Exposure Draft of Standard on Internal Audit (SIA) 120, Internal Controls (Comments to be received by September 14, 2019)
Exposure Draft of Standard on Internal Audit (SIA) 120, Internal Controls*
The Internal Audit Standards Board of the Institute of Chartered Accountants of India (ICAI) invites comments on Standard on Internal Audit (SIA) 120, Internal Controls.
Comments are most helpful if they indicate a clear rationale and, where applicable, provide a suggestion for alternative wording.
Last date for sending comments is September 14, 2019.
*Note: This Standard on Internal Audit (SIA) 120 seeks to revise and supersede SIA 12 “Internal Control Evaluation”, issued in February 2009 (in recommendatory form by the Board). This SIA will become mandatory from its effective date.
STANDARD ON INTERNAL AUDIT (SIA) 120
Introduction and Scope
Definition of Internal Controls
Responsibility of the Board and Management
Responsibility of the Internal Auditor
This Standard on Internal Audit (SIA) 120, “Internal Controls,” issued by the Council of the Institute of Chartered Accountants of India (ICAI) should be read in conjunction with the “Preface to the Standards on Internal Audit”, “Framework Governing Internal Audits” and “Basic Principles of Internal Audit” issued by the Institute.
1.1 Internal Controls is a key concept in Internal Audit and this Standard seeks to clarify the concept and the responsibility of the Internal Auditor, Management and other stakeholders, with respect to Internal Controls, keeping in mind their legal, regulatory and professional obligations.
1.2 Internal Controls are systemic and procedural steps taken by an organisation to mitigate risks, primarily in the areas of financial accounting and reporting, operational processing or compliance with laws and regulations.
1.3 As indicated in the definition of Internal Audit (Refer Para 3.2 of “Framework Governing Internal Audits”) and also under SIA 230, “Objectives of Internal Audit”, providing independent assurance on the effectiveness of Internal Controls is a basic expectation from Internal Audit. The definition of Internal Audit elaborates on the term “Internal Controls” by clarifying how these are an integral part of management function and business operations.
1.4 Scope: This Standard applies to all internal audits conducted where internal controls are a subject of audit review, and are being assessed, evaluated and reported on.
2.1 The purpose of this Standard is to:
(a) Provide a common terminology on Internal Controls to prevent ambiguity or confusion on the subject matter amongst stakeholders;
(b) Define Internal Controls, how they mitigate risk, and also how they are viewed from a legal perspective;
(c) Explain the responsibilities of management and auditors with regard to Internal Controls, as mandated by law and regulations; and
(d) Specify certain requirements which need to be satisfied to be able to provide assurance on Internal Controls.
2.2 The overall objective of this standard is to clarify the increasing responsibilities of management and auditors over Internal Controls, and how certain requirements need to be fulfilled to assess, evaluate, report and provide assurance over Internal Controls.
3. Definition of Internal Controls
3.1 Internal Controls (ICs) are essentially risk mitigation steps taken to strengthen the organisation’s systems and processes to help prevent and detect errors and irregularities. The actual steps of mitigation (e.g., review, approval, physical count etc.) are referred to as “Control Activities”. When ICs reduce the risk of financial exposure, they are also referred to as Internal Financial Controls (IFC) and when they mitigate operational risks, they are also referred to as Operational Controls (OCs). ICs generally operate with human intervention (Manual Controls), but in an automated environment, computer controls are deployed to secure the systems, called IT General Controls (e.g., access controls), or to check transaction processing at an application level, called Application Controls (e.g., sequential numbering of invoices, etc.).
3.2 Internal Controls can be broad-based, covering the whole entity (e.g., Code of Conduct), or focused on a specific process or area (e.g., Order processing or Payroll, etc.). In the former case they are generally referred to as “Entity Level Controls (ELCs)” as part of the “Control Environment”. In the latter case, they are also referred to as “Process Level Controls”.
3.3 Internal Controls get defined in many different ways. In Standard on Auditing (SA) 315, “Identifying and Assessing the Risks of Material Misstatement Through Understanding the Entity and Its Environment” issued by the ICAI, Internal Control is defined as:
“The process designed, implemented and maintained by those charged with governance, management and other personnel to provide reasonable assurance about the achievement of an entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, safeguarding of assets and compliance with applicable laws and regulations. The term “controls” refers to any aspects of one or more of the components of internal control”.
3.4 Section 134 (5) of Companies Act, 2013, concerning Directors’ Responsibility Statement, clause (e) thereof, defines the term “Internal Financial Controls” as follows:
“the policies and procedures adopted by the company for ensuring the orderly and efficient conduct of its business, including adherence to company’s policies, the safeguarding of its assets, the prevention and detection of frauds and errors, the accuracy and completeness of the accounting records, and the timely preparation of reliable financial information”.
3.5 Hence, Internal Controls is a broader term than the legal definition of Internal Financial Controls (refer para 3.4) and goes beyond the financial areas and also covers operational areas. It includes all the policies and procedures, systems and processes adopted by the company to assist in achieving its objective of ensuring the orderly and efficient conduct of its business and operations, the safeguarding of assets, the prevention and detection of fraud and error, the accuracy and completeness of the company records, and the timely preparation of reliable financial and management information.
3.6 The term “Internal Controls System” is an all-encompassing term generally used to refer to all types of controls put together, covering ELCs, IFCs and OCs. The Control Environment (ELCs) includes the overall culture, attitude, awareness and actions of directors and management regarding the internal controls and their importance to the organisation. The control environment has an effect on the effectiveness of the overall Internal Control System since it provides the background against which process level controls (such as IFC and OCs) are operating.
3.7 “Internal Controls Framework” is a pre-defined benchmark Internal Control System, based on suitable criteria, which can be used by management or auditors to assess the design, adequacy and operating effectiveness of the overall internal control system. In the Indian context, for example, Appendix 1 to Standard on Auditing (SA) 315, “Identifying and Assessing the Risks of Material Misstatement Through Understanding the Entity and Its Environment” issued by the ICAI, provides the necessary criteria for Internal Financial Controls over Financial Reporting as per Companies Act, 2013. Globally, there are similar frameworks, such as the COSO (Committee of Sponsoring Organisations) Internal Control – Integrated Framework, which help to serve the same purpose.
4. Responsibility of the Board and Management
4.1 Companies Act, 2013 imposes overall responsibility on the Board of Directors with regard to Internal Financial Controls. Clause (e) of Section 134 (5) requires the Directors’ Responsibility Statement to state that “the directors, in the case of a listed company, had laid down internal financial controls to be followed by the company and that such internal financial controls are adequate and were operating effectively.”
4.2 In addition, Rule 8(5)(viii) of the Companies (Accounts) Rules, 2014 requires the Board of Directors’ Report to include “the details in respect of adequacy of internal financial controls with reference to the Financial Statements”.
4.3 For listed companies, as per The Securities and Exchange Board of India (Listing Obligations and Disclosure Requirements) Regulations, 2015 (“LODR”), the Management of the Company has additional responsibilities on Internal Controls for Financial Reporting. Regulation 17(8) of LODR mandates a Compliance Certificate, signed by the CEO and CFO to indicate that “They accept responsibility for establishing and maintaining internal controls for financial reporting and that they have evaluated the effectiveness of internal control systems of the listed entity pertaining to financial reporting and they have disclosed to the auditors and the audit committee, deficiencies in the design or operation of such internal controls, if any, of which they are aware and the steps they have taken or propose to take to rectify these deficiencies”.
4.4 Also, Section 143(3)(i) of the Companies Act, 2013 requires the statutory auditor to report on “whether the company has adequate internal financial controls system in place and the operating effectiveness of such controls”.
4.5 Hence, the overall responsibility for designing, assessing adequacy and maintaining the operating effectiveness of Internal Financial Controls rests with the Board and Management.
5. Responsibility of the Internal Auditor
5.1. As indicated in SIA 230, Objectives of Internal Audit, the Internal Auditor derives his mandate from those charged with governance, which in the case of listed entities, is generally the Audit Committee. In line with the definition of internal audit, and as per the objectives defined for internal audit, the Internal Auditor is expected to include Internal Controls as a key part of his scope and approach.
5.2. Unless specifically excluded, the Internal Auditor, and the work he performs, shall be directed to ensure that the entity has designed, implemented and maintains effective and efficient Internal Controls. The audit procedures shall be sufficient to allow the Internal Auditor to check the design, proper implementation and operating effectiveness of the Internal Controls. Any shortcoming shall result in recommendations for improvement and suggestions on how to make the Internal Controls more efficient and effective in line with their objectives.
5.3. The Internal Auditor shall review the risk assessment exercise undertaken at the time of planning the audit assignment to establish a basis for evaluating whether adequate and appropriate Internal Controls are in place to address the risks identified. Audit procedures to be conducted would primarily be directed over high and medium risk Internal Controls, and adequate documentation (e.g., a Risk Control Matrix) should be in place to confirm the linkage of the audit procedure with the respective risks.
5.4. Where the Internal Auditor is required to provide an independent opinion over the design, implementation or operating effectiveness of Internal Controls, this shall be undertaken in line with the requirements of SIA 110, “Nature of Assurance”, especially with regard to the need to have a clear understanding of the Internal Controls Framework which shall form the basis of the assurance. Also, in such situations where a written assurance report is being issued, the Internal Auditor shall consider the following (as a basis for his opinion):
(a) An evaluation of the system of Control Self-Assessment by owners of Internal Controls to support the CEO/CFO certification process.
(b) Availability of Compliance Certificates from owners of Key Controls to support a continuous system of compliance.
5.5. In situations where the Statutory Auditor is expected to rely on the work of the Internal Auditor as per Standard on Auditing (SA) 610, Using the Work of the Internal Auditors, issued by ICAI, regarding their audit of Internal Financial Controls over Financial Reporting, the Internal Auditor shall document the objectives and agreed scope and approach of the internal audit, over which reliance is to be placed by the Statutory Auditor.
6. Effective Date
6.1. This Standard is applicable for internal audits beginning on or after a date to be notified by the Council of the Institute.