standards on internal audit - codifying the best practices verendra kalra fca,grad.cwa,disa...

Standards on Internal Audit - Codifying the Best Practices

Verendra KalraFCA,GRAD.CWA,DISA

Venue ICAI BRANCH

City Dehradun

On 19th May 2012

Introduction

Standards on Internal Audit (SIAs)-

Issued by the Council of the Institute of Chartered Accountants of IndiaTill date 17 SIAs issuedCodify best practices in areas of internal auditProvide a benchmark of the performance of the internal audit services

Standards on Internal Audits CA Verendra Kalra

Preface to the Standards on Internal Audit(Issued in January 2004)

Scope of the Standards on Internal Audit (SIAs)Scope of the Guidance Notes on Internal AuditImplications of the departures from SIAsProcedure for issuing the SIAs and Guidance Notes

Standards on Internal Audits CA Verendra KalraStandards on Internal Audits CA Verendra Kalra

Scope of the Standards on Internal Audit

SIAs apply whenever internal audit is carried out

Describes internal audit asA continuous and critical appraisal of functioning of an entity with a view:-to suggest improvements,-to add value and strengthen the overall governance mechanism -including the entity’s strategic risk management and internal control system


Why Internal Audit?

Internal audit helps in:Understanding and assessing the risks and evaluate the adequacies of the prevalent internal controls.Identifying areas for systems improvement and strengthening controls.Ensuring optimum utilisation of the resources of the entity, for example, human resources, physical resources etc.Ensuring proper and timely identification of liabilities, including contingent liabilities of the entity.Ensuring compliance with internal and external guidelines and policies of the entity as well as the applicable statutory and regulatory requirements.Safeguarding the assets of the entity.Reviewing and ensuring adequacy of information systems security and control.Reviewing and ensuring adequacy, relevance, reliability and timeliness of management information system.


Types of Internal audits -Few Examples

Internal audit requirements under Companies (Auditor’s Report) Order, 2003

(CARO, 2003)

Internal audit of Enterprise risk management process

Internal audit of corporate governance

Internal audit of transactions of Depository Participants

Internal audit in Banks

Internal audit of treasury operations

Internal audit of plastic money operations

Internal audit of Mutual funds

Internal audit of a Not -for- Profit Organisation

Risk based Internal Audit


Types of Internal audits -Few Examples (Contd…)Internal Audit of Intellectual property

Internal audit of stock and Inventories

Internal audit of adherence to competition Law

Internal Audit - Controls due Diligence Reviews

Internal Audit of ESOP Transactions

Internal Audit of NBFCs

Internal Audit of compliance with FEMA laws

Internal Audit of compliance with Labour Law

Internal Audit of Financial Instruments


Internal audit-some perspectives

Need not be mandated by law

Need not be an exclusive area for CA’s

Scope is very different as compared to statutory audit

The above factors impact the :

Approach and objective

Skills required


Framework for Standards on Internal Audit(Issued in August 2008)

Objective is to promote the professionalism in the internal audit activity.Provide a frame of reference for the SIAs being issued.

Components of Frame workThe Code of Conduct Establishes the essential principles of conduct and prescribes for the professionals in internal audit activity.The Competence Framework Describes the key characteristics that are required of persons performing internal audit.The Body of StandardsStandards specifies the basic principles and processes.Mandatory minimum requirementsThe Technical GuidanceProvide guidance to internal auditors in resolving professional issue arising while carrying out internal audit.


SIA 1, Planning Internal Audit(Issued in May 2006)

Gives an insight into the objectives of the planning

Provides knowledge about the factors affecting the planning process

Deals with scope of the planning and the planning process

Develop and document plan in consultation with those charged with governance,

including the Audit Committee

Internal audit plan should be based on :

the objectives of the activity

significant risks

risk management and internal control system

reflect the risk management strategy


SIA 1, Planning Internal AuditContd…..

A plan once prepared should be continuously reviewed by the internal auditor to

identify any modifications required to bring the same in line with the changes, if

any, in the audit environment.

The internal auditor should also assess the client expectations as to the assurance

level on different aspect of entity’s operations and controls.

The internal auditor should also prepare a formal internal audit programme listing

the procedures essential for meeting the objective of the internal audit plan.


SIA 2, Basic Principles Governing Internal Audit(Issued in August 2007)

Explains the principles which governs the internal auditor’s professional

responsibilities:

Integrity, objectivity and independence,

Confidentiality

Due professional care, skills and competence

Work performed by others

Documentation

Planning

Evidence

Internal Control and Risk Management

Reporting


SIA 2, Basic Principles Governing Internal Audit(Contd…)

Elaborate principles to give guidance on auditing procedure and reporting practices

Compliance with basic principles

Require application of procedures and practices appropriate to particular

circumstances


SIA 3, Documentation(Issued in August 2007)

Provide guidance on documentation requirements in internal audit

Describes form and content of documentation

Detention and retention of the documentation

Identification of the preparer and reviewer

Documentation may be on paper or on electronic or any other media

Documentation should record internal audit charter,

internal audit plan,

nature, timing and extent of audit procedures performed, and

conclusions drawn from the evidence obtained

Signed by the preparers and reviewers


SIA 4, Reporting (Issued in August 2008)

Establish standards on the form and content of internal auditor’s report.

Describes basic elements of an internal auditor’s report

Deals with different stages of communication and discussion of the report

Describes the reporting responsibilities of the internal auditor


SIA 4, Reporting (Contd…)Basic elements of Internal Audit Report

Title;Addressee;Report Distribution List;Period of coverage of the Report;Opening or introductory paragraph;Objectives paragraph;Scope paragraph;Executive Summary;Observations, findings and recommendations made by the internal auditor; Comments from the local management;Action Taken Report (Follow up report) ;Date of the report;Place of signature; andInternal auditor’s signature with Membership Number.


SIA 5, Sampling(Issued in August 2008)

Provide guidance regarding the design and selection of an audit sample

Guide on the use of audit sampling in the internal audit engagement

Deals with evaluation of sample results

Guidance on use of sample in risk assessment procedures and tests of controls

performed by the internal auditor


SIA 5, Sampling(Issued in August 2008)

Evaluation of sample results

The internal auditor should:

analyse the nature and cause of any errors detected in the sample;

project the errors found in the sample to the population;

reassess the sampling risk; and

consider their possible effect on the particular internal audit objective and on other

areas of the internal audit engagement


SIA 6, Analytical Procedures(Issued in August 2008)

Provide guidance regarding the application of analytical procedures during internal

audit

Deals with the aspects such as:

the nature and purpose of analytical procedures,

analytical procedures as risk assessment procedures and planning the internal audit

Analytical procedures as substantive procedures

Analytical procedures in the overall review at the end of the internal audit

Extent of reliance on analytical procedures


SIA 6, Analytical Procedures(Contd….)

Analytical Procedures as Risk Assessment Procedures and in Planning the Internal Audit to obtain an understanding of the business, the entity and its environment and in identifying areas of potential risk

Analytical Procedures as Substantive Procedures procedures to reduce detection risk relating to specific financial statement assertions and assertions relating to process, systems and controls

Analytical Procedures in the Overall Review at the End of the Internal Auditforming an overall conclusion as to whether the systems, processes and controls as a whole are robust, operating effectively and are consistent with the internal auditor's knowledge of the business


SIA 7, Quality Assurance in Internal Audit (Issued in August 2008)A system for assuring the quality in internal audit should provide reasonable assurance that the internal auditors comply with professional standards, regulatory and legal requirements so that the reports issued by them are appropriate in the circumstances.

provide the guidance to the person entrusted with the responsibility for the quality of the internal audit whether in-house internal audit or a firm carrying out internal audit.

This Standard also provide the extensive knowledge about the internal quality reviews, external quality reviews and communicating the results thereof.


SIA 7, Quality Assurance in Internal Audit (Contd…)

ObjectivesProvide assurance that internal auditor comply with professional standards, regulatory and legal requirements

Person within the entity should be entrusted with the responsibility for quality in the internal audit

Include policies and procedures addressing each of following elements:Leadership responsibilities for quality in internal audit Ethical requirements Acceptance and continuance of client relationship and specific engagement, as may be applicableHuman resources Engagement performanceMonitoring


SIA 8, Terms of Internal Audit Engagement (Issued in August 2008)Establish standards in respect of terms of engagement of the internal audit activity whether carried out in house or by an external agency.

Clarity on terms of internal audit engagement is essential for inculcating professionalism and avoiding misunderstanding as to any aspect of the engagement.

Elements of Terms of EngagementScope ResponsibilityAuthorityConfidentialityLimitationsReportingCompensationCompliance with Standards


SIA 9, Communication with Management (Issued in January 2009)

Provides a framework for internal auditor’s communication with management and identifies some specific matters to be communicated with management as described in the terms of the engagement.

Deals with the aspects such as: Matters to be communicated The communication process- Forms, Timing, Adequacy Documentation of Communication

Internal Auditor’s Responsibilities in Relation to the Terms of Engagement

Planned Scope and Timing of the Internal Audit

Significant Findings from the Internal Audit


SIA 9, Communication with Management (Contd…)

Communication to management includes the following steps:

Discussion draft - should be submitted to the entity management for their review before the

exit meeting

Exit meeting- internal auditor should discuss with the management of the entity regarding the

findings, observations, recommendations, and text of the discussion draft.

Formal Draft- prepare a formal draft, taking into account any revision or modification resulting

from the exit meeting and other discussions.

Final report- The internal auditor should submit the final report to the appointing authority or

such members of management, as directed.


SIA 10, Internal Audit Evidence (Issued in January 2009)


objective of the internal audit evidence,

sufficiency and appropriateness of internal audit evidence,

procedures for obtaining evidence

Internal audit evidence should enable internal auditor to form an opinion on scope

of terms of engagement


SIA 10, Internal Audit Evidence (Contd…)

Sufficient and Appropriate Internal Audit Evidence

Internal auditor’s judgement as to what is sufficient and appropriate internal audit

evidence is usually influenced by:

The materiality of the item.

The type of information available.

Degree of risk of misstatement which may be affected by factors such as :

-The nature of the item.

-The nature or size of the business carried on by the entity.

-Situation which may exert an unusual influence on management


SIA 11, Consideration of Fraud in an Internal Audit (Issued in January 2009)


what is fraud ?

concept of internal control system,

elements of internal control system,

responsibilities of the internal auditors,

to whom the internal auditors will communicate about the presence of fraud,

documentation of fraud risk factors when identified


SIA 11, Consideration of Fraud in an Internal Audit (Issued in January 2009)

Responsibilities of the Internal AuditorInternal auditor to help management fulfill the responsibilities relating to fraud detection and

prevention

Approach of internal auditor should include

Control Environment

Risk Assessment

Information System and Communication

Control Activities

Monitoring


SIA 12, Internal Control Evaluation (Issued in February 2009)

Deals with the aspects such as: Nature, Purpose and Types of Internal Controls

Inherent Limitations of Internal Controls

Role of Internal Auditor in Evaluating Internal Controls

Monitoring Internal Audit findings

Communication of Continuing Internal Control Weaknesses


SIA 12, Internal Control Evaluation (Contd….)

Role of Internal Auditor

Examine continued effectiveness of internal control system through evaluation and

make recommendations, if any, for improving effectiveness.

Focus towards improving internal control structure and promoting better corporate

governance.

Make management aware, as soon as practical and at an appropriate level, of

material weaknesses in design or operation of internal control systems


SIA 13, Enterprise Risk Management (Issued in February 2009)

Describes Risk and Enterprise Risk Management

Deals with the aspects such as: Process of ERM and Internal Audit

Role of Internal Auditor in Relation to ERM

Monitoring Internal Audit findings

Internal Audit Plan and Risk Assessment


SIA 13, Enterprise Risk Management (Contd….)

Role of Internal Auditor in Relation to ERM

Provide assurance to management on effectiveness of risk management

Review maturity of ERM structure by considering whether framework so

developed,:

Protects enterprise against surprises;

Stabilizes overall performance with less volatile earnings;

Operates within established risk appetite;

Protects ability of enterprise to attend to its core business

Creates system to proactively manage risks


SIA 14, Internal Audit in an Information Technology Environment (Issued in March 2009)

Describes:

Skills and competence to conduct internal audit in an IT environment

Factors to be consider while planning such an internal audit

Matters that may effect audit in an IT environment

Risk Assessment

Audit Procedures

Review of IT Environment

Outsourced Information Processing

Documentation


SIA 14, Internal Audit in an Information Technology Environment (Contd…)

Review of Information Technology Environment

Overall objective and scope of an internal audit does not change in an IT

environment

Consider IT environment in designing audit procedures to review systems,

processes, controls and risk management framework

Apply professional judgment and skill in reviewing IT environment and assessing

interface of such IT infrastructure with other business processes


SIA 15, Knowledge of the Entity and Its Environment (Issued in March 2009)

Establish standards to provide guidance on:

what constitutes knowledge of an entity’s business

its importance to various phases of internal audit engagement

techniques to be adopted by internal auditor in acquiring such knowledge about

entity and its environment

guidelines regarding application, usage and documentation of such knowledge by

internal auditor


SIA 15, Knowledge of the Entity and Its Environment (Contd…)

Using information appropriately assists internal auditor in :

Assessing risks and in identifying key focus areas

Planning and performing internal audit effectively and efficiently

Evaluating audit evidence

Providing better quality of service to client


SIA 16, Using the Work of an Expert (Issued in March 2009)

Provide guidance where the internal auditor uses the work performed by an expert

Explains situations in which need for using work of an expert might arise

Considering skills and competence and objectivity of the expert

Lays down procedures for evaluating the work of an expert


SIA 16, Using the Work of an Expert (Contd…)

Reference to an expert in Report

Should not, normally, refer to work of an expert in internal audit report

Reference may be useful in cases

Existence of material weaknesses or deficiencies in internal control system

Beneficial to the readers

Reference should outline assumptions, broad methodology and conclusions of

expert


SIA 17, Consideration of laws and regulations in an Internal Audit(Issued in 2010)

Objectives of internal auditor

To obtain sufficient appropriate audit evidence regarding compliance with the

provisions of those laws and regulations having direct effect on the financial

statements

identify instances of non compliance with other laws and regulations that may have

a significant impact on the functioning of the entity

To respond appropriately to non-compliance or suspected non-compliance

with laws and regulations identified during the internal audit.


SIA 17, Consideration of laws and regulations in an Internal Audit(Contd….)

Responsibility of the Internal Auditor

the identification of non-compliance with laws and regulations is also an inherent

part of his responsibilities.

The responsibilities of an internal auditor related to compliance with laws and

regulations are much wider than the statutory audit function. Even in the absence of an explicit mention in the terms of the engagement, the internal auditor has to verify compliance with laws and regulations within the overall objectives of an internal audit . This is in view of the following:paragraph 2 of the Standard on Internal Audit (SIA) 1,“Planning an Internal Audit”paragraph 8 & 10 of the Standard on Internal Audit (SIA) 12,“Interenal control Evaluation” paragraph 9 of the Standard on Internal Audit (SIA) 13,“Enterprise risk management”


SIA 17, Consideration of laws and regulations in an Internal Audit(Contd….)Responsibility of the Internal Auditor (contd…) Compliances are divided into two part a)Compliances that have a direct effect on the determination of material amounts and disclosures in the financial statements such as tax and laws regulating the reporting framework Auditors responsibility: to obtain sufficient appropriate audit evidence, in accordance with the Standard on Internal Audit (SIA) 10, “Internal Audit Evidence”, about compliance with the provisions of those laws and regulations.

b)Other laws and regulations that do not have a direct effect on the determination of the amounts and disclosures in the financial statements, but compliance with which may be fundamental to the operating aspects of the business, to an entity’s ability to continue its business, or to avoid material penalties Auditors responsibility: is limited to undertaking specified audit procedures to help identify non-compliance with those laws and regulations that may have a significant impact on the functioning of the entity



Reporting Non compliances

To those charged with governance the internal auditor shall communicate with those charged with governance (if all are not

part of management) matters involving non-compliance with laws and regulations that come to

the internal auditor’s attention during the course of the internal audit, other than when the

matters are clearly inconsequential.

If, in the internal auditor’s judgment, the non-compliance is believed to be intentional and

material, the internal auditor shall communicate the matter to those charged with governance

as soon as practicable



Reporting Non compliances (Contd….)

Reporting non compliance in Internal Audit report

If the internal auditor concludes that the non-compliance has a significant impact

on the functioning of an entity and has not been adequately dealt with by the

management, the internal auditor shall report the same in accordance with SIA 4,

“Reporting”.


THANK YOU

standards on internal audit - codifying the best practices verendra kalra fca,grad.cwa,disa...

Documents

internal audit siasscope

internal auditstandards

internal auditimplications

internal auditsias

internal auditissued

prevalent internal controls

areas of internal auditprovide

physical resources