EXPOSURE DRAFT
PROPOSED REVISION TO
STANDARD ON INTERNAL AUDIT (SIA) 000
PLANNING THE INTERNAL AUDIT ASSIGNMENT *
The Internal Audit Standards Board (IASB) of The Institute of Chartered Accountants of India (ICAI) invites comments on proposed revision of the Standard on Internal Audit (SIA) 000 – Planning the Internal Audit Assignment.
Comments are most helpful if they indicate a clear rationale and, where applicable, provide a suggestion for alternative wording.
Comments can be e-mailed either at cia@icai.in; or at iasb.program@icai.in Last date for sending comments is June 15, 2018.
NOTE (*): This Standard on Internal Audit (SIA 000) seeks to revise and supersede some part or all of the following current SIAs (issued in recommendatory form):
1) SIA 1: Planning an Internal Audit, issued in August 2006.
2) SIA 15: Knowledge of the Entity and its Environment, issued in March 2009.
This SIA will finally be issued as a mandatory standard from its effective date.
STANDARD ON INTERNAL AUDIT (SIA) 000
PLANNING THE INTERNAL AUDIT ASSIGNMENT
This Standard on Internal Audit (SIA) 000, “Planning the Internal Audit Assignment”, issued by the Council of the Institute of Chartered Accountants of India should be read in conjunction with the “Preface to the Standards on Internal Audit”, “Framework governing Internal Audits” and “Basic Principles of Internal Audit” issued by the Institute.
1. INTRODUCTION
1.1 Internal Audit Planning is conducted at two levels:
(a) An overall internal audit plan for the whole entity is prepared for a given period of time (usually a year) and presented to the highest governing body responsible for internal audits, normally, the Board of Directors, or the Audit Committee.
(b) A number of specific internal audit plans are prepared for individual assignments to be undertaken covering parts of the entity or certain specific areas and functions of the entity and presented to the Head of Internal Audit.
1.2 This Standard on Internal Audit (SIA) covers the second level, the Planning the Internal Audit Assignment for a particular part of the entity. A separate SIA covers the first level, Conducting Overall Internal Audit Planning of the entity as a whole.
1.3 Planning the Internal Audit Assignment involves the following key elements:
(a) It is a sub-set of the Overall Internal Audit Plan;
(b) It is undertaken prior to the beginning of a particular assignment during the course of the plan period;
(c) Assignments are specific to a part or unit of the entity, covering a particular area, function, business unit or a subsidiary of the entity;
(d) It is specific in nature, covers the manner in which a particular audit assignment will be conducted with details of the Unit under review, along with sub-areas or processes to be audited;
(e) Assignments are generally completed during a short period of time;
(f) It is prepared by the internal auditor responsible for the assignment (or the Engagement Staff where an external service provider is appointed to conduct internal audits).
(i) The outcome of this exercise is generally in the form of an “Internal Audit Assignment Plan”.
2. OBJECTIVES
2.1 The objectives of an Internal Audit Assignment Plan are to:
(a) ensure its alignment with the objectives of the Overall Internal Audit (Engagement) Plan and also in line with stakeholder expectations;
(b) ensure that the scope, coverage and methodology of the audit procedures will form a sound basis for providing reasonable assurance;
(c) allocate adequate time and resources to important aspects of the assignment and assign appropriate skills to complex areas and issues;
(d) ensure audit procedures are conducted in an efficient and effective manner; and
(e) ensure the audit assignment will conform with the applicable pronouncements of the Institute of Chartered Accountants of India (ICAI).
3. REQUIREMENTS
3.1 The assignment planning exercise shall follow a laid down process (Para 4.1), the outcome of which shall be a comprehensive written document (Para 4.8) containing all the essential elements required to help achieve the objectives of assignment planning as outlined under Section 2 above. Technology deployment (Para 4.6) and resource allocation (Para 4.7) shall form essential elements of the Internal Audit Assignment Plan.
3.2 The Internal Audit Assignment Plan shall be reviewed and approved by the Chief Internal Auditor (or Engagement Partner, in case of external service provider).
3.3 A comprehensive knowledge of the Unit under review, its business and operating environment shall be undertaken to make a determination of the nature of audit procedures and tests to be conducted (Para 4.2). As part of the planning process, a discussion with management and process owners shall be undertaken to understand intricacies of each process subject to review (Para 4.3).
3.4 A risk based planning exercise shall form the basis of the Internal Audit Assignment Plan. The Internal Auditor shall undertake an independent risk assessment exercise to prioritise and focus audit work on high risk areas and processes, with due attention given to matters of importance, complexity and sensitivity (Para 4.4).
3.5 An audit methodology shall be established (Para 4.5) together with the depth and nature of audit procedures to be conducted both of which shall be documented in an Internal Audit Programme (IAP). All audit procedures completed shall be evidenced in the IAP with at least one level of review and approval.
3.6 The Internal Audit Assignment Plan shall be continuously monitored during the execution phase for achievement and to identify any deviations. Certain deviations may require to be notified to the stakeholders or even require a formal modification to the plan. However, any major modification to the plan shall be done only after consultation with those who approved the original plan. Such changes shall be formally documented and communicated to all impacted stakeholders.
4. EXPLANATORY COMMENTS
4.1 The Planning process (Para 3.1): The internal auditor conducting the Internal Audit Assignment Planning shall use professional judgement for the process to be followed in completing all essential planning activities. A documented assignment planning process shall be in place which stipulates the essential inputs, steps to complete the planning and the nature of output required to conduct a comprehensive planning exercise.
4.2 Knowledge of the Business and its Environment (Para 3.3): The internal auditor shall gather all the information required to fully understand the Unit’s business environment, the risks it faces, the legal and regulatory requirements and its day to day operational challenges.
The extent of information required shall be sufficient to enable the internal auditor to identify matters which have a significant effect on the Unit’s financials and operations. Hence, there is a need to connect the financial aspects of the Unit’s business with the entity’s business elements, as well as external elements such as industry dynamics, business model, operational intricacies, legal and regulatory framework and the system and processes in place to run its operations.
4.3 Discussion with management (Para 3.3): A key element of planning involves extensive discussion and deliberation with all stakeholders, including Unit’s executive management, risk owners, process owners, department heads etc. Their inputs are critical in understanding intricacies of the assignment, in identification of matters of relevance and to align stakeholder expectations with audit objectives.
4.4 Risk Assessment (Para 3.4): An internal auditor shall undertake an independent risk assessment of all aspects of the Unit under review and align this with the risk assessment conducted by management. This is required to prioritise and focus audit work on high risk parts of the Unit, with due attention given to matters of importance, complexity and sensitivity. Basis this exercise, key risk mitigations (or internal controls) are identified for testing the effectiveness of operation. Absence of any risk mitigations (or missing controls) could point towards process design gaps which shall be validated and reported.
4.5 Audit methodology and depth of coverage (Para 3.5): The basic internal audit methodology generally undertaken involves the performance of Compliance procedures over transactions and balances so as to identify deviations from the laid down policies and procedures.
However, the Framework governing Internal Audits, issued by the ICAI, requires the conduct of risk based audits with a system and process focus. Therefore, the depth of coverage shall go beyond basic compliance and could be expanded (for example) as follows:
(a) Application of a basic process review methodology which tests the design and operating efficiency of internal controls, questions the process design and explores better and more efficient ways of transaction processing;
(b) Deploying a risk based process review methodology which helps to link the internal controls to particular vulnerabilities, evaluate the effectiveness of internal controls, even question the process in place and help identify alternative mitigations;
(c) Entity level control review methodology can be deployed to provide a more holistic evaluation of governance processes such as culture, organisation structure, oversight mechanisms and performance measurement.
The Internal Audit Assignment Plan shall align the audit methodology and depth of coverage (as indicated above) with the assurance to be provided. A detailed Internal Audit Programme (IAP) is required to document all the audit procedures to be conducted for each audit objective, in line with the audit methodology adopted
4.6 Technology deployment (Para 3.1): A key element of the internal audit assignment planning exercise involves understanding the extent to which:
(a) The Unit has deployed Information Technology (IT) in its business, operations and transaction processing, especially if it is unique and different to the overall entity; and
(b) The auditor needs to deploy IT tools, data mining & analytic procedures, and the expertise required for its audit activities and testing procedures.
This helps to design and plan the audit and testing procedures more efficiently and effectively.
4.7 Resource allocation (Para 3.1): The internal auditor shall prepare a detailed work schedule to estimate the time required for each audit procedure depending on the audit attention it deserves (on the basis of risk assessment) and map this with the competencies (knowledge, experience, expertise etc.) of the resources available to ensure proper resource availability and allocation.
4.8 Documentation: To confirm compliance of audit procedures with the SIA, all key steps undertaken in the planning process shall be adequately documented to confirm their proper completion.
Essential documentation to maintain is as follows:
(a) Planning Process documentation (or Checklists) and any tools used in the planning process;
(b) Documentation supporting the information gathered about the Unit’s business and operations, systems and processes and past or known issues;
(c) Summary of meetings and communication with key stakeholders, with a summary of their inputs;
(d) Risk Assessment documentation and a review of risk mitigating controls deployed;
(e) Summary of available resources, their competencies and the proper matching of their skills with the audit requirements;
(f) Detailed Internal Audit Programme (IAP) which lists the specific testing procedures to be conducted for each audit objective; and
(g) The final Internal Audit Assignment Plan, duly approved by the Head of Internal Audit.
5. EFFECTIVE DATE
5.1 This Standard is applicable for internal audits beginning on or after………..
