Standard on Internal Audit (SIA) 220, Conducting Overall Internal Audit Planning
This Standard on Internal Audit (SIA) 220, “Conducting Overall Internal Audit Planning,” issued by the Council of the Institute of Chartered Accountants of India should be read in conjunction with the “Preface to the Standards on Internal Audit,” “Framework Governing Internal Audits” and “Basic Principles of Internal Audit” issued by the Institute.
1.1 Internal audit planning is conducted at two levels:
(a) An overall internal audit plan for the entire entity is prepared for a given period of time (usually a year) and presented to the highest governing body responsible for internal audits, normally, the Board of Directors, or the Audit Committee.
(b) A number of specific internal audit plans are prepared for individual assignments to be undertaken covering some part of the entity and presented to the Chief Internal Auditor.
1.2 This Standard on Internal Audit (SIA) covers the first level of planning, “Conducting Overall Internal Audit Planning” for the entity as a whole. Standard on Internal Audit (SIA) 310 deals with “Planning of Internal Audit Assignments” for a particular part of the entity.
1.3 In the case of Companies under Companies Act, 2013, it is a legal requirement for the Audit Committee or its Board of Directors to formulate the overall internal audit plan of the company. Companies (Accounts) Rule 13(2) of Companies Act, 2013 provides as under:
“The Audit Committee of the company or the Board shall, in consultation with the Internal Auditor, formulate the scope, functioning, periodicity, and methodology for conducting the internal audit.”
The Audit Committee or the Board takes the active support of the Chief Internal Auditor, to develop the Overall Internal Audit Plan, in consultation with the Executive Management.
1.4 Conducting the Overall Internal Audit Planning involves the following key elements:
(a) It is undertaken prior to the beginning of the plan period (generally, the financial year).
(b) It is comprehensive in nature covering the entire entity.
(c) It is directional in nature and considers all the Auditable Units (i.e., locations, functions, business units and legal entities including third parties, where relevant), along with the periodicity of the assignments to be undertaken during the plan period.
(d) It is normally prepared by the Chief Internal Auditor (or the Engagement Partner, where an external service provider is appointed to conduct internal audits).
(e) The outcome of this exercise is an “Overall Internal Audit Plan” (or the “Audit Engagement Plan,” if outsourced).
1.5 Scope: This SIA deals with the Internal Auditor’s responsibility to prepare the Overall Internal Audit Plan, also referred to as the Annual Internal Audit (Engagement) Plan. Where only part of the internal audit activity is outsourced, this SIA shall apply to the extent the Internal Auditor needs to plan the activities of the outsourced part of the engagement only, as defined in their terms of engagement, which shall also clarify the extent of the planning responsibilities.
2.1 The objectives of an Overall Internal Audit (Engagement) Plan are to:
(a) ensure that the planned internal audits are in line with the objectives of the internal audit function, as per the internal audit charter of the entity (and terms of engagement, where it is an outsourced engagement) and also in line with the overall objectives of the organisation.
(b) align the organisation’s risk assessment with the effectiveness of the risk mitigation implemented through internal controls.
(c) confirm and agree with those charged with governance the broad scope, methodology and depth of coverage of the internal audit work to be undertaken in the defined time-period.
(d) ensure that overall resources are adequate, skilled and deployed with focus in areas of importance, complexity and sensitivity.
(e) ensure that the audits undertaken conform at all times with the applicable pronouncements of the Institute of Chartered Accountants of India.
3.1 The planning exercise shall follow a laid down process (Para. 4.1), the outcome of which shall be a written document (Para. 4.8) containing all the essential elements required to help achieve the objectives of the plan as outlined under Paragraph 2 above. Technology deployment (Para. 4.6) and resource allocation (Para. 4.7) shall form essential elements of the overall internal audit plan.
3.2 The overall internal audit plan shall be reviewed and approved by the highest governing body responsible for internal audits, normally, the Board of Directors, or the Audit Committee.
3.3 Knowledge of the entity, its business and operating environment shall be obtained to determine the types of audit assignment which could be conducted (Para. 4.2). As part of the planning process, a discussion with management and other stakeholders shall be undertaken to understand the intricacies of each auditable unit subject to audit (Para. 4.3).
3.4 An Audit Universe shall be prepared prior to establishing the scope of the overall internal audit plan (Para. 4.4). The scope shall be consistent with the goals and objectives of the internal audit function (and terms of engagement, where it is an outsourced engagement) as listed in the internal audit charter. The scope shall also be in line with the nature and extent of the assurance to be provided.
3.5 A risk based planning exercise shall form the basis of the overall internal audit plan. The Internal Auditor shall undertake an independent risk assessment exercise to prioritise and focus the audit work on high risk areas, with due attention to matters of importance, complexity and sensitivity (Para. 4.5).
3.6 The Audit Universe and the overall internal audit plan shall be continuously monitored during the execution phase for achievement of the objective and to identify any deviations. Certain deviations may require to be notified to the stakeholders or even require a formal modification to the plan. However, any significant modification to the plan shall be done only after consultation with those who approved the original plan. Such changes shall be formally documented, including reasons for the change, and communicated to all impacted stakeholders.
4.1 The Planning Process (refer Para. 3.1): The Internal Auditor conducting the overall internal audit planning shall use professional judgement for the process to be followed in completing all essential planning activities. A documented planning process shall be in place which stipulates the essential inputs, steps to complete the planning and the nature of output required to conduct a comprehensive planning exercise.
4.2 Knowledge of the Business and its Environment (refer Para. 3.3): The Internal Auditor shall gather all the information required to fully understand the entity’s business environment, the risks it faces and its operational challenges.
The extent of information required shall be sufficient to enable the Internal Auditor to identify matters which have a significant effect on the organisation’s financials. Hence, there is a need to connect the financial aspects of the business with other business elements, such as industry dynamics, company’s business model, operational intricacies, legal and regulatory environment, and the system and processes in place to run its operations.
4.3 Discussion with Management and Stakeholders (refer Para. 3.3): A key element of planning involves extensive discussion and deliberation with all stakeholders, including executive management, risk owners, process owners, statutory auditors etc. Their inputs are critical in understanding the intricacies of each assignment under consideration, in identification of important matters of relevance and to align stakeholder expectations with audit objectives.
4.4 Audit Universe and Scope of Coverage (refer Para. 3.4): Prior to defining the scope of internal audit, a complete identification of all the Auditable Units (locations, functions, business units, legal entities, including third parties where relevant) of the organisation shall be made. This list of all the Auditable Units is, generally, referred to as the “Audit Universe”. It covers every conceivable audit assignment which could be taken up for review during the plan period. The audit universe helps to ensure that the audit scope does not overlook any Auditable Unit. It forms the basis from which the overall internal audit plan is derived by consciously excluding certain units or areas from the scope, for justifiable reasons, such as low risk.
The internal audit objectives and the nature of assurance to be provided will also help to establish the scope of internal audit. On certain occasions, especially in the case of outsourced engagements, the management may define or mandate the scope and may even restrict the coverage of certain areas or transactions. When finalising the scope, it is important to clearly highlight any scope limitations in the internal audit plan as part of the communication to the approving body, such as the Audit Committee.
4.5 Risk Assessment (refer Para. 3.5): The internal auditor shall undertake an independent risk assessment of all the Auditable Units identified in the Audit Universe and align this with the risk assessment conducted by the management and the statutory auditor. This is required to prioritise and focus audit work on high risk areas, with due attention to matters of importance, complexity and sensitivity.
The internal auditor may also plan to undertake a dedicated audit of the company’s Risk Management Framework and processes, as a separate review or assignment.
4.6 Technology Deployment (refer Para. 3.1): A key element of the overall internal audit planning exercise involves understanding the extent to which:
(a) the entity has deployed information technology (IT) in its business, operations and transaction processing, and
(b) the auditor needs to deploy IT tools, data mining and analytic procedures, and the expertise required for conducting the audit activities and testing procedures.
This helps to design and plan the audit more efficiently and effectively.
4.7 Resource Allocation (refer Para. 3.1): The Internal Auditor shall prepare a detailed work schedule to estimate the time required for each audit assignment depending on the audit attention it deserves (on the basis of risk assessment) and map this with the competencies (knowledge, experience, expertise, etc.) of the resources available. The requirements are then matched with the limited resources available to:
(a) finalise the scope and depth of coverage of audit assignments;
(b) identify any critical skills/expertise gaps in the audit team; and/or
(c) seek other means of acquiring additional resources required (internal or external sourcing).
4.8 Documentation: To confirm compliance of audit procedures with the SIA, all key steps undertaken in the planning process shall be adequately documented to confirm their proper completion.
Essential documentation shall be as follows:
(a) Information gathered about the business and its operations, systems and processes and past or known issues.
(b) Audit Universe and summary of Auditable Units.
(c) Summary of meetings and communication with key stakeholders, with a summary of their inputs.
(d) Risk assessment documentation.
(e) Summary of available resources, their competencies and the proper matching of their skills with the audit requirements.
(f) Final overall internal audit plan, duly approved by the competent authorities.
5.1 This Standard is applicable for internal audits beginning on or after a date to be notified by the Council of the Institute.
* Note: This Standard on Internal Audit (SIA) supersedes some part or all of the following current SIAs (recommendatory in nature):
Standard on Internal Audit (SIA) 1, Planning an Internal Audit, issued in August, 2006.
Standard on Internal Audit (SIA) 15, Knowledge of the Entity and its Environment, issued in March, 2009.