Internal Auditor’s Responsibility under the latest Exposure Draft of Standard on Internal Audit (SIA) 150, ‘Compliance with Laws and Regulations’

The Institute of Chartered Accountants of India (ICAI) has recently issued an exposure draft of Standard on Internal Audit (SIA) 150, ‘Compliance with Laws and Regulations’. This article briefly outlines the Internal Auditor’s responsibility with regard to compliance with laws and regulations as set out in that draft.


1.1 The nature and extent of internal audit procedures to be conducted in the area of compliance is dependent on the framework in place and the maturity of the processes. Where management has implemented a formal compliance framework, and unless specifically excluded from the audit scope (or technically not feasible), the Internal Auditor shall plan and perform internal audit procedures to evaluate the design, implementation and operating effectiveness of such framework so as to provide independent assurance to management and to those charged with governance. (For details refer Para 2.1)

1.2 Where no formal compliance framework exists, the Internal Auditor shall design and conduct audit procedures with a view to highlight any exposures arising from weak or absent compliance activities and processes, make recommendations to implement and strengthen those processes and thereby, improve compliance. (For details refer Para 2.2)

1.3 Where the independent assurance requires the issuance of an audit opinion on the design, implementation and operating effectiveness of compliance, this shall be undertaken in line with the requirements of SIA 110, “Nature of Assurance”, especially with regard to the need to have a formal compliance framework in place, which shall form the basis of such assurance. (For details refer Para 2.3)

1.4 While the primary objective of an internal audit is to strengthen the system and process of compliance, there may be instances where the Internal Auditor is asked to undertake compliance audit assignments with the primary objective of identifying instances of non-compliance. In such situations, and where no formal compliance framework is in place, the Internal Auditor may not be able to provide a written opinion in line with the requirements of SIA 110, “Nature of Assurance”. Nevertheless, a Summary of Findings may be possible, listing any instances of non-compliance identified as a result of the internal audit procedures undertaken. These findings shall be reported along with the following:

  • the scope, listing all the specific laws and regulations tested;
  • audit procedures performed, sample selected, and population covered;
  • summary of the work performed; and
  • limitations, if any, on the responsibilities assumed by the Internal Auditor, such as inherent limitations in sample selection, or the fact that a court of law is the ultimate authority in establishing the legal interpretation of non-compliance.

1.5 The Internal Auditor shall not assume any responsibility to manage or operate the compliance framework (e.g., to act in the capacity of a chief compliance officer, to take ownership of the compliance tracking system, etc.) or to take compliance related decisions (e.g., to accept the risk of non-compliance). Neither is it the responsibility of the Internal Auditor to execute or resolve compliance related risks (e.g., engaging directly with regulators, etc.).


2.1 Where there is a formal compliance framework in place, the work of the Internal Auditor shall be directed to ensure that:

  • The framework designed is consistent with best-in-class, globally recognised frameworks.
  • The organization has implemented various mechanisms, such as:

(i) Issued compliance policies and implemented supporting procedures;

(ii) Set the right “tone at the top” with supporting messages/ activities;

(iii) Designed a compliance structure, appointed compliance officers and assigned each compliance requirement to a specific “compliance owner”;

(iv) Identified all laws and regulations applicable to the entity, assessed the associated risks, and embedded them into the relevant processes;

(v) Conducted regular training programs for compliance officers and owners;

(vi) Implemented robust compliance systems, deploying technology (where possible), to monitor their progress and track their status, to document timely completion with relevant proofs and artefacts and to support timely escalations in case of slippages;

(vii) Tracked performance continuously against compliance targets and goals, with sufficient review and oversight mechanisms; and

(viii) Established timely communication and periodic reporting systems and protocols, including issuance of self-assessment and compliance certificates.

  • The compliance system and processes in place are operating in an effective and efficient manner.

2.2 Where management has not implemented any formal compliance framework, the Internal Auditor will conduct audit procedures over the various compliance related activities which may be present, such as whether management does the following:

  • Provide strategy, leadership and direction on compliances;
  • Establish a culture of compliance throughout the organisation;
  • Provide an organisation structure for assigning compliance resources and defining their responsibilities;
  • Capture and maintain a comprehensive database of all compliance requirements;
  • Encourage risk-based time prioritization and effective completion of all compliance requirements;
  • Ensure expertise and competence in the area of compliances;
  • Exercise continuous monitoring and oversight on compliance completion; and
  • Periodic communication of compliance matters and formal reporting of compliance status to management and those charged with governance.

These activities may be supported by certain enabling systems and processes (similar to those indicated under Para 2.1 above), which may be recommended as desirable actions to be undertaken to establish a formal framework.

2.3 In situations where a written assurance report is being issued, the Internal Auditor shall consider the following (as a basis for the opinion):

  • The linkage of the compliance framework with other frameworks like the Risk, Governance, Fraud, or Information Technology frameworks which may exist.
  • The process in place for self-assessment and certification from compliance owners as part of a continuous system of compliance.

Author Bio

Qualification: CA in Job / Business
Company: N/A
Location: Kolkata, West Bengal, IN
Member Since: 13 Jan 2018 | Total Posts: 3
