Internal audit provides independent assurance on the effectiveness of internal controls and risk management processes to enhance governance and achieve organisational objectives
What are the key terms/features of Internal Audit
Independence: Internal audit shall be an independent function, achieved through the position, organization structure and reporting of the internal auditor.
An internal auditor is expected to evaluate the design and operating effectiveness of internal controls and risk management processes as designed and implemented by the management
Organizational objectives incorporate the interests of all stakeholders and include the short and medium term goals.
What is the Framework for Internal Audit
The four components (forming the pillars) of the framework are:
(i) Basic Principles of Internal Audit: Independence, Integrity and Objectivity, Due Professional Care, Confidentiality, Skills and Competence, Risk Based Audit, Systems and Process Focus, Participation in Decision Making, Sensitive to Multiple Stakeholder Interests, Quality and Continuous Improvement
(ii) Key Concepts: these are in the nature of Internal Controls, Risk Management, Governance Processes, Compliance with Law and Nature of Assurance
(iii) Standards on Internal Audit (SIAs): These pronouncements are designed to help the internal auditor to discharge his responsibilities
(iv) Guidance Notes: These guidelines are important for implementation of the SIAs and provide clarification
Standards on Auditing highlights
Series 100 (Standards on Key Concepts)
SIA 110 – Nature of Assurance
This Standard covers only those assignments where an opinion is expressed through an internal audit report
Giving the findings of an Internal Audit, i.e. the effectiveness of internal controls (e.g., a process), after comparing it with pre-defined criteria renders it an assurance assignment.
The objective of a reasonable assurance assignment is to provide an opinion over the whole subject matter after conducting an audit of the whole subject matter. The objective of a limited assurance assignment is to express an opinion over the whole or part of subject matter after conducting limited audit procedures over the subject matter.
Component of Assurance
(a) A three-party relationship, involving an Internal Auditor, an Auditee and an Assurance User (e.g., the Audit Committee of the Board of Directors);
(b) Presence of three key elements, involving a Subject Matter, a Pre-defined criteria, and a Conclusive Outcome; and
(c) A written Assurance Report which expresses an opinion in a standard format.
Key Elements – Subject Matter for achieving stated objectives as outlined in the scope of the audit are the Subject matter of an assurance which may take many forms:
(a) Financial performance or conditions (for example, the financial position, financial performance and cash flows).
(b) Non-financial performance or conditions (for example, operational output of a factory)
(c) Physical characteristics (for example, capacity of a facility)
(d) Systems and processes (for example, an entity’s internal controls, or IT system)
(e) Procedural compliance (for example, corporate governance, compliance with regulation, human resource practices)
Pre-defined criteria are the benchmarks used to evaluate or measure the Subject matter including, where relevant, benchmarks for presentation and disclosure
Internal Auditor plans and performs an assignment in accordance with the Standards on Internal Audit to reach an outcome which allows a conclusion to be reached on whether the Subject matter meets the Pre-defined criteria
Undertaking an Assignment
An Internal Auditor may undertake an assurance assignment only if preliminary knowledge of the assignment circumstances indicates that:
(a) Relevant ethical requirements, such as independence and professional competence will be satisfied, and
(b) The assignment exhibits all of the following characteristics:
(i) The Subject matter is appropriate
(ii) The Pre-defined criteria to be used are suitable
(iii) The Auditor has access to evidence to support the auditor’s opinion;
(iv) The Internal Auditor’s opinion is to be contained in a written report; and
(v) The Internal Auditor is satisfied that there is a rational purpose. Circumstances that may indicate an absence of rational purpose: significant limitation on the scope of the internal auditor’s work; the Assurance user intends to associate the auditor’s name with the Subject matter in an inappropriate manner.
SIA 120 – Internal Control
Internal Controls are systemic and procedural steps adopted by an organisation to mitigate risks, primarily in the areas of financial accounting and reporting, operational processing and compliance with laws and regulations. This Standard is to clarify the responsibilities of management and auditors over Internal Controls (ICs) and how certain requirements need to be met to assess, evaluate, report and provide an independent assurance over Internal Controls. When ICs mitigate the risk of financial exposure, they are also referred to as Internal Financial Controls (IFCs), and when they mitigate operational risks, they are also referred to as Operational Controls (OCs).
Internal Controls can be broad-based, covering the whole entity (e.g., Code of Conduct), or focused on a specific process or area (e.g., Order processing or Payroll, etc.). In the former case they are generally referred to as “Entity Level Controls (ELCs)” as part of the “Control Environment”, and in the latter case they are referred to as “Process Level Controls (PLCs)”.
Importance and Scope
In Standard on Auditing (SA) 315, “Identifying and Assessing the Risks of Material Misstatement Through Understanding the Entity and Its Environment”, Internal Control is defined as follows:
“The process designed, implemented and maintained by those charged with governance (CWG), management and other personnel to provide reasonable assurance about the achievement of an entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, safeguarding of assets and compliance with applicable laws and regulations. The term “controls” refers to any aspects of one or more of the components of internal control”
The “Guidance Note on Audit of Internal Financial Controls over Financial Reporting (ICoFR)” defines internal financial controls over Financial Reporting quite narrowly as follows: “A process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with Generally Accepted Accounting Principles (GAAP)”.
Responsibility of the Board and Management
Section 134 (5) of the Companies Act, 2013 (applicable to listed Companies), concerning the Directors’ Responsibility Statement, vide clause (e) thereof, defines the term “Internal Financial Controls” (IFC) as follows: “the policies and procedures adopted by the company for ensuring the orderly and efficient conduct of its business, including adherence to company’s policies, the safeguarding of its assets, the prevention and detection of frauds and errors, the accuracy and completeness of the accounting records, and the timely preparation of reliable financial information”.
In short: ICoFR + OC = IFC + ELC = IC
There are similar frameworks, such as the COSO (Committee of Sponsoring Organisations) Internal Control – Integrated Framework, which help to serve the same purpose, i.e. to assess the design, adequacy and operating effectiveness of the overall internal control system.
Responsibility of the Board and Management
Clause (e) of Section 134 (5) of the Companies Act, 2013 imposes overall responsibility on the BoD with regard to IFC’s to state that “the directors, in the case of a listed company, had laid down IFC’s to be followed by the company and that such IFC’s are adequate and were operating effectively.” Further, Rule 8(5)(viii) of the Companies (Accounts) Rules, 2014 (applicable to all companies) requires the BoD’s Report to include “the details in respect of adequacy of internal financial controls with reference to the Financial Statements”.
SEBI, in (Listing Obligations and Disclosure Requirements) (“LODR”), has placed additional responsibilities with regard to ICoFR, namely that the Management have evaluated the effectiveness of internal control systems of the listed entity pertaining to financial reporting and that they have disclosed to the auditors and the audit committee deficiencies in the design or operation of such internal controls. Section 143(3)(i) (applicable to all companies) requires the statutory auditor to report on “whether the company has adequate internal financial controls system”.
Responsibility of the Internal Auditor (IA)
The IA shall ensure that the entity has designed, implemented and maintains effective and efficient Internal Controls. The IA shall review the risk assessment exercise to evaluate whether adequate and appropriate Internal Controls are in place to address the risks identified. Audit procedures to be conducted would primarily be directed over high and medium risk Internal Controls and adequate documentation (e.g., a Risk Control Matrix) should be in place procedure with the respective risks. The IA is required to provide an independent opinion over the presence, design, implementation and/or operating effectiveness over Internal Controls
Series 200 – Standards on Internal Audit Management
SIA 210 – Managing the Internal Audit Function
Introduction / Scope
(a) Define the overall plan, scope and methodology of the IA Function on a periodic basis.
(b) Proper planning, execution, reporting of findings and subsequent closure of reported observations.
(c) Plan, acquire, engage and review the performance, training and development of professional staff and other resources to achieve its objectives.
(d) Identify, source, engage and manage external experts and technical solutions, if required.
(e) Communicate with all key stakeholders regarding progress and achievement of objectives.
(f) Develop and maintain a quality evaluation and improvement program
(g) Quality of the work performed for reporting, which is supported by evidence and documentation; further, work is conducted in conformance with the Standards on Internal Audit
SIA 220 – Conducting Overall Internal Audit Function
Introduction / Scope
This SIA deals with the Internal Auditor’s responsibility to prepare the Overall Internal Audit Plan, also referred to as the Annual Internal Audit (Engagement) Plan. Where only part of the internal audit activity is outsourced, this SIA shall apply to the extent the Internal Auditor needs to plan the activities of the outsourced part of the engagement only.
The overall IA plan is prepared for an individual assignment a period (usually a year) and presented to TCG (BoD or Audit Committee). The Audit Committee or the Board takes the active support of the Chief Internal Auditor (CIA) to develop the Overall Internal Audit Plan, in consultation with the Executive Management. Key elements: it covers the entire entity (except outsourced work) and is normally prepared by the CIA.
The outcome should be a written planning document, including technology deployment and resource allocation, duly approved by the management (TCG), Audit Committee, BoD, etc. Further, a risk-based approach should be the basis of planning and of work on high-risk areas; the same should be monitored continuously while conducting the internal audit (modification can be done only after approval of Management / BoD / TCG / Audit Committee).
1) Planning Process
2) Knowledge of Business Environment
3) Discussion with Management and Stakeholders
4) Audit universe and Coverage
5) Risk Assessment
6) Technology Deployment
7) Resource Allocation
SIA 230 – Objectives of Internal Audit
Introduction / Scope
Section 138 of the CA, 2013 states that in these classes of companies, the Audit Committee or the Board, in conjunction with management and the Chief of Internal Audit, is expected to exercise the responsibility to formulate the objectives of internal audit.
For other classes of companies, usually those who appoint the Internal Auditor define the objective.
The current law of India permits internal audit to be performed by the entity’s own employee or the professionals.
The purpose of defining the Objectives of Internal Audit is to:
(a) Document the formation and functioning of the Internal Audit activity and the terms of the outsourced internal audit arrangement; Record Internal Audit Charter and Engagement letter
(b) Provide clarity to the Internal Auditor and its stakeholders regarding the nature of the internal audit set-up and its working;
(c) Ensure linkage between what is expected of the Internal Auditor and how those expectations can be met within the Framework governing Internal Audits; and
(d) Promote better understanding on key operational areas, such as, accountability and authority, roles and responsibility, and such other functional matters.
An indicative list of areas covered in the Internal Audit Charter is as follows:
(a) Mission and Vision of the Internal Audit function
(b) Purpose and Objectives of Internal Audit
(c) Reporting Structure and Independence
(d) Scope and Approach
(e) Accountability and Authority
(f) Roles and Responsibility
(g) Quality Assurance and Conformance with SIAs.
An indicative list of terms of engagement, covered in an Engagement Letter, is as follows:
(a) Purpose and Objectives of Internal Audit
(b) Independence and Objectivity
(c) Scope and Approach
(d) Accountability and Authority
(e) Roles and Responsibility
(f) Limitations and Confidentiality
(g) Quality Assurance and Conformance with SIAs
(h) Reporting and Compensation
(i) Ownership of Working Papers
(j) Termination of Arrangement
SIA 240 – Using the work of an Expert
This Standard applies to all internal audit assignments where part of the internal audit work is completed by an Expert and relied upon by the Internal Auditor to provide an independent assurance. However, an external service provider with expertise in accounting and auditing, and engaged to provide regular internal audit services, is not treated as an Expert for this Standard. For such appointments, the Internal Auditor shall refer to another SIA, SIA 230 “Objectives of Internal Audit”, to fulfil the requirements of engaging External Service Providers, such as ensuring an Engagement Letter to cover the terms and conditions of appointment.
The objectives of using the work of an Expert are to ensure that:
(a) Technical assistance and support from competent experts is obtained where the internal audit team does not possess the necessary knowledge and expertise;
(b) Internal audit procedures conducted in complex and specialised areas meet expected quality standards;
(c) Outcome of the internal audit work is credible and reliable; and
(d) Work performed is in conformance with the applicable pronouncements of the ICAI.
The overall objective of using the work of an Expert is to allow the Auditor to place reliance on the work completed so as to form an opinion and to add credibility and reliability to the audit findings.
The IA shall have the authority to select, appoint and engage the Expert. Where this authority rests with management, then the IA shall conduct procedures to validate the independence and objectivity of the Expert and share any concerns highlighted with management and those CWG.
The IA shall retain ultimate responsibility for internal audit conclusions and opinions which are incorporated in his internal audit report, unless specifically mandated otherwise by the Assurance User. Hence, the IA shall not refer to the work of an Expert in his Internal Audit Report.
Independence and Objectivity of the Expert
a) The Appointing and Supervisory Authority: In case the Expert is appointed by a person other than the IA, then the Independence may be influenced
b) The Appointing and Supervisory Authority
c) Relationship of Expert
d) Personal Interests
Qualification & Credential of Expert
The IA should validate the Expert through –
(a) Educational and professional qualifications of the Expert;
(b) Background and reference checks of the experience;
(c) Details of instances and nature of similar past assignments undertaken;
(d) Self Certification by the Expert regarding his qualifications, expertise, any conflict of interest or any pending disciplinary actions
Defining the Scope, Approach and Work of the Expert
Where the Internal Auditor plans to incorporate the findings of the work of the Expert as part of his Internal Audit Report, the Internal Auditor shall participate in defining the Plan and Procedures of the Expert by defining the objective, the subject matter of review, specific requirements, source of information, assumptions, location of records and access, and clarity on confidentiality
Evaluating the work of Expert
During and after completion of the work by the Expert, the Internal Auditor shall conduct an evaluation of the outcome of the findings of the Expert to make a determination of the quality of the work performed and to validate the reliability of the findings by – reviewing the detailed report; thoroughness of processes completed; any hurdles faced in completing the assignment, review the workpaper and the opinion formed
(a) Details of procedures conducted to validate the requirements of an Expert.
(b) Details of procedures conducted to validate the Independence and Objectivity of the Expert.
(c) Details of procedures conducted to verify the Qualifications and Credentials of the Expert.
(d) Details of procedures conducted to define the Scope, approach and work plan of the Expert.
(e) A summary of the review completed to evaluate the quality and reliability of the work completed