Standard on Internal Audit (SIA) 2, Basic Principles Governing Internal Audit, was originally issued by the Board in August, 2007 and was recommendatory in nature. The revised Basic Principles of Internal Audit is being issued as an overarching document for all the Standards on Internal Audit, and shall become mandatory from such date as notified by the Council.
1.1 There is a set of core principles fundamental to the internal audit function and activities. These basic principles of internal audit are critical to achieving the desired objectives as set out in the Definition of Internal Audit.
1.2 Scope: All internal audits shall be performed based on these basic principles, and departures from these principles shall be appropriately disclosed in the internal audit report or other similar communication.
2.1 The main objective of the basic principles is to ensure that:
(i) All internal audits are conducted with certain fundamental features designed to:
(ii) Outcome of internal audits is of quality and is in line with the set objectives.
The Internal Auditor shall be free from any undue influences which force him to deviate from the truth. This independence shall be not only in mind, but also in appearance. Also, the internal auditor shall resist any undue pressure or interference in establishing the scope of the assignments or the manner in which these are conducted and reported, in case these deviate from set objectives.
The independence of the internal audit function as a whole, and the Internal Auditor within the organisation, plays a large part in establishing the independence of the Internal Auditor. The overall organisation structure of key personnel, the position and reporting of the Chief Internal Auditor within this structure, along with the powers and authority which are derived from superiors, further establish the independence of the Internal Auditor.
The reporting of the Internal Auditor shall be to the Board of Directors, or the Audit Committee, who are responsible to appoint the Internal Auditors as per Rule 8 of “The Companies (Meetings of Board and its Powers) Rules, 2014”. Many times the Internal Auditor has a dual reporting responsibility, wherein the administrative reporting is to an executive officer (e.g., MD or CEO), but functional reporting to the Chairman of the Audit Committee, which is the acceptable norm. Therefore, the internal audit function shall be positioned outside the functions which are subject to internal audit (e.g., Finance and Accounts) and the Internal Auditor shall report directly to the highest governing body of the Company as stated above.
At times, the Internal Auditor is exposed to a different type of risk to independence, whereby management seeks active business support from the Internal Auditor. Apart from providing basic assurance and advisory inputs, the Internal Auditor is assigned certain operational responsibilities (such as risk management, compliance, system automation, process re-engineering, etc.). Although some limited operational role may be acceptable with due approvals, and for a short duration, the Internal Auditor shall do so only after communicating his limitations along the following lines:
(a) Unable to assume ownership or accountability of the process; and
(b) Inability to take operational decisions which may be subject to an internal audit later on.
The Internal Auditor shall be honest, truthful and be a person of high integrity. He shall operate in a highly professional manner and be seen to be fair in all his dealings. He shall avoid all conflicts of interest and not seek to derive any undue personal benefit or advantage from his position.
The Internal Auditor shall conduct his work in a highly objective manner, especially in gathering and evaluating facts and evidence. He shall not allow prejudice or bias to override his objectivity, especially in arriving at conclusions or reporting his opinion.
The Internal Auditor shall exercise due professional care and diligence while carrying out the internal audit. “Due professional care” signifies that the Internal Auditor exercises reasonable care in carrying out the work to ensure the achievement of planned objectives.
The Internal Auditor shall pay particular attention to certain key audit activities, such as establishing the scope of the engagement to prevent the omission of important aspects, recognizing the risks and materiality of the areas, having required skills to review complex matters, establishing the extent of testing required to achieve the objectives within specified deadlines, etc.
“Due Professional Care”, however, neither implies nor guarantees infallibility, nor does it require the Internal Auditor to go beyond the established scope of the engagement.
The Internal Auditor shall, at all times, maintain utmost confidentiality of all information acquired during the course of the audit work. He shall not disclose any such information to a party outside the internal audit function and any disclosure shall be on a “need to know basis”.
The Internal Auditor shall keep confidential information secure from others. Under no circumstance shall any confidential information be shared with third parties outside the company, without the specific approval of the Management or Client or unless there is a legal or a professional responsibility to do so (e.g., to share information with Statutory Auditors). Internal audit reports shall be addressed to specified internal auditees and distributed to only those who appointed or engaged the Internal Auditor and as per their directions.
The Internal Auditor shall have sound knowledge, strong inter-personal skills, practical experience and professional expertise in certain areas and other competence required to conduct a quality audit. He shall undertake only those assignments for which he has the requisite competence.
The Internal Auditor shall either have, or shall obtain, such skills and competencies, as necessary for the purpose of discharging his responsibilities. Continuing Professional Education is a key part of this exercise. In addition to the basic technical skills, the Internal Auditor shall have the softer skills (such as interpersonal and communication skills) required to engage with a multitude of stakeholders.
Where the Internal Auditor lacks certain expertise, he shall procure the required skills either through in-house experts or through the services of an outside expert, provided independence is not compromised. The objective is to ensure that the audit team as a whole has all the expertise and knowledge required for the area under review.
The Internal Auditor shall identify the important audit areas through a risk assessment exercise and tailor the audit activities such that the detailed audit procedures are prioritised and conducted over high risk areas and issues, while less time is devoted to low risk areas through curtailed audit procedures. Additionally, this approach shall ensure that risks under consideration are more aligned to the overall strategic and company objectives rather than narrowly focused on process objectives.
A risk-based audit shall ensure the following three-fold objectives:
(a) Audit procedures need not cover the whole process and can be limited only to the important controls in the process;
(b) Establish linkage to the aspects relevant and connected with company and functional objectives; and
(c) Findings and issues highlighted are significant and important and time is not devoted to areas with low probability of significant observations.
An Internal Auditor shall adopt a system and process focused methodology in conducting audit procedures. This methodology is more sustainable than the one adopted to test transactions and balances as it goes beyond “error detection” to include “error prevention”. It requires a root cause analysis to be conducted on deviations to identify opportunities for system improvement or automation, to strengthen the process and prevent a repetition of such errors.
Deployment of Information Technology by companies is widely prevalent and should be understood for effective internal audits. This is a more sustainable approach as this helps the Internal Auditor to move away from “people to process” and from “detection to prevention”.
In conducting internal audit assignments, the Internal Auditor shall avoid passing any judgement or rendering an opinion on past management decisions. As part of his advisory role, the Internal Auditor shall avoid participation in operational decision making which may be the subject of a subsequent audit.
The focus of the Internal Auditor shall remain with the quality and operating effectiveness of the decision making process and how best to strengthen it, such that the chance of flawed or erroneous decisions is minimised. However, the Internal Auditor is at full liberty to present the lessons which can be learnt from such past decisions.
The Internal Auditor shall evaluate the implications of his observations and recommendations on multiple stakeholders, especially where diverse interests may be conflicting in nature. In such situations, the Internal Auditor shall remain objective and present a balanced view. This would permit senior management to make a decision using all the information and balance the strategy and objectives of the company with the expectations and interests of its multiple stakeholders.
The quality of the internal audit work shall be paramount for the Internal Auditor since the credibility of the audit reports depends on the reliability of reported findings. The Internal Auditor shall have in place a process of quality control to:
(a) ensure factual accuracy of the observations;
(b) validate the accuracy of all findings; and
(c) continuously improve the quality of the internal audit process and the internal audit reports.
The Internal Auditor shall ensure that a self-assessment mechanism is in place to monitor his own performance and also that of his subordinates and external experts on whom he is relying to complete some part of the audit work. A peer review mechanism for quality control shall be followed to adhere to all aspects of the pronouncements issued by the ICAI.
The Basic Principles of Internal Audit are applicable for all internal audits beginning on or after a date to be notified by the Council of the Institute.
* Issued in November, 2018.