Exposure Draft of Standard on Internal Audit (SIA) 370, Reporting Results to Management (Comments to be received by March 28, 2019) – (27-02-2019)
The Internal Audit Standards Board of The Institute of Chartered Accountants of India (ICAI) invites comments on Standard on Internal Audit (SIA) 370, Reporting Results to Management.
Comments are most helpful if they indicate a clear rationale and, where applicable, provide a suggestion for alternative wording.
STANDARD ON INTERNAL AUDIT (SIA) 370
REPORTING RESULTS TO MANAGEMENT
This Standard on Internal Audit (SIA) 370, Reporting Results to Management, issued by the Council of the Institute of Chartered Accountants of India should be read in conjunction with the “Preface to the Standards on Internal Audit,” “Framework governing Internal Audits” and “Basic Principles of Internal Audit” issued by the Institute.
1.1 Dissemination of the results of internal audit and reporting the findings to management, and those charged with governance, is the most critical part of any internal audit. Reporting of results needs to be done with a certain level of uniformity, and both the Internal Auditor and the recipient of the reports should have clarity with regard to the nature of assurance being provided through these reports.
1.2 Reporting of internal audit results is generally undertaken in two stages:
a. At the end of a particular audit assignment, an “Internal Audit Report” covering a specific area, function or part of the entity is prepared by the Internal Auditor highlighting key observations arising from those assignments. This report is generally issued with details of the manner in which the assignment was conducted and the key findings from the audit procedures undertaken. This report is issued to the auditee, with copies shared with local and executive management, as agreed during the planning phase.
b. On a periodic basis, at the close of a plan period, a comprehensive report of all the internal audit activities covering the whole entity and the plan period is prepared by the Chief Internal Auditor (or the Engagement Partner, in case of external service provider). Such reporting is normally done on a quarterly basis and submitted to the highest governing authority responsible for internal audits, generally the Audit Committee. Some part of the aforementioned Internal Audit Reports may form part of the periodic (Quarterly) report shared with the Audit Committee.
1.3 Scope: This Standard on Internal Audit (SIA) deals with the internal auditor’s responsibility to issue only the first type of reports, the Internal Audit Report pertaining to individual audit assignments and not to the periodic (Quarterly) reporting for the whole entity as per the Annual/Quarterly audit plan. Also, this SIA does not cover the form or content of the Internal Audit Report where an assurance is being provided, for which a separate Standard on Internal Audit (SIA) 380, Issuing Assurance Reports should be referred to.
2.1 The objectives of issuing Internal Audit Reports on individual internal audit assignments are to:
(a) Share with the auditee, details of all significant findings based on audit procedures undertaken;
(b) Permit management to understand the issues and take corrective actions in a methodical and comprehensive manner; and
(c) Provide a sound basis for any assurance being provided by the Internal Auditor.
2.2 The overall objective of Reporting Results to Management is to provide the receiver with a written outcome on the effectiveness of internal controls and risk management processes to enhance governance in line with the Internal Audit Charter (or Terms of Reference, in case of external service provider).
3.1 Based on the internal audit work completed (Para 4.1), the Internal Auditor shall issue a clear, well documented Internal Audit Report which includes the following key elements:
(a) The fact that an internal audit has been conducted in accordance with the Standards of Internal Audit (Para 4.2);
(b) A reference to the summary of key observations covering all important aspects, and specific to the scope of the assignment;
(c) A reference to the summary of corrective actions required (or agreed) by management; and
(d) Nature of assurance, if any, which can be derived from the observations.
3.2 The nature of assurance, if any, to be provided shall be in line with Standard on Internal Audit (SIA) 110, Nature of Assurance which should be pre-agreed with the auditee at the planning stage.
3.3 The content and form of the Internal Audit Report is to be established by the Internal Auditor based on his best professional judgement, in consultation with the auditee and, if necessary, with inputs from other key stakeholders. No internal audit report shall be issued in final form unless a written draft of the report has previously been shared with the auditee (Para 4.3).
3.4 The internal audit report shall be issued within a short time frame from the completion of the internal audit work, with the time period between completion of assignment to final report issuance not exceeding sixty days, unless mutually agreed with the auditee or those charged with governance.
4.0 EXPLANATORY COMMENTS
4.1 Basis of Internal Audit Report (Para 3.1): Each internal audit report is prepared on the basis of the audit procedures conducted and the analysis of the audit evidence gathered. Conclusions reached shall be based on all the findings and not only on a few deviations or issues noted. Controls operating effectively have their own importance while the risk and significance of observations noted have a role to play on the matters to report.
4.2 Conducted in accordance with SIAs (Para 3.1): Where the internal audit is conducted in compliance with the Standards of Internal Audit (within the Framework governing Internal Audits), and the internal auditor can substantiate the same with supporting evidence and documentation, the internal audit report shall include a statement confirming that “the internal audit was conducted in accordance with the Standards of Internal Audit issued by the Institute of Chartered Accountants of India”.
4.3 Content and format of Internal Audit Reports (Para 3.3): The manner in which the internal audit report is drafted and presented is a matter of professional judgment and choice and could be influenced by the preferences of the recipients. The SIA does not mandate any particular format or list of contents since the Internal Auditor is expected to exercise his best professional judgement on matters regarding how and what to report. Nevertheless, where some level of assurance is being provided, the form and content of the report shall be guided by SIA 380 “Issuing Assurance Reports”.
4.4 Documentation: To confirm compliance of audit procedures with this SIA, the list of documents required is as follows:
(a) Copies of draft and final internal audit reports to be maintained, appropriately cross referenced to individual observations.
(b) If appropriate, management action plans should be counter signed by respective management personnel.
5.0 EFFECTIVE DATE
5.1 This Standard is applicable for internal audits beginning on or after a date to be notified by the Council of the Institute.