Exposure Draft of Standard on Internal Audit (SIA) 110, Nature of Assurance (Comments to be received by March 28, 2019) – (27-02-2019)
The Internal Audit Standards Board of the Institute of Chartered Accountants of India (ICAI) invites comments on Standard on Internal Audit (SIA) 110, Nature of Assurance.
Comments are most helpful if they indicate a clear rationale and, where applicable, provide a suggestion for alternative wording.
Comments can be e-mailed either at firstname.lastname@example.org; or at email@example.com. Last date for sending comments is March 28, 2019.
This Standard on Internal Audit (SIA) 110, “Nature of Assurance,” issued by the Council of the Institute of Chartered Accountants of India (ICAI) should be read in conjunction with the “Preface to the Standards on Internal Audit”, “Framework governing Internal Audits” and “Basic Principles of Internal Audit” issued by the Institute.
1.1. This Standard titled “Nature of Assurance” deals with assurance assignments performed by internal auditors. An “Internal Audit Assurance Assignment” refers to an assignment in which the Internal Auditor expresses an opinion or provides certain ratings in order to enhance the confidence of the assurance users about the outcome of the internal audit. This assurance is provided by indicating how the Internal Auditor’s evaluation of the subject matter of audit, measures up against a certain pre-defined criterion. In such situations, the Internal Auditor is asked to provide assurance through either a formal internal audit report or through an overall rating of the subject matter.
1.2. This document provides a frame of reference for Internal Auditors and others involved with assurance assignments, specifically, the following:
(a) Members of the Institute of Chartered Accountants of India (ICAI) in public practice (practitioners) conducting internal audit engagements;
(b) Members of the ICAI in the public or private sector as part of the internal audit function of an organisation (industry members) conducting internal audit assignments;
(c) Members of other professional bodies conducting internal audit assignments – who are encouraged to adopt this Standard when conducting internal audit assignments;
(d) Others stakeholders involved with internal audits, such as the users of an assurance report, including executive management and those charged with governance; and
(e) The members of the Internal Audit Standards Board (IASB) in its development of SIAs.
Those conducting internal audits [(a) to (c) above] are collectively referred to as “Internal Auditors” for the purpose of this Standard.
1.3. Not all audit assignments performed by Internal Auditors are assurance assignments. Certain assignments that do not meet the assurance definition under Para 1.1 above (and therefore not covered by this document) include:
(a) Internal audit assignments where only a summary of observations, along with recommendations of the internal auditor, is presented (each observation may carry a separate rating);
(b) Assignments covered by other Standards issued by the ICAI, such as Standards for Related Services (e.g., agreed-upon procedures assignments);
(c) Reviews of tax returns and filings or compliance reports, where only a report of non-compliance is submitted; and
(d) Consulting (or advisory) assignments1, such as operational or technical reviews, due-diligence and other such assignments where no opinion conveying an assurance is expressed.
1.4. Scope: This Standard covers all assignments, including internal audit assignments (such as those indicated above) where no opinion is expressed through an internal audit report. An assurance assignment may be part of another project, for example, a Certification on Internal Controls over Financial Reporting. In such circumstances, this Standard is relevant only to the assurance portion of the assignment.
2.1. Audit findings identified after completing the internal audit procedures results in a certain outcome (e.g., the effectiveness of internal controls) which give an indication of the health of the subject matter (e.g., a process) and may involve an evaluation or measurement of the subject matter by applying some predefined criteria (e.g., a framework of internal controls or an overall rating methodology) to the subject matter.
2.2. Any internal audit assignment in which the internal auditor expresses an opinion or issues an overall rating on the outcome of the internal audit work to give an indication over the subject matter after comparing it with certain predefined criteria renders it to be an assurance assignment. All three key elements noted above have to be present to allow the internal auditor to express his opinion or provide an overall rating.
2.3. This Standard identifies the objectives of three types of assurance assignments an internal auditor is permitted to perform. This Standard refers to these three as follows:
2.4. The objective of a reasonable assurance assignment is to provide a positive form of opinion over the whole subject matter after conducting a thorough audit of the whole subject matter2. The objective of a limited assurance assignment is to express a negative form of opinion over the whole subject matter after conducting limited audit procedures over the whole or part of the subject matter. The objective of a no assurance assignment is to provide some type of evaluation or rating on individual findings (observations) noted during the audit, and/or an overall rating on the subject matter, but not to express an overall opinion over the whole subject matter.
2.5. This Standard explains important distinctions between the three types of assurance assignments.
2.6. The main objective of this Standard is to provide clarity on:
(a) Whether the internal auditor can provide any assurance at all (including no assurance assignments);
(b) Essential requirements which must be satisfied to be able to provide the assurance; and
(c) Nature of assurance that can be provided (Negative or Positive) and under what circumstances.
3.1. This Standard identifies three components that assurance assignments exhibit:
(a) A three party relationship, involving an Internal Auditor, An Auditee and Assurance User;
(b) Presence of three key elements, involving a Subject Matter, a Pre-defined criteria, and a Conclusive Outcome; and
(c) A written Assurance (or No Assurance) Report which expresses an opinion, or provides an overall rating, in a standard format.
3.2. Three Party Relationships: Assurance assignments involve three separate parties: an Internal Auditor, an Auditee and an Assurance User.
3.2.1. Internal Auditor is the person appointed by the organisation to conduct an Internal Audit (also see Para 1.2, above). In the case of Companies which are required to appoint an Internal Auditor under Companies Act, 2013, the individual notified by the Company to the government as the Internal Auditor as per Section 138 of the Companies Act 2013, is expected to act as the Internal Auditor in accordance with this Standard. In other cases, the person appointed by the organisation to head the Internal Audit Function is the Internal Auditor as per this Standard.
3.2.2. The Auditee is the person(s) who is responsible for the Subject matter irrespective of whether or not he provides a written representation (a self-certification) with respect to his evaluation of the Subject matter. The Auditee may or may not be the party who engages the Internal Auditor.
3.2.3. The Assurance User is the person, (or class of persons, e.g., the Audit Committee of the Board of Directors) for whom the Internal Auditor prepares the Assurance Report. The Auditee can also be one of the Assurance Users, but not the only one. Assurance Users may be identified in different ways, for example, by the Internal Audit Charter, through an Engagement Letter between the Internal Auditor and the engaging party, or by law.
3.2.4. The Auditee and the Assurance Users may be either from the same entity or from a different entity. For example, an entity’s senior management (an Assurance User) may engage an Internal Auditor to perform an assurance assignment on a particular aspect of the entity’s activities that is the immediate responsibility of a lower level of management (the Auditee), but for which senior management is ultimately responsible. Or the Audit Committee of the Parent Company may seek assurance about information provided by the Subsidiary’s management. Hence the relationship between the Auditee and the Assurance Users needs to be viewed within the context of a specific assignment and may differ under each circumstance.
3.3. Key elements – Subject Matter: Internal audit procedures and activities are conducted for achieving stated objectives, as outlined in the scope of the audit, which is also the Subject matter of the assurance assignment.
3.3.1. The Subject matter of an assurance assignment may take many forms:
(a) Financial performance or conditions (for example, the financial position, financial performance and cash flows) for which the Subject matter may be the recognition, measurement, presentation and disclosure represented in financial statements.
(b) Non-financial performance or conditions (for example, operational output of a factory) for which the Subject matter may be key indicators of efficiency and effectiveness.
(c) Physical characteristics (for example, capacity of a facility) for which the Subject matter may be a technical specifications document.
(d) Systems and processes (for example, an entity’s internal controls, or IT system) for which the Subject matter may be an assertion about its design or effectiveness.
(e) Behaviour (for example, corporate governance, compliance with regulation, human resource practices) for which the Subject matter may be a statement of compliance or a statement of design or effectiveness.
3.3.2. Subject matters have different characteristics, including the degree to which information about them is qualitative versus quantitative, objective versus subjective, historical versus prospective, and relates to a point in time or covers a period. Such characteristics affect the:
(a) Precision with which the Subject matter can be evaluated or measured against the Pre-defined criteria;
(b) The persuasiveness of available evidence and hence the ability of the Internal Auditor to draw conclusions and form an opinion; and
(c) The nature of Assurance Report which can be provided to the Assurance Users.
3.3.3. An appropriate subject matter is:
(a) Identifiable, and capable of consistent evaluation or measurement against the pre-defined criteria; and
(b) Such that the information about it can be subjected to procedures for gathering sufficient appropriate evidence to support a reasonable assurance or limited assurance conclusion, as appropriate.
3.4. Key elements – Pre-defined criteria: Pre-defined criteria stipulate the manner in which an evaluation or measurement of a Subject matter can be undertaken using an objective and consistent methodology and within the context of professional judgment.
3.4.1. Pre-defined criteria are the benchmarks used to evaluate or measure the Subject matter including, where relevant, benchmarks for presentation and disclosure. Pre-defined criteria can be in the nature of the following:
(a) Formal, for example in the audit of financial statements, the criteria may be the Accounting Standards issued by the Institute.
(b) A framework, for example, when reporting on internal controls, the criteria may be an established internal control framework or individual control objectives specifically designed for the assignment.
(c) A rating, for example, in evaluating individual observations, the criteria may be the severity of outcome/exposure, or a risk rating methodology.
(d) A mandate, for example, when reporting on compliance, the criteria may be the applicable Statue, law, regulation or contract.
(e) Informal criteria may be an internally developed code of conduct or an agreed level of performance (such as the number of work injuries reported).
3.4.2. Without the frame of reference provided by suitable criteria, any conclusion is open to individual interpretation and misunderstanding. Pre-defined criteria are context-sensitive, that is, relevant to the assignment circumstances. Even for the same Subject matter, there can be different criteria. For example, one Auditee might select the number of customer complaints resolved to the acknowledged satisfaction of the customer for the subject matter of customer satisfaction; another Auditee might select the number of repeat purchases in the three months following the initial purchase.
3.4.3. Pre-defined criteria exhibit the following characteristics:
(a) Relevance: relevant criteria contribute to conclusions that assist decision making by the Assurance Users.
(b) Completeness: criteria are sufficiently complete when relevant factors that could affect the conclusions (in the context of the assignment circumstances) are not omitted. Complete criteria may include benchmarks for presentation and disclosure.
(c) Reliability: reliable criteria allow reasonably consistent evaluation or measurement of the subject matter including, where relevant, presentation and disclosure, when used in similar circumstances by similarly qualified Internal Auditors.
(d) Neutrality: neutral criteria contribute to conclusions that are free from bias.
(e) Comprehensive: easy to understand criteria contribute to conclusions that are simple, clear, and not subject to significantly different interpretations.
The evaluation or measurement of a Subject matter on the basis of the Internal Auditor’s own expectations, judgments and individual experience would not constitute suitable Pre-defined criteria, unless it has been pre-agreed with the Assurance Users.
3.4.4. The Internal Auditor assesses the suitability of Pre-defined criteria for a particular assignment by considering whether they reflect the above characteristics. The relative importance of each characteristic to a particular assignment is a matter of judgment. Pre-defined criteria can either be established or specifically developed. Established criteria are those embodied in laws or regulations, or issued by authorized or recognized bodies of experts that follow a transparent due process. Specifically developed criteria are those designed for the purpose of the specific assignment. Whether criteria are established or specifically developed affects the work that the Internal Auditor carries out to assess their suitability for a particular assignment.
3.5. Key elements – Conclusive Outcome: Following the completion of the audit activities and audit procedures, the Internal Auditor is in a position to deliver an outcome which may or may not be conclusive in nature.
3.5.1. For an assurance assignment, the Internal Auditor plans and performs an assignment in accordance with the stipulated Standards on Internal Audit to reach an outcome which allows a conclusion to be reached on whether the Subject matter meets the Pre-defined criteria. The Internal Auditor considers assurance assignment risk, materiality, the quantity and quality of available evidence when planning and performing the assignment, in particular when determining the nature, timing and extent of evidence-gathering procedures.
3.5.2. “Reasonable assurance” is a concept relating to accumulating evidence necessary for the Internal Auditor to conclude in relation to the Subject matter taken as a whole. To be in a position to express an opinion in the positive form required in a reasonable assurance assignment, it is necessary for the Internal Auditor to obtain sufficient and appropriate evidence as part of an iterative, systematic assignment process based on his professional judgement and guided by Standards on Internal Audit and other pronouncement issued by the ICAI.
3.5.3. “Reasonable assurance” is less than absolute assurance. Reducing assurance assignment risk to zero is very rarely attainable or cost beneficial as a result of factors such as the following:
3.5.4. In a “Limited assurance” assignment, the nature, timing and extent of procedures for gathering sufficient appropriate evidence are, however, deliberately limited relative to a reasonable assurance assignment.
3.5.5. In a “No assurance” assignment, since the focus is more on the specific observations and not to provide an overall opinion on the whole subject matter, the nature, timing and extent of procedures for gathering sufficient appropriate evidence are the least, compared to the other two assurance assignments.
3.6. The Assurance Report: The Internal Auditor provides a written report expressing an opinion that conveys the assurance obtained about the Subject matter information.
3.6.1. Another Standard on Internal Audit (SIA 380, “Issuing Assurance Reports”) establish the basic elements, form and content of assurance reports. In addition, the Internal Auditor considers other reporting responsibilities, including communicating with those charged with governance (SIA 250) when it is appropriate to do so.
3.6.2. In a “reasonable assurance” assignment, the Internal Auditor expresses the opinion in the positive form, for example: “In our opinion internal control is effective, in all material respects, based on XYZ criteria”. This form of expression conveys “reasonable assurance”. Having performed evidence-gathering procedures of a nature, timing and extent that were reasonable given the characteristics of the Subject matter and other relevant assignment circumstances described in the assurance report, the Internal Auditor has obtained sufficient and appropriate evidence to reduce assurance assignment risk to an acceptably low level.
3.6.3. In a “limited assurance” assignment, the Internal Auditor expresses the opinion in the negative form, for example, “based on our work described in this report, nothing has come to our attention that causes us to believe that internal control is not effective, in all material respects, based on XYZ criteria”. This form of expression conveys a level of “limited assurance” that is proportional to the level of the Internal Auditor’s evidence-gathering procedures given the characteristics of the subject matter and other assignment circumstances described in the assurance report.
3.6.4. In a “no assurance” assignment, the Internal Auditor will only present an evaluation or rating of the individual observations in the form of a predefined rating mechanism which is widely understood and not express an overall opinion on the subject matter. At most, an overall rating of the Subject matter, based on the individual ratings of all the observations, may be presented if the pre-defined rating criteria provides the guidance for overall rating. Based on the limited audit procedures, the Internal Auditor will not be able to reduce the level of risk to a low level to allow for an expression of an overall opinion.
4.1. An Internal Auditor may undertake an assurance assignment only where the auditor’s preliminary knowledge of the assignment circumstances indicates that:
(a) Relevant ethical requirements, such as independence and professional competence will be satisfied, and
(b) The assignment exhibits all of the following characteristics:
(i) The Subject matter is appropriate, as noted under Para 3.3.3;
(ii) The Pre-defined criteria to be used are suitable and available to the assurance users;
(iii) The Internal Auditor has access to sufficient appropriate evidence to support the auditor’s opinion;
(iv) The Internal Auditor’s opinion, in the form appropriate to either a reasonable assurance assignment or a limited assurance assignment, is to be contained in a written report; and
(v) The Internal Auditor is satisfied that there is a rational purpose for the assignment. Circumstances, such as the following may indicate an absence of rational purpose:
♦ Significant limitation on the scope of the internal auditor’s work;
♦ Engaging party intends to associate the auditor’s name with the Subject matter in an inappropriate manner.
4.2. When a potential assignment cannot be accepted as an assurance assignment because it does not exhibit all the characteristics in the previous paragraph, the engaging party may be able to identify a different assignment that will meet the needs of intended users. For example:
(a) If the original criteria were not suitable, an assurance assignment may still be performed if:
(i) the engaging party can identify an aspect of the original Subject matter for which those criteria are suitable, and the Internal Auditor could perform an assurance assignment with respect to that aspect as a Subject matter in its own right. In such cases, the Assurance Report makes it clear that it does not relate to the original Subject matter in its entirety; or
(ii) alternative criteria suitable for the original subject matter can be selected or developed.
(b) The engaging party may request an assignment with no assurance or that is not an assurance assignment, such as a consulting or an agreed-upon procedures assignment.
4.3. Having accepted an assurance assignment, an Internal Auditor may not change that assignment to a non-assurance assignment, or from a reasonable assurance assignment to a limited assurance assignment without reasonable justification. A change in circumstances that affects the Assurance Users’ requirements, or a misunderstanding concerning the nature of the assignment, ordinarily will justify a request for a change in the assignment. If such a change is made, the Internal Auditor does not disregard evidence that was obtained prior to the change.
5.1 This Standard is applicable for internal audits beginning on or after a date to be notified by the Council of the Institute.
1 Consulting assignments employ an internal auditor’s varied skills in an analytical process that typically involves some combination of activities relating to: objective setting, fact-finding, definition of problems or opportunities, evaluation of alternatives, development of recommendations including actions, communication of results and sometimes implementation and follow-up. It is a two party arrangement and the nature and scope of work is determined by an agreement (or understanding) between the internal auditor and the client (user of service).
2 Assignment circumstances include the objectives or terms of the assignment, including whether it is a reasonable assurance assignment or a limited assurance assignment, the characteristics of the subject matter, the pre-defined criteria to be used, the needs of the assurance users, relevant characteristics of the auditee, and other matters, for example events, transactions, conditions and practices, that may have a significant effect on the assignment.