Standard Of Internal Audit : Basic Principles

BASIC PRINCIPLES GOVERNING INTERNAL AUDIT*

Introduction:

1. The purpose of this Standard on Internal Audit (SIA) is to establish

standards and provide guidance on the general principles governing

internal audit.

2. Paragraph 3.1 of the Preface to the Standards on Internal Audit, issued by

the Institute of Chartered Accountants of India defines internal audit as

follows:“Internal audit is an independent management function, which involves a

continuous and critical appraisal of the functioning of an entity with a view

to suggest improvements thereto and add value to and strengthen the

overall governance mechanism of the entity, including the entity’s risk

management and internal control system.”

3. The other Standards on Internal Audit to be issued by the Institute of

Chartered Accountants of India will elaborate the principles set out herein

to give guidance on internal auditing procedures and reporting practices.

Compliance with the basic principles requires the application of internal

auditing procedures and reporting practices appropriate to the particular

circumstances.

Integrity, Objectivity and Independence:

4. The internal auditor should be straightforward, honest and sincere in

his approach to his professional work. He must be fair and must not

allow prejudice or bias to override his objectivity. He should maintain an

impartial attitude. He should not only be independent in fact but

also appear to be independent. The internal auditor should not,

therefore, to the extent possible, undertake activities, which are or

might appear to be incompatible with his independence and

objectivity. For example, to avoid any conflict of interest, the internal

auditor should not review an activity for which he was previously

responsible. It is also expected from the management to take steps

necessary for providing an environment conducive to enable the internal

auditor to discharge his responsibilities independently and also report his

findings without any management interference. For example, in case of a

listed company, the internal auditor may be required to report directly to

those charged with governance, such as the Audit Committee instead of

the Chief Executive Officer or the Chief Financial Officer. The internal

auditor should immediately bring any actual or apparent conflict of

interest to the attention of the appropriate level of management so

that necessary corrective action may be taken.

Confidentiality:

5. The internal auditor should maintain the confidentiality of the

information acquired in the course of his work and should not

disclose any such information to a third party, including the

employees of the entity, without the specific authority of the

management/ client or unless there is a legal or a professional

responsibility to do so. The internal auditor, therefore, needs to ensure

that there are well laid out policies and controls to protect confidentiality of

the information.

Due Professional Care, Skills and Competence:

6. The internal auditor should exercise due professional care,

competence and diligence expected of him while carrying out the

internal audit. Due professional care signifies that the internal auditor

exercises reasonable care in carrying out the work entrusted to him in

terms of deciding on aspects such as the extent of work required to

achieve the objectives of the engagement, relative complexity and

materiality of the matters subjected to internal audit, assessment of risk

management, control and governance processes and cost benefit

analysis. Due professional care, however, neither implies nor guarantees

infallibility, nor does it require the internal auditor to travel beyond the

scope of his engagement.

7. The internal auditor should either have or obtain such skills and

competence, acquired through general education, technical

knowledge obtained through study and formal courses, as are

necessary for the purpose of discharging his responsibilities.

8. The internal auditor also has a continuing responsibility to maintain

professional knowledge and skills at a level required to ensure that the

client or the employer receives the advantage of competent professional

service based on the latest developments in the profession, the economy,

the relevant industry and legislation.

Work Performed by Others

9. The internal auditor would often need to delegate work to assistants. The

internal auditor should carefully direct, supervise and review the

work delegated to assistants. Similarly, the internal auditor may also

need to use the work performed by other auditors or experts. Though the

internal auditor will be entitled to rely on the work performed by other

auditors and experts, he should exercise adequate skill and care in

ascertaining their competence and skills and also in evaluating, analysing

and using the results of the work performed by the experts. He must also

look into the assumptions, if any, made by such other experts and obtain

reasonable assurance that the work performed by other auditors and

experts is adequate for his purposes. He should be satisfied that he

has no reasons to believe that he should not have relied on the work

of the expert. The reliance placed on the work done by the assistants

and/ or other auditors and experts notwithstanding, the internal auditor will

continue to be responsible for forming his opinion on the areas/ processes

being subject to internal audit or his findings.

Documentation

10. The internal auditor should document matters, which are important

in providing evidence that the audit was carried out in accordance

with the Standards on Internal Audit and support his findings or the

report submitted by him. In addition, the working papers also help in

planning and performing the internal audit, review and supervise the work

and most importantly, provide evidence of the work performed to support

his findings or the report(s).

Planning

11. The internal auditor should plan his work to enable him to conduct

an effective internal audit in a timely and efficient manner, ensuring

that appropriate attention is devoted to significant areas of audit,

identification of potential problems and appropriate utilisation of

skills and time of the staff.

12. The internal audit plan should be based on the knowledge of the

business of the entity. The internal audit plan would normally cover

aspects such as:

(i) obtaining the knowledge of the legal and regulatory framework

within which the entity operates;

(ii) obtaining the knowledge of the entity’s accounting and internal

control systems and policies;

(iii) determining the effectiveness of the internal control procedures

adopted by the entity;

(iv) identifying the activities warranting special focus based on the

materiality and criticality of such activities, and its overall effect on

presentation of the financial statements of the entity;

(v) identifying and allocating staff to each of the above activities;

(vi) determining the nature, timing and extent of procedures to be

performed;

(vii) setting the time budget for each of the above activities;

(viii) identifying the reporting responsibilities; and

(ix) benchmark against which the actual results of the activities, the

actual time spent, the cost incurred would be measured.

13. A plan once prepared should be continuously reviewed by the

internal auditor to identify any modifications to the plan required to

bring the same in line with the changes, if any, to the audit universe.

Audit universe comprises the activities, operations, units, etc., to be

subjected to audit during the planning period.

Evidence:

14. The internal auditor should, based on his professional judgment,

obtain sufficient appropriate evidence to enable him to draw

reasonable conclusions therefrom on which to base his opinion or

findings. Factors affecting the professional judgment include the activity

under audit, possible errors and their materiality and the risk of

occurrence of such errors.

Internal Control and Risk Management Systems:

15. While the management is responsible for establishment and maintenance

of appropriate internal control and risk management systems, the role of

the internal auditor is to suggest improvements to those systems. For

this purpose, the internal auditor should:

(i) Obtain an understanding of the risk management and internal

control framework established and implemented by the

management.

(ii) Perform steps for assessing the adequacy of the framework

developed in relation to the organisational set up and

structure.

(iii) Review the adequacy of the framework.

(iv) Perform risk-based audits on the basis of risk assessment

process.

Internal auditor may, however, also undertake work involving identification

of risks as well as recommend design of controls or gaps in existing

controls to address those risks.

Reporting:

16. The internal auditor should carefully review and assess the

conclusions drawn from the audit evidence obtained, as the basis

for his findings contained in his report and suggest remedial action.

However, in case the internal auditor comes across any actual or

suspected fraud or any other misappropriation of assets, it would be more

appropriate for him to bring the same immediately to the attention of the

management.

Effective Date

17. This Standard on Internal Audit is effective for all internal audits beginning

on or after…………………… Earlier application of the SIA is encouraged.