Rule 13(2) of Companies Act, 2013 requires the Audit Committee or its Board to formulate the overall internal audit plan of the company. In consultation with the Internal Auditor, they are required to formulate the scope, functioning, periodicity, and methodology for conducting the internal audit.
It ensures that the audit is in line with its objective and align the organization's risk assessment with the effectiveness of the risk mitigation implemented through various internal controls. Also, it confirms and agrees with those charged with governance the broad scope, methodology and depth of coverage of the internal audit work to be undertaken in the defined time period.
Engagement partner undertakes audit plan prior to the beginning of the financial year with a comprehensive nature covering the entire entity. It is directional in nature and considers all locations, functions, business units and legal entities including third parties along with periodicity of the assignments to be undertaken during the plan period by ensuring that overall resources are adequate, skilled and deployed with focus in areas of importance, complexity and sensitivity. In order to understand the intricacies of each auditable unit subject to audit internal auditor shall obtain Knowledge of the entity, its business and operating environment. The Internal Auditor shall undertake an independent risk assessment exercise to prioritize and focus the audit work on high risk areas, with due attention to matters of importance, complexity and sensitivity
There is a need to connect the financial aspects of the business with other business elements, such as industry dynamics, company's business model, operational intricacies, legal and regulatory environment, and the system and processes in place to run its operations since it has a significant effect on the organization's financials. It requires Internal auditor to use his professional judgment for the process to be followed in completing all essential planning activities.
This planning shall be documented and contain all the essential elements required to help achieve the objectives of the plan including technology deployment & resource allocation.
Auditor shall understand the IT deployed in business, operations and transaction processing, and plan accordingly IT tools, data mining and analytic procedures, and the expertise required for conducting the audit activities and testing procedures.
Auditor shall document detailed work schedule to estimate the time required for each audit area depending on the audit attention it deserves (based on risk assessment) & maps this with the competencies (knowledge, experience, expertise, etc.) of the staff
The highest governing body responsible for internal audits, normally, the Board of Directors, or the Audit Committee shall reviewed and approve it.
In addition, the Internal Auditor shall exchange relevant information with the Statutory Auditor to coordinate the audit work and procedures, as per Standard on Auditing (SA) 610, “Using the Work of Internal Auditors'.
Ref: STANDARD ON INTERNAL AUDIT (SIA) 220 "Conducting overall internal audit planning"