The following is the text of the Standard on Internal Audit (SIA) 8, Terms of Internal Audit Engagement, issued by the Council of the Institute of Chartered Accountants of India. These Standards should be read in conjunction with the Preface to the Standards on Internal Audit, issued by the Institute.
In terms of the decision of the Council of the Institute of Chartered Accountants of India taken at its 260th meeting held in June 2006, the following Standard on Internal Audit shall be recommendatory in nature in the initial period. The Standards shall become mandatory from such date as notified by the Council.
1. The purpose of this Standard on Internal Audit is to establish standards and provide guidance in respect of terms of engagement of the internal audit activity whether carried out in house or by an external agency. A clarity on the terms of the internal audit engagement between the internal auditors and the users of their services (hitherto known as “auditee”) is essential for inculcating professionalism and avoiding misunderstanding as to any aspect of the engagement.
2. The internal auditor and the auditee should agree on the terms of the engagement before commencement. The agreed terms would need to be recorded in an engagement letter. Normally, it is the responsibility of the internal auditor to prepare the engagement letter and it is to be signed both by the internal auditors as well as the auditee.
Terms of Engagement
3. The terms of engagement of the internal audit, inter alia, define the scope, authority, responsibilities, confidentiality, limitation and compensation of the internal auditors. The terms of engagement should be approved by the Board of Directors1or a relevant Committee thereof such as the Audit Committee or such other person(s) as may be authorised by the Board in this regard. The terms should be reviewed by the internal auditor and the audit committee periodically and modified suitably, if required, to meet the changed circumstances.
Elements of Terms of Engagement
4. The following are the key elements of the terms of the internal audit engagement:
viii. Compliance with Standards
Each of these elements has been discussed in the following paragraphs.
5. Paragraph 3.1 of the Preface to the Standards on Internal Audit describes internal audit as “an independent function, which involves a continuous and critical appraisal of the functioning of an entity with a view to suggest improvements thereto and add value to and strengthen the overal governance mechanism of the entity, including the entity’s strategic risk management and internal control system.”
6. The terms of the engagement should contain a statement in respect of the scope of the internal audit engagement. It should clearly delineate the broad areas of function of internal audit like evaluating internal controls, review of business process cycle controls, risk management and governance.
7. It should indicate areas where internal auditors are expected to make their recommendations and value added comments.
8. The terms of engagement should clearly mention that the internal auditor would not, ordinarily, be involved in the preparation of the financial statements of the auditee. It should also be made clear that the internal audit would not result in the expression, by the internal auditor, of an opinion, or any other form of assurance on the financial statements or any part thereof of the auditee.
9. The scope of the terms of the engagement, after delineating the broad areas of function of internal audit, should clarify that any additional services that are not encompassed by the engagement letter shall be performed only on mutual agreement and with separate engagement letter.
10. The terms of the engagement should clearly mention the responsibility of the auditee vis a vis the internal auditor. The auditee is responsible for establishing, maintaining and ensuring operating effectiveness of a system of internal control. The auditee would also be responsible for timely communication of material weaknesses or other significant issues relating to internal controls, misstatements in the financial information or similar matters to its external auditors, the Audit Committee, the Board of Directors, regulators and to those to whom the auditee is required to so communicate.
11. The management of the auditee is responsible for providing timely and accurate data, information, records, personnel etc., and for extending cooperation to the audit team.
12. Similarly, where the internal auditor has a specific responsibility, say that arising out of a law or a regulation or a professional standard applicable to the internal auditor, to communicate directly, the above mentioned issues to an appropriate authority or someone within the entity or a regulator, the terms of the engagement should contain a clear mention of such responsibility.
13. The internal auditor has the responsibility to inform the management before commencement of the assignment about the engagement team and the audit plan.
14. The terms of engagement should provide the internal auditor with requisite authority, including unrestricted access to all departments, records, property and personnel and authority to call for information from concerned personnel in the organisation.
15. The internal auditor should have full authority on his technologies and
other properties like hardware and audit tools he may use in course of performing internal audit.
Confidentiality of Working Papers
16. The terms of engagement should be clear that the ownership of the working papers rests with the internal auditor and not the auditee. It should also be made clear that the internal auditor may, upon a request received in this regard from the auditee, provide copies of non proprietary working papers to the auditee. The terms should lay down the policy and the procedures to be followed regarding requests received for internal auditor’s working papers from third parties including external auditors.
17. The internal audit engagement may also be subject to a peer review by a regulator, requiring the internal auditor to disclose his working papers to the peer reviewer without the permission of the auditee. The engagement letter should bring out this fact clearly.
Confidentiality of the Report
18. The engagement letter should contain a condition that the report of the internal auditor should not be distributed or circulated by the auditee or the internal auditor to any party other than that mutually agreed between the internal auditor and the auditee unless there is a statutory or a regulatory requirement to do so.
19. The terms of engagement should specify clearly the limitations on scope, coverage and reporting requirement, if any. It may also mention that the internal auditor or any of his employees shall not be liable to the auditee for any claims, damages, liabilities or expenses relating to the engagement exceeding the aggregate amount of compensation agreed upon by both the parties.
20. The terms of the engagement should clearly lay down the requirements as to the manner frequency of reporting and the list of intended recipients of the internal audit report.
21. There should be a clear understanding among the internal auditor and the client as to the basis on which the internal auditor would be compensated, including any out of pocket expense, taxes etc., for the services performed by him.
Compliance with Standards
22. The terms of the internal audit engagement should contain a statement that the internal audit engagement would be carried out in accordance with the professional Standards applicable to such engagement as on the date of audit.
Withdrawal from the Engagement
23. In case the internal auditor is unable to agree to any change in the terms of the engagement and/ or is not permitted to continue as per the original terms, he should withdraw from the engagement and should consider whether there is an obligation, contractual or otherwise, to report the circumstances necessitating the withdrawal to other parties.
24. This Standard on Internal Audit is effective for all internal audits beginning on or after…………… Earlier application of the Standard is encouraged.
Published in the December, 2008 issue of The Chartered Accountant.
Or an equivalent authority where the entity is not in a corporate form. For example, the Board of Trustees in a cooperative society.