Article on Internal Auditor’s Responsibility as per the latest exposure draft – Standard on Internal Audit (SIA) 150, ‘Compliance with Laws and Regulations’
The Institute of Chartered Accountants of India (ICAI) has recently issued an exposure draft on Standard on Internal Audit (SIA) 150, ‘Compliance with Laws and Regulations’. This article briefly explains the Internal Auditor’s responsibility with regard to compliance with laws and regulations.
RESPONSIBILITY OF INTERNAL AUDITOR:
1.1 The nature and extent of internal audit procedures to be conducted in the area of compliance is dependent on the framework in place and the maturity of the processes. Where management has implemented a formal compliance framework, and unless specifically excluded from the audit scope (or technically not feasible), the Internal Auditor shall plan and perform internal audit procedures to evaluate the design, implementation and operating effectiveness of such framework so as to provide independent assurance to management and to those charged with governance. (For details refer Para 2.1)
1.2 Where no formal compliance framework exists, the Internal Auditor shall design and conduct audit procedures with a view to highlight any exposures arising from weak or absent compliance activities and processes, make recommendations to implement and strengthen those processes and thereby, improve compliance. (For details refer Para 2.2)
1.3 Where the independent assurance requires the issuance of an audit opinion over the design, implementation and operating effectiveness over compliance, this shall be undertaken in line with the requirements of SIA 110, “Nature of Assurance”, especially with regard to the need to have a formal compliance framework in place, which shall form the basis of such an assurance (For details refer Para 2.3).
1.4 While the primary objective of an internal audit is to strengthen the system and process of compliance, there may be instances where the Internal Auditor is asked to undertake compliance audit assignments with the primary objective of identifying any instances of non-compliance. In such situations, and where no formal compliance framework is in place, the Internal Auditor may not be able to provide a written opinion in line with the requirements of SIA 110, “Nature of Assurance”. Nevertheless, a Summary of Findings may be possible, listing any instances of non-compliance identified as a result of the internal audit procedures undertaken. These findings shall be reported along with the following:
1.5 The Internal Auditor shall not assume any responsibility to manage or operate the compliance framework (e.g., to act in the capacity of a chief compliance officer, to take ownership of the compliance tracking system, etc.) or to take compliance related decisions (e.g., to accept the risk of non-compliance). Neither is it the responsibility of the Internal Auditor to execute or resolve compliance related risks (e.g., engaging directly with regulators, etc.).
2.1 Where there is a formal compliance framework in place, the work of the Internal Auditor shall be directed to ensure that management has:
(i) Issued compliance policies and implemented supporting procedures;
(ii) Set the right “tone at the top” with supporting messages/activities;
(iii) Designed a compliance structure, appointed compliance officers and assigned each compliance to a specific “compliance owner”;
(iv) Identified all laws and regulations applicable to the entity, risk-assessed them, and embedded them into the relevant processes;
(v) Regularly conducted training programs for compliance officers and owners;
(vi) Implemented robust compliance systems, deploying technology (where possible), to monitor their progress and track their status, to document timely completion with relevant proofs and artefacts and to support timely escalations in case of slippages;
(vii) Continuously tracked performance against compliance targets and goals with sufficient reviews and oversight mechanisms;
(viii) Established timely communication and periodic reporting systems and protocols, including issuance of self-assessment and compliance certificates.
2.2 Where management has not implemented any formal compliance framework, the Internal Auditor will conduct audit procedures over various compliance related activities which may be present, such as,
These activities may be supported by certain enabling systems and processes (similar to those indicated under Para 2.1, above) and which may be recommended as desirable actions to be undertaken to establish a formal framework.
2.3 In situations where a written assurance report is being issued, the Internal Auditor shall consider the following (as a basis for his opinion):