PROPOSED REVISION TO
STANDARD ON INTERNAL AUDIT (SIA) 000
CONDUCTING OVERALL INTERNAL AUDIT PLANNING*
The Internal Audit Standards Board (IASB) of The Institute of Chartered Accountants of India (ICAI) invites comments on the proposed revision of the Standard on Internal Audit (SIA) 000 – Conducting Overall Internal Audit Planning.
Comments are most helpful if they indicate a clear rationale and, where applicable, provide a suggestion for alternative wording.
NOTE (*): This Standard on Internal Audit (SIA 000) seeks to revise and supersede some part or all of the following current SIAs (issued in recommendatory form):
1) SIA 1: Planning an Internal Audit, issued in August 2006.
2) SIA 15: Knowledge of the Entity and its Environment, issued in March 2009.
This SIA will finally be issued as a mandatory standard from its effective date.
STANDARD ON INTERNAL AUDIT (SIA) 000
CONDUCTING OVERALL INTERNAL AUDIT PLANNING
This Standard on Internal Audit (SIA) 000, “Conducting Overall Internal Audit Planning”, issued by the Council of the Institute of Chartered Accountants of India should be read in conjunction with the “Preface to the Standards on Internal Audit”, “Framework governing Internal Audits” and “Basic Principles of Internal Audit” issued by the Institute.
1.1 Internal Audit Planning is conducted at two levels:
(a) An overall internal audit plan for the whole entity is prepared for a given period of time (usually a year) and presented to the highest governing body responsible for internal audits, normally the Board of Directors, or the Audit Committee.
(b) A number of specific internal audit plans are prepared for individual assignments to be undertaken covering parts of the entity or certain specific areas and functions of the entity and presented to the Chief Internal Auditor.
1.2 This Standard on Internal Audit (SIA) covers the first level of planning, Conducting Overall Internal Audit Planning for the entity as a whole. A separate SIA deals with the Planning of Internal Audit Assignments for a particular part of the entity or certain specific areas and functions of the entity.
1.3 In the case of Companies under Companies Act, 2013, it is a legal requirement for the Audit Committee or its Board of Directors to formulate the Overall Internal Audit Plan of the Company. As per Companies (Accounts) Rule 13(2) of Companies Act, 2013:
“The Audit Committee of the company or the Board shall, in consultation with the Internal Auditor, formulate the scope, functioning, periodicity, and methodology for conducting the internal audit.”
The Audit Committee or the Board takes the active support of the Chief Internal Auditor to develop the Audit Plan, in consultation with Executive Management.
1.4 Conducting the Overall Internal Audit Planning involves the following key elements:
(a) It is undertaken prior to the beginning of the plan period (generally the financial year);
(b) It is comprehensive in nature, usually covering the whole entity;
(c) It is directional in nature and considers all the functions, areas, business units and legal entities subject to internal audit, along with the periodicity of the assignments to be undertaken during the plan period;
(d) It is prepared by the Chief Internal Auditor (or the Engagement Partner, where an external service provider is appointed to conduct internal audits);
(e) The outcome of this exercise is an “Overall Internal Audit Plan” (or the “Audit Engagement Plan”, if outsourced).
1.5 Scope: This SIA deals with the internal auditor’s responsibility to prepare the Overall Internal Audit Plan, also referred to as the Annual Internal Audit (Engagement) Plan. Where only part of the internal audit activity is outsourced, this SIA shall apply only to the extent that the internal auditor needs to plan the activities of the outsourced part of the engagement, as defined in their terms of engagement, which shall also clarify the extent of the planning responsibilities.
2.1 The objectives of an Overall Internal Audit (Engagement) Plan are to:
(a) ensure that the planned internal audits are in line with the objectives of the internal audit function (and terms of engagement, where it is an outsourced engagement), as per the internal audit charter of the entity and also in line with the overall objectives of the organisation;
(b) align the organisation’s risk assessment with the effectiveness of the risk mitigation implemented through internal controls;
(c) confirm and agree with those charged with governance the broad scope, methodology and depth of coverage of the internal audit work to be undertaken in the defined time-period;
(d) ensure overall resources are adequate, skilled and deployed with focus in areas of importance, complexity and sensitivity; and
(e) ensure the audits undertaken conform at all times with the applicable pronouncements of the Institute of Chartered Accountants of India.
3.1 The planning exercise shall follow a laid down process (Para 4.1), the outcome of which shall be a written document (Para 4.8) containing all the essential elements required to help achieve the objectives of the plan as outlined under Section 2 above. Technology deployment (Para 4.6) and resource allocation (Para 4.7) shall form essential elements of the Overall Internal Audit Plan.
3.2 The Overall Internal Audit Plan shall be reviewed and approved by the highest governing body responsible for internal audits, normally the Board of Directors, or the Audit Committee.
3.3 Knowledge of the entity, its business and operating environment shall be obtained to determine the types of audit assignment which could be conducted (Para 4.2). As part of the planning process, a discussion with management shall be undertaken to understand the intricacies of each auditable unit subject to audit (Para 4.3).
3.4 An Audit Universe shall be prepared prior to establishing the scope of the Overall Internal Audit Plan (Para 4.4). The scope shall be consistent with the goals and objectives of the internal audit function (and terms of engagement, where it is an outsourced engagement) as listed in the internal audit charter. The scope shall also be in line with the nature and extent of assurance to be provided.
3.5 A risk based planning exercise shall form the basis of the Overall Internal Audit Plan. The internal auditor shall undertake an independent risk assessment exercise to prioritise and focus the audit work on high risk areas, with due attention given to matters of importance, complexity and sensitivity (Para 4.5).
3.6 The Overall Internal Audit Plan shall be continuously monitored during the execution phase for achievement and to identify any deviations. Certain deviations may need to be notified to the stakeholders or may even require a formal modification to the plan. However, any major modification to the plan shall be done only after consultation with those who approved the original plan. Such changes shall be formally documented, including the reasons for the change, and communicated to all impacted stakeholders.
4.1 The Planning process (Para 3.1): The internal auditor conducting the Overall Internal Audit Planning shall use professional judgement for the process to be followed in completing all essential planning activities. A documented planning process shall be in place which stipulates the essential inputs, steps to complete the planning and the nature of output required to conduct a comprehensive planning exercise.
4.2 Knowledge of the Business and its Environment (Para 3.3): The internal auditor shall gather all the information required to fully understand the entity’s business environment, the risks it faces and its operational challenges.
The extent of information required shall be sufficient to enable the internal auditor to identify matters which have a significant effect on the organisation’s financials. Hence, there is a need to connect the financial aspects of the business with other business elements, such as industry dynamics, company’s business model, operational intricacies, legal and regulatory environment, and the system and processes in place to run its operations.
4.3 Discussion with management (Para 3.3): A key element of planning involves extensive discussion and deliberation with all stakeholders, including executive management, risk owners, process owners, etc. Their inputs are critical in understanding intricacies of each assignment under consideration, in identification of important matters of relevance and to align stakeholder expectations with audit objectives.
4.4 Audit Universe & Scope of coverage (Para 3.4): Prior to defining the scope of internal audit, a complete identification of all the auditable Units (areas, functions, activities, entities etc.) of the entity shall be made. This list is generally referred to as the “Audit Universe”. It covers all conceivable audit assignments which could be taken up for review during the plan period. The audit universe helps ensure the audit scope does not overlook any auditable unit. It forms the basis from which the Overall Internal Audit Plan is derived by consciously excluding certain Units or areas from the scope, for justifiable reasons, such as low risk.
Internal audit objectives and the nature of assurance to be provided will also help to establish the scope of internal audit. On certain occasions, especially in the case of outsourced engagements, management may define or mandate the scope and may even restrict coverage of certain areas or transactions. When finalising the scope, it’s important to clearly highlight any scope limitations included in the internal audit plan as part of the communication to the approving body, such as the Audit Committee.
4.5 Risk Assessment (Para 3.5): The internal auditor shall undertake an independent risk assessment of all the auditable units identified in the Audit Universe and align this with the risk assessment conducted by management. This is required to prioritise and focus audit work on high risk areas, with due attention given to matters of importance, complexity and sensitivity.
The internal auditor may also plan to undertake a dedicated audit of the company’s Risk Management Framework and processes, as a separate review or assignment.
4.6 Technology deployment (Para 3.1): A key element of the overall internal audit planning exercise involves understanding the extent to which:
(a) the entity has deployed Information Technology (IT) in its business, operations and transaction processing, and
(b) the auditor needs to deploy IT tools, data mining & analytic procedures, and the expertise required for its audit activities and testing purposes. This helps to design and plan the audit more efficiently and effectively.
4.7 Resource allocation (Para 3.1): The Internal Auditor shall prepare a detailed work schedule to estimate the time required for each audit assignment depending on the audit attention it deserves (on the basis of risk assessment) and map this with the competencies (knowledge, experience, expertise etc.) of the resources available. Requirements are then matched with the limited resources available to:
(a) Finalise the scope and depth of coverage of audit assignments;
(b) Identify any critical skills/expertise gaps in audit team; and/or
(c) Seek other means of acquiring the additional resources required (internal or external sourcing).
4.8 Documentation: To confirm compliance of audit procedures with the SIA, all key steps undertaken in the planning process shall be adequately documented to confirm their proper completion.
Essential documentation to maintain is as follows:
(a) Information gathered about the business and its operations, systems and processes and past or known issues;
(b) Audit Universe and Summary of Auditable Units;
(c) Summary of meetings and communication with key stakeholders, with a summary of their inputs;
(d) Risk Assessment documentation;
(e) Summary of available resources, their competencies and the proper matching of their skills with the audit requirements; and
(f) The final Overall Internal Audit Plan, duly approved by the competent authorities.
5.1 This Standard is applicable for internal audits beginning on or after………..