18th August, 2017 CA Jignesh Thaker, Partner, NMAH & Associates LLP


Slide # 2

The Internal Audit Standards Board of the Institute has issued Standards on Internal Audit which provide guidance to the members on all important aspects related to internal audit, so that they adopt the best practices and processes in carrying out internal audit. The Standards assist in providing confidence in the quality and consistency of the internal audit work conducted, help to deliver internal audit services in an effective and efficient way, and establish requirements and benchmarks against which the performance of internal audit can be measured.

Since the issuance of the last edition in 2010, the Board has issued Standard on Internal Audit (SIA) 18, Related Parties, which has been included in the updated edition of the Compendium.


Slide # 3

The SIAs are issued under the authority of the Council of the Institute.

The SIAs aim to codify the best practices in the area of internal audit and also serve to provide a benchmark of the performance of the internal audit services.

Standards, Guidance Notes and Clarifications are issued under the authority of the Council of the Institute.

Preface to the SIA, para 3 (Scope of the Standards on Internal Audit) states that “the Standards on Internal Audit shall apply whenever an internal audit is carried out.”

It further states that “Internal audit is an independent management function, which involves a continuous and critical appraisal of the functioning of an entity with a view to suggest improvements thereto and add value to and strengthen the overall governance mechanism of the entity, including the entity’s strategic risk management and internal control system”.


Slide # 4

Requirements:

In consultation with those charged with governance (audit committee), develop and document the IA plan.

The IA plan should be comprehensive, to help achieve the overall objectives laid down in the IA Charter.

Continuously review the plan to ensure staying on track, or modify the plan on a need basis. Any major change is to be done in consultation with those charged with governance. Formally document and communicate the changes / revised plan.

Assess client’s expectations on assurance levels on different aspects of operations and controls.

Importance/ benefits:

Conduct engagement in an efficient and timely manner.

Alignment of the plan, and in turn efforts, with the IA Charter, meeting requirements of the Management/ Governing Body.

Adopting appropriate type and frequency of audit procedures, e.g. balance confirmations/ physical verification of assets/ inventory/ cash, based on risk perceived by the Management and assessed by the Auditor.


Slide # 5

Comprehensive audit plan, calendar, minutes of meetings with management at planning & scoping stage, letter of engagement detailing scope of work, timelines and deliverables

Obtaining knowledge of business – sufficient to identify events, transactions having impact on financials.

Establishing audit universe – periodic changes

Establishing objectives of engagement – to decide nature, timing and extent of audit procedures

Establishing scope of engagement – sufficient to meet objectives of engagement. Scope should be documented comprehensively to avoid misunderstanding on the areas covered in audit; any limitations need to be discussed with client to reach conclusion on whether or not to continue the engagement.

Deciding on resource allocation

Preparation of audit schedule

Preparation of audit program – listing procedures essential for meeting objectives for respective area, team, time lines


Slide # 6


Importance: Guidance on principles that govern internal audit – Integrity, objectivity and independence – Straightforward, honest, sincere in approach, impartial attitude, avoid activities that might be incompatible with independence and objectivity, e.g. audit and accounting of same entity, data entry and data validation, KYC audit and KYC documentation, ERP configuration designing and implementation review

Any issues affecting independence should be immediately escalated to appropriate authority

Confidentiality – with third parties and even employees not related with requirement to disclose e.g. mystery reviews/ sensitive assignments

Due professional care, skills and competence: Reasonable care in deciding on aspects related to extent of verification, frequency, sample size-type-period, materiality of the areas audited & discrepancies identified, e.g. fraud prone areas of employee benefits in org with large workforce.

Adequate skill sets need to be obtained through formal education and study; continuing responsibility of enhancing professional knowledge related to industry, economy, technology and regulatory environment.

Work performed by others – direct, supervise and review assistants; can rely on experts – need to ascertain competence & skills and check assumptions; should not have any reason to believe that the auditor should not have relied on the work of the expert.


Slide # 7

Compliance: Documentation of matters to evidence that audit was carried out diligently –

Audit plan – Risk based approach

Work allocation matrix – skill competency matrix

Audit Procedures – aligned with scope, team briefing meetings, identification of key risk areas

Use of appropriate audit and sampling procedures – surprise checks, extended sampling where control failures observed, independent confirmations

Risk Assessment – understand entity level and process level control framework

Reviewing work delegated to others, assessing completeness / coverage of scope

Periodic review meetings and escalations

Formal communication of material issues related to planning, execution, data/ records availability, access to systems and data

Reviewing reports for clarity, coverage, issuance in time to appropriate authority and the assurance expressed for individual process/ unit or organization as a whole


Slide # 8

Importance:

Evidence of efforts and conclusions on control environment

Documentation would include scoping to closure of audit

Work Papers/ Working Papers concept – Permanent File/ Working File

Form and Content – hard/ soft copies

Internal Audit Charter, Letter of Engagement, Scope, Audit Plan, Checklists, RCM, Sampling Plan, Queries, Management Responses, Minutes of Meetings, Internal Review Records, Letters, Emails, Contracts, SLA, Confirmations, Draft & Final Reports

Compliance:

Organized in easily retrievable and understandable manner

Standardization to facilitate ease of compiling for all assignments

Should facilitate ease of review by others/ experienced auditor not connected with assignment

Authentication on the documentations by preparer and reviewer

Adequate retention and storage policy need to be defined and implemented


Slide # 9

Importance:

Audit reporting is a significant aspect of entire internal audit function

Level of freedom, influence and independence the auditor enjoys is clearly visible through reporting content, timing, management responses provided and the face time the auditor gets at Audit Committee.

Compliance:

For each observation, report should state process background, clarity and factual completeness of observation, total population of transactions and sample size reviewed, reference to specific legal provisions, quantification of issues/ value at stake, appropriate risk grading, informative recommendations and aligned Management Response; these are key to effective reporting on internal audit.

Section in report should be devoted on implementation effectiveness of previous recommendations and a section on Executive Summary of current audit findings

Specific mention of scope of audit, its coverage and any limitations on auditors’ efforts, access to any systems, data or records, scope exclusions

Specifically state Auditors’ assurance on overall internal controls design efficiency and operating effectiveness respective process/ function audited and organization as a whole.

Parameters for risk grading of individual observations and overall control assurance. Categorization of each observation and overall audit assurance is aligned to agreed upon parameters.

Flash report – prompt reporting on high risk observations that warrant immediate management action


Slide # 10

Importance: error in sampling activities would result in erroneous conclusion by the auditor on state of internal controls

Designing audit sample: Consider audit objectives, total population, sample size, expected error, tolerable error rate.

Sample size is arrived at based on nature of control – Key & Non Key, type of control – Manual & Automated, Control Frequency – Ongoing, Daily, weekly, monthly, quarterly, half yearly or annual, Management expectations as well as previous audit findings

SIA also provides guidance on expected sample size based on control frequency

Methods of sampling: Random selection, systematic selection, haphazard selection

Compliance: Documentation of sampling method, samples selected and results of sample test for each of the test attributes, error rate identified in transactions audited, extrapolation of test results, extended sampling and results of extended sampling, conclusions based on overall sample tests


Slide # 11

Importance:

Works as a good tool for overall risk assessment and assessing effectiveness of internal controls

A must for examining large volumes of transactions – procurement, financial market trades, movement in inventories

Compliance:

Planning stage: applying analytical procedures to understand business, entity and its environment, and identify potential areas of risk, e.g. summaries of key financial data/ indicators: value and volume of sales, purchases, inventories, movement in balances of assets, liabilities, inventories, fluctuations in EPS, profits

This facilitates in devising risk based internal audit plan, devising sample size and criteria, extent of substantive test to be performed


Slide # 12

Importance: To ensure compliance with professional standards, regulatory and legal requirements.

Compliance:

Develop internal audit manual – Policies, Procedures, Roles and responsibilities, Documentation requirements, skill set requirements, performance measurement

Training required to perform duties assigned

Appropriate supervision and guidance

Establish feedback process from the users of internal audit function (client satisfaction survey – quality, timeliness, value add, efficiency, innovation, effective communication etc.)

Quality review framework: Internal / external - Performance measurement and benchmarking with industry – ongoing activity


Slide # 13

Importance:

Provide guidance with respect to terms of engagement for internal audit

Letter of engagement provides basis for engagement and first point of reference for any matter related to engagement scope, responsibility etc. in dispute.

Compliance:

Should be agreed by both the parties; LOE to be prepared by IA and signed by both the parties

Scope - Broad areas like evaluation of internal controls, review of business process, Risk Management and Governance Controls

Mention exclusions: preparation of accounts/ financial statements, defining policy, procedures expression of opinion on financial statements etc.


Slide # 14

Responsibilities - Responsibilities of internal auditor as well as auditee, establishing and maintaining internal control framework, communicating material weakness to internal auditors, timely providing of data/ records for internal audit. Auditor responsible to communicate audit plan, audit team

Authority – Provide auditors access to records, data, systems, call for information

Confidentiality – Not sharing unless required by law, confidentiality of client data, working papers and audit report. Access by peer reviewer should be stated in engagement letter.

Limitations – Limitations on scope, coverage or reporting requirements, limitation on amount of liability towards damages, claims, expenses etc. by client not exceeding aggregate amount of compensation agreed upon by the client.

Reporting – Frequency and recipients of the report

Compensation – Clear understanding on the basis of compensation, OPE, Taxes etc.

Compliance with standards – Statement to the effect that engagement would be carried out in accordance with professional standards applicable to such engagement

To be approved by Board or its committee (ACB) or person so authorized by the BOD

Periodically reviewed and changed if required.

Withdrawal from engagement:


Slide # 15

Importance: Framework for internal auditors communication with management and identifies specific matters

Compliance:

Communicate clearly

Responsibilities, overview of planned scope of work and timing of audit

◦ approach of internal auditor towards risk assessment, material items and audit activities

Obtain relevant information from management – required / necessary for the purpose of audit, ELC, technology impacts, regulatory matters

Provide timely observations that are significant

Promote two way effective communication – ease of accessibility

Form of communication: Formal, Structured presentations

Timing of communication: Depends on the matter to be communicated: Plan, Data requirements, queries, escalations on scope limitations, data non-availability, suspicious transactions, whistle blowing etc.

Documentation :– minutes of meetings – advisable to circulate to all stakeholders. Make these as part of audit working papers


Slide # 16

Importance: Sufficient and Appropriate Evidence before reaching conclusion

Sufficient – quantitative aspect

Appropriate – Relevant and reliable – qualitative

Relevant – has direct relation to control performance or failure

Reliable – non-disputable, may be independent third party evidences

Factors affecting determination of sufficiency and appropriateness of evidence:

Materiality of the item being reviewed – Major expenditure/ petty cash voucher

Type of information available – manual/ automated, rough workings / conclusive transactions/ bills/ vouchers

Situation that may exert unusual influence on the management – Related party transaction – Transfer Pricing Certifications

Compliance: Audit procedures that facilitate obtaining evidence:

Inspection: examining documents/ records, inspection of premises

Observation: of a process being performed – QC inspection process

Inquiry and confirmation – Process walkthrough

Computation – calculations of depreciation charge

Analytical review – year on year/ q to q trends in items in P&L, PR To Invoicing Transactions


Slide # 17

Basics of Fraud:

Must present: Pressure – Opportunity – Rationalization for Act

Intent to unlawful gain or cause loss/ damage to other person

Form: Misstatement or Misappropriation

Audit required to perform checks around internal controls design and operating effectiveness aspects, addressing following objectives set by Management:

◦ Reliable Financial Reporting

◦ Efficiency and Effectiveness of Operations

◦ Compliance with Regulations

◦ Safeguarding of assets

Compliance:

SIA 2 Basic Principles: Professional Care, Competence and Diligence

Obtain Knowledge of Business and Control Environment

Understand Risk Assessment Practices implemented by Management

Test design and operating effectiveness of control activities and monitoring controls

Report all indicators and findings – clearly, completely and to appropriate authorities in timely manner


Slide # 18

Guidance on procedures to be followed while evaluating internal controls and communicating the findings

Compliance:

Obtain understanding of business and control environment

Evaluate maturity of internal control framework – defining, documentation, implementation, internal reviews and management reporting

Narratives of process walkthrough

Process flowcharts

Control questionnaires

Evaluate continued state of controls designed and implemented by the Management.

Report on evaluation conclusions – extent of deviations, impact of control gaps and risk grading based on impact

Assess whether deficiencies individually or collectively are significant deficiency or reflect material weakness in control designed

Recommend alternative/ better controls

Additional/ compensating controls in place

Discuss corrective measures – required and planned

Use control frameworks like COSO/ COBIT


Slide # 19

Guidance on evaluation of entity’s risk management systems – where covered by scope of work - asked by the Management

ERM Defined:

Structured, consistent and continuous process

Measuring, assessing the risk

Developing risk management strategies

Within risk appetite

Scope of Work:

Assess maturity at overall organization as well as unit level

Assess adequacy and adherence with risk management policy

Assess efficiency and effectiveness of risk response

Assess whether residual risk within accepted level – risk appetite

Compliance: Planning the work, Assessment of internal risk management approach and its effectiveness and reporting on results to the Management in appropriate manner.


Slide # 20

Importance: Establishes standards for procedures to be followed when audit is conducted in information technology environment

Compliance:

Sufficient knowledge of IT environment at entity being audited

Audit plan to cover special tasks that were non-existent in manual environment

Audit checks around areas that require skills set exist with team member

Risk assessment to cover:

Lack of audit trail – test data processing controls, input – output controls, re-performance tests, independent confirmations and reconciliations

Uniform processing of transactions – field level data validation controls, input – output controls, exception reporting – Mandatory & Non-mandatory details, parameters configuration – PAN

Potential for errors and irregularities: Degree of human intervention to override systems, limit checks – hard limit and soft limits, period of credit or discount, investment criterion

System generated transaction initiation/ execution: ALGO Trading software, Purchase Requisition when stock reach re-order limits configured in system

Potential for enhanced management supervision as well as use of automated audit techniques – Computer scripts, query engines – online or concurrent monitoring of transactions – banks AML query engines

Audit report to clarify extent of verifications carried out, any limitations due to technology environment and assurance over effectiveness of IT controls


Slide # 21

Guidance on what constitutes knowledge of entity’s business, its importance and manner in which it is acquired

Knowledge of economic environment, industry, entity being audited, competition, regulations

Major risks to business, constraints to growth and best practices

Re-evaluate the knowledge every year

Knowledge of entity: Understanding of business model: Value Proposition, Sources of funds, Resources at disposal, factors that generate demand, Channels of servicing client and Client base, regulatory environment

Facilitates risk assessment and aligning audit plan with the key risks

Identifying areas that require special audit skills

Assessing the controls effectiveness and concluding on deviations identified

Evaluating management representations and estimates of expenses/ income etc.


Slide # 22

Guidance where internal auditor uses work performed by an expert

Should obtain technical advice and assistance from competent expert if the internal audit team does not possess necessary knowledge, skills, expertise or experience needed to perform all or part of the internal audit engagement.

Key areas to be considered by Internal Auditor:

Determine need for expert assistance – materiality of the areas audited.

Satisfy about competence, objectivity and independence of expert

Evaluate work done by an expert:

Understand objective and scope of work

Terms of engagement

Access to records, personnel, property – source data used for audit

Extent of work papers available

Understand assumptions made during audit and results reported – details, authority to whom reported

Cross check the report conclusions of expert and overall assessment of own work


Slide # 23

Importance: Assists internal auditor in identifying significant impact of non-compliance with laws

Laws that have impact on determination of accounts and disclosures in financial statements: Taxation and financial reporting laws, and Other laws.

Compliance: Auditor needs to obtain sufficient evidence about compliances with respect to first category of laws.

For second category, auditor’s responsibility is limited to undertaking specified audit procedures to help identify non-compliances that may have significant impact on functioning of the entity.

Terms of engagement, planning and reporting activities need to be aligned with the requirements related to compliances and non-compliance with laws.

Obtain sufficient knowledge of business

Define legal universe

Assess the global compliance monitoring framework devised by entity

Study the process and controls with respect to legal compliances

Refer other records like minutes of the meeting, special audit reports etc.

Identify areas of non-compliances and report to management


Slide # 24

Parties have ability to control other party or exercise significant influence over other party in making financial or operating decisions

Internal auditor to evaluate internal controls around transactions with related parties to check for:

Potential for material misstatement with related parties transactions

Potential for related party relationships but not so considered while executing transactions

Importance given by management to identification, accounting for and disclosures of related party transactions

Risks of management override on internal controls related to the same


Slide # 25