Internal Audit & Risk Department

 Background and History

  • The FRA business processes arise from the key mandate of Administering National Strategic Food Reserves, Management of Storage Facilities and Market Facilitation.


  • Audit and Risk department (ARD) is one of the five departments in the Agency. The department was established in the year 2006. Its functions are legitimized through the Public Finance Act 2004 and the Audit Charter which is approved by the Audit and Risk Committee of the board.


  • The Head of Audit and Risk in the Agency has two reporting lines to the Executive Director and the Audit and Risk Committee of the Board.



The functions of FRA Audit and Risk Department can typically be classified into three (3) categories namely; assurance services, consulting and risk management services. See the table below.


  Assurance Services Consulting Services
  i.)    Assurance services are concerned with objective examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes in the FRA business processes


i.)       Consulting services on the other hand are intended to add value and improve the FRA’s governance, risk management, and control processes without the internal auditor assuming management decision making responsibility.


  ii.)   This independent assessment and subsequent audit opinion is mainly provided for those charged with oversight over the various functions and the organization as a whole. Thus, three parties are involved in an assurance engagement; these are the internal auditor, the auditee and the user of the audit findings who are Management and the FRA Board through its Audit and Risk Committee ii.)      Consulting engagements are mainly advisory, perceiving internal business process owners as clients, the nature and scope of which are agreed with the auditee (internal client). Thus, whereas three parties are involved in an assurance engagement, only two are involved in a consulting engagement – the auditor and the internal client.


The FRA ARD endeavors to abide by the institute of internal auditors guidance on internal auditing which defines internal auditing as “an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”



The FRA AR department has a total establishment of Seventeen (17) positions with offices in Lusaka and Copperbelt provinces. The structure of the department is depicted in the figure below;

Risk management

In the FRA, the anchor of Enterprise Risk Management function is the Internal Audit and Risk department. Some significant steps have already been taken by the Agency in this regard as follows;

  • The FRA 2014 – 2018 Strategic Plan outlines strategies regarding the implementation and realization of ERM in the Agency using internal audit as focal department.


  • A risk management policy which provides a framework for embedding enterprise risk management in the Agency is in place,


  • The Audit and Risk Committee of the board presides over Enterprise Risk Management of the Agency.

Common misconceptions about auditors

Myths can tell us how others see the world. But at times it seems that the most inaccurate myths are the most difficult to dispel. Listed below are some of the common myths about auditors.


  • Auditors are nitpickers and fault-finders
  • It’s best not to tell the auditors anything unless they specifically ask you.
  • Internal auditors are always out to create problems for others.
  • Internal audit is the corporate “police function”.

Example of Activities

Under Assurance, the department executes both planned and spot check reviews of operations or activities performed by various departments and units in the Agency and these reports are shared with management and ultimately the Audit and Risk Committee of the Board. One of the major reviews is the crop marketing business process audit reviews as depicted in figure 1 below.


FRA internal auditors conducting an assurance engagement at a remote location in North Western province.




Consulting services is one of the two services whose main purpose is to provide value and opportunity for business partnering. For instance auditors provide training and facilitation workshops on risk and controls as depicted in figure 2 below;


FRA internal auditor making a presentation on risks and controls to operations staff  as part of consulting engagement with the Food Reserve and Marketing department in Eastern Province.




Q1.    What role does Internal Audit play in the processing of payments in the Agency?

A1.     Payment vouchers (P.V) are reviewed by audit staff before final payment is made. The review takes the form of re-computing the figures on the P.V, checking supporting documents and also checking whether the necessary authorization or control procedures have been followed before payments are made.


Q2     We are made to understand that pre audit of payments compromise the independence and objectivity of the auditor?

A2.     In the Agency the pre audit of payments is being done as a consulting engagement and safe guards have been taken to ensure that erosion of independence and objectivity is minimized. Further, this engagement will be discontinued as soon as the Sage 300 ERP is fully implemented in the Agency and operationalized.


Q3.    Why don’t you want to meet the clients so that you can explain the queries in person?

A3.     We do not meet external clients, our role is to review whether controls are being adhered to in the payment process. Our clients are basically the members of staff involved in implementing the controls during the payment process.


Q4.    Why is it that in your audit reports you only highlight the negatives?

A4.     Because our aim is to ensure that the controls in the organization are working effectively; hence the need to identify and report on areas where the controls are weak to enable them to be strengthened. However, we do provide an audit opinion to indicate satisfactory performance in an area being audited and this is done in every report.


Q5.    Are Auditors looking for fraud when performing audits?

A5.     Auditors are not specifically searching for the existence of fraud when performing audits. We are more concerned with ensuring that adequate systems of internal control exist to reduce the risk of fraud. In situations where internal controls are weak, our testing is designed to determine if indications of fraud exist.