Standard on Internal Audit (SIA) 11 Consideration of Fraud in an Internal Audit
The following is the text of the Standard on Internal Audit (SIA) 11, Consideration of Fraud in an Internal Audit, issued by the Council of the Institute of Chartered Accountants of India. These Standards should be read in conjunction with the Preface to the Standards on Internal Audit, issued by the Institute.
In terms of the decision of the Council of the Institute of Chartered Accountants of India taken at its 260th meeting held in June 2006, the following Standard on Internal Audit shall be recommendatory in nature in the initial period. The Standards shall become mandatory from such date as notified by the Council.
1. Fraud is defined as an intentional act by one or more individuals among management, those charged with governance, or third parties, involving the use of deception to obtain unjust or illegal advantage. A fraud could take the form of misstatement of information (financial or otherwise) or misappropriation of the assets of the entity.
2. The primary responsibility for prevention and detection of frauds rests with management and those charged with governance. They achieve this by designing, establishing and ensuring continuous operation of an effective system of internal controls.
3. Paragraph 6 of the Standard on Internal Audit (SIA) 2, Basic Principles Governing Internal Audit, states as follows:
“The internal auditor should exercise due professional care, competence and diligence expected of him while carrying out the internal audit. Due professional care signifies that the internal auditor exercises due professional care in carrying out the work entrusted to him in terms of deciding on aspects such as the extent of work required to achieve the objectives of the engagement, relative complexity and materiality of the matters subjected to internal audit, assessment of risk management, control and governance processes and cost benefit analysis. Due professional care, however, neither implies nor guarantees infallibility, nor does it require the internal auditor to travel beyond the scope of his engagement.”
An internal auditor should, therefore, use his knowledge and skills to reasonably enable him to identify indicators of frauds. However, the internal auditor cannot be expected to possess the expertise of a person with specialized knowledge and skills in detecting and investigating frauds.
Common Fraud Situations
4. A fraud normally occurs in situations where there is an incentive or a pressure to commit fraud, an opportunity to commit fraud or a rationalisation for committing fraud. Although, normally, an internal auditor is not expected to possess skills and knowledge of a person expert in detecting and investigating frauds, he should, however, have reasonable knowledge of factors that might increase the risk of opportunities for frauds in an entity and exercise reasonable care and professional skepticism while carrying out internal audit. In addition, the understanding of the design and implementation of the internal controls in an entity would also help the internal auditor to assess the risk of frauds.
Internal Control System
5. Internal control refers to the process designed, implemented and maintained by the management of the entity to ensure accomplishment of its following objectives:
- Reliability of financial reporting;
- Efficiency and effectiveness in operations;
- Compliance with applicable laws and regulations; and
- Safeguarding of assets.
The design and the manner of implementation and maintenance of internal controls vary with the size and complexity of the entity.
Internal controls can, however, provide only reasonable assurance to the entity with regard to accomplishments of its objectives stated in paragraph 5 above since any system of internal control is subject to inherent limitations such as faulty human judgment, ineffective use of the information generated for the purpose of internal controls, collusion among two or more persons, management override of controls, faulty design of controls, management judgments as to nature and extent of risks it wants to assume, etc.
Elements of Internal Control System
7. A system of internal control comprises the following five elements:
- the control environment;
- entity’s risk assessment process;
- information system and communication;
- control activities; and
- monitoring of controls.
It is essential for the internal auditor to gain an understanding of the components of the system of internal control. These components have been discussed in the following paragraphs.
8. The control environment sets the tone at the top in an entity and greatly impacts the effectiveness of internal controls. It includes the following:
- the policies and procedures established by the management to communicate and enforce the culture of integrity and ethical values in the entity.
- management’s commitment to competence.
- management’s philosophy and operating style.
- organizational structure.
- assignment of authority and responsibility.
- human resources policies and practices.
9. The entity’s risk assessment process includes the policies and procedures adopted by the management to identify risks that can affect the achievement of the objectives of the entity and to distinguish risks from opportunities. In the context of prevention of frauds, the entity’s risk assessment process would include the policies and procedures of the management to identify and assess the risk of frauds, including the possibility of fraudulent financial reporting and misappropriation of assets.
10. The information system and communication refers to the policies and procedures established by the management to identify, capture and communicate relevant information to the concerned persons in the entity to enable them to make timely and effective decisions and discharge their responsibilities efficiently. In the context of frauds, such policies and procedures could take the form of whistleblower policies and mechanisms, ethics helplines and counseling, training of employees, etc.
11. The control activities refer to the policies and procedures established by the management to ensure that the risks identified are responded to as per the policy or the specific decision of the management, as the case may be. In the context of frauds, the control activities include actions taken by management to prevent or detect and correct the frauds or breach of internal controls.
12. Monitoring refers to continuous supervision and assessment of the internal controls to identify instances of any actual or possible breaches therein and to take corrective action on a timely basis.
Responsibilities of the Internal Auditor
13. As discussed in paragraph 2, the primary responsibility for prevention and detection of frauds is that of the management of the entity. The internal auditor should, however, help the management fulfill its responsibilities relating to fraud prevention and detection. The following paragraphs discuss the approach of the internal auditor regarding this.
14. The internal auditor should obtain an understanding of the various aspects of the control environment and evaluate the same as to the operating effectiveness.
15. The internal auditor should obtain an understanding of the policies and procedures adopted by the management to identify risks that can affect the achievement of the objectives of the entity and to distinguish risks from opportunities and evaluate the effectiveness of these policies and procedures. In the context of prevention of frauds, the internal auditor should specifically evaluate the policies and procedures established by the management to identify and assess the risk of frauds, including the possibility of fraudulent financial reporting and misappropriation of assets.
Information System and Communication
16. The internal auditor should assess the operating effectiveness of the policies and procedures established by the management to identify, capture and communicate relevant information to the concerned persons in the entity to enable them to make timely and effective decisions and discharge their responsibilities efficiently.
17. The internal auditor should assess whether the controls implemented by the management to ensure that the risks identified are responded to as per the policy or the specific decision of the management, as the case may be, are in fact working effectively and whether they are effective in prevention or timely detection and correction of the frauds or breach of internal controls.
18. The internal auditor should evaluate the mechanism in place for supervision and assessment of the internal controls to identify instances of any actual or possible breaches therein and to take corrective action on a timely basis.
Communication of Fraud
19. The internal auditor should carefully review and assess the conclusions drawn from the audit evidence obtained, as the basis for his findings contained in his report and suggest remedial action. However, in case the internal auditor comes across any actual or suspected fraud or any other misappropriation of assets, he should immediately bring the same to the attention of the management.
20. The internal auditor should document fraud risk factors identified as being present during the internal auditor’s assessment process and document the internal auditor’s response to any other factors. If during the performance of the internal audit fraud risk factors are identified that cause the internal auditor to believe that additional internal audit procedures are necessary, the internal auditor should document the same.
21. This Standard on Internal Audit is effective for all internal audits beginning on or after __________. Earlier application of the Standard is encouraged.
* Published in the January, 2009 issue of The Chartered Accountant.