Exposure Draft of Standard on Internal Audit (SIA) 390, Monitoring and Reporting of Prior Audit Issues (Comments to be received by September 14, 2019)
EXPOSURE DRAFT
STANDARD ON INTERNAL AUDIT (SIA) 390
MONITORING AND REPORTING OF PRIOR AUDIT ISSUES
The Internal Audit Standards Board of the Institute of Chartered Accountants of India (ICAI) invites comments on Standard on Internal Audit (SIA) 390, Monitoring and Reporting of Prior Audit Issues.
Comments are most helpful if they indicate a clear rationale and, where applicable, provide a suggestion for alternative wording.
Comments can be e-mailed either at cia@icai.in or iasb.program@icai.in
Last date for sending comments is September 14, 2019.
STANDARD ON INTERNAL AUDIT (SIA) 390
MONITORING AND REPORTING OF PRIOR AUDIT ISSUES
Contents
Introduction
Objectives
Requirements
Explanatory Comments
Effective Date
This Standard on Internal Audit (SIA) 390, “Monitoring & Reporting of Prior Audit Issues,”issued by the Council of the Institute of Chartered Accountants of India should be read in conjunction with the “Preface to the Standards on Internal Audit,”“Framework Governing Internal Audits”and “Basic Principles of Internal Audit”issued by the Institute.
1. Introduction
1.1 This Standard deals with the responsibility of the Internal Auditor in monitoring and reporting of prior audit issues, usually in the form of an “Action Taken Report (ATR) of previous audits”.
1.2 The term “Monitoring and Reporting”used in this Standard refers to a periodic tracking and evaluation of the corrective actions undertaken by the auditee to resolve the issues raised during prior audits in line with the audit recommendations made in previous internal audit reports and to report any open and pending matters to management and those charged with governance (the Audit Committee).
1.3 Scope: This Standard applies to all internal audits where prior audit issues remain open, pending the implementation of audit recommendations within pre-agreed timelines.
2. Objectives
2.1 The specific objectives of this standard are to ensure:
(a) Proper monitoring and closure of open issues from prior audits;
(b) Independent validation of corrective actions taken by the auditee;
(c) Escalation of any concerns in case of delays in closure of issues; and
(d) Timely reporting of status to those charged with governance.
2.2. The overall objective of this Standard is to ensure that the auditee mitigate the risks highlighted in the audit observations through timely corrective actions or that a conscious decision is taken to accept the risks, in case recommendations are delayed or not implemented.
3. Requirements
3.1 The Chief Internal Auditor is responsible to continuously monitor the closure of prior audit issues through a timely implementation of action plans included in past audits. This shall be done with a formal monitoring process, elements of which are pre-agreed with management (refer Para 4.1).
3.2 After receiving confirmation from the auditee regarding the implementation of corrective actions, additional audit procedures shall be performed by the Internal Auditor to confirm that the issues have been adequately addressed. Sufficient and appropriate audit evidences shall be obtained and the documentation shall be maintained to confirm either effective closure of the issue, or reasons
for its delay or deferral (refer Para 4.2).
3.3 In case of delays or ineffective implementation of the agreed corrective actions, the Internal Auditor shall escalate such delays and concerns to the appropriate levels of management. However, if new facts come to light justifying the ineffective or delayed implementation, the Internal Auditor may agree upon a new time-bound action plan. In such a situation, the follow-up timelines may be reset or the issue may be deferred to the next audit and a plan to carry-forward such audit recommendation(s) may be agreed with management (refer Para 4.3).
3.4 The internal auditor shall periodically report to the management, and the Audit Committee, the status of prior issues (generally in the form of an “Action Taken Report”), including providing a confirmation of closure based on additional procedures, ageing of issues pending closure and reasons for any delays.
4. Explanatory Comments
4.1 Monitoring of Prior Issues (refer Para 3.1): The management is responsible for timely implementing of corrective action plans to address prior audit issues as per agreed time-lines. The Chief Internal Auditor, or his designate, will undertake a follow-up with the auditee, after the lapse of agreed time schedule for implementing the recommendations, so as to evaluate the status of resolution. An automated process, which continuously alerts all parties, may be implemented to ensure an effective follow-up.
4.2 Closure of Prior Issues (refer Para 3.2): For important or sensitive issues (e.g., those rated high risk or with fraud risk), follow-up audit procedures shall be performed to ensure that the risk has been mitigated to an acceptable level. For medium risk issues, documentation proof of the implementation of the audit recommendations may be adequate. For low risk issues, a written note confirmation from management may be sufficient. However, the documentation for all the three categories shall be maintained as per the Standard on Internal Auditing (SIA) 330, “Documentation”.
NOTE: If on the basis of additional audit procedures and evidence collected, the corrective actions appear to be sufficient to address the issues, the Internal Auditor may close the observation and issue a closure report. However, in case of ineffective or non-implementation of the recommendations, the Internal Auditor shall communicate the same as per the escalation procedures (refer para 4.3). If despite the escalation, the recommendation remains pending, the Internal Auditor shall either obtain a written confirmation that the management accepts the risks, or issue a note of unaddressed risks, consequent to non-implementation of the audit recommendations.
4.3 Escalation Procedure (refer Para 3.3): When the Internal Auditor observes slippage in the agreed time schedule for implementation, the auditor shall alert the auditee and agree to a new time schedule. On further delays in timelines of implementation, the internal auditor shall escalate details of slippage to management as per a pre-agreed escalation protocol. Status updates, including aging of pending issues and delays in issue resolutions, should be shared periodically with management and the Audit Committee.
4.4 Documentation: The Internal Auditor shall document the working papers according to Standard on Internal Auditing on Documentation, which shall include:
(a) The monitoring plan agreed with management, including escalation procedures and protocol to be followed in case of delays.
(b) Auditee confirmations of implementation of audit recommendations, or reasons for nonimplementation and acceptance of risks.
(c) The documentary evidence and working papers to support additional audit procedures performed to confirm effective closure of prior issues.
(d) Escalation communication, with management responses.
(e) Periodic status reports (ATR) issued to the management and Audit Committee.
5. Effective Date
5.1 This Standard is applicable for internal audits beginning on or after a date to be notified by the Council of the Institute.
—————
