EXPOSURE DRAFT
STANDARD ON INTERNAL AUDIT (SIA) 150
COMPLIANCE WITH LAWS AND REGULATIONS*
The Internal Audit Standards Board of the Institute of Chartered Accountants of India (ICAI) invites comments on Standard on Internal Audit (SIA) 150, Compliance with Laws and Regulations.
Comments are most helpful if they indicate a clear rationale and, where applicable, provide a suggestion for alternative wording.
Comments can be e-mailed either at cia@icai.in or iasb.program@icai.in
Last date for sending comments is March 29, 2020.
*Note: This Standard on Internal Audit (SIA) 150 seeks to revise and supersede Standard on Internal Audit (SIA) 17, Consideration of Laws and Regulations in an Internal Audit, issued in January 2010 (in recommendatory form by the Board). This SIA will become mandatory from its effective date.
Page Contents
1. Introduction
1.1 Compliance is a key concept in Internal Audit and this Standard seeks to clarify both, the concept and the responsibility of the Internal Auditor, Management and other Stakeholders, with respect to Compliance with Laws and Regulations (CLR), in line with their professional obligations.
1.2 Definition of Internal Audit in the “Framework Governing Internal Audits” (refer Para 3.1), indicates providing independent assurance on the effectiveness of internal controls and risk management processes to enhance governance and achieve organisational objectives as a key expectation from internal audit. This definition elaborates on the term Governance by clarifying how it includes “compliance with laws and regulations”.
1.3 Scope: This Standard applies to all internal audits conducted where compliance activities and framework is a subject matter of an audit, and is being assessed, evaluated and reported on by the Internal Auditor.
2. Objectives
2.1 The purpose of this Standard is to:
(a) Provide a common terminology by defining compliance terms to prevent ambiguity or confusion on the subject matter;
(b) Explain the responsibilities of the Board of Directors and management with regard to compliance, as mandated by law and regulations; and
(c) Specify responsibilities of the Internal Auditor, especially when providing independent assurance on the compliance framework.
2.2 The overall objective of this Standard is to clarify the responsibilities of management and auditors over CLR, and the requirements which need to be met to assess, evaluate, report and provide independent assurance over the compliance framework.
3. Definition
3.1 Compliance is a term used to describe the process of following, in letter and spirit, the applicable laws and regulations. Any act contrary to the laid down laws and regulations, either through omission or commission and performed intentionally or unintentionally is a Non-Compliance (or violation) and may result in fines, penalties, litigation or other such consequences.
3.2 Compliance framework refers to the whole structure, systems and processes put in place to organise the various compliance activities and to integrate them seamlessly into the organisation.
3.3 Compliance activities, forming part of the framework, are designed to enhance the organisation’s ability to, amongst others:
(a) Provide strategy, leadership and direction on compliances;
(b) Establish a culture of compliance throughout the organisation;
(c) Provide an organisation structure for assigning compliance resources and defining their responsibilities;
(d) Capture and maintain a comprehensive database of all compliance requirements;
(e) Encourage risk-based time prioritisation and effective completion of all compliance requirements;
(f) Ensure expertise and competence in the area of compliances;
(g) Exercise continuous monitoring and oversight on compliance completion; and
(h) Periodic communication of compliance matters and formal reporting of compliance status to management and those charged with governance.
4. Responsibility of the Board and Management
4.1 The responsibility of the Board of Directors in the area of compliance is generally established by the prevailing laws of the nation and that of the management, by both the prevailing laws and the oversight of the Board of Directors. These responsibilities, such as those prevailing in India, are presented below.
4.2 Companies Act, 2013, imposes overall responsibility on the Board of Directors with regard to Compliance. Section 134 (5) concerning Directors’ Responsibility Statement, clause (f) thereof, stipulates the compliance requirements as follows:
“the directors had devised proper systems to ensure compliance with the provisions of all applicable laws and that such systems were adequate and operating effectively”.
4.3 Similarly, Section 205 of Companies Act, 2013 on “Functions of company secretary”, states:
(1) The functions of the company secretary shall include, –
(a) to report to the Board about compliance with the provisions of this Act, the rules made thereunder and other laws applicable to the company;
4.4 For listed companies, as per The Securities and Exchange Board of India (Listing Obligations and Disclosure Requirements) Regulations, 2015 (“LODR”), the Board of Directors of the Company have additional responsibilities on Governance. Chapter II, Regulation 4(2)(f) of LODR mandates the responsibilities of the Board of Directors, as:
(ii) Key functions of the board of directors –
(7) Ensuring the integrity of the listed entity’s accounting and financial reporting systems, including the independent audit, and that appropriate systems of control are in place, in particular, systems for risk management, financial and operational control, and compliance with the law and relevant standards.
In addition, under Chapter III, Section 6, it states,
(1) A listed entity shall appoint a qualified company secretary as the compliance officer.
Finally, under Chapter IV, Section (17), it states,
(3) The board of directors shall periodically review compliance reports pertaining to all laws applicable to the listed entity, prepared by the listed entity as well as steps taken by the listed entity to rectify instances of non-compliances.
(8) The chief executive officer and the chief financial officer shall provide the compliance certificate to the board of directors as specified in Part B of Schedule II.
4.5 Hence, compliance is seen as an essential element of business functioning, with severe consequences and penalties for non-compliance. Therefore, the overall responsibility for developing, implementing and monitoring the compliance framework rests with the Board of Directors and Management.
5. Responsibility of the Internal Auditor
5.1. The nature and extent of internal audit procedures to be conducted in the area of compliance is dependent on the framework in place and the maturity of the processes. Where management has implemented a formal compliance framework, and unless specifically excluded from the audit scope (or technically not feasible), the Internal Auditor shall plan and perform internal audit procedures to evaluate the design, implementation and operating effectiveness of such framework so as to provide independent assurance to management and to those charged with governance (refer Para 6.1).
5.2. Where no formal compliance framework exists, the Internal Auditor shall design and conduct audit procedures with a view to highlight any exposures arising from weak or absent compliance activities and processes, make recommendations to implement and strengthen those processes and thereby, improve compliance (refer Para 6.2).
5.3. Where the independent assurance requires the issuance of an audit opinion over the design, implementation and operating effectiveness over compliance, this shall be undertaken in line with the requirements of SIA 110, “Nature of Assurance”, especially with regard to the need to have a formal compliance framework in place, which shall form the basis of such an assurance (refer Para 6.3).
5.4. While the primary objective of an internal audit is to strengthen the system and process of compliance, there may be instances where the Internal Auditor is asked to undertake compliance audit assignments with the primary objective of identifying any instances of non-compliances. In such situations, and where no formal compliance framework is in place, the Internal Auditor may not be able to provide a written opinion in line with requirements of SIA 110 “Nature of Assurance”. Nevertheless a Summary of Findings may be possible, listing any instances of non-compliance identified as a result of the internal audit procedures undertaken. These findings shall be reported along with the following:
- the scope, listing all the specific laws and regulations tested;
- audit procedures performed, sample selected, and population covered;
- summary of the work performed; and
- limitations, if any, on the responsibilities assumed by the internal Auditor, such as inherent limitations in sample selection, or that a court of law is the ultimate authority in establishing legal interpretation of non-compliance, etc.
5.5. The Internal Auditor shall not assume any responsibility to manage or operate the compliance framework (e.g., to act in the capacity of a chief compliance officer, to take ownership of the compliance tracking system, etc.) or to take compliance related decisions (e.g., to accept the risk of non-compliance). Neither is it the responsibility of the Internal Auditor to execute or resolve compliance related risks (e.g., engaging directly with regulators, etc.).
6. Explanatory Comments
6.1. Auditing the Compliance Framework (refer Para 5.1): Where there is a formal compliance framework in place, the work of the Internal Auditor shall be directed to ensure that, amongst others:
(a) The organisation has designed the framework consistent with best-in-class and globally recognised frameworks;
(b) The organisation has implemented various enabling mechanisms, such as:
(i) Issued compliance policies and implemented supporting procedures;
(ii) Set the right “tone at the top” with supporting messages/ activities;
(iii) Designed compliance structure, appointed compliance officers and assigned each compliance to a specific “compliance owners”;
(iv) Identified all laws and regulations applicable to the entity (created a database of compliances), risk assessed each for importance and priority, and embedded them into the relevant processes;
(v) Regularly conduct training programs for compliance officers and owners, covering knowledge and competency for effective compliance;
(vi) Implemented robust compliance systems, deploying technology (where possible), to monitor their progress and track their status, to document timely completion with relevant proofs and artefacts and to support timely escalations in case of slippages;
(vii) Continuously tracks performance against compliance targets and goals with sufficient reviews and oversight mechanisms;
(viii) Established timely communication and periodic reporting systems and protocols, including issuance of self-assessment and compliance certificates.
(c) The compliance system and processes in place are operating in an effective and efficient manner and help to ensure full compliance.
Any shortcoming shall result in recommendations for improvement and suggestions on how to make the compliance framework more efficient and effective in line with stated objectives.
6.2. Auditing Compliance Activities and Processes (refer Para 5.2): Where management has not implemented any formal compliance framework, the Internal Auditor will conduct audit procedures over various compliance related activities which may be present (similar to those indicated under Para 3.3, above). These activities may be supported by certain enabling systems and processes (similar to those indicated under Para 6.1, above) and which may be recommended as desirable actions to be undertaken to establish a formal framework.
6.3. Independent Assurance over Compliance Framework (refer Para 5.3): In situations where a written assurance report is being issued, the Internal Auditor shall consider the following (as a basis for his opinion):
(a) The linkage of the compliance framework with other frameworks like the Risk, Governance, Fraud, or Information Technology frameworks which may exist.
(b) The process in place for self-assessment and certification from compliance owners as part of a continuous system of compliance.
7. Effective Date
7.1. This Standard is applicable for internal audits beginning on or after a date to be notified by the Council of the Institute.
