Posts
Introduction
1. The purpose of this Standard on Internal Audit (SIA) is to establish
Standards and provide guidance on the documentation requirements in
an internal audit.
2. Paragraph 10 of the Standard on Internal Audit (SIA) 2, Basic Principles
Governing Internal Audit, states as follows:
“10. The internal auditor should document matters, which are
important in providing evidence that the audit was carried out in
accordance with the Standards on Internal Audit and support his
findings or the report submitted by him. In addition, the working
papers also help in planning and performing the internal audit, review and
supervise the work and most importantly, provide evidence of the work
performed to support his findings or report(s).”
Definitions
3. (a) “Internal audit documentation” means the record of audit
procedures performed, including audit planning as discussed in
the Standard on Internal Audit (SIA) 1, Planning an Internal Audit,
relevant audit evidence obtained, and conclusions the auditor
reached (terms such as “working papers” or “workpapers” are also
sometimes used). Thus, documentation refers to the working
papers prepared or obtained by the internal auditor and retained
by him in connection with the performance of his internal audit.
(b) “Experienced internal auditor” or “a reviewer” means an individual
(whether internal or external to the entity) who has:
(i) reasonable knowledge and experience of internal audit
processes;
(ii) reasonable knowledge of SIAs, other relevant
pronouncements of the Institute and applicable legal and
regulatory requirements;
(iii) reasonable understanding of the business environment in
which the entity operates; and
(iv) reasonable understanding of internal audit issues relevant
to the entity’s industry.
4. Internal audit documentation:
Aid in planning and performing the internal audit.
Aid in supervision and review of the internal audit work.
Provide evidence of the internal audit work performed to support
the internal auditor’s findings and opinion.
Aid in third party reviews, where so done.
Provide evidence of the fact that the internal audit was performed
in accordance with the scope of work as mentioned in the
engagement letter, SIAs and other relevant pronouncements
issued by the Institute of Chartered Accountants of India.
Form and Content
5. Internal audit documentation may be recorded on paper or on electronic
or other media. It includes, for example, audit programmes, analyses,
issues memoranda, summaries of significant matters, letters of
confirmation and representation, checklists, and correspondence
(including e-mail) concerning significant matters. Abstracts or copies of
the entity’s records, for example, significant and specific contracts and
agreements, may be included as part of internal audit documentation, if
considered appropriate. Internal audit documentation, however, is not a
substitute for the entity’s accounting records. The internal audit
documentation for a specific internal audit engagement is assembled in
an audit file.
6. Internal audit documentation should record the internal audit
charter, the internal audit plan, the nature, timing and extent of audit
procedures performed, and the conclusions drawn from the
evidence obtained. In case the internal audit is outsourced, the
documentation should include a copy of the internal audit
engagement letter, containing the terms and conditions of the
appointment.
7. Internal audit documentation should be designed and properly
organised to meet the requirements and circumstances of each audit
and the internal auditor’s needs in respect thereof. The internal
auditor should formulate policies that help in standardization of the
internal audit documentation. The standardization may be in the form
of checklists, specimen letters, questionnaires, etc.
8. Internal audit documentation should be sufficiently complete and
detailed for an internal auditor to obtain an overall understanding of
the audit. The extent of documentation is a matter of professional
judgment since it is neither practical nor possible to document every
observation, finding or conclusion in the internal audit documentation. All
the significant matters which require exercise of judgment, together
with the internal auditor’s conclusion thereon should be included in
the internal audit documentation. However, the documentation
prepared by the internal auditor should be such that enables an
experienced internal auditor (or a reviewer), having no previous
connection with the internal audit to understand:
(a) the nature, timing and extent of the audit procedures
performed to comply with SIAs and applicable legal and
regulatory requirements;
(b) the results of the audit procedures and the audit evidence
obtained;
(c) significant matters arising during the audit and the
conclusions reached thereon; and
(d) terms and conditions of an internal audit
engagement/requirements of the internal audit charter, scope
of work, reporting requirements, any other special conditions,
affecting the internal audit.
9. The form, extent and contents of the documentation would also be
affected by the nature and terms of the engagement, and any statutory or
regulatory requirements in that regard. The form, content and extent of
internal audit documentation depend on factors such as:
the nature and extent of the audit procedures to be performed;
the identified risks of material misstatement;
the extent of judgment required in performing the work and
evaluating the results;
the significance of the audit evidence obtained;
the nature and extent of exceptions identified;
the need to document a conclusion or the basis for a conclusion
not readily determinable from the documentation of the work
performed or audit evidence obtained; and
the audit methodology and tools used.
It is, however, neither necessary nor practicable to document every matter
the auditor considers during the audit.
10. The internal audit documentation should cover all the important
aspects of an engagement viz., engagement acceptance,
engagement planning, risk assessment and assessment of internal
controls, evidence obtained and examination/ evaluation carried out,
review of the findings, communication and reporting and follow up.
The internal audit documentation would, therefore, generally, include:
Engagement letter or the internal audit charter, as the case may
be.
Internal audit plan and programme.
Papers relating to the staff requirement and allocation.
Papers relating to requirements for technical experts, if any .
Time and cost budgets.
Copies of significant contracts and agreements or management
representations on terms and conditions of those contracts.
Internal review reports.
Evaluation questionnaires, checklists, flowcharts, etc.
Papers relating to discussions/ interviews with the various
personnel including legal experts, etc.
Chart of the organizational structure, job profile of the persons
listed in the chart and rules of delegation of powers.
Annual budget and development plan.
Progress report, MIS report.
Reconciliation statements.
Communication with the client personnel and third parties, if any.
Certification and representations obtained from management.
Copies of relevant circulars, extracts of legal provisions.
Results of risk and internal control assessments.
Analytical procedures performed and results thereof.
List of queries and resolution thereof.
Copy of draft audit report, along with the comments of the auditee
thereon and final report issued.
Records as to the follow up on the recommendations/ findings
contained in the report.
Identification of the Preparer and the Reviewer
11. It is also essential that the internal audit documentation identify the
following:
(i) who performed that task and the date such work was completed;
(ii) who reviewed the task performed and the date and extent of such
review;
(iii) reasons for creating the particular internal audit documentation;
(iv) source of the information contained in the internal audit
documentation; and
(v) any cross referencing to any other internal audit documentation.
The preparers and reviewers of the internal audit documentation
should also sign them.
12. The internal audit file should be assembled within sixty days after
the signing of the internal audit report. Assembly of the internal audit
documentation file is only an administrative process and does not involve
performance of any new audit procedures or formulation of newif such changes are administrative in nature. For example:
deleting or discarding superseded documentation;
sorting, collating and cross referencing internal audit
documentation;
signing off on completion checklists relating to file assembly
process;
documenting audit evidence that the internal auditor has obtained,
discussed and agreed with the relevant members of the internal
audit team before the date of the internal auditor’s report.
13. When exceptional circumstances arise after the date of the
submission of the internal audit report that require the internal
auditor to perform new or additional audit procedures or that lead
the internal auditor to reach new conclusions, the internal auditor
should document:
(i) the details of circumstances encountered along with the
documentary evidence, if any, thereof;
(ii) the new or additional audit procedures performed, audit
evidence obtained, and conclusions reached; and
(iii) when and by whom the resulting changes to the audit
documentation were made, and (where applicable) reviewed.
Document Retention and Access
14. The internal auditor should formulate policies as to the custody and
retention of the internal audit documentation within the framework of
the overall policy of the entity in relation to the retention of
documents. The internal auditor retains the ownership of the internal
audit documentation. While formulating the documentation retention
policy, any legal or regulatory requirements in this regard also need to be
taken into consideration. Management and other designated personnel
may seek access to the internal audit documentation of the internal auditdepartment subject to the approval of the internal auditor and client or
such other third party may seek access if there is any legal or regulatory
requirement or as may be permitted by the client.
15. After the assembly of the audit file, the internal auditor should not
delete or discard internal audit documentation before the end of the
retention period.
No comments:
Post a Comment