based
on risk-based methodology. This conference will also provide roadmap for Internal Audit
operation plan and setting up the risk parameters for the risk assessment of the audit
universe.
1.3. Overseas Exposure visits of Internal Auditors
To Learn from the best practices followed by other countries and implement
Objective
the same in Bhutan
Impact Internal Auditors sent for overseas exposure visits to other countries
Indicator
Frequency A minimum of one batch annually comprising of at least 3 Internal Auditors.
Outcome IAs conversant with international best practices.
The overseas exposure visits for selected staff shall be arranged so that they can in-person
witness international practices in other countries and replicate the same in RGoB wherever
applicable. Nominations for the training shall be recommend by CCA in consultation with the
head of agencies of host originations of internal auditors based on performance evaluations.
1.4. International Certification in Internal Audit or any area associated with this
function
To encourage and support the internal auditors to acquire professional

Objective
certification that leads to continuous professional development
Impact The number of internal auditors certified
Indicator
Frequency At least two Internal Auditors Annually
Outcome Increased number of qualified IAs in relevant professional certification.
Interpretation of IIA Standard on Internal Audit 1210 as per BGIAS:

Proficiency is a collective term that refers to the knowledge, skills, and other competencies
required of internal auditors to effectively carry out their professional responsibilities. It
encompasses consideration of current activities, trends, and emerging issues, to enable
relevant advice and recommendations. Internal auditors are encouraged to demonstrate
their proficiency by obtaining appropriate professional certifications and qualifications,
such as the Certified Internal Auditor designation and other designations offered by The
Institute of Internal Auditors and other appropriate professional organizations.
Currently, there are only few internal auditors, who hold Certified Government Auditing
Professional (CGAP). Hence, CCA will encourage and support IAs to acquire professional
certification through sponsorship and provision of study facilities/ resources to attract and
retain internal auditors.

CCA can identify and encourage interested IAs to undertake certification programs. At least
two internal auditors are targeted to be nominated and provide necessary sponsorship
annually. For the execution of such a program, the CCA is required to develop a competency
assessment tool that details the knowledge areas, technical requirements and interpersonal
skills requirements that is essential for internal auditors. Such a tool may have to be
customized by CCA as per the requirements and should adopt the IIA’s Global Internal Audit
Competency Framework.
Following are the illustrative list of international certifications that can be provided to
internal auditors of RGoB:
Certified Internal Auditor (CIA) by Institute of Internal Auditors (IIA)
Certification in Control Self-Assessment (CCSA) by Institute of Internal Auditors
(IIA)
Certified Financial Services Auditor (CFSA) by Institute of Internal Auditors (IIA)
Certified Government Auditing Professional (CGAP) by Institute of Internal Auditors
(IIA)
Certification in Risk Management Assurance (CRMA) by Institute of Internal
Auditors (IIA)
Certified Fraud Examiner (CFE) by Association of Certified Fraud Examiner (ACFE)
Certified Information Systems Auditor (CISA) by ISACA (previously known as the
Information Systems Audit and Control Association)
Certified Information Technology Professional (CITP) by American Institute of
Certified Public Accountants (AICPA)
Chartered Internal Auditor (CMIIA) by Chartered Institute of Internal Auditors

(Chartered IIA)
Certified Public Accountant (CPA) by CPA Australia and other institutions.
Chartered Accountants (CA).
CIMA qualifications from Chartered Institute of Management Accountants.
1.5. Continuous Professional Development
To build the competence and capacity of the individual internal auditors

Objective
through continuous professional development
Impact No. of hours spent by each Internal Auditors in learning and Development
Indicator
Frequency At least 80 hours annually for each auditor
Outcome Relevant knowledge and skills updated

IIA Standard on Internal Audit 1230 - Continuing Professional Development

Internal auditors must enhance their knowledge, skills, and other competencies through
continuing professional development.
Interpretation
The internal auditors are expected and required to enhance their skills through continuous
professional development.
In accordance with the Internal Audit Manual 2014 issued by Ministry of Finance, RGoB,
the Auditors are required to maintain their professional competence through continuous
training. Training and staff development are a purposeful activity and helps build the
competence and capacity of the individuals and the IAUs. Subject to the composition of the
IAU staff, CIA should provide at least 80 hours annually per Auditor for training and staff
development. A training plan should be developed by CCA in coordination with IAUs.
As per the External Quality Assessment (EQA) 2019 Report, CCA should develop a competency
assessment tool that details the knowledge areas, technical requirements and interpersonal
skills requirements that is essential for internal auditors. It further recommends to customize
and adopt the model - “The IIA’s Global Internal Audit Competency Framework – Career
Map Alignment”. The competency gaps can also be addressed by providing internal training,
rotating internal audit staff and/or bringing in guest auditors (subject to applicability of law
of land).
In order to enhance efficiency & effectiveness of IA service, it is crucial for

RGoB to accord adequate resources for management of IAS in Bhutan.
To overcome the current gaps, the CCA intends to increase internal audit
coverage, manage resources to have adequate employees in all the IAUs and
have a uniformly practiced risk-based auditing procedure.
2.1. Increase in Internal Audit Coverage
To increase the coverage of Internal Audit in Autonomous Bodies and

Objective Dzongkhag
Impact No. IAU established against the available list of government entities where
Indicator IAU needs to be established.
Based on the need of relevant stakeholders, budgetary allocation and
Frequency availability of human resource.
Outcome Increased coverage of Internal Audit services in government Agencies.
The CCA is responsible for administering the IAS in all budgetary agencies under the RGoB.

While the IAUs are placed in the government agencies to ensure functional independence
of the Internal Auditors, the CCA coordinates overall internal audit functions as established
under different government agencies across country. Activities performed by internal
audit unit adds value to the organization and its stakeholders. The internal audit activity is
effectively managed when:
It achieves the purpose and responsibility included in the internal audit charter
It conforms with the Standards
Its individual members conform with the Code of Ethics and the Standards.
It considers trends and emerging issues that could impact the organization.
CCA manages Internal Audit Functions through 30 Internal Audit Units (10 Ministry, 6
Autonomous Body and 14 Dzongkhags) against the approved 36 Internal Audit Units. The
government agency wise detailed breakup is given in table below:
IAU IAU
IAUs IAU not
Total currently in sanctioned
Agencies Sanctioned Sanctioned
place but vacant
A B C D E=A-B
Ministries 10 10 10 0 0
Autonomous Bodies 38 6 3 3 32
Dzongkhags 20 20 14 6 0
Total 68 36 27 9 32
*The above data is as on January 2020.

As on 31st January 2020, the IAUs are not established in 32 budgetary bodies of the total 68
budgetary bodies. This is a very large gap that needs to be systematically filled depending
upon the requirement of IAUs in these agencies.
There is a need to increase the coverage of Internal Audit Units and ensure that all the
government agencies in Bhutan should have IAUs such that the stated objectives of Internal
Audit services can be achieved. The IAUs should be established in a phased manner
depending upon the budgetary allocation and availability of human resource.
2.2. Adequate resource for additional IAUs and fill all vacant positions
To have adequate human resource for sanctioned positions at all IAUs and
Objective
additional resource for additional IAUs in government agencies
Impact No. of vacant position filled during the year and no. of additional audit staff
Indicator approved and placed for internal audit service
Frequency Reduce total vacancy by at least 10% every year.
Outcome IAUs are adequately staffed.

The backbone of any organization is a competent, engaged, and motivated workforce. The
IAS as at January 2020 has 45 internal auditors. The approved headcount was 54. The
IAUs in 10 ministries and 6 autonomous agencies have internal auditors placed. However,
6 of the total 20 Dzongkhags have IAUs sanctioned but does not have internal auditors
due to vacancy. Therefore, additional resources will be required to achieve the objective
of enhanced coverage of Internal Audit services in the country. The vacant positions must
be systematically and gradually filled. Moreover, the possibility of contract employment,
either on outsourcing or co-sourcing basis (subject to applicability of law of land) may also
be explored to fill the requisite positions on short term basis. In particular, the CCA and
IAUs shall be encouraged to opt for co-sourcing of services within the same agency or from
other agencies by deploying different expertise as deemed required under specific tasks or
assignments.
2.3. Standardize Risk Based Internal Audit
Objective To carry out risk-based audit as a standard procedure at all the IAUs
Impact Have a standardized procedure for risk-based auditing. Conducting Risk
Indicator Assessment on audit universe every year.
Frequency For every engagement
Outcome Risk based audits uniformly practiced in all IAUs.
As per IIA Internal Audit Standard 2010- Planning

Risk Based Internal Audit (RBIA) is defined as “a methodology that links internal auditing
to the Ministry’s overall risk management framework”. This methodology allows internal
auditing to provide assurance to management that the risk management processes are
managing risk effectively; thereby increasing the likelihood of the entity meeting its
objectives.
Interpretation as per BGIAS:

To develop the risk-based plan, the chief audit executive consults with senior management
and the board and obtains an understanding of the organization’s strategies, key business
objectives, associated risks, and risk management processes. The chief audit executive
must review and adjust the plan, as necessary, in response to changes in the organization’s
business, risks, operations, programs, systems, and controls.
The Chief Internal Auditor must establish risk-based plans to determine the priorities of the
internal audit activity, consistently with the organization’s goals. At present, the Risk Based
Internal Audit (RBIA) is not being followed uniformly in Bhutan IA services. It is important
that from the outset of the implementation phase, risk-based auditing shall be carried out
for all the engagements.
Moreover, for internal auditors to implement RBIA, the system of internal control needs to
be strengthened in agencies through inclusion of good risk management practices.

Technology plays a very important role in Internal Audit functions. Increasing the use of
technology would help get closer to the goal of efficiency, optimization, accountability, and
transparency. CCA is keen to introduce Computer Assisted Auditing Tools (CAATs) and
implement an Internal Audit Management Software. The IAMS tool will facilitate analysis of
data and help to determine the scale of audit observations and, its compliance status which
will facilitate decision makers to mitigate the risks in the government agencies.
Evaluation of fraud and IT risks would strengthen and improve the overall performance
of audit engagements. However, the competency of the internal auditors in terms of using
modern day technology is limited. Thus, the technical knowledge of audit staff needs to be
enhanced to facilitate usage of CAAT and IAMS.
3.1. Implementation of IAMS
Objective To automate the manual system of Internal Audit by use of technology.

Impact
IAMS software used in all engagements across all IAUs.
Indicator
Frequency Effective from the first financial year i.e. FY 2021-2022.
Outcome Effectiveness of IAS enhanced.

The IT application such as IAMS will support Internal Auditors to automate all the Internal
audit activity currently being performed manually. This will help in increasing the efficiency
of internal audit activity. The IAMS is a software application which contains the entire life
cycle of the Internal Audit starting from Planning, Execution, Reporting to Monitoring.
Internal auditors of IAUs can also perform the ongoing monitoring with the use of IAMS.
The IAMS will create a database of audit conducted which could be used for the purpose of
analysis and decision making.
The IAMS shall be rolled out in the financial year 2021-2022. To implement IAMS,
infrastructure such as specialized equipment, ICT facilities and other technical backend
support should be in place.
3.2. Training to IA staff on the IAMS
Objective To provide user training to internal auditors in using the IAMS.

Impact
Number of internal auditors trained.
Indicator
Frequency Before Implementation of IAMS and refresher training as necessary.
Outcome Effectiveness of IAS enhanced.

For effective use of IAMS, a detailed user training manual should be provided by the vendor
who will provide or develop IAMS for Internal Audit services. To accustom the internal
auditors with the new software, a classroom training with practical case studies should be
provided to all the internal auditor by the concerned vendor who will provide or develop
IAMS. The training should also be provided on training of the trainers (ToT) to selected
internal auditors who will subsequently provide the refresher training to other internal
auditors. The training should be followed by a graded performance evaluation test.
3.3. Use of Data Analytics in Audit
Objective To modernize audit processes and initiate use of Data Analytics tools.
Impact
Data analytics used in audits
Indicator
By the end of second year of implementation of IA strategic plan followed by
Timeline
every IA engagement.
Outcome Quality of IA delivery enhanced.
Auditing is an iterative process that requires the auditor’s judgment to constantly evaluate
the evidence and determine when procedures are adequate to minimize audit risk. Usage
of data analytical tools & techniques is therefore almost required in technology disruptive
world where most of the data of government agencies are being exposed to technologies
such as Multi Year Rolling Budget (MYRB), e-procurement, Electronic Public Expenditure
Management System (ePEMS), Revenue Accounting and Management Information System
(RAMIS), e-government etc. Data analysis software provides better coverage and reduction
of risk.
Some of the benefits of Data Analysis Software are:

To gain an understanding of the systems and reporting environment.
To identify anomalies, errors and potential fraud with relative ease and less time.
To provide better coverage and facilitate reduction of risk in case any audit
transaction has to be referred to in the database.
Data analytics can be used to identify current and emerging future challenges. It can also
be used to detect and mitigate fraud. However, the current internal auditors do not have
the required expertise. To overcome this institutional bottleneck, individuals may be
trained initially in comparatively simpler and widely used software like Microsoft Excel and
subsequently encouraged to move to advanced software packages. The use of data analytics
should start by the end of first year of the implementation of this strategic plan.

Internal AuditAudit
Internal Strategic Plan
Strategic Planfor
forFY
FY2021-2025
2021-2025
The Auditing Standards require the implementation of a QAIP to ensure conformance with
the Auditing
The definitionStandards
of Internal Audit,the
require the Code of Ethicsoffor
implementation internal
a QAIP auditors
to ensure and the Auditing
conformance with
Standards.
the CCA
definition ofisInternal
required to follow
Audit, and implement
the Code QAIP,
of Ethics for and incorporate
internal thethe
auditors and best practices
Auditing
Standards.
followed by CCA
theisother
required to follow and implement QAIP, and incorporate the best practices
countries.
followed by the other countries.
Such programme
Such programme should
shouldinclude
includea comprehensive
a comprehensive ongoing monitoring
ongoing and periodic
monitoring internal
and periodic
assessment.
internal At present,
assessment. it wasit found
At present, thatthat
was found quality assurance
quality assuranceprocesses
processesininthe
the stages
stages of
planning,
of planning,fieldwork,
fieldwork,and
andreporting
reporting of of audit either absent
audit were either absentororweak.
weak.ToTo achieve
achieve
comprehensive coverage of all aspects of the internal audit activity, a QAIP must effectively
comprehensive coverage of all aspects of the internal audit activity, a QAIP must effectively
be
beapplied
appliedatatthree
threefundamental
fundamentallevelslevels(or
(orperspectives):
perspectives):
Internal Internal
Audit Audit External
Engagement Activity Perspective
Level Level

Independent external
Self-assessment at the Self-assessment at the
assessment of the entire
audit engagement, or internal audit activity or
internal audit activity
operational level organizational level including individual
engagements
The Standard 1320 states that the chief audit executive must communicate the results of the
The Standard 1320 states that the chief audit executive must communicate the results of the
quality assurance and improvement program to senior management and the board. It was
quality assurance and improvement program to senior management and the board. It was
observed that there was no communication of the QAIP results to the Secretary of Finance.
observed that there was no communication of the QAIP results to the Secretary of Finance.
At
Atleast
leastannually,
annually,the
theCCA
CCAmust
mustreport
reportthe
theresults ofof
results the internal
the assessment,
internal both
assessment, ongoing
both ongoing
and
and periodic monitoring, necessary action plans and their successful implementation the
periodic monitoring, necessary action plans and their successful implementation to to the
Secretary
SecretaryofofFinance.
Finance.
Regular performance monitoring is essential and performance goals can be introduced
Regular
to measureperformance monitoring
the progress of each is essential
internal and performance
auditor. goalsshould
Such indicators can becomprise
introduced
of to
quantitative as well as qualitative factors. Auditors’ work must be carefully
measure the progress of each internal auditor. Such indicators should comprise of directed,
supervised,
quantitativeand
as reviewed. There should
well as qualitative be provision
factors. Auditors’towork
systematically
must be review work
carefully for
directed,
quality assurance. Checks may be carried out at all important levels of the engagement.
supervised, and reviewed. There should be provision to systematically review work for
quality assurance. Checks may be carried out at all important levels of the engagement.
4.1 Random Checks of Audit Engagements to ensure audit quality
@CCA, Ministry of Finance, December 2019 43 36

PagePage
4.1. Random Checks of Audit Engagements to ensure audit quality
Objective To monitor/supervise internal audit engagements.

Impact Indicator No. of audit engagement checks.
Frequency Periodically (in accordance with QAIP guideline).
Outcome Errors in audit works minimized.
Timely performance evaluations would be very helpful in minimizing errors, providing

support in maintenance of performance standards, and in turn help in ensuring that audit
objectives are suitably met. The evaluations may be in the form of random checks that shall
be carried out at all levels of engagements by the seniors. An overall performance report
may be prepared based on analysis of assessments. Such performance reports should cover
all recent developments and should be submitted to the stakeholders. It should also include
feedbacks about the quality of IA work.
A brief stakeholder satisfaction survey should also be conducted as a part of the random
check of audit engagement to ensure the effectiveness of IA service provided. Such random
checks must be carried out periodically.
4.2. Quality assurance/ Assessment of IAU by CCA
Objective To ensure standard internal auditing practices in IAUs.

Impact
CCA conducts and reports on internal quality assessment.
Indicator
Frequency At least once at each IAU in every year (in accordance with QAIP guideline)
Outcome IA process conforms to Internal Auditing standards.
Performance Monitoring of internal audit services is essential to ensure the effectiveness of

internal audit services. CCA has mandate of monitoring and supervision of audit work. The
effectiveness of IA should be enhanced through regular monitoring and supervision. CCA
should perform periodic internal assessment of internal audit services once in a financial
year. CCA should prepare the report of internal assessment and submit to the respective
head of agency who will in turn evaluate the audit work based on the recommendations
given by CCA.
4.3. External Assessment
Objective To ensure quality of internal audit service.

Impact Indicator External assessment carried out periodically
Frequency Once in every five years (in accordance with QAIP guideline)
Outcome IA-CM level improved.

External quality assessment evaluates conformance of the internal audit function with the
Internal Audit Charter, Code of Ethics, Manual and BGIAS. It would be more effective and
efficient if a unified External Assessment of the overall function of the IAS within RGOB
encompassing all the IAUs are conducted. The CCA should coordinate with all IAUs and
arrange for a unified external assessment at least once every five years. The next External
Assessment is due in 2024.The CCA must propose and seek approval from MoF to hire
competent external assessor to perform external assessment.
4.4. Review and update Internal Audit Charter
Objective To review and update the Internal Audit Charter
Impact Indicator Updated Internal Audit Charter
Timeline Within six months of implementation of this strategic plan
Outcome An updated Internal Audit Charter with all relevant changes
The charter is an important document giving authority and defining the roles &
responsibilities of Internal Audit. The Internal Audit Charter issued by the RGoB needs
to be reviewed and updated to incorporate the recent changes to the IPPF (2017 Edition)
by including the mandatory elements of the IPPF specifically on the Core Principles and
Quality Assurance and Improvement Program as per the Supplementary Guidance - Internal
Audit Activity Model Charter 2017. The purpose of this Charter is to provide a framework
within which the internal audit shall function. The mandate of CCA would then depend on
the additional roles and responsibilities as per the updated Charter. The Charter will be
updated within six months of implementation of this Strategic Plan, and thereafter as and

when required.

The internal audit profession is strengthened by engaging stakeholders and providing

insight on risks impacting organizations. It is important to define stakeholders’ priority
targets, deploy appropriate messages, and leverage effective communication channels. To
achieve a high level of engagement with stakeholders for post reviewing and assessing the
current scenario, the following measures are envisioned to be followed:
5.1. Create platform for effective information sharing related to IA services

accessible by all stakeholders
Objective To improve interaction and coordination with stakeholders

Impact
Established communication channel with stakeholders
Indicator
Timeline By end of second financial year of the implementation of this strategic plan
Outcome Stakeholders well informed.
In an attempt to ease sharing of information related to IA processes, an effective

communication platform may have to be devised. It will help in disseminating information
and obtain input on specific issues that need to be dealt with. It is intended to also serve as a
platform to market the IA services of RGoB and relay audit related issues to its stakeholders.
This can be done through the following ways which can serve as outreach activities
An Internal Audit website can be created and /or
A quarterly newsletter may be published and /or
Establish a social media presence to both inform stakeholders on a timely basis (for
example, by highlighting key decisions made at meetings through podcasts), and to
enhance interaction with stakeholders (for example, by opening conversations on
various topics on social media and allowing stakeholders to respond directly with
comments). Moreover, they may serve as channels of two way communication.
Conducting outreach activity to various government agency through in person
meeting and presentation of IA services to management of government agencies.
This will also help in enhancment of trust of Internal Auditor in government
agencies. This wiil lead IA to become a trusted and valued advisor.
The above activities would institutionalize processes for partnering with stakeholders.

5.2. Establish strategic partnerships and coordination with stakeholders
Objective To establish partnerships with stakeholders and continue to retain it

Impact Number of MOUs signed, forums established, and meetings attended,
Indicator frequency of joint forums, ToR developed with ACC and RAA.
Timeline Periodically
Outcome Enhanced relationship with stakeholders
It is envisaged to enhance the existing partnerships and strive to develop new ones with
national and relevant international institutions on matters of common interests. This can
be done in the following ways:
Protocol with other control actors signed
Memorandum of Understanding (MoU) with peer Institution signed
Joint forum with public sector Internal Audit Functions and other control actors
established and sustained
Meetings of relevant professional bodies attended
Further, it is intended to extend outreach activties for alignment and coordination with
relevant stakeholders for implementation of its Strategic Plan. The outreach activities would
be built on the existing Terms of Reference (ToR) between ACC and MoF for implementation
of Corruption Risk Management (CRM) and other arrangements between ACC and MoF.
There is a tripartite collaboration between ACC, RAA and IAS of the past, which is still

relevant for internal control purpose. The ACC’s intention is to pursue on enhancing 3 Cs
(collaboration, coordination and consolidation) between ACC and IAS as desired under the
12 Five Year Plan (FYP) activities to promote good governance through reduced corruption.
In order to provide overall assurance on risk management and governance proceeses, CCA
should collaborate with RAA and develop working protocol. Further, following are the
possible key collaborations between CCA and ACC.
Collaborate on implementation of National Internal Control Framework (NICF)
across the agencies. This would help in changing the general perception that only
IAs are responsible to oversee implementation of NICF in agencies.
To implement CRM as per the ToR signed between the ACC and MoF.

5 Strategic
Risk Matrix
5. Strategic Risk Matrix

Following are the key risks in the implementation of the Strategic Plan for Internal Audit
Services in Bhutan along with likely cause & impact with possible mitigation measures. All
of these are addressed while strategizing the internal audit strategy for the period 2021-
2025 and each of these risks are mapped against the strategy as detailed in the Risk Matrix
table below:
S. Risk Description Mitigation Main linkage

No Event Cause Impact Measure with focus areas
1. Lack of Financial Failure to CCA to apprise Key focus
adequate constraints or implement the MoF to ensure area1,2,3,4
funding slow processing of strategic plan adequate funding
funds
2. Lack of Skill gap in audit Reduces Training to Key focus area 1,3
knowledge staff efficiency and staff; encourage
and skills to effectiveness professional
utilize tools certification
3. Staff shortages Hiring policy/ Inefficiency; Increase Key focus area 2
policies of RCSC persistent automation and
low staffing use of technology
may hinder to increase
implementation efficiency
of the plan
4. High staff Monetary and/ Reduces Attract and retain Key focus area 1,2
turnover or non-monetary efficiency and qualified audit
reasons effectiveness staff; Introduce
non-monetary
incentive
schemes
5. Limited Relatively new Inefficient and Expand and Key focus area 1,3
resources technology and ineffective of encourage use of
and lack of audit staff isn’t IAS delivery technology; train
knowledge of sufficiently audit staffs
Strategic Risk Matrix
data analytics familiar with the

same
6. Lack of Absence of a Lessons learned Have a proper Key focus area
effective proper feedback will not be mechanism for 4,5
feedback mechanism effectively performance
mechanism captured monitoring and
regular feedbacks

6 References
6. References
Malawi Strategic Plan for the Internal Audit Service in Central Government 2016-
2021, Republic of Malawi
IIA – “Practice Guide: Developing the Internal Audit Strategic Plan - Recommended
Guidance”
EQA 2019, IA Services, CCA, MoF, Royal Government of Bhutan
Internal Audit Manual 2012 issued by CCA for Internal Audit Services in Bhutan
Internal Audit Charter issued by Ministry of Finance for Internal Audit Services in
Bhutan
References

Central Coordinating Agency for Internal Audit Service
Ministry of Finance
Tashi Chhodzong, Thimphu, Bhutan
P.O.Box: 117
Tel: +975-02-339729/ 330173
Website: www.mof.gov.bt
Published by:
Central Coordinating Agency for Internal Audit Services
Ministry of Finance
Post box # 117
Contact: +975-02-330173
Designed at United Printing Press, [email protected]

Internal Audit Strategic Plan For FY 2021-2025: Ministry of Finance December 2019

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Internal Audit Strategic Plan For FY 2021-2025: Ministry of Finance December 2019

Uploaded by

Copyright:

Available Formats

Internal Audit Strategic Plan for

@CCA, Ministry of Finance, December 2019 Page i

@CCA, Ministry of Finance, December 2019 Page iii

List of Abbreviations and Acronyms

@CCA, Ministry of Finance, December 2019 Page v

@CCA, Ministry of Finance, December 2019 Page vii

1.1 Strategic Outcomes and Key Performance Indicators

Page 10 @CCA, Ministry of Finance, December 2019

@CCA, Ministry of Finance, December 2019 Page 11

1.2 Implementation Arrangement

Page 12 @CCA, Ministry of Finance, December 2019

@CCA, Ministry of Finance, December 2019 Page 13

2.2 Internal Audit definition and Legal Mandate

2.2.1. Definition of Internal Audit

“Internal auditing is an independent, objective assurance and consulting activity designed

Page 16 @CCA, Ministry of Finance, December 2019

2.2.2. Legal Mandate

@CCA, Ministry of Finance, December 2019 Page 17

2.3 Internal Audit service operating structure in the country

Page 18 @CCA, Ministry of Finance, December 2019

Key Internal Audit Service stakeholders include

Uphold the transparency and accountability in rendering effective internal

Provide adequate level of assurance and contribute towards effective

Making contribution to organisation overall framework of governance,

Conducting Internal Audit following the International standards and best

2.6 Scope of Strategic Plan

2.7 Purpose of Strategic Plan

2.7 Purpose of Strategic Plan

Page 20 @CCA, Ministry of Finance, December 2019

3. Strategic Planning Process

3.1 Understand the Internal Audit Services objectives

thorough understanding of the organization’s1 objectives in which it operates. Strategic

3.2 Consider the International Professional Practices Framework (IPPF)

3.3 Understand stakeholder expectations

Understanding stakeholder expectations and needs is a critical step in developing the

Page 22 @CCA, Ministry of Finance, December 2019

3.4 Update Internal Audit Vision and Mission

3.4.1. Vision Statement

Strategic Planning Process

3.4.2. Mission statement

“Enhance and protect organizational value by providing risk-based and independent

3.5 Define the critical success factors

@CCA, Ministry of Finance, December 2019 Page 23

5 Use of IT Tools Implementation of IAMS

3.6 Perform SWOT analysis

Page 24 @CCA, Ministry of Finance, December 2019

3.7 Identify Key Initiatives

3.8 Way Forward

Strategic Planning Process

@CCA, Ministry of Finance, December 2019 Page 25

3.8.1. Internal Audit Capability Model

3.8.2. Effectiveness of IAS as per PEFA assessment

Page 26 @CCA, Ministry of Finance, December 2019

4. Key Strategic Focus Areas

Internal auditors have to execute complex tasks and hence

1.1. Training of Internal Auditors

Objective To increase the competency of Internal Auditors through trainings

The Royal Government of Bhutan’s requirement as per BGIAS:

Page 28 @CCA, Ministry of Finance, December 2019

Key Strategic Focus Areas

@CCA, Ministry of Finance, December 2019 Page 29

5 Audit All Internal Intermediate Persuasive communication is an essential