Exposure Draft of Standard on Internal Audit (SIA) 230 Objectives of Internal Audit

Exposure Draft of Standard on Internal Audit (SIA) 230,Objectives of Internal Audit (Comments to be received by March 28, 2019) – (27-02-2019)

EXPOSURE DRAFT 

STANDARD ON INTERNAL AUDIT (SIA) 230

OBJECTIVES OF INTERNAL AUDIT^*

The Internal Audit Standards Board of The Institute of Chartered Accountants of India (ICAI) invites comments on Standard on Internal Audit (SIA) 230, Objectives of Internal Audit.

Comments are most helpful if they indicate a clear rationale and, where applicable, provide a suggestion for alternative wording.

Comments can be e-mailed either at [email protected]; or at [email protected].  Last date for sending comments is March 28, 2019.

This Standard on Internal Audit (SIA 230) seeks to revise and supersede Standard on Internal Audit (SIA) 8, Terms of Internal Audit Engagement, issued in December 2008 (as recommendatory in nature) as well as incorporate certain new aspects covering the subject matter. This SIA will be issued as a mandatory standard from its effective date.

STANDARD ON INTERNAL AUDIT (SIA) 230

OBJECTIVES OF INTERNAL AUDIT

Contents

Introduction

Objectives

Requirements

Explanatory Comments

Effective Date

Appendix

This Standard on Internal Audit (SIA) 230, Objectives of Internal Audit, issued by the Council of the Institute of Chartered Accountants of India (ICAI) should be read in conjunction with the “Preface to the Standards on Internal Audit”, “Framework governing Internal Audits” and “Basic Principles of Internal Audit” issued by the Institute.

1. INTRODUCTION

1.1 The objectives of internal audit vary widely and depend on the size, structure, and complexity of the entity subject to internal audit. These objectives are also influenced by specific requirements of management and, in most cases, defined by those charged with governance.

1.2 In the case of Companies required to appoint an Internal Auditor as per Section 138 of the Companies Act, 2013, Rule 13(2) of Companies (Accounts) Rules 2014, states:

“The Audit Committee of the company or the Board shall, in consultation with the Internal Auditor, formulate the scope, functioning, periodicity, and methodology for conducting the internal audit.”

Hence, in these class of companies, the Audit Committee or the Board, in conjunction with management and the Chief of Internal Audit, is expected to exercise the responsibility to formulate the objectives of internal audit.

1.3 In the case of other organisations not covered under Rule 13, those who appoint the Internal Auditor (e.g., the owners, the promoters, the Board of Trustees, etc.) would generally define the objectives of internal audit.

1.4 While the specific objectives of any internal audit may vary from company to company, these objectives are generally consistent with the overall definition of “Internal Audit”, which as defined under Para 3 of “Framework governing Internal Audit”, issued by the ICAI, states as follows:

“Internal audit provides independent assurance on the effectiveness of internal controls and risk management processes to enhance governance and achieve organisational objectives.

Para 3.2 of the Framework also indicates how the nature of internal audit services may go beyond assurance to include an advisory (consulting) role.

Appendix -1 to this Standard provides an indicative list of the Objectives of Internal Audit as noted in a previous Standard on Auditing (SA) – 610: “Using the work of an Internal Auditor”. Companies may choose some or all of these objectives, or even add something as per their requirements.

1.5 Scope: The current law in India permits internal audit to be performed either by an entity’s own employee (i.e., personnel on the payroll of the organization or its group company) or by a professional who is part of an external agency (e.g., a firm of practicing Chartered Accountants undertaking internal audit engagements). Hence the manner in which the objective of internal audit is defined in each situation may vary. This Standard applies to all ICAI members in both situations, irrespective of whether the internal audit is conducted by them in the capacity of an employee or as a representative of an external audit firm.

2. OBJECTIVES

2.1 The purpose of defining the Objectives of Internal Audit are to:

(a) Document the constitution and establishment of the Internal Audit function and the terms of the out-sourced internal audit arrangement;

(b) Provide clarity to the Internal Auditor and its stakeholders regarding the nature of the internal audit set-up and it’s working;

(c) Ensure linkage between what is expected of the Internal Auditor and how those expectation can be met within the Framework governing Internal Audits; and

(d) Promote better understanding on key operational areas such as accountability & authority, roles & responsibility, and such other functional matters.

2.2 Once the objectives of internal audit are defined, they help to establish the operating parameters within the overall internal audit agenda. These objectives and operating parameters are formally recorded in one of these two documents:

(a) An Internal Audit Charter, primarily designed for the in-house team of internal auditors and its stakeholders; and

(b) An Engagement Letter, a formal agreement signed with the out-sourced internal audit service provider.

In some cases, both the documents may exist, although where the complete internal audit function is out-sourced, the Engagement Letter covering the whole Internal Audit activity may be the only document in place.

3. REQUIREMENTS

3.1 Every Internal Auditor shall be guided by a document that defines the Objectives of Internal Audit. It is the duty of the Chief of Internal Audit to have in place a written Internal Audit Charter documenting the constitution and functioning of the internal audit function. (Para 4.1).

3.2 Where part of the internal audit activity is out-sourced, the Chief of Internal Audit shall have a formal Engagement Letter defining the terms of engagement and documenting the nature of the arrangement with the external internal audit service provider. If the internal audit activity is completely out-sourced, the Engagement Partner will be acting in the capacity of the Chief of Internal Audit, who shall ensure a formal Engagement Letter documenting the terms of engagement. (Para 4.2).

3.3 The Chief of Internal Audit shall ensure that the Internal Audit Charter is

reviewed and approved by those charged with governance (the Board of Directors, or the Audit Committee of the Board). In the case of the Engagement Letter, the Engagement Partner shall ensure that the formal agreement with the terms of engagement shall have the approval of the competent authority, as per the company’s Delegation of Powers. Where the complete internal audit activity is out-sourced, then this approval shall come from those charged with governance (the Board of Directors, or the Audit Committee of the Board).

3.4 It’s important that the governing body members and other stakeholders are aware of, and in agreement with, the Objectives of Internal Audit and other relevant portions of the Internal Audit Charter and Engagement Letter. This information shall be communicated to all stakeholders through formal channels of communication.

3.5 The Internal Audit Charter and the Engagement Letter shall be reviewed periodically by the Chief of Internal Audit and the Engagement Partner to ensure its relevance to the changing times. If found necessary, the proposed amendments to these documents shall be put up to the approving authority for their review and approval.

4. EXPLANATORY COMMENTS

4.1 Internal Audit Charter (Para 3.1): The constitution and establishment of the internal audit function within the organisation is noted in a formal document called the Internal Audit Charter. It defines the objectives of internal audit (in line with the definition of Internal Audit) and other important aspects of the functioning of the Internal Audit department. It also provides clarity to the Internal Auditor regarding the manner in which the internal audit work is undertaken and how the auditor’s responsibility is to be discharged.

4.1.1 An indicative list of areas covered in the Internal Audit Charter are as follows:

(a) Vision & Mission of the Internal Audit function

(b) Purpose & Objectives of Internal Audit

(c) Reporting Structure & Independence

(d) Scope & Approach

(e) Accountability & Authority

(f) Roles & Responsibility

(g) Quality Assurance & conformance with SIAs.

4.1.2 Further explanation of each of the above noted areas is given under Annexure – 2.

4.2 Engagement Letter (Para 3.2): The Objectives of Internal Audit and other terms of engagement of the external service provider are documented in a formal agreement referred to as the Engagement Letter. The Engagement Letter is signed by the Engagement Partner along with the appointing authority of the Company.

4.2.1 An indicative list of terms of engagement, covered in an Engagement Letter, are as follows:

(a) Purpose & Objectives of Internal Audit

(b) Independence & Objectivity

(c) Scope & Approach

(d) Accountability & Authority

(e) Roles & Responsibility

(f) Limitations & Confidentiality

(g) Quality Assurance & conformance with SIAs

(h) Reporting & Compensation

(i) Ownership of Working Papers.

4.2.2 Further explanation of above noted areas is given under Appendix – 3.

4.3 A signed Engagement Letter shall be obtained prior to commencement of any audit work.

5. EFFECTIVE DATE

5.1 This Standard is applicable for internal audits beginning on or after a date to be notified by the Council of the Institute.

Appendix – 1

OBJECTIVES OF INTERNAL AUDIT AS PER

SA – 610: “USING THE WORK OF AN INTERNAL AUDITOR”.

Scope and Objectives of the Internal Audit Function (Ref: Para. 3)

A3. The objectives of internal audit functions vary widely and depend on the size and structure of the entity and the requirements of management and, where applicable, those charged with governance. The activities of the internal audit function may include one or more of the following:

• Monitoring of internal control. The internal audit function may be assigned specific responsibility for reviewing controls, monitoring their operation and recommending improvements thereto.
• Examination of financial and operating information. The internal audit function may be assigned to review the means used to identify, measure, classify and report financial and operating information, and to make specific inquiry into individual items, including detailed testing of transactions, balances and procedures.
• Review of operating activities. The internal audit function may be assigned to review the economy, efficiency and effectiveness of operating activities, including non- financial activities of an entity.
• Review of compliance with laws and regulations. The internal audit function may be assigned to review compliance with laws, regulations and other external requirements, and with management policies and directives and other internal requirements.
• Risk management. The internal audit function may assist the organization by identifying and evaluating significant exposures to risk and contributing to the improvement of risk management and control systems.
• Governance. The internal audit function may assess the governance process in its accomplishment of objectives on ethics and values, performance management and accountability, communicating risk and control information to appropriate areas of the organization and effectiveness of communication among those charged with governance, external and internal auditors, and management.

NOTE: The above is not a complete and exhaustive list and is presented only as an example of the nature of Objectives of Internal Audit.

Appendix – 2

COMPONANTS OF A TYPICAL INTERNAL AUDIT CHARTER

• Vision & Mission of the Internal Audit (IA) function:

This indicates the long-term view of the IA function, in line with its reason for existence.

• Purpose & Objectives of Internal Audit:

Explains what the Internal Audit function hopes to achieve in a certain period of time.

These objectives cover the internal audit definition and are usually in line with the

Objectives of the Organisation in a similar period of time.

Also see Annexure – 1, above.

• Reporting Structure & Independence:

This section explains where the Internal Audit function is placed within the overall Organisation Structure of the Company and whom it reports to (both functionally as well as administratively). Also clarifies how the independence of the function is assured through limitations on responsibilities which may be assigned (such as that seeking active business support) but might compromise on independence.

Also see Principle 1 in “Basic Principles of Internal Audit.”

• Scope & Approach:

The scope of the internal audits shall be consistent with the goals and objectives of the internal audit function and also in line with the nature and extent of assurance to be provided by the Internal Auditor. Any entities/units excluded from the scope shall be clearly noted. The approach is generally a risk-based audit approach, with a system and process focus.

Also see Principle 6 & 7 “Basic Principles of Internal Audit.”

• Accountability & Authority:

The Internal Auditor may be held accountable for certain deliverables beyond providing basic assurance, such as improving the control environment, reducing risk ratings or improving compliance percentage etc. These should be clearly spelt out. Along with accountability, come the authority and the powers required to conduct audits without any undue hindrances, engaging external experts and receiving all information and system access on time.

• Roles & Responsibility:

All the key job functions and activities are spelt out in this section, which are usually in line with the objectives of the Internal Audit function.

• Quality Assurance & conformance with SIAs:

This section indicates the importance of ensuring high quality audit work and procedures, including how the audit procedures will be conducted in conformance with ICAI pronouncements applicable at the time. It also notes the checks put in place to ensure reliability and credibility of the output.

Appendix – 3

COMPONANTS OF A TYPICAL ENGAGEMENT LETTER

• Purpose & Objectives of Internal Audit:

This section indicates what the Internal Audit engagement hopes to achieve in the set period of time. These objectives are mostly defined by those charges with governance and appointing the Internal Auditor.

Also see Annexure – 1, above.

• Independence & Objectivity:

This section defines the reporting structure and reporting protocol of the Internal Auditor. It also clarifies how the independence of the Internal Auditor is assured through assignments which don’t compromise on his independence.

Also see Principle 1 in “Basic Principles of Internal Audit”.

• Scope & Approach:

The scope of the internal audits shall be consistent with the goals and objectives of the internal audit and in line with the nature and extent of assurance to be provided. Any entities/units excluded from the scope shall be clearly noted. The approach is generally a risk-based audit approach, with a system and process focus.

Also see Principle 6 & 7 in “Basic Principles of Internal Audit.”

• Accountability & Authority:

The Internal Auditor is accountable to deliver the outcome of his work to the appointing authority or those changed with governance. Where the laws & regulations require, the internal auditor may also be required to report directly to external authorities. Along with accountability, come the authority and the powers required to conduct audits without any undue hindrances and to receive all information and system access on time.

• Roles & Responsibility:

All key job functions and activities get clearly spelt out in this section, which are usually in line with the objectives of the Internal Audit function.

• Limitations & Confidentiality:

Limitations on liabilities which the auditor is exposed to and the manner of determination of the same should be included in this section. Obligations on part of the Internal Auditor to maintain confidentiality of information collected and on part of the Company to keep the audit report confidential is also covered here.

• Quality assurance & conformance with SIAs:

This section indicates the importance of ensuring high quality audit work and procedures, including how the audit procedures will be conducted in conformance with ICAI pronouncements applicable at the time. It also notes the checks put in place to ensure reliability and credibility of the output.

• Reporting & Compensation:

All requirements with regards to the nature of reports to be issued, the type of assurance to be provided, the timing, or periodicity of reports and the recipients is clearly noted here.

The basis upon which the compensation is established, the manner of its review, the ancillary charges (cost reimbursements, taxes etc) and how these are to be determined are all covered here.

• Ownership of Working Papers:

This section clarifies the understanding regarding the ownership of working papers.

Where a formal internal audit report is issued (with or without assurance), the ownership

of the working papers should be retained by the Internal Auditor.

Also see “SIA 330: Internal Audit Documentation.”