Standard On Internal Audit (SIA) 310 Planning Internal Audit Assignment
This Standard on Internal Audit (SIA) 310, “Planning the Internal Audit Assignment”, issued by the Council of the Institute of Chartered Accountants of India should be read in conjunction with the “Preface to the Standards on Internal Audit”, “Framework Governing Internal Audits” and “Basic Principles of Internal Audit” issued by the Institute.
1.1 Internal Audit Planning is conducted at two levels:
(a) An overall internal audit plan for the entire entity is prepared for a given period of time (usually a year) and presented to the highest governing body responsible for internal audits, normally, the Board of Directors, or the Audit Committee.
(b) A number of specific internal audit plans are prepared for individual assignments to be undertaken covering some part of the entity and presented to the Chief Internal Auditor.
1.2 This Standard on Internal Audit (SIA) covers the second level, the “Planning the Internal Audit Assignment” for a particular part of the entity. Standard on Internal Audit (SIA) 220, covers the first level, “Conducting Overall Internal Audit Planning” of the entity as a whole.
Planning the Internal Audit Assignment involves the following key elements:
(a) It is a sub-set of the Overall Internal Audit Plan.
(b) It is undertaken prior to the beginning of a particular assignment during the plan period.
(c) Assignments are specific to a part of the entity, covering a particular Auditable Unit1(location, function, business unit or a legal entity, including third parties, where relevant).
(d) It is specific in nature, covers the manner in which a particular audit assignment will be conducted with details of the Auditable Unit, such as, the business activities or processes to be audited.
(e) Assignments are, generally, completed during a short period of time;
(f) It is prepared by the Internal Auditor responsible for the assignment (or the Engagement Staff where an external service provider is appointed to conduct internal audits).
(g) The outcome of this exercise is, generally, in the form of an “Internal Audit Assignment Plan”.
2.1 The objectives of an Internal Audit Assignment Plan are as follows:
(a) Ensure its alignment with the objectives of the Overall Internal Audit (Engagement) Plan and also in line with stakeholder expectations.
(b) Ensure that the scope, coverage and methodology of the audit procedures will form a sound basis for providing reasonable assurance.
(c) Allocate adequate time and resources to important aspects of the assignment and assign appropriate skills to complex areas and issues.
(d) Ensure audit procedures are conducted in an efficient and effective manner.
(e) Ensure the audit assignment will conform with the applicable pronouncements of the Institute of Chartered Accountants of India (ICAI).
3.1 The assignment planning exercise shall follow a laid down process (refer Para. 4.1), the outcome of which shall be a comprehensive written document (refer Para. 4.8) containing all the essential elements required to help achieve the objectives of assignment planning as outlined under Section 2 above. Technology deployment (refer Para. 4.6) and resource allocation (refer Para. 4.7) shall form essential features of the Internal Audit Assignment Plan.
3.2 The Internal Audit Assignment Plan shall be reviewed and approved by the Chief Internal Auditor (or Engagement Partner, in case of external service provider).
3.3 A comprehensive knowledge of the Auditable Unit under review, its business and operating environment, shall be undertaken to determine the nature of audit procedures and tests to be conducted (refer Para. 4.2). As part of the planning process, a discussion with management and process owners shall be undertaken to understand the intricacies of each process considered for review (refer Para. 4.3). In addition, the Internal Auditor shall exchange relevant information (such as outcome of risk assessment) with the Statutory Auditor to coordinate the audit work and procedures, as per Standard on Auditing (SA) 610, “Using the Work of Internal Auditors”.
3.4 A risk based planning exercise shall form the basis of the Internal Audit Assignment Plan. The Internal Auditor shall undertake an independent risk assessment exercise to prioritise and focus audit work on high risk areas and processes, with due attention given to matters of importance, complexity and sensitivity (refer Para. 4.4).
3.5 An audit methodology shall be established (refer Para. 4.5), together with the depth and nature of audit procedures to be conducted, both of which shall be documented in an Internal Audit Programme (IAP).
3.6 Certain elements of the Internal Audit Assignment Plan (especially, those relevant to its effective execution) shall be communicated to the Auditee and other stakeholders prior to the commencement of the audit procedures to ensure smooth conduct of the audit.
3.7 The Internal Audit Assignment Plan shall be continuously monitored during the execution phase for achievement of the objectives and to identify deviations, if any. Certain deviations may require to be notified to the stakeholders or even require a formal modification to the plan. However, any major modification to the plan shall be done only after consultation with those who approved the original plan. Such changes shall be formally documented and communicated to all impacted stakeholders.
4. Explanatory Comments
4.1 The Planning Process (refer Para. 3.1):
The Internal Auditor conducting the Internal Audit Assignment Planning shall use professional judgement for the process to be followed in completing all essential planning activities. A documented assignment planning process shall be in place which stipulates the essential inputs, steps to complete the planning and the nature of output required to conduct a comprehensive planning exercise.
4.2 Knowledge of the Business and its Environment (refer Para. 3.3):
The Internal Auditor shall gather all the information required to fully understand the Auditable Unit’s business environment, the risks it faces, the legal and regulatory requirements, the activities conducted and its day to day operational challenges.
The extent of information required should be sufficient to enable the internal auditor to identify matters which have a significant effect on the Auditable Unit’s financials and operations. Hence, there is a need to connect the financial aspects of the Auditable Unit’s business with the entity’s business elements, as well as external elements such as industry dynamics, business model, operational intricacies, legal and regulatory framework and the system and processes in place to run its operations.
4.3 Discussion with Management (refer Para. 3.3):
A key element of planning involves extensive discussion and deliberation with all stakeholders, including Auditable Unit’s executive management, risk owners, process owners, department heads etc. Their inputs are critical in understanding the intricacies of the assignment, in identification of matters of relevance and to align stakeholder expectations with audit objectives.
4.4 Risk Assessment (refer Para. 3.4):
An Internal Auditor shall undertake an independent risk assessment of all aspects of the Auditable Unit under review and align this with the risk assessment conducted by management. This is required to prioritise and focus audit work on high risk parts of the Auditable Unit, with due attention given to matters of importance, complexity and sensitivity. This exercise may involve site visits and preliminary surveys of the Auditable Unit. Based on this exercise, key risk mitigations (or internal controls) are identified for testing the effectiveness of operation. Absence of any risk mitigations (or missing controls) could point towards process design gaps which shall also be validated and reported.
4.5 Audit Methodology and Depth of Coverage (refer Para. 3.5):
The basic internal audit methodology, generally, undertaken involves the performance of compliance procedures over transactions and balances so as to identify deviations from the laid down policies and procedures.
However, the Framework governing Internal Audits, issued by the ICAI, requires the conduct of risk based audits with a system and process focus. Therefore, the depth of coverage shall go beyond basic compliance and could be expanded (for example) as follows:
(a) Application of a basic process review methodology which tests the design and operating efficiency of internal controls, questions the process design and explores better and more efficient ways of transaction processing.
(b) Deploying a risk based process review methodology which helps to link the internal controls to particular vulnerabilities, evaluate the effectiveness of internal controls, even question the process in place and help identify alternative mitigations.
(c) Entity level control review methodology can be deployed to provide a more holistic evaluation of governance processes such as organisation culture, organisation structure, oversight mechanisms and performance measurement.
The Internal Audit Assignment Plan shall align the audit methodology and depth of coverage (as indicated above) with the assurance to be provided. A detailed Internal Audit Programme (IAP) is required to document all the audit procedures to be conducted for each audit objective in line with the audit methodology adopted.
4.6 Technology Deployment (refer Para. 3.1):
A key element of the internal audit assignment planning exercise involves understanding the extent to which:
(a) the Auditable Unit has deployed Information Technology (IT) in its business, operations and transaction processing, especially if it is unique and different to the overall entity; and
(b) the auditor needs to deploy IT tools, data mining & analytic procedures, and the expertise required for conducting the audit activities and testing procedures.
This helps to design and plan the audit and testing procedures more efficiently and effectively.
4.7 Resource Allocation (refer Para. 3.1):
The Internal Auditor shall prepare a detailed work schedule to estimate the time required for each audit procedure depending on the audit attention it deserves (on the basis of risk assessment) and map this with the competencies (knowledge, experience, expertise etc.) of the resources available to ensure proper resource availability and allocation.
To confirm compliance of audit procedures with the SIA, all key steps undertaken in the planning process shall be adequately documented to confirm their proper completion.
Essential documentation shall be as follows:
(a) Planning Process documentation (or Checklists) and any tools used in the planning process.
(b) Documentation supporting the information gathered about the Auditable Unit’s business and operations, systems and processes and past or known issues.
(c) Summary of meetings and communication with key stakeholders, with a summary of their inputs.
(d) Risk Assessment documentation and a Summary of risk mitigating controls deployed.
(e) Summary of available resources, their competencies and the proper matching of their skills with the audit requirements.
(f) Detailed Internal Audit Programme (IAP) which lists the specific testing procedures to be conducted for each audit objective.
(g) The final Internal Audit Assignment Plan, duly approved by the Chief Internal Auditor.
5. Effective Date
5.1 This Standard is applicable for internal audits beginning on or after a date to be notified by the Council of the Institute.
Note: This Standard on Internal Audit (SIA) supersedes some part or all of the following current SIAs (recommendatory in nature):
1. Standard on Internal Audit (SIA) 1, Planning an Internal Audit, issued in August, 2006.
2. Standard on Internal Audit (SIA) 15, Knowledge of the Entity and its Environment, issued in March, 2009
1. The subject matter of an audit assignment is referred to as an Auditable Unit.