The Institute of Chartered Accountants of India (ICAI) has issued the Standard on Internal Audit (SIA) 110: Basic Principles of Internal Audit, which outlines the core ethical and performance requirements essential for all internal audit engagements. The primary objective is to ensure that internal audits are conducted with fundamental features that establish the credibility of the Internal Auditor and deliver a quality outcome aligned with organizational objectives. The Standard mandates adherence to ten principles, categorized into two groups: those focused on the auditor’s ethical conduct and persona, and those relating to the execution and quality of the audit work. Ethical principles include Independence (in mind and appearance, typically maintained through a dual reporting structure to the Audit Committee), Integrity and Objectivity (demanding honesty, fairness, and the avoidance of conflicts of interest), Confidentiality (securing information and disclosing only on a need-to-know basis), and Skills and Competence (requiring the audit team to possess relevant expertise and commit to continuous professional education). Any deviation from these principles must be appropriately documented and disclosed in the audit report.
The performance-related principles focus on methodology and output. These include exercising Due Professional Care and diligence in planning, scoping, and applying professional judgment regarding materiality; adopting a Risk-Based Audit approach where procedures are prioritized over high-risk areas connected to strategic objectives; employing a System and Process Focus that involves root-cause analysis to strengthen controls; being Sensitive to Multiple Stakeholder Interests by presenting a balanced view of observations; and maintaining Quality and Continuous Improvement through internal self-assessment and factual accuracy checks. The Standard clarifies that while auditors may provide advisory support, they must maintain a distinction by avoiding operational decision-making to prevent impairing their independence in future audits. Compliance with SIA 110 is mandatory for ICAI members, and the principle of documentation is stressed as objective evidence for both adherence and continuous assessment.
The Institute of Chartered Accountants of India
Standard on
Internal Audit (SIA) 110
Basic Principles of Internal Audit**
1. Introduction
1.1 These are a set of core principles fundamental to the internal audit function and activities. These basic principles of internal audit are critical to achieve the desired objectives as set out in the Definition of Internal Audit.
1.2 Scope: All internal audits shall be performed based on these basic principles, and departures from these principles shall be appropriately disclosed in internal audit report or other similar communication.
2. Effective Date
2.1 This Standard is applicable for internal audits beginning on or after a date to be notified by the Council of the Institute.
3. Objectives
3.1 The main objective of the basic principles is to ensure that:
(i) Internal audits are conducted with certain fundamental features designed to:
-
- establish the credibility of the Internal Auditor (principles mentioned under para. 4.1 to 4.5), and
- outline the elements essential for performance of internal audit function (principles mentioned under para. 4.6 to 4.10).
(ii) Outcome of internal audits is of quality and is in line with the set objectives.
(iii) To serve as a guide for evaluation of internal audit effectiveness, both by internal and external reviewers.
3.2 Basic principles of Internal audit are set out with the purpose of realising objectives of internal audit designed or expected by the appointing authority. The basic principles aim at ensuring:
a. Competence of internal audit team.
b. Objective of internal audit.
(c) Results are based on intelligent appreciation of facts noticed during audit.
4. Basic Principles
The core principles of internal audit are foundational guidelines that every internal auditor should follow to ensure the audit is effective, ethical, and reliable. These principles help in maintaining credibility, independence, and value of the internal audit function. Below are the key principles:
4.1 Independence (Refer Para. A1)
The Internal Auditor shall remain independent and objective, both in mind and in appearance, and shall be free from any influence direct or indirect that could impair professional judgment. Independence must be maintained throughout the planning, execution, and reporting phases of an internal audit assignment. The Internal Auditor shall firmly resist any undue influence or pressure that may alter the scope, methodology, or conclusions of the audit engagement in a manner inconsistent with approved objectives and professional standards.
4.2 Integrity and Objectivity (Refer Para. A2)
The Internal Auditor shall be honest, truthful and be a person of high integrity. He shall operate in a highly professional manner and seen to be fair in all his dealings. He shall avoid all conflicts of interest and not seek to derive any undue personal benefit or advantage from his position.
The Internal Auditor shall conduct his work in a highly objective manner, especially in gathering and evaluation of facts and evidence. He shall not allow prejudice or bias to override his objectivity, especially in arriving at conclusions or reporting his opinion. Any threats to objectivity, whether arising from personal, professional, or organizational relationships, shall be identified, assessed, and appropriately mitigated.
4.3 Due Professional Care
The Internal Auditor shall exercise due professional care and diligence while carrying out the internal audit. “Due professional care” signifies that the Internal Auditor exercises reasonable care in carrying out the work to ensure the achievement of planned objectives.
The Internal Auditor shall pay particular attention to key audit activities, such as establishing the scope of the engagement to prevent the omission of important aspects, recognizing the risks and materiality of the areas, having required skills to review complex matters, establishing the extent of testing required to achieve the objectives within specified deadlines, etc. Professional judgement shall be exercised in evaluating materiality and determining the extent of reliance to be placed on internal controls and other assurance providers.
“Due Professional Care”, however, neither implies nor guarantees infallibility, nor does it require the Internal Auditor to go beyond the established scope of the engagement.
4.4 Confidentiality
The Internal Auditor shall at all times, maintain utmost confidentiality of all information acquired during the course of the audit work. He shall not disclose any such information to a party outside the internal audit function and any disclosure shall be on a “need to know basis”.
The Internal Auditor shall keep confidential information secure from others. Under no circumstance any confidential information shall be shared with third parties outside the company, without the specific approval of the Management or Client or unless there is a legal or a professional responsibility to do so (e.g., to share information with Statutory Auditors). Internal audit reports shall be addressed to specified internal auditees and distributed to only those who appointed or engaged the Internal Auditor and as per their directions. The Internal Auditor shall also safeguard proprietary or sensitive information even after the termination of the engagement, unless legally obligated otherwise.
4.5 Skills and Competence (Refer Para. A3)
The Internal Auditor shall have sound knowledge, strong interpersonal skills, practical experience and professional expertise in areas covered under internal audit and other competence required to conduct a quality audit. He shall undertake only those assignments for which he has the requisite competence.
4.6 Risk Based Audit (Refer Para. A4)
The Internal Auditor shall either have, or shall obtain, such skills and competencies, as necessary for the purpose of discharging his responsibilities.
The Internal Auditor shall identify the important audit areas through a risk assessment exercise and tailor the audit activities such that the detailed audit procedures are prioritised and conducted over high-risk areas and issues, while less time is devoted to low-risk areas through curtailed audit procedures. Additionally, this approach shall ensure that risks under consideration are more aligned to the overall strategic and company objectives rather than narrowly focused on process objectives. Also, the risks should be reviewed periodically to reflect changing internal and external risk landscapes, and the audit plan shall be updated accordingly.
4.7 System and Process Focus
An Internal Auditor shall adopt a system and process focused methodology in conducting audit procedures. It requires a root cause analysis to be conducted on deviations to identify opportunities for system improvement or automation, to strengthen the process and prevent a repetition of such errors.
The Internal Auditor shall assess the adequacy of system-generated controls and interfaces, including system configuration and access controls.
4.8 Participation in Decision Making (Refer Para. A5)
The focus of the Internal Auditor shall remain with the quality and operating effectiveness of the decision-making process and how best to strengthen it, such that the chance of flawed or erroneous decisions is minimised. However, the Internal Auditor is at full liberty to present the lessons which can be learnt from such past decisions. Where the Internal Auditor is consulted for input in strategic or operational matters, a formal record shall be maintained to clarify advisory versus decision-making roles.
4.9 Sensitive to Multiple Stakeholder Interests
The Internal Auditor shall evaluate the implications of his observations and recommendations on multiple stakeholders, especially where diverse interests may be conflicting in nature. In such situations, the Internal Auditor shall remain objective and present a balanced view. This would permit senior management to make a decision using all the information and balance the strategy and objectives of the company with the expectations and interests of its multiple stakeholders.
4.10 Quality and Continuous Improvement
The quality of the internal audit work shall be paramount for the Internal Auditor since the credibility of the audit reports depends on the reliability of reported findings. The Internal Auditor shall have in place a process of quality control to:
a. ensure factual accuracy of the observations.
b. to validate the accuracy of all findings; and
c. continuously improve the quality of the internal audit processes and the internal audit reports.
The Internal Auditor shall ensure that a self-assessment mechanism is in place to monitor his own performance and also that of his subordinates and external experts on whom he is relying on to complete some part of the audit work.
5. Continuous Assessment
5.1 Internal Audit team should consciously observe the basic principles. Adherence to the basic principles go a long way in ensuring quality and in turn, utility of internal audit. There should be a process of review gaps in observing basic principles and overcoming the gaps observed through systematic procedures. Such an assessment is a continuous ongoing process.
6. Documentation
6.1 Internal Auditor should formulate a systematic procedure to document adherence to basic principles. Documentation should also cover procedures followed in continuous assessment of adherence to basic principles.
Documentation serves as an objective evidence to establish compliance of basic principles. It also serves as a guide to decision making in future.
*****
Application and Other Explanatory Material
A1. Independence (Refer Para. 4.1): Organizational independence of the internal audit function is critical. This is supported through an appropriate governance structure, wherein the Chief Internal Auditor (CIA) functionally reports directly to the Audit Committee of the Board and administratively may report to the Managing Director (MD)/ Chief Executive Officer (CEO). This dual reporting structure functional and administrative is a globally accepted norm and aligns with Rule 8 of the Companies (Meetings of Board and its Powers) Rules, 2014, which emphasizes the Audit Committee’s role in appointing and overseeing the Internal Auditor.
The internal audit function shall be positioned outside any function or business unit it audits, such as Finance, Operations, or Compliance. Where organizational structures limit the CIA’s independence, such constraints must be transparently disclosed in the Internal Audit Charter and Annual Audit Plan and appropriately escalated to the Audit Committee for resolution.
In some situations, the Internal Auditor may be called upon to provide consulting or advisory support (e.g., in risk management, compliance, or process improvement). While short-term, nonrecurring advisory roles may be accepted with prior approval of Audit Committee, these must not impair the auditor’s objectivity. In such cases, the Internal Auditor must:
a) Clearly communicate the boundaries of involvement and refrain from assuming ownership or accountability of business processes, and
b) Avoid decision-making authority over any operational area that may subsequently be subject to audit.
All such instances must be documented and disclosed in the Audit Plan, with safeguards implemented to preserve independence and objectivity of thein future audit engagements.
A2. Integrity and Objectivity (Refer Para. 4.2): This may involve disclosure to appropriate authorities (e.g., the Audit Committee), recusal from specific engagements, or application of safeguards to mitigate the threat. The Internal Auditor shall take responsibility to ensure that such risks do not compromise audit quality or stakeholder confidence.
A3. Skills and Competence (Refer Para. 4.5): Continuing Professional Education is a key part of this exercise. Emerging technologies, data analytics, ESG and regulatory developments should necessarily form part of the Internal Auditor’s learning and upskilling agenda. In addition to the basic technical skills, the Internal Auditor shall have the softer skills (such as interpersonal and communication skills) required to engage with a multitude of stakeholders.
Where the Internal Auditor lacks certain expertise, he shall procure the required skills either though in-house experts or through the services of an outside expert, provided independence is not compromised. The objective is to ensure that the audit team as a whole has all the expertise and knowledge required for the area under review.
Further, in the case of external/internal audit teams constituted from a third-party professional firm, it is essential that the engagement team is composed of members with the requisite technical expertise, industry knowledge, and professional competence relevant to the audit scope. The constitution of the audit team must ensure that the required skill sets such as financial audit expertise, process and controls understanding, forensic skills, data analytics capability, and IT audit knowledge are adequately represented.
Audit firms must ensure that:
- Team members are assigned based on qualifications, relevant experience, and capability to handle the specific complexities of the engagement.
- There is appropriate senior-level supervision and review mechanisms to ensure quality and independence throughout the engagement lifecycle.
- The team complies with ethical standards, including independence, confidentiality, and due professional care.
- Where specialized knowledge is required (e.g., valuation, taxation, systems audit), subject matter experts (SMEs) are included or consulted, and their inputs are documented as part of the audit file.
The engagement partner or signing auditor must take overall responsibility for the quality of the audit and ensure that the final report reflects accurate, fair, and evidence-based findings, free from conflict of interest or undue influence.
A4 Risk Based Audit (Refer Para. 4.6): A risk-based audit shall ensure the following three-fold objectives:
a. Audit procedures need not cover the whole process and can be limited only to the important controls in the process.
b. Establish linkage to the aspects relevant and connected with company and functional objectives; and
c. Findings and issues highlighted are significant and important and time is not devoted to areas with low probability of significant observations.
A5. Participation in Decision Making (Refer Para. 4.8): In conducting internal audit assignments, the Internal Auditor shall avoid passing any judgement or render an opinion on past management decisions. As part of his advisory role, the Internal Auditor shall avoid participation in operational decision making which may be subject of a subsequent audit.
