STANDARD ON INTERNAL AUDIT (SIA) 140
The Internal Audit Standards Board of the Institute of Chartered Accountants of India (ICAI) invites comments on Standard on Internal Audit (SIA) 140, Governance.
Comments are most helpful if they indicate a clear rationale and, where applicable, provide a suggestion for alternative wording.
Comments can be e-mailed to either firstname.lastname@example.org or email@example.com.
Last date for sending comments is March 29, 2020.
1.1 Governance is a key concept in Internal Audit, and this Standard seeks to clarify both the concept and the responsibility of the Internal Auditor, Management, and other Stakeholders with respect to governance, keeping in mind their legal, regulatory, and professional obligations.
1.2 The definition of Internal Audit in the “Framework Governing Internal Audits” (refer Para 3.1) indicates that providing independent assurance on the effectiveness of internal controls and risk management processes, to enhance governance and achieve organisational objectives, is a key expectation from internal audit. This definition of internal audit elaborates on the term “Governance” by clarifying how this is a critical element of the company and its various stakeholders.
1.3 Scope: This Standard applies to all internal audits conducted where governance activities and the governance framework are a subject matter of an audit and are being assessed, evaluated and reported on by the Internal Auditor.
2.1 The purpose of this Standard is to:
(a) Provide a common terminology by defining governance terms to prevent ambiguity or confusion on the subject matter;
(b) Explain the responsibilities of the Board of Directors and management with regard to governance, as mandated by law and regulations; and
(c) Specify responsibilities of the Internal Auditor, especially when providing independent assurance on the governance framework.
2.2 The overall objective of this Standard is to clarify the responsibilities of management and auditors towards various governance stakeholders (both internal and external), and the requirements which need to be met to assess, evaluate, report and provide independent assurance over the governance framework.
3.1 Governance is defined as a set of relationships between the company and its various stakeholders (both internal and external), and provides the structure through which the company’s objectives are achieved. The relationship and structure help to guide the behaviour of individuals and groups in the right direction. The following are well accepted underpinnings of good governance:
3.2 Governance ensures that everyone is aligned to the best interest of the organisation, and does what they are supposed to do, to help achieve its objectives. Governance framework refers to the whole structure, systems and processes put in place to organise the various governance activities and to integrate them seamlessly into the organisation.
3.3 Governance activities, forming part of the framework, are designed to enhance the organisation’s ability to, amongst others:
(a) Provide strategy, leadership and direction;
(b) Nurture a culture of values and ethics;
(c) Be sensitive to multiple stakeholder interests;
(d) Promote collaborative decision making;
(e) Provide structure and design to organisation resources and their deployment;
(f) Prevent undue concentration of power with few;
(g) Encourage risk-based prioritisation, consistency and efficiency in business processing;
(h) Support resource development in the area of good governance;
(i) Exercise judicious monitoring and oversight on business and individual performance; and
(j) Ensure full and transparent communication and reporting.
All these initiatives generally form part of the Entity Level Controls (ELCs) which are essential to the overall internal audit agenda.
4.1 The responsibility of the Board of Directors in the area of governance is generally established by the prevailing laws of the nation, and that of the management by both the prevailing laws and the oversight of the Board of Directors. These responsibilities, such as those prevailing in India, are presented below.
4.2 Companies Act, 2013 imposes overall responsibility on the Board of Directors with regard to governance and specifically towards the Company’s stakeholders. Section 166, Duties of Directors states,
(2) A director of a company shall act in good faith in order to promote the objects of the company for the benefit of its members as a whole, and in the best interests of the company, its employees, the shareholders, the community and for the protection of environment.
4.3 More specifically, Schedule IV of Companies Act, 2013 on “Code for Independent Directors”, Section I, Guidelines of Professional Conduct, requires them to,
(9) assist the company in implementing the best corporate governance practices.
4.4 For listed companies, as per The Securities and Exchange Board of India (Listing Obligations and Disclosure Requirements) Regulations, 2015 (“LODR”), the Board of Directors of the Company has additional responsibilities on governance. Chapter II, Regulation 4(2)(f) of LODR mandates the responsibilities of the Board of Directors, as:
(ii) Key functions of the board of directors –
(2) Monitoring the effectiveness of the listed entity’s governance practices and making changes as needed.
In addition, under the same regulation, it states,
(i) Other responsibilities –
(2) The board of directors shall set a corporate culture and the values by which executives throughout a group shall behave.
4.5 For listed companies, the LODR has an exhaustive list, as per Schedule II: Corporate Governance, which stipulates various requirements and good governance practices in this area. Without enumerating them here, it is pertinent to note a few provisions, which are most relevant to internal audit:
(a) Part C. Section A. The role of the audit committee shall include the following:
(12) reviewing, with the management, performance of statutory and internal auditors, adequacy of the internal control systems;
(13) reviewing the adequacy of internal audit function, if any, including the structure of the internal audit department, staffing and seniority of the official heading the department, reporting structure coverage and frequency of internal audit;
(14) discussion with internal auditors of any significant findings and follow up there on;
(15) reviewing the findings of any internal investigations by the internal auditors into matters where there is suspected fraud or irregularity or a failure of internal control systems of a material nature and reporting the matter to the board;
(b) Part C. Section B. The audit committee shall mandatorily review the following information:
(4) internal audit reports relating to internal control weaknesses; and
(5) the appointment, removal and terms of remuneration of the chief internal auditor shall be subject to review by the audit committee.
4.6 Hence, governance is seen as an essential element of business functioning, and internal audit as a key element of governance. Therefore, the overall responsibility for developing, implementing and monitoring the governance framework rests with the Board of Directors and management.
5.1. The nature and extent of internal audit procedures to be conducted in the area of governance is dependent on the framework in place and the maturity of the processes. Where management has implemented a formal governance framework, and unless specifically excluded from the audit scope (or technically not feasible), the Internal Auditor shall plan and perform internal audit procedures to evaluate the design, implementation and operating effectiveness of such framework so as to provide independent assurance to management and to those charged with governance (refer Para 6.1).
5.2. Where no formal governance framework exists, the Internal Auditor shall design and conduct audit procedures with a view to highlight any exposures arising from weak or absent governance activities and processes, make recommendations to implement and strengthen those processes and thereby, improve governance (refer Para 6.2).
5.3. Where the independent assurance requires the issuance of an audit opinion over the design, implementation and operating effectiveness of governance, this shall be undertaken in line with the requirements of SIA 110, “Nature of Assurance”, especially with regard to the need to have a formal governance framework in place, which shall form the basis of such an assurance (refer Para 6.3).
5.4. The Internal Auditor shall not assume any responsibility to manage or operate the Governance framework or to take governance related decisions. The focus of the audit procedures is on the process of governance and not the outcome of the process, such as second guessing or questioning the actions or decisions of the governing bodies. Neither is it the responsibility of the Internal Auditor to execute or resolve governance related risks.
6.1. Auditing the Governance Framework (refer Para 5.1): Where there is a formal governance framework in place, the work to be performed by the Internal Auditor shall be directed to ensure that, amongst others:
(a) The organisation has designed the framework consistent with best-in-class and globally recognised frameworks;
(b) The organisation has implemented various enabling mechanisms, such as:
(i) Shared organisation vision, mission, objectives, goals and targets;
(ii) Established a code of conduct or ethics and a whistleblower mechanism;
(iii) Acts to identify and address the concerns, and balance the needs, of various stakeholders (internal and external), through open communication and discussion;
(iv) Formed active and functioning governing bodies with defined agendas;
(v) Shared organisation design and structure with clearly defined roles and responsibilities of each position;
(vi) Delegated power and authority through a formal document, duly approved by the Board;
(vii) Deployed risk-based systems and processes using, where possible, technology as a foundation;
(viii) Conducts regular training programs to develop staff awareness and competency in the area of good governance;
(ix) Continuously tracks business performance against budgets and goals with adequate reviews and oversight mechanisms; and
(x) Undertakes active communication and periodic reporting of governance matters to those charged with governance and other stakeholders.
The Internal Auditor will review the governance system and processes in place to evaluate whether they are operating in an effective and efficient manner and help to ensure full compliance. Any shortcoming shall result in recommendations for improvement and suggestions on how to make the governance framework more efficient and effective in line with stated objectives.
6.2. Auditing Governance Activities and Processes (refer Para 5.2): Where management has not implemented any formal governance framework, the Internal Auditor will conduct audit procedures over the various governance related activities which may be present (similar to those indicated under Para 3.3, above). These activities may be supported by certain enabling systems and processes (similar to those indicated under Para 6.1, above), which may be recommended as desirable actions to be undertaken to establish a formal framework.
6.3. Independent Assurance over Governance Framework (refer Para 5.3): In situations where a written assurance report is being issued, the Internal Auditor shall consider the following (as a basis for his opinion):
(a) The linkage of the governance framework with other frameworks such as the Risk, Compliance, Fraud, or Information Technology frameworks which may exist.
(b) The system of compliance certification on governance matters.
(c) The process in place for self-assessment and certification from governance owners as part of a continuous system of compliance.
7.1. This Standard is applicable for internal audits beginning on or after a date to be notified by the Council of the Institute.