The following is the text of the Standard on Internal Audit (SIA) 4, Reporting, issued by the Council of the Institute of Chartered Accountants of India. These Standards should be read in conjunction with the Preface to the Standards on Internal Audit, issued by the Institute.
In terms of the decision of the Council of the Institute of Chartered Accountants of India taken at its 260th meeting held in June 2006, the following Standard on Internal Audit shall be recommendatory in nature in the initial period. The Standards shall become mandatory from such date as notified by the Council.
1. The purpose of this Standard on Internal Audit (SIA) is to establish standards on the form and content of the internal auditor’s report issued as a result of an internal audit performed by an internal auditor of the systems, processes, controls including items of financial statements of an entity.
2. The internal auditor should review and assess the analysis drawn from the internal audit evidence obtained as the basis for his conclusion on the efficiency and effectiveness of systems, processes and controls including items of financial statements.
3. This review and assessment involves considering whether the systems, procedures and controls are in existence and are operating effectively.
4. The internal auditor’s report should contain a clear written expression of significant observations, suggestions/recommendations based on the policies, processes, risks, controls and transaction processing taken as a whole and management’s responses.
Basic Elements of the Internal Audit Report
5. The internal auditor’s report includes the following basic elements, ordinarily, in the following layout:
(c) Report Distribution List;
(d) Period of coverage of the Report;
(e) Opening or introductory paragraph;
(i) identification of the processes/functions and items of financial statements audited; and
(ii) a statement of the responsibility of the entity’s management and the responsibility of the internal auditor;
(f) Objectives paragraph – statement of the objectives and scope of the internal audit engagement;
(g) Scope paragraph (describing the nature of an internal audit):
(i) a reference to the generally accepted audit procedures in India, as applicable;
(ii) a description of the engagement background and the methodology of the internal audit together with procedures performed by the internal auditor; and
(iii) a description of the population and the sampling technique used.
(h) Executive Summary, highlighting the key material issues, observations, control weaknesses and exceptions;
(i) Observations, findings and recommendations made by the internal auditor;
(j) Comments from the local management;
(k) Action Taken Report – Action taken/ not taken pursuant to the observations made in the previous internal audit reports;
(l) Date of the report;
(m) Place of signature; and
(n) Internal auditor’s signature with Membership Number.
A measure of uniformity in the form and content of the internal auditor’s report is desirable because it helps to promote the reader’s understanding of the internal auditor’s report and to identify unusual circumstances when they occur.
6. The internal auditor should exercise due professional care to ensure that the internal audit report, inter alia, is:
(ii) factual – presents all significant matters with disclosure of material facts
(vii) complies with generally accepted audit procedures in India, as applicable.
7. The internal auditor’s report should have an appropriate title expressing the nature of the Report.
8. The internal auditor’s report should be appropriately addressed as required by the circumstances of the engagement. Ordinarily, the internal auditor’s report is addressed to the appointing authority or such other person as directed.
Report Distribution List, Coverage and Opening or Introductory Paragraph
9. There should be a mention of the recipients of the report in the section on Report Distribution List.
10. The internal auditor’s report should identify the systems, processes, functional lines or other items of the entity that have been audited, including the date of and period covered.
11. The report should include a statement that the operation of systems, procedures and controls are the responsibility of the entity’s management and a statement that the responsibility of the internal auditor is to express an opinion on the weaknesses in internal controls, risk management and governance (entity level controls) framework, highlighting any exceptions and cases of noncompliance and suggest or recommend improvements in the design and operations of controls based on the internal audit.
12. The internal auditor’s report should describe the scope of the internal audit by stating that the internal audit was conducted in accordance with generally accepted audit procedures as applicable. The management needs this as an assurance that the audit has been carried out in accordance with established Standards.
13. “Scope” refers to the internal auditor’s ability to perform internal audit procedures deemed necessary in the circumstances.
14. The report should include a statement that the internal audit was planned and performed to obtain reasonable assurance whether the systems, processes and controls operate efficiently and effectively and financial information is free of material misstatement.
15. The internal auditor’s report, in line with the terms of the engagement, should describe the internal audit as including:
(a) examining, on a test basis, evidence to support the amounts and disclosures in financial statements;
(b) assessing the strength, design and operating effectiveness of internal controls at process level and identifying areas of control weakness, business risks and vulnerability in the system and procedures adopted by the entity;
(c) assessing the accounting principles and estimates used in the preparation of the financial statements; and
(d) evaluating the overall entity-wide risk management and governance framework.
16. The Report should include a description of the engagement background, internal audit methodology used and procedures performed by the internal auditor mentioning further that the internal audit provides a reasonable basis for his comments.
Executive Summary Paragraph
17. The Executive Summary paragraph of the internal auditor’s report should clearly indicate the highlights of the internal audit findings, key issues and observations of concern, significant controls lapses, failures or weaknesses in the systems or processes.
Observations (Main Report) Paragraph
18. The Observations paragraph should clearly mention the process name, significant observations, findings, analysis and comments of the internal auditor.
Comments from Local Management
19. The Comments from Local Management Paragraph should contain the observations and comments from the local management of the entity provided after giving due cognizance to the internal auditor’s comments. This should also include local management’s action plan for resolution of the issues and compliance to the internal auditor’s recommendations and suggestions on the areas of process and control weakness/deficiency. The management action plan should contain, inter alia:
(a) the timeframe for taking appropriate corrective action;
(b) the person responsible; and
(c) resource requirements, if any, for ensuring such compliance.
20. Further comments from the internal auditor, in response to the auditee feedback, are to be clearly mentioned. This paragraph should also contain the internal auditor’s suggestions and recommendations to mitigate risks, strengthen controls and streamline processes with respect to each of the observations and comments made.
Action Taken Report Paragraph
21. The Action Taken Report paragraph should be appended after the observations and findings and should include:
(a) Status of compliance/corrective action already taken/being taken by the auditee with respect to previous internal audit observations;
(b) Status of compliance / corrective action not taken by the auditee with respect to previous internal audit observations and the reasons for non-compliance thereof; and
(c) Revised timelines for compliance of all open items in (b) above and fixation of the responsibility of the concerned process owner.
22. The date of an internal auditor’s report is the date on which the internal auditor signs the report expressing his comments and observations.
Place of Signature
23. The report should name the specific location, which is ordinarily the city where the internal audit report is signed.
Internal Auditor’s Signature
24. The report should be signed by the internal auditor in his personal name. The internal auditor should also mention the membership number assigned by the Institute of Chartered Accountants of India in the report so issued by him.
Communication to Management
25. The internal audit report contains the observations and comments of the internal auditor, presents the audit findings, and discusses recommendations for improvements. To facilitate communication and ensure that the recommendations presented in the final report are practical from the point of view of implementation, the internal auditor should discuss the draft with the entity’s management prior to issuing the final report. The different stages of communication and discussion should be as under:
(a) Discussion Draft – At the conclusion of fieldwork, the internal auditor should draft the report after thoroughly reviewing his working papers and the discussion draft before it is presented to the entity’s management for auditee’s comments. This discussion draft should be submitted to the entity management for their review before the exit meeting.
(b) Exit Meeting – The internal auditor should discuss with the management of the entity regarding the findings, observations, recommendations, and text of the discussion draft. At this meeting, the entity’s management should comment on the draft and the internal audit team should work to achieve consensus and reach an agreement on the internal audit findings.
(c) Formal Draft – The internal auditor should then prepare a formal draft, taking into account any revision or modification resulting from the exit meeting and other discussions. When the changes have been reviewed by the internal auditor and the entity management, the final report should be issued.
(d) Final Report – The internal auditor should submit the final report to the appointing authority or such members of management, as directed. The periodicity of the Report should be as agreed in the scope of the internal audit engagement. The internal auditor should mention in the Report, the dates of discussion draft, exit meeting, Formal Draft and Final Report.
Limitation on Scope
26. When there is a limitation on the scope of the internal auditor’s work, the internal auditor’s report should describe the limitation.
Restriction on Usage and Report Circulation Otherwise Than to the List of Intended Recipients
27. The internal auditor should state in the Report that the same is to be used for the intended purpose only as agreed upon and the circulation of the Report should be limited to the recipients mentioned in the Report Distribution List.
28. This Standard on Internal Audit is applicable to all internal audits commencing on or after ______. Earlier application of the SIA is encouraged.
Published in the October 2008 issue of The Chartered Accountant.