The Standard on Internal Audit (SIA) 140 clarifies the concept of Internal Controls (ICs), which are systemic and procedural steps an organization adopts to mitigate risks across financial reporting, operational processing, and compliance. ICs, as key risk mitigation measures, help prevent and detect errors, providing reasonable assurance that organizational goals will be achieved. The Standard defines various control types, including Internal Financial Controls (IFCs), Operational Controls (OCs), and IT General Controls (ITGCs). It emphasizes that the Board of Directors and Management hold the overall responsibility for designing, implementing, and maintaining effective ICs. The Standard’s primary objective is to provide common terminology, define ICs, and clarify the responsibilities of both management and Internal Auditors regarding these controls. For the Internal Auditor, SIA 140 reinforces the basic expectation—derived from the definition of Internal Audit and SIA 120—to provide independent assurance on the effectiveness of the Internal Controls System. The Internal Auditor must review the IC design, implementation, and operating effectiveness, ensuring audit procedures are sufficient and focused on addressing identified risks. When providing a formal opinion, the auditor should have a clear understanding of the IC Framework used as the assurance basis. The Standard applies to all internal audits where ICs are assessed, evaluated, and reported upon.
The Institute of Chartered Accountants of India
Standard on Internal Audit
(SIA) 140
Internal Controls
1. Introduction
1.1 Internal Controls are systemic and procedural steps adopted by an organisation to mitigate risks, primarily in the areas of financial accounting and reporting, operational processing and compliance with laws and regulations.
1.2 This Standard seeks to clarify the concept of internal controls and the responsibility of the Internal Auditor, Management and other stakeholders, with respect to Internal Controls, keeping in mind their legal, regulatory and professional obligations.
1.3 The definition of Internal Audit (Refer Para. 3.1 in the “Preface to Standards on Internal Audit”) and SIA 120, “Terms of Internal Audit Engagement” indicate providing independent assurance on the effectiveness of Internal Controls as a basic expectation from Internal Audit. The definition on Internal Audit elaborates on the term “Internal Controls” by clarifying how these are integral to the management function and business operations.
1.4 Scope: This Standard applies to all internal audits conducted where internal controls are the subject of audit review and are being assessed, evaluated and reported upon.
2. Effective Date
2.1 This Standard is applicable for internal audits beginning on or after a date to be notified by the Council of the Institute.
3. Objectives
3.1 The purpose of this Standard is to:
(a) Provide a common terminology on Internal Controls to prevent ambiguity or confusion on the subject matter.
(b) Define Internal Controls, how they mitigate risks, and also how they are viewed from a legal perspective.
(c) Explain the responsibilities of management and auditors with regard to Internal Controls, as mandated by law and regulations, and
(d) Specify certain requirements which need to be met to be able to provide an independent assurance on Internal Controls in the organisation under review.
3.2 The overall objective of this Standard is to clarify the responsibilities of management and auditors over Internal Controls and how certain requirements need to be met to assess, evaluate, report and provide an independent assurance over Internal Controls.
4. Definition of Internal Controls
4.1 Internal Controls (ICs) are key risk mitigation measures undertaken to strengthen the organisation’s systems and processes. They help to prevent and detect errors and irregularities, thereby providing reasonable assurance that the organisational goals will be achieved.
4.2 Some key terminologies in Internal Controls are:
- Internal Controls Framework: a structured set of standards, guidelines, and practices designed to help organisations design, implement, monitor, and improve their internal control systems; it can be used by management or auditors to assess the design, adequacy and operating effectiveness of the overall internal control system.
- Control Activities: specific policies, procedures, and practices put in place to help mitigate risks and ensure that management directives are carried out effectively; the actual steps of risk mitigation are part of control activities (e.g., review, approval, physical count, segregation of duties, etc.).
- Internal Financial Controls (IFCs): Internal Controls designed to mitigate the risk of financial exposure are Internal Financial Controls.
- Operational Controls (OCs): Internal Controls that mitigate operational risks are referred to as Operational Controls.
- Application Controls: Internal Controls that check transaction processing at an application level (e.g., sequential numbering of invoices, etc.) are Application Controls.
- IT General Controls: IT General Controls (ITGCs) are the foundational policies, procedures, and activities that govern the overall IT environment and ensure the confidentiality, reliability, integrity, and security of information systems. These controls support the effectiveness of application controls and protect data and systems from unauthorized access or changes. (e.g., access controls)
- Manual Controls: Internal Controls operating with human intervention are Manual Controls.
4.3 Internal Controls can be broad-based, covering the whole entity, i.e. pervasive (e.g., Code of Conduct), or focused on a specific process or area (e.g., Order processing or Payroll, etc.). In the former case they are generally referred to as “Entity Level Controls (ELCs)” and form part of the “Control Environment”. In the case of the latter, they are also referred to as “Process Level Controls (PLCs)”.
4.4 In the Standard on Auditing (SA) 315, “Identifying and Assessing the Risks of Material Misstatement Through Understanding the Entity and Its Environment” issued by the ICAI, Internal Control is defined as follows:
“The process designed, implemented and maintained by those charged with governance, management and other personnel to provide reasonable assurance about the achievement of an entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, safeguarding of assets and compliance with applicable laws and regulations. The term “controls” refers to any aspects of one or more of the components of internal control”.
4.5 ICAI has issued a “Guidance Note on Audit of Internal Financial Controls over Financial Reporting” which defines internal financial controls over Financial Reporting as follows:
“A process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with Generally Accepted Accounting Principles. A company’s internal financial control over financial reporting includes those policies and procedures that
(i) pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company,
(ii) provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with Generally Accepted Accounting Principles, and that receipts and expenditures of the company are being made only in accordance with authorisations of management and directors of the company, and
(iii) provide reasonable assurance regarding prevention or timely detection of unauthorised acquisition, use, or disposition of the company’s assets that could have a material effect on the financial statements.”
4.6 Section 134 (5) of Companies Act, 2013, (applicable to listed companies) concerning Directors’ Responsibility Statement vide clause (e) thereof, defines the term “Internal Financial Controls” as follows:
“The policies and procedures adopted by the company for ensuring the orderly and efficient conduct of its business, including adherence to company’s policies, the safeguarding of its assets, the prevention and detection of frauds and errors, the accuracy and completeness of the accounting records, and the timely preparation of reliable financial information”.
4.7 Internal Controls is a broader term than the legal definition of Internal Financial Controls (Refer Para. 4.5 and 4.6): it goes beyond the financial areas and also covers a wide range of operational areas of an entity. It includes all the policies and procedures, systems and processes adopted by the company to assist in achieving its objective of ensuring an orderly and efficient conduct of its business and operations, the safeguarding of assets, and the prevention and detection of frauds and errors, and it also covers the accuracy and completeness of the company’s records and the timely preparation of reliable financial and management information.
4.8 The term “Internal Controls System” is an all-encompassing term generally used to refer to all types of controls put together, covering ELCs, IFCs and OCs. The Control Environment (ELCs) includes the overall culture, attitude, awareness and actions of the Board of Directors and management regarding the internal controls and their importance to the organisation. The control environment has an influence on the effectiveness of the overall Internal Control System since it provides the basis for establishing and operating process level controls (such as IFCs and OCs) in the organisation.
5. Responsibility of the Board and Management
5.1 The overall responsibility for designing, assessing the adequacy, implementing and maintaining the operating effectiveness of Internal Controls rests with the Board of Directors and the Management.
6. Responsibility of the Internal Auditor
6.1 As indicated in SIA 120, “Terms of Internal Audit Engagement”, the Internal Auditor derives the audit mandate from those charged with governance, which in the case of listed entities, is generally the Audit Committee. In line with the definition of internal audit and as per the objectives defined for internal audit, the Internal Auditor is required to review Internal Controls.
6.2 The Internal Auditor shall ensure that the entity has designed, implemented and maintains effective and efficient Internal Controls. The audit procedures shall be sufficient to allow the Internal Auditor to assess the design, proper implementation and operating effectiveness of the Internal Controls. Any shortcoming identified shall be reported with recommendations for improvement and suggestions to enhance the Internal Controls to meet the organisation’s objectives.
6.3 The Internal Auditor shall review the risk assessment exercise undertaken at the time of planning the audit assignment to establish a basis for evaluating whether adequate and appropriate Internal Controls are in place to address the identified risks. Audit procedures to be conducted would primarily be focused on high and medium risk Internal Controls and adequate documentation (e.g., a Risk Control Matrix) should be in place to confirm the linkage of the audit procedure with the respective risks.
6.4 Where the Internal Auditor is required to provide an independent opinion over the presence, design, implementation and/or operating effectiveness of Internal Controls, this shall be consistent with the requirements of SIA 120, “Terms of Internal Audit Engagement”, especially with regard to the need to have a clear understanding of the Internal Controls Framework which shall form the basis of the assurance. Also, in such situations where a written assurance report is being issued, the Internal Auditor may consider the following to form his opinion:
(a) An evaluation of the system of Control Self-Assessment by owners of Internal Controls to support the CEO/CFO certification process.
(b) Availability of Compliance Certificates from owners of Key Controls to support a continuous system of compliance.
6.5 In situations where the Statutory Auditor is expected to rely on the work of the Internal Auditor as per Standard on Auditing (SA) 610, “Using the Work of Internal Auditors”, issued by ICAI, regarding their audit of Internal Financial Controls over Financial Reporting, the Internal Auditor shall document the objectives and agreed scope and approach of the internal audit, over which the reliance is to be placed by the Statutory Auditor.
6.6 The Internal Auditor shall evaluate the robustness of the process through which internal controls are periodically reviewed and updated by management, including the responsiveness of management to control failures or emerging risks.
6.7 Where the Internal Auditor identifies systemic control weaknesses that span multiple functions or locations, the reporting shall include a clear articulation of cross-functional impact and recommendations for governance-level remediation.