Posts
STANDARD ON INTERNAL AUDIT
The following is the text of the Standard on Internal Audit
Planning an Internal Audit , issued by the Council
of the Institute of Chartered Accountants of India.
The Standards shall become mandatory from such
date as notified by the Council.
1. The purpose of this Standard on Internal Audit is to establish
standards and provide guidance in respect of planning an internal
audit. An internal audit plan is a document defining the scope,
coverage and resources, including time, required for an internal audit
over a defined period. The internal auditor should, in consultation
with those charged with governance, including the audit
committee, develop and document a plan for each internal audit
engagement to help him conduct the engagement in an efficient
and timely manner. Adequate planning ensures that appropriate
attention is devoted to significant areas of audit, potential problems
are identified, and that the skills and time of the staff are appropriately
utilised. Planning also ensures that the work is carried out in
accordance with the applicable pronouncements of the Institute of
Chartered Accountants of India.
2. The overall objectives of an internal audit, as defined in the Preface to
the Standards on Internal Audit are:
to suggest improvements to the functioning of the entity; and
to strengthen the overall governance mechanism of the entity,
including its strategic risk management as well as internal
control system.
3. Internal audit, therefore, helps inter alia in:
(i) Understanding and assessing the risks and evaluate the
adequacies of the prevalent internal controls.
(ii) Identifying areas for systems improvement and strengthening
controls.
(iii) Ensuring optimum utilisation of the resources of the entity, for
example, human resources, physical resources etc.
(iv) Ensuring proper and timely identification of liabilities, including
contingent liabilities of the entity.
(v) Ensuring compliance with internal and external guidelines and
policies of the entity as well as the applicable statutory and
regulatory requirements.
(vi) Safeguarding the assets of the entity.
(vii) Reviewing and ensuring adequacy of information systems
security and control.
(viii) Reviewing and ensuring adequacy, relevance, reliability and
timeliness of management information system.
4. The internal audit plan should be comprehensive enough to
ensure that it helps in achieving of the above overall objectives of
an internal audit. The internal audit plan should, generally, also
be consistent with the goals and objectives of the internal audit
function as listed out in the internal audit charter as well as the
goals and objectives of the organisation. An internal audit charter
is an important document defining the position of the internal audit vis
a vis the organisation. The internal audit charter also outlines the
scope of internal audit as well as the duties, responsibilities and
powers of the internal auditor(s). In case the entire internal audit or
the particular internal audit engagement has been outsourced,
the internal auditor should also ensure that the plan is consistent
with the terms of the engagement.
5. Planning involves developing an overall plan for the expected scope
and conduct of audit and developing an audit programme showing the
nature, timing and extent of audit procedures. Planning is a
continuous exercise. A plan once prepared should be continuously
reviewed by the internal auditor to identify any modifications
required to bring the same in line with the changes, if any, in the
audit environment. However, any major modification to the
internal audit plan should be done in consultation with those
charged with governance. Further, the internal auditor should
also document the changes to the internal audit plan.
6. The internal auditor may also discuss the significant elements of his
overall plan, including important procedures, with those charged with
governance. This would help the internal auditor as well as the client
to assess whether the internal audit is directed to achieve the
objectives as set out in the terms of engagement. The discussion
would also help the internal auditor to gauge whether the client’s
perception of the role and responsibilities of the internal auditor is
appropriate. The internal auditor should also assess the client
expectations as to the assurance level on different aspect of
entity’s operations and controls. For instance, the client may feel
assured if inventories are verified once in a quarter, while for cash
verification, monthly interval may be specified. This will enable the
auditor to plan the frequency and extent of audit procedures to be
adopted.
7. The internal audit plan should be based on the knowledge of the
entity’s business. While developing the internal audit plan, the
internal auditor should have regard to the objectives of the
internal audit engagement as well as the time and resources
required for conducting the engagement. In addition, the internal
audit plan should also reflect the risk management strategy of the
entity. Planning an internal audit involves establishing the overall
strategy for the engagement so as to keep the risks associated with
the assignment at the acceptable level. Therefore, the planning
process is also influenced by the internal auditor’s understanding and
assessment of:
The objectives of the activity being subjected to internal audit.
The significant risks associated with the above activity.
The risk management and internal control system instituted in
the organisation to reduce the above risks to an acceptable
level.
The possible areas in which the internal audit can suggest
improvement to the risk management and/ or internal control
system associated with the concerned activity.
The selection of engagement team (including, where
necessary, the engagement team quality control reviewer) and
the assignment of audit work to the team members, including
the assignment of appropriately experienced team members.
Business developments affecting the entity, including changes
in information technology and business processes, changes in
key management, and acquisitions, mergers and divestments.
Industry developments such as changes in industry regulations
and new reporting requirements.
Changes in the financial reporting framework, such as changes
in accounting standards.
Other significant relevant developments, such as changes in
the legal environment affecting the entity.
8. Internal audit plan should cover areas such as:
Obtaining the knowledge of the legal and regulatory
framework within which the entity operates.
Obtaining the knowledge of the entity’s accounting and
internal control systems and policies.
Determining the effectiveness of the internal control
procedures adopted by the entity.
Determining the nature, timing and extent of procedures to
be performed.
Identifying the activities warranting special focus based on
the materiality and criticality of such activities, and their
overall effect on operations of the entity.
Identifying and allocating staff to the different activities to
be undertaken.
Setting the time budget for each of the activities.
Identifying the reporting responsibilities.
The internal audit plan should also identify the benchmarks
against which the actual results of the activities, the actual time
spent, the cost incurred would be measured.
9. The scope of an internal audit is normally affected by factors such as:
Terms of the engagement.
Nature of accounting system – manual or IT-based - and the
degree of reliance placed by the auditor on the same.
Accounting policies adopted by the entity.
Nature of information technology system used by the client in
the various business processes and the exception reports
generated by the system.
Authorization and delegation of authority in the systems
environment and data entry checks and data security measures
including generation of day end logs of security and
authorisation violations.
The nature of management information system in vogue and
the extent to which the management information system reports
are used by the client in establishing and reviewing internal
controls.
Expected audit coverage, including identification of areas of
audit requiring special attention, number and locations to be
included, nature of business segments to be audited and the
need, if any, for specialized knowledge.
Materiality thresholds established in respect of various areas of
audit especially, those areas requiring special attention.
Nature and extent of audit evidence to be obtained.
Experience and skills of the staff and the need for supervising,
directing, coordinating and reviewing their work.
Requirements of the applicable pronouncements of the Institute
of Chartered Accountants of India.
Statutory or regulatory framework in which the entity operates.
Planning Process
10. The internal auditor should obtain a level of knowledge of the
entity sufficient to enable him to identify events, transactions,
policies and practices that may have a significant effect on the
financial information. Following are some of the sources wherefrom
the internal auditor can obtain such knowledge:
Previous experience, if any, with the entity and the industry.
Legislation and regulations that significantly affect the entity.
Entity’s policy and procedures manual.
Minutes of the meetings of the shareholders, board of directors,
and important committees of the board such as the audit
committee, remuneration committee, shareholders’ grievances
committee.
Management reports/ internal audit reports of prior periods.
Newspaper/ industry journals.
Discussion with client’s management and staff.
Visits to entity’s plant facilities etc., to obtain first hand
information regarding the production processes of the entity.
Visits to the entity’s department where the accounting and other
documents are generated, maintained, and the administrative
procedures followed.
Other documents produced by the entity, for example, material
sent to the shareholders and the regulatory authorities,
management policy manuals, manuals relating to accounting
and internal controls, organizational charts, job description
charts, etc.
Knowledge of the entity’s business, among other things, helps the
internal auditor to identify areas requiring special focus, evaluate the
appropriateness of the accounting policies and disclosures,
accounting estimates and management representations. Knowledge
of the business would also help the auditor to identify the priorities of
the business, critical factors or constraints in the smooth running of
the business as also understand the trends in respect of various
financial and operating ratios, etc.
11. The next step in audit planning is establishment of the audit universe
or the audit territory. Audit universe comprises the activities,
operations, units etc., to be subjected to audit during the planning
period. The audit universe is designed to reflect the overall business
objectives and therefore includes components from the strategic plan
of the entity. Thus, the audit universe is affected by the risk
management process of the client. The audit universe and the
related audit plan should also reflect changes in the
management’s course of action, corporate objectives, etc.
12. As discussed in paragraph 4, planning is a continuous exercise. The
internal auditor should periodically, say half yearly, review the
audit universe to identify any changes therein and make
necessary amendments, to make the audit plan responsive to
those changes.
13. The next stage in planning is establishing the specific objectives of the
internal audit engagement. The establishment of such objectives
should be based on the auditor’s knowledge of the client’s
business, especially a preliminary understanding and review of
the risks and controls associated with the activities forming
subject matter of the internal audit engagement. The preliminary
understanding and review involves gathering necessary information by
means of a combination of the following procedures:
Observation of the activity being performed.
Inquiry of the staff associated with performing the activity.
Discussion with the client.
Reading through the internal audit reports, management
reports etc., of previous periods.
Performing analytical procedures.
Performing actual walk-through tests.
14. The internal auditor would use the information so gathered to
determine the objective(s) of the engagement as also to decide the
nature, timing and extent of his procedures. The internal auditor
should also document the results of his preliminary review so
conducted. The documented results would, normally, cover aspects
such as:
Preliminary assessment and understanding the risks and
controls associated with the activity, viz., sufficiency and
appropriateness of the controls, procedures for identification
and management of risks associated with the activity.
Significant issues thrown up by such a review, for example,
significant errors, non-compliance with any significant law.
Procedures proposed to be adopted by the internal auditor to
resolve the above issues.
Preliminary time budget for completing the engagement.
15. The next stage in planning an internal audit is establishing the scope
of the engagement. The scope of the engagement should be
sufficient in coverage so as to meet the objectives of the
engagement. The internal auditor should consider the information
gathered during the preliminary review stage to determine the
scope of his audit procedures. The nature and extent of the internal
auditor’s procedures would also be affected by the terms of the
engagement. In case the internal auditor is of the view that
circumstances exist which would restrict the auditor from
carrying out the procedures, including any alternative
procedures, considered necessary by him, he should discuss the
matter with the client to reach a conclusion whether or not to
continue the engagement. The scope of his engagement should
documented comprehensively to avoid misunderstanding on the
areas covered for audit. The internal auditors are often confronted
with a situation where client denies access to certain information or
has a negative list of areas where internal audit is not desired. There
are also situations where while the client requires internal audit
procedures to be carried but findings are not to form part of the report
but to be reported separately.
16. Further, in case of information technology based environment, the
scope of engagement would include the extent to which internal
auditor are permitted to access the system and reports which can be
viewed and those which can be exported. Further, system based
audit tools that an internal auditor can use to draw and analyze
the data should be clearly understood in the scope of his
engagement.
17. Once the scope of the internal audit procedures is established, the
next phase is that of deciding upon the resource allocation. Efficient
resource allocation is essential to achieve the desired objective, within
the constraints of time and cost as well as optimum utilization of
resources. For this purpose, the internal auditor should prepare
an audit work schedule, detailing aspects such as:
activities/ procedures to be performed;
engagement team responsible for performing these
activities/ procedures; and
time allocated to each of these activities/ procedures.
18. While preparing the work schedule, the internal auditor should
have regard to aspects such as:
any significant changes to the entity’s missions and
objectives, business processes, and management’s
strategies to counter these changes, for example, changes
in the entity’s controls structure or changes in the risk
assessment and management structures
any changes or proposed changes to the governance
structure of the entity
composition of the engagement team in terms of skills and
experience and any changes thereto
The engagement work schedule should, however, be flexible
enough to accommodate any unanticipated changes as well as
professional judgment of the engagement team in the
components of the audit universe as discussed above. The work
schedule should also reflect the internal auditor’s assessment of
risks associated with various areas covered by the particular
internal audit engagement and the priority attached thereto.
19. The internal auditor should also prepare a formal internal audit
programme listing the procedures essential for meeting the
objective of the internal audit plan. Though the form and content
of the audit programme and the extent of its details would vary
with the circumstances of each case, yet the internal audit
programme should be so designed as to achieve the objectives of
the engagement and also provide assurance that the internal
audit is carried out in accordance with the Standards on Internal
Audit. As a corollary, the audit plan developed by the internal auditor
would need to be a risk-based plans, appropriately reflecting and
addressing the priorities of the internal audit activity, consistent with
the organisation’s goals. The internal audit programme should also
be finalised in consultation with the appropriate authority before
the commencement of the work. The internal audit programme
identifies, in appropriate details, the objectives of the internal audit in
respect of each area, the procedures to be performed to achieve those
objectives, the staff responsible for carrying out the particular activity,
the time allocated to each activity as also the sufficiently detailed,
instructions to the staff as to how to carry out those procedures. The
internal audit programme may also have provision for information such
as the procedures actually performed, reasons for not performing the
originally identified procedures, actual time consumed in carrying out
the relevant procedure, reasons for deviations from budgeted time etc.
A well prepared, comprehensive audit programme helps proper
execution of the work as well as of the proper supervision, direction
and control of the performance of the engagement team.
20. This Standard on Internal Audit is applicable to all internal audits
commencing
No comments:
Post a Comment