Standards on Internal Audit: Codifying the Best Practices

What is Internal Audit?

Internal Auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization to accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.

Paragraph 3.1 of the Preface to the Standards on Internal Audit, issued by the Institute of Chartered Accountants of India defines internal audit as follows:

“Internal audit is an independent management function, which involves a continuous and critical appraisal of the functioning of an entity with a view to suggest improvements thereto and add value to and strengthen the overall governance mechanism of the entity, including the entity’s risk management and internal control system.”

Objectives of Internal Audit:

1. To evaluate the internal control systems and integrity of financial and operational information produced by these systems.

2. To determine whether compliance exists in accordance with policies, procedures, laws and regulations.

3. To determine whether assets are safeguarded and verifying the existence of these assets.

4. To appraise the economy and efficiency of resource utilization.

5. To review the operations and programs for consistency with established management goals and objectives.

Standards on Internal Audit (SIA)

Meaning

In general terms, SIA are set of systematic guidelines used by internal auditors to ensure the accuracy, consistency and verifiability of their actions and reports.

Like any other standard, they provide the guidance in determining the nature, timing and extent of audit procedures that should be applied to fulfill the objective of Internal Audit.

They are the criteria or yardsticks against which the quality of the internal audit results is evaluated.

Framework of SIA:

The Framework on Standards on Internal Audit comprises four components viz,

· The Code of Conduct

· The Competence Framework

· The Body of Standards and

· The Technical Guidance

Purpose of SIA:

a.To provide a benchmark for quality of services during an internal audit.

b. To codify the best practices in internal audit services.

SIA issued by ICAI

ICAI has totally issued 17 SIA. The list of this is as under:

All these SIA are explained as under:

SIA 1- Planning an Internal Audit:

The basic objective of this SIA is to establish standards and provide guidance in respect of planning an Internal Audit and helping in achieving the objectives of an Internal Audit function.

The internal auditor should, in consultation with TCWG including the audit committee, develop and document a plan for each internal audit engagement to help him conduct the engagement in an efficient and timely manner.

Adequate planning ensures that appropriate attention is devoted to significant areas of audit, potential problems are identified and that the skills and time of the staff are appropriately utilised.

Knowledge of entity’s business helps to identify areas of special focus and priorities for smooth running of business. Ideally, such knowledge can be obtained from following resources:

· Past experience

· Understanding basic documents e.g. MOA, AOA, minutes of various meetings, etc.

· Discussion with staff and management 

· Policy and Procedure’s Manual

· Visit to entity’s Plant and Accounts department

The internal auditor should, in consultation with TCWG including the audit committee, develop and document a plan for each internal audit engagement to help him conduct the engagement in an efficient and timely manner. He should also assess the client expectations as to the assurance level on different aspect of entity’s operations and controls.

In addition, the internal audit plan should also reflect the risk management strategy of the entity.

SIA 2- Basic Principles Governing Internal Audit:

Internal auditor should adhere to the basic principles governing an internal audit. Such basic principles are as under:

a. Integrity

b. Objectivity

c. Independence

d. Confidentiality

e. Due Professional Care, Skills and Competence

f. Work Performed by others

g. Documentation

h. Planning

i. Evidence

j. Internal Control and Risk Management Systems

l. Reporting

The above two words Internal Control and Risk Management Systems are heart and brain of Internal Audit. Ergo, Internal Auditor should:

· Understand the IC and RM framework.

· Assess its adequacy.

· Review its adequacy periodically.

· Perform risk-based audit.

This Risk based audit adopts following flow cycle:

SIA 3: Documentation

Paragraph 10 of the Standard on Internal Audit (SIA) 2, Basic Principles Governing Internal Audit, states as follows:

“10. The internal auditor should document matters, which are important in providing evidence that the audit was carried out in accordance with the Standards on Internal Audit and support his findings or the report submitted by him.”

“Internal audit documentation” means the record of audit procedures performed, including audit planning as discussed in the Standard on Internal Audit (SIA) 1, Planning an Internal Audit, relevant audit evidence obtained, and conclusions the auditor reached.

Following should form part of Internal Audit documentation:

a. Internal audit charter

b. Internal audit plan

c. Nature, timing and extent of audit procedures performed

d. Conclusions drawn from the evidence obtained.

e. If internal audit is outsourced, the documentation should contain a copy of the internal audit engagement letter, containing the T&Cs of appointment.

To ensure the reliability and effectiveness of documentation, following requirements should be given adherence:

a. Internal audit documentation should be sufficiently complete and detailed for an internal auditor to obtain an overall understanding of the audit.

b. All the significant matters which require exercise of judgment, together with the internal auditor’s conclusion thereon should be included in the internal audit documentation.

c. The documentation prepared by the internal auditor should be such that enables an experienced internal auditor (or a reviewer), having no previous connection with the internal audit to understand the audit plan, terms of reference, scope and N,T & E of audit procedures, significant issues and conclusion.

d. The extent of documentation is a matter of professional judgment since it is neither practical nor possible to document every observation, finding or conclusion in the internal audit documentation.

e. The internal audit file should be assembled within sixty days after the signing of the internal audit report. Assembly of the internal audit documentation file is only an administrative process and does not involve performance of any new audit procedures or formulation of new conclusions. Changes may be made to the audit documentation file only if such changes are administrative in nature.

SIA 4: Reporting

This standard inter alia includes the following:

· To review and assess the analysis drawn from internal audit evidence obtained as the basis for his conclusion on the efficiency and effectiveness of systems, processes and controls including items of financial statements.

· Report should clearly express significant observations, suggestions/recommendations based on the policies, processes, risks, controls and transaction processing taken as a whole and managements’ responses.

· To facilitate communication and ensure that recommendations presented in final report are practical from the point of view of implementation, the internal auditor should discuss the draft with the entity’s management prior to issuing the final report.

· When there is a limitation on the scope of internal auditor’s work, the internal auditor’s report should describe the limitation.

SIA 5: Sampling

When using either statistical or non-statistical sampling methods, the internal auditor should design and select an audit sample, perform audit procedures thereon, and evaluate sample results so as to provide sufficient and appropriate audit evidence to meet the objectives of the internal audit engagement unless otherwise specified by the client.

Following catch note of SIA 5 is noteworthy:

a. When designing an audit sample, internal auditor should consider specific audit objectives, the population from which internal auditor wishes to sample and the sample size

b. When determining the sample size, internal auditor should consider sampling risk, tolerable error and the expected error

c. Sample items should be selected in such a way that the sample can be expected to be representative of the population. This requires that all items or sampling units in the population have an opportunity of being selected.

COMMONLY USED SAMPLING METHODS

Finally, the internal auditor should evaluate the sample results to determine whether the assessment of the relevant characteristics of the population is confirmed or whether it needs to be revised.

SIA 6: Analytical Procedures

The internal auditor should apply analytical procedures as the risk assessment procedures at the planning and overall review stages of the internal audit. It involves various comparisons as depicted below:

In determining the extent to which the analytical procedures should be used, the internal auditor should consider the following factors:

a. The significance of the area being examined.

b. The adequacy of the system of internal control.

c. The availability and reliability of financial and non-financial information.

d. The precision with which the results of analytical procedures can be predicted.

e. The availability and comparability of information regarding the industry in which the organization operates.

f. The extent to which other auditing procedures provide support for audit results.

SIA 7: Quality Assurance in Internal Audit

A system for assuring the quality in internal audit should provide reasonable assurance that the internal auditors comply with professional standards, regulatory and legal requirements so that the reports issued by them are appropriate in the circumstances. In the case of the in–house internal audit or a firm carrying out internal audit, the person entrusted with the responsibility for the quality in internal audit should ensure that the system of quality assurance include policies and procedures addressing each of the following elements:

1. Leadership Responsibilities for quality in internal audit

2. Ethical Requirements

3. Acceptance and continuance of client relationship and specific engagement, as may be applicable

4. Human Resources

5. Engagement Performance

6. Monitoring

This Standard also provides the extensive knowledge about the internal quality reviews, external quality reviews and communicating the results thereof.

SIA 8: Terms of Internal Audit Engagement

The internal auditor and the auditee should agree on the terms of the engagement before commencement.

The terms of the engagement should contain a statement in respect of the scope of the internal audit engagement. It should clearly delineate the broad areas of function of internal audit like evaluating internal controls, review of business process cycle controls, risk management and governance.

The terms of engagement should clearly mention that the internal auditor would not, ordinarily, be involved in the preparation of the financial statements of the auditee. It should also be made clear that the internal audit would not result in the expression, by the internal auditor, of an opinion, or any other form of assurance on the financial statements or any part thereof of the auditee.

The terms of the engagement should clearly mention the responsibility of the auditee vis-a-vis the internal auditor.

Ideally, terms of engagement should clearly define the scope, authority, responsibility, confidentiality, limitations, reporting requirements and compensation.

SIA 9: Communication with Management

· Internal auditor while performing audit should communicate clearly the responsibilities of internal auditor and an overview of the planned scope and timing of audit with the management.

· Communication regarding the planned scope and timing of internal audit may assist the management to understand better the objectives of internal auditor’s work, to discuss issues of risk and materiality with internal auditor and to identify any areas in which they may request the internal auditor to undertake additional procedures, assist the internal auditor to understand the entity and its environment better.

·  Different stages of communication and discussion should be: discussion of draft; exit meeting; formal draft; and final report.

· Clear communication of internal auditor’s responsibilities, planned scope and timing of internal audit and expected general content of communications helps establishing the basis for effective two–way communication.

· Appropriate timing for communications will vary with the circumstances of the engagement. Relevant circumstances include significance and nature of the matter, and the action expected to be taken by management.

· Where matters required by this SIA to be communicated, are orally communicated, internal auditor shall document them and when and to whom they were communicated. Where matters have been communicated in writing, the auditor shall retain a copy of the communication as part of internal audit documentation.

SIA 10: Internal Audit Evidence

Paragraph 14 of the SIA 2, Basic Principles Governing Internal Audit, states:

“14. The internal auditor should, based on his professional judgment, obtain sufficient appropriate evidence to enable him to draw reasonable conclusions therefrom on which to base his opinion or findings.”

Now let us discuss the concept of sufficiency and appropriateness:

Sufficiency – It refers to the quantity of audit evidence. It is affected by the auditor’s assessment of the risk of material misstatements and also by the quality of such audit evidence.

Appropriateness – It refers to the measure of the quality of such evidence i.e. its relevance and its reliability in providing support for the conclusions on which the auditor’s opinion is based.

Following are the general procedures used for obtaining internal audit evidence.

SIA 11: Consideration of Fraud in an Internal Audit

Fraud may be defined as an intentional act by one or more individuals among management, TCWG, employees or third parties, involving the use of deception to obtain an unjust or illegal advantage. Following are the possible sources of misstatements and their instances:

a) Misstatements arising from fraudulent financial reporting

·  Manipulation, falsification or alteration of accounting records or supporting documentation.

· Misrepresentation or intentional omission.

· Intentional misapplication of accounting principles.

b) Misstatements resulting from misappropriation of assets

· Embezzling receipts

· Stealing physical assets or intellectual property

· Causing an entity to pay for goods and services not received

· Using an entity’s assets for personal use

A system of internal control comprise of following five elements:

a. the control environment

b. entity’s risk assessment process

c. information system and communication

d. control activities

e. monitoring of controls

It is essential for the internal auditor to gain an understanding of the components of the system of internal control for consideration of fraud in an entity’s environment.

Normally, an internal auditor is not expected to possess skills and knowledge of a person expert in detecting and investigating frauds, he should, however, have reasonable knowledge of factors that might increase the risk of opportunities for frauds in an entity and exercise reasonable care and professional skepticism while carrying out internal audit.

SIA 12: Internal Control Evaluation

The purpose of this Standard on Internal Audit is to establish standards and provide guidance on the procedures to be followed by the internal auditor in evaluating the system of internal control in an entity and for communicating weaknesses therein to those charged with governance. The Standard also extensively deals with aspects such as meaning and inherent limitations of internal controls, control environment, risk assessment, tests of control and communication of weaknesses. The SIA also describes role of the internal auditor in evaluating internal controls.

SIA 13: Enterprise Risk Management

ERM is a structured, consistent and continuous process of measuring or assessing risk and developing strategies to manage risk within the risk appetite. It involves identification, assessment, mitigation, planning and implementation of risk and developing an appropriate risk response policy. Management is responsible for establishing and operating the risk management framework.

The ERM framework is deviced to achieve an entity’s objectives, set forth in the following 4 categories:

o Strategic: High level goals, aligned with and supporting its mission.

o Operations: Effective and efficient use of its resources.

o Reporting: Reliability of reporting.

o  Compliance: Compliance with applicable laws and regulations.

Process of ERM:

According to this SIA, an internal auditor should inter alia:

a. Review the maturity of an ERM structure by considering whether the framework so developed, protects the enterprise against surprises, stabilizes overall performance with less volatile earnings, operates within established risk appetite, protects ability of the enterprise to attend to its core business and creates a system to proactively manage risks.

b. Review whether the ERM coordinators in the entity report on the results of assessment of key risks at appropriate levels.

c. Submit his report to the Board or its relevant Committee as a result of the review, Tests conducted, Samples covered and Observations and recommendations.

SIA 14: Internal Audit in an Information Technology Environment

The overall objective and scope of an internal audit does not change in an IT environment. However, the use of a computer changes the processing, storage, retrieval and communication of financial information and the interplay of processes, systems and control procedures. This may affect the internal control systems employed by the entity. Accordingly, IT environment may affect the procedures followed by the internal auditor in obtaining a sufficient understanding of the processes, systems and internal control system and the auditor’s review of the entity’s risk management and continuity systems.

When the information technology systems are significant, the internal auditor should also obtain an understanding of IT environment and whether it influences the assessment of inherent and control risks. The nature of risks and internal control characteristics in IT environments include the Lack of transaction trails, Uniform processing of transactions, Lack of segregation of functions, Potential for errors and irregularities, Initiation or execution of transactions, Dependence of other controls over computer processing, Potential for increased management supervision, Potential for the use of computer–assisted audit techniques.

SIA 15: Knowledge of the Entity and its environment

a. To obtain knowledge of the economy, entity’s business and its operating environment, including its regulatory environment and the industry in which it operates, sufficient to enable him to review the key risks and entity–wide processes, systems, procedures and controls. To identify sufficient, appropriate, reliable and useful information to achieve the objectives of the engagement.

b. Prior to accepting an engagement, the internal auditor should obtain a preliminary knowledge of the industry and of the nature of ownership, management, regulatory environment and operations of the entity subjected to internal audit, and should consider whether a level of knowledge of the entity’s business adequate to perform the internal audit can be obtained.

c. Following the acceptance of the engagement, further and more detailed information should be obtained. To the extent practicable, the internal auditor should obtain the required knowledge at the commencement of the engagement. As the internal audit progresses, that information should be assessed, enhanced, updated, refined and validated as the internal auditor and the engagement team obtain more knowledge about the entity’s business.

d. In case of continuing engagements, internal auditor should update and re–evaluate information gathered previously, including information in the prior year’s working papers. The internal auditor should also perform procedures designed to identify significant changes that have taken place in the operations, control environment, technology and strategic processes since the last internal audit.

e. To obtain sufficient, appropriate information about the entity. An understanding of business risks facing the entity increases the likelihood of identifying risks of material misstatement in the information subject to internal audit.

f. Knowledge of the entity’s business is a frame of reference within which the internal auditor exercises professional judgment in reviewing the processes, controls and risk management procedures of the entity.

SIA 16: Using the work of an Expert

The purpose of this Standard is to establish standards and provide guidance where the internal auditor uses the work performed by an  expert. The Standard also explains situations in which the need for using the work of an expert might arise, factors to be considered when deciding whether to use the work of an expert or not, evaluating the skills and competence and objectivity of an expert, procedures for evaluating the work of an expert, references to an expert in the internal auditor’s report, etc.

Cases where auditor can use Expert’s work:

1. Valuation of complex financial instruments, fixed assets, etc.

2. Actuarial valuation of liabilities associated with insurance contracts or employee benefit plans.

3. Estimation of oil and gas reserves.

4. Valuation of environmental liabilities.

5. Interpretation of contracts, laws and regulations.

6. Analysis of complex or unusual tax compliance issues.

SIA 17: Consideration of Laws and Regulations in an Internal Audit

a. It is the primary responsibility of management, with the oversight of TCWG to ensure that the entity’s operations are conducted in accordance with the provisions of laws and regulations.

b. The objectives of the internal auditor are to obtain sufficient appropriate audit evidence regarding compliance with the provisions of those laws and regulations that have a direct effect on the determination of material amounts and disclosures in the financial statements.

c. The internal auditor shall request management and wherever appropriate to TCWG to provide written representations that all known instances of non–compliance or suspected non–compliance with laws and regulations which impact the functioning of the entity, have been disclosed to him.

d. If the internal auditor becomes aware of information concerning an instance of non-compliance or suspected non-compliance with laws and regulations, he shall obtain its understanding and also of the understanding in which it has occurred and shall evaluate its possible impact on the functioning of the entity.

e. If the internal auditor concludes that non–compliance has a significant impact on the functioning of an entity and has not been adequately dealt with by the management, the internal auditor shall report the same in accordance with SIA 4, "Reporting".

Cheers!

Prateek Loonkar