The Institute of Chartered Accountants of India (ICAI) Standard on Internal Audit (SIA) 120 sets out requirements for formally defining the Terms of Internal Audit Engagement. These terms, which vary by the entity’s size and complexity, must be consistent with the core definition of internal audit: providing independent reasonable assurance on internal controls and risk management processes to enhance governance. For companies falling under Section 138 of the Companies Act, 2013, the Audit Committee or the Board holds the responsibility, in consultation with the Internal Auditor, to formulate the scope, functioning, periodicity, and methodology. For other entities, the appointing authority defines these terms. The primary objectives of SIA 120 are to document the scope, provide clarity to all stakeholders regarding the nature of the internal audit setup, ensure alignment with the overall Internal Audit Framework, and outline the conditions under which assurance (reasonable or limited) can be expressed. This Standard applies to all ICAI members, whether performing the audit as an in-house employee or as a representative of an external firm, whenever an assurance is to be provided. Advisory and consulting engagements are excluded from this Standard’s scope.
SIA 120 specifies two key documents used to formalize these operating parameters: the Internal Audit Charter for in-house teams, and the Engagement Letter for outsourced arrangements. It is mandatory for the Chief of Internal Audit or the Engagement Partner to ensure one of these written documents exists, is reviewed, and is approved by those charged with governance (typically the Board or Audit Committee). The Charter outlines the function’s vision, purpose, reporting structure, and approach, while the Engagement Letter also details compensation, ownership of working papers, and termination clauses. Both documents must clearly specify the list of deliverables (e.g., final reports, issue logs) and must ensure five prerequisite conditions are met before engagement commencement, including the establishment of pre-defined criteria and obtaining written agreement from the Assurance User on the type of assurance. Furthermore, the Standard mandates that internal audit reports must be submitted within 30 days of completing fieldwork, unless otherwise agreed, to ensure timely communication and facilitate prompt corrective action by management.
The Institute of Chartered Accountants of India
Standard on Internal Audit (SIA) 120
Terms of Internal Audit Engagement
1. Introduction
1.1 The terms of internal audit engagement vary widely and depend on the size, structure, and complexity of the entity subject to internal audit. These terms of internal audit engagement are also influenced by laws and regulations and specific requirements of management and, in most cases, defined by those charged with governance.
1.2 In the case of Companies required to appoint an Internal Auditor as per Section 138 of the Companies Act, 2013, Rule 13(2) of Companies (Accounts) Rules 2014, states:
“The Audit Committee of the company or the Board shal, in consultation with the Internal Auditor, formulate the scope, functioning, periodicity, and methodology for conducting the internal audit.”
Hence, in this class of companies, the Audit Committee or the Board, in conjunction with management and the Chief of Internal Audit/ External Service Provider, is expected to exercise the responsibility to formulate the terms of internal audit engagement.
1.3 In the case of other organisations not covered under Para 1.2 above, those who appoint the Internal Auditor (e.g., the owners, the promoters, the Board of Trustees, etc.) would generally define the terms of internal audit.
1.4 While the specific terms of any internal audit may vary from company to company, they should be consistent with the overall definition of “Internal Audit”, which as defined under Para 3 of “Preface to the Standards on Internal Audit”, issued by the ICAI, states as follows:
“Internal audit provides independent reasonable assurance on the effectiveness of internal controls and risk management processes to enhance governance and achieve organisational objectives.”
Annexure 1 to this Standard provides an indicative list of the terms of Internal Audit Engagement as mentioned in Standard on Auditing (SA) 610, “Using the Work of an Internal Auditor”, issued by Auditing & Assurance Standards Board, ICAI. Companies may choose some or all of these terms of internal audit engagement or even add something new as per their requirements or legal/ regulatory mandates.
1.5 Scope: The current law in India permits internal audit to be performed either by an entity’s own employee (i.e., personnel on the payroll of the organization or its group company) or by a professional who is part of an external agency (e.g., a firm of practicing Chartered Accountants undertaking internal audit engagements). Hence, the manner in which the terms of internal audit is defined in each situation may vary. This Standard applies to all ICAI members in both situations, irrespective of whether the internal audit is conducted by them in the capacity of an employee or as a representative of an external audit firm.
2. Effective Date
2.1 This Standard is applicable for internal audits beginning on or after a date to be notified by the Council of the Institute.
3. Objectives
3.1 The objective of defining the terms of Internal Audit engagement are to:
a. Document the scope of the Internal Audit activity and the terms of the out-sourced internal audit engagement.
b. Provide clarity to the Internal Auditor and its stakeholders regarding the nature of the internal audit set-up and its working.
c. Ensure linkage between what is expected of the Internal Auditor and how that expectation can be met within the Framework governing Internal Audits.
d. Promote better understanding on key operational areas, such as, accountability and authority, roles and responsibility, and such other functional matters.
e. To outline conditions under which assurance can be expressed
f. Timelines for submission of internal audit report.
g. Limitation on scope of internal audit considering aspects like confidentiality.
3.2 Once the terms of internal audit engagement are defined, they help to establish the operating parameters within the overall internal audit agenda. These objectives terms and operating parameters are formally recorded in one of these two documents:
a. An Internal Audit Charter, primarily designed for the in-house team of internal auditors and its stakeholders; and
b. An Engagement Letter is a formal agreement signed with the out-sourced internal audit service provider.
In some cases, both the documents may exist, although, where the complete internal audit function is out-sourced, the Engagement Letter covering the whole Internal Audit activity may be the only document in place.
3.3 This Standard applies to all internal audit engagement where an assurance is to be provided either as:
Reasonable assurance: An overall opinion over the whole subject matter.
Limited assurance: An opinion on part or a limited aspect of the subject matter.
Assignments not covered under this Standard include advisory roles, agreed-upon procedures, compliance reviews with opinion and consulting engagements.
4. Requirements
4.1 Internal Audit Charter (Refer Para. A1)
Every Internal Auditor shall be guided by a document that defines the terms of Internal Audit engagement. It is the duty of the Chief of Internal Audit to have in place a written Internal Audit Charter (refer Annexure 2) documenting the formation and functioning of the internal audit activity.
4.2 Engagement Letter (Refer Para. A2)
Where part of the internal audit activity is out-sourced, the Chief of Internal Audit shall have a formal Engagement Letter defining the terms of engagement and documenting the nature of the arrangement with the external internal audit service provider. If the internal audit activity is completely out-sourced, the Engagement Partner shall ensure a formal Engagement Letter documenting the terms of engagement.
4.3 The Chief of Internal Audit shall ensure that the Internal Audit Charter is reviewed and approved by those charged with governance (the Board of Directors, or the Audit Committee of the Board). In the case of the Engagement Letter, the Engagement Partner shall ensure that the formal agreement with the terms of engagement shall have the approval of the competent authority, as per the company’s Delegation of Powers. Where the complete internal audit activity is out-sourced, then this approval shall come from those charged with governance (the Board of Directors, or the Audit Committee of the Board).
It is important that the governing body members and other stakeholders are aware of, and in agreement with, the terms of internal audit engagements and other relevant portions of the Internal Audit Charter and Engagement Letter. This information shall be communicated to all stakeholders through formal channels of communication.
The Internal Audit Charter and the Engagement Letter shall be reviewed periodically by the Chief of Internal Auditor and the Engagement Partner to ensure its relevance to the changing times or circumstances (e.g. change in scope). If found necessary, the proposed amendments to these documents shall be put up to the
approving authority for their review and approval. A signed Engagement Letter shall be obtained prior to commencement of any audit work.
4.4 Deliverables of Internal Audit Engagement (Refer Para. A3)
The Internal Audit Charter and/or Engagement Letter shall clearly specify the list of deliverables to be provided by the Internal Auditor.
4.5 Assurance in Engagement Context (Refer Para. A4)
Before an Internal audit engagement begins, the following conditions must be met:
- There must be rational purpose for the engagement.
- The subject matter must be clearly defined and appropriate.
- Pre-defined criteria must be established to evaluate the subject matter.
- Sufficient and appropriate audit evidence must be available.
- The internal auditor must have access to relevant document and personnel.
It assurance has to be provided, the internal Auditor must obtain written agreement from the Assurance User on the type and scope of assurance, criteria to be used and form of report.
4.6 Time Limits for Reporting (Refer Para A5)
Internal audit reports must be submitted to management or those charged with governance within 30 days from the completion of fieldwork, unless otherwise agreed in writing.
*****
Application and Other Explanatory Material
A1. Internal Audit Charter (Refer Para. 4.1): The formation and functioning of the internal audit activity within the organization is noted in a formal document called the Internal Audit Charter. It defines the objectives of internal audit (in line with the definition of Internal Audit) and other important aspects of the functioning of the Internal Audit activity. It also provides clarity to the Internal Auditor regarding the manner in which the internal audit work is undertaken and how the auditor’s responsibility is to be discharged.
An indicative list of areas covered in the Internal Audit Charter is as follows:
a. Vision and Mission of the Internal Audit function
b. Purpose and Objectives of Internal Audit
c. Reporting Structure and Independence
d. Scope and Approach
e. Accountability and Authority
f. Roles and Responsibility
g. Quality Assurance and Conformance with SIAs.
Further explanation of each of the above-mentioned areas is given as Annexure 2.
A2. Engagement Letter (Refer Para. 4.2): The Objectives of Internal Audit and other terms of engagement of the external service provider are documented in a formal agreement referred to as the Engagement Letter. The Engagement Letter is signed by the Engagement Partner along with the appointing authority of the Company.
An indicative list of terms of engagement, covered in an Engagement Letter, is as follows:
a. Purpose and Objectives of Internal Audit
b. Independence and Objectivity
c. Scope and Approach
d. Accountability and Authority
e. Roles and Responsibility
f. Limitations and Confidentiality
g. Quality Assurance and Conformance with SIAs
h. Reporting and Compensation
i. Ownership of Working Papers
j. Termination of Arrangement
Further explanation of above-mentioned areas is given as Annexure 3.
A3. Deliverables of Internal Audit Engagement (Refer Para. 4.4): Typical deliverables would normally include but are not limited to:
- Internal Audit Plan and Risk Assessment.
- Draft and Final Audit Reports.
- Executive Summaries and Management Presentations.
- Issue Logs and Remediation Trackers.
- Periodic Progress Reports to Management/Audit Committee.
- Final Assurance Report specifying nature (reasonable or limited) of assurance.
These deliverables must be submitted in the format and timeline agreed upon in the Engagement Letter or Audit Charter.
A4. Assurance in Engagement Context (Refer Para. 4.5) Three-Party Relationship
1. Internal Auditor: Independent party conducting the audit.
2. Auditee: Entity or personnel responsible for the subject matter.
3. Assurance User: Stakeholders relying on the assurance report (e.g., Audit Committee, Board).
Subject Matter
Subject matters may be financial, non-financial, operational, compliance, or physical attributes. It must be:
- Clearly identifiable.
- Measurable against criteria.
- Capable of generating sufficient evidence.
Pre-defined Criteria
Pre-defined criteria for evaluation of the subject matter shall be:
- Relevant, complete, reliable, understandable, and measurable.
- Based on frameworks, policies, laws, SOPs, or mutually agreed benchmarks.
Conclusive Outcome
The opinion must reflect the audit findings, the inference drawn, and comparison with pre-defined criteria.
- Reasonable Assurance: Requires extensive procedures and evidence.
- Limited Assurance: Involves limited procedures; expressed with appropriate disclosure of limitations.
A5. Time Limits for Reporting (Refer Para. 4.6): According to SIA 310, Reporting and Conformance with Standards on Internal Audit, internal audit reports should be submitted within 30 days from the completion of fieldwork, unless a different timeframe is agreed upon in writing.
This ensures timely communication of audit observations and findings to the management or those charged with governance, enabling prompt corrective actions.
Annexure 1
Indicative List of terms of Internal Audit Engagement* (as per Standard on Auditing (SA) 610, “Using the Work of an Internal Auditor” issued by Auditing & Assurance Standards Board, ICAI).
Scope and Objectives of the Internal Audit Function (Refer Para. 3)
A3. The objectives of internal audit functions vary widely and depend on the size and structure of the entity and the requirements of management and, where applicable, those charged with governance. The activities of the internal audit function may include one or more of the following:
- Evaluation of internal control. The internal audit function may be assigned specific responsibility for reviewing controls, evaluation their operation and recommending improvements thereto.
- Examination of financial and operating information. The internal audit function may be assigned to review the means used to identify, measure, classify and report financial and operating information, and to make specific inquiry into individual items, including detailed testing of transactions, balances and procedures.
- Review of operating activities. The internal audit function may be assigned to review the economy, efficiency and effectiveness of operating activities, including non- financial activities of an entity.
- Review of compliance with laws and regulations. The internal audit function may be assigned to review compliance with laws, regulations and other external requirements, and with management policies and directives and other internal requirements.
- Risk management. The internal audit function may assist the organization by identifying and evaluating significant exposures to risk and contributing to the improvement of risk management and control systems.
- Governance. The internal audit function may assess the governance process in its accomplishment of objectives on ethics and values, performance management and accountability, communicating risk and control information to appropriate areas of the organization and effectiveness of communication among those charged with governance, external and internal auditors, and management.
Annexure 2
Components of a Typical Internal Audit Charter
- Vision and Mission of the Internal Audit (IA) Function
This indicates the long-term view of the Internal Audit function, in line with its reason for existence.
- Purpose and Objectives of Internal Audit
Explain what the Internal Audit function has to achieve in a certain period of time. These objectives cover the internal audit definition and are usually in line with the Objectives of the Organisation in a similar period of time. (refer Annexure 1)
- Reporting Structure and Independence
This section explains where the Internal Audit function is placed within the overall Organisation Structure of the Company and whom it reports to (both functionally as well as administratively). It also clarifies how the independence of the function is assured in case of both in house and outsourced internal audit. (Refer Para. 3.1. of “Basic Principles of Internal Audit”).
- Scope and Approach
The scope of the internal audits shall be consistent with the goals and objectives of the internal audit function and also in line with the nature and extent of assurance to be provided by the Internal Auditor. Any entities/units excluded from the scope shall be clearly noted. The approach is generally a risk-based audit approach, with a system and process focus. (Refer Para. 3.6 and 3.7 of “Basic Principles of Internal Audit”)
- Accountability and Authority
The Internal Auditor may be held accountable for certain deliverables beyond providing basic assurance, such as, improving the control environment, reducing risk ratings or improving compliances level, etc. These should be clearly spelt out. Along with accountability, comes the authority and the powers required to conduct audits without any undue hindrances, engaging external experts and receiving all information and system access on time.
- Roles and Responsibility
All the key job functions and activities are spelt out in this section, which are usually in line with the objectives of the Internal Audit function.
- Quality Assurance and Conformance with SIAs
This section indicates the importance of ensuring high quality audit work and procedures, including how the audit procedures will be conducted in conformance with ICAI pronouncements applicable at the time. It also notes the checks put in place to ensure reliability and credibility of the output.
Annexure 3
Components of A Typical Engagement Letter
- Purpose and Objectives of Internal Audit
This section indicates what the Internal Audit engagement has to achieve in the set period of time. These objectives are mostly defined by those charged with governance and appointing the Internal Auditor. (refer Annexure 1)
- Independence
As independence of internal audit engagement is critical. This section defines the reporting structure and reporting protocol of the Internal Auditor. The internal auditor reports directly to audit committee and administratively May report to managing director/ chief executive officer. (Refer Para. 3.1 of “Basic Principles of Internal Audit”)
- Scope and Approach
The scope of the internal audits shall be consistent with the goals and objectives of the internal audit and in line with the nature and extent of assurance to be provided. Any entities/units excluded from the scope shall be clearly noted. The approach is generally a risk-based audit approach, with a system and process focus. (Refer Para. 3.6 and 3.7 in “Basic Principles of Internal Audit”)
- Accountability and Authority
The Internal Auditor is accountable to deliver the outcome of his work to the appointing authority or those changed with governance. Where the laws and regulations require, the internal auditor may also be required to report directly to external authorities. Along with accountability, comes the authority and the powers required to conduct audits without any undue hindrances and to receive all information and system access on time.
- Roles and Responsibility
All key job functions and activities get clearly spelt out in this section, which are usually in line with the objectives of the Internal Audit function.
- Limitations and Confidentiality
Limitations on liabilities which the auditor is exposed to and the manner of determination of the same should be included in this section. Obligations on part of the Internal Auditor to maintain confidentiality of information collected and on part of the Company to keep the audit report confidential are also covered here.
- Quality Assurance and Conformance with SIAs
This section indicates the importance of ensuring high quality audit work and procedures, including how the audit procedures will be conducted in conformance with ICAI pronouncements applicable at the time. It also notes the checks put in place to ensure reliability and credibility of the output.
- Reporting
All requirements with regard to the nature of reports to be issued, the type of assurance to be provided, the timing, or periodicity of reports and the recipients is clearly noted here.
- Compensation
The basis upon which the compensation is established, the manner of its review, the ancillary charges (cost reimbursements, taxes, etc.) and the time limit within which the compensation is to be paid should be mentioned here.
- Ownership of Working Papers
This section clarifies the understanding regarding the ownership of working papers. Where a formal internal audit report is issued (with or without assurance), the ownership of the working papers should be retained by the Internal Auditor. (refer SIA 250, “Internal Audit Documentation”)
- Termination of Arrangement
The time period of appointment, the timelines for completion of all assignments and the cessation of the arrangements should be covered in this section.
