MAKING INTERNAL AUDIT COUNT: RISING TO THE EXPECTATIONS?

A CURTAIN RAISER

Bombay Chartered Accountants Society

CA. T.N.MANOHARAN

CURRENT ENVIRONMENT

• Corporate frauds beginning with Satyam

• Banking frauds such as PNB- Nirav Modi

• Rotation of auditors – Reporting of fraud

• Unmodified or modified reports or resignation?

• National Financial Reporting Authority

• Internal Financial Controls

• Vigil mechanism with direct access to AC chairperson

• RMC - Cyber security – SEBI guidelines

STATUTORY AUDIT FUNCTION

• True & Fair view of the Financial statements

• Adherence to Standards on Auditing

• Management representation not a substitution for verification

• Brand & reputation of auditee- relevance?

• Professional skepticism – Questioning mind

• Audit plan, risk assessment, Sampling, materiality, execution, check

list, standard procedure, queries, dive deep if required, gathering

evidence, documentation and reporting

• Working papers to support attestation

SELECT STANDARDS ON AUDITING (SA) BY ICAI

• SA 240, “The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial

Statements”,

• SA 315,(Revised) “Identifying and Assessing the Risks of Material Misstatement Through

Understanding the Entity and Its Environment”

• SA 330, “The Auditor’s Responses to Assessed Risks”

• SA 700 (Revised), “Forming an Opinion and Reporting on Financial Statements”

• SA 701 , “Communicating Key Audit Matters in the Independent Auditors Report”

• SA 705 (Revised), “Modifications to the Opinion in the Independent Auditor’s Report”

• SA 706 (Revised), “Emphasis of Matter Paragraph and Other Matter Paragraph in the

Independent Auditor’s Report” that deal with how to form an audit opinion, reach audit

conclusions and issue different types of auditor’s reports

• ICAI Implementation guide on Risk Based Audit - Auditors’ role in assessing risk factors

that could result in financial statement fraud and misappropriation of assets

INTERNAL AUDIT - RELEVANCE & GUIDANCE

• Companies Act,2013- Sec.138

• IIA Standards – (IPPF)

• ICAI Standards on Internal Audit (SIA) – 18

• ICAI –Industry specific Technical Guide on Internal Audit -23

• Standard on Auditing (SA) 610- Using work of Internal Auditors

• Code of conduct & Ethics applicability on Members of ICAI

• Documentation-Working papers critical

• Statutory Audit vs Internal Audit mutually exclusive

• COSO Internal Control Framework

Definition of “Internal Auditing” by IIA

“Internal Auditing is an independent, objective assurance and consulting activity designed to add

value and improve an organization's operations. It helps an organization accomplish its objectives by

bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk

management, control, and governance processes.”

Independence is established by the organizational and reporting structure. Objectivity is achieved by

an appropriate mind-set. The internal audit activity evaluates risk exposures relating to the

organization's governance, operations and information systems, in relation to:

Effectiveness and efficiency of operations.

Reliability and integrity of financial and operational information.

Ability of the existing risk assessment process to identify & negate emerging risks

Safeguarding of assets.

Compliance with laws, regulations, and contracts.

Changing Role of Internal Auditing

Internal auditing has moved from a traditional financial and compliance audit role to risk

based audit that provides assurance, advice and insight in risk management, internal

controls and governance.

The internal auditors are expected to provide recommendations for improvement in those

areas where opportunities or deficiencies are identified. While management is responsible

for internal controls, the internal audit activity provides assurance to management and the

audit committee that internal controls are effective and working as intended.

The internal audit activity is led by the chief Audit Executive (CAE) or the head of internal

audit. The CAE delineates the purpose, scope, authority, responsibility and independence of

the internal audit activity in a written charter that is approved by the audit committee.

Impact of Risk Management on Business Performance

33%

42%

10%

10%

3% 2% Strongly Positive

Marginally Positive

No Impact

Marginally Negative

Strongly Negative

Unaware

In a survey conducted by the Institute of Internal Auditors on audit executives, itwas revealed that over 70% of the business feel that assessing and deployment ofrisk management has had a positive impact on the day to day businessperformance of the company.

HOW IS ENTERPRISE- WISE RISK MANAGED CURRENTLY?

45%

26%

16%

13%

Compliance

Department

Legal

Department

Internal

Auditor

Others

Stakeholders expect an Internal Audit Professional to be more proactive in assessing and

providing measures in responding to risk.

Collaborate with other departments internal to the entity as well as with other assurance

providers to deliver quality service.

Greater need for efficiency and effectiveness, which calls for leveraging technology and

embracing data analytical tools more often to enhance the value of Internal Audits.

LEVEL OF MATURITY OF INTERNAL AUDIT PROFESSION

3%

2%

76%

19%

Goal not defined

Not Aligned

Partially Aligned

Fully Aligned

Only 19% of Internal Audit Department is fully aligned with strategic plan of theirorganisation and 76% are partially aligned.

There is a need for Internal Audit plan to encompass organisational strategic plan whichcould strategically support the attainment of the organisational goal.

Are the Objectives of an Internal Audit in line with objectives of their clientele?

INVOLVEMENT OF INTERNAL AUDITORS

54%

39%

60%

54%

61%

22%

44%

28%

37%

32%

24%

17%

12%

9%

7%

New Product/Service

Organic Growth Initiatives

Strategic Alliances

Mergers & Acquisitions

New Geographical Markets

Significant Involvement Moderate Involvement No Involvement

The Internal Audit Profession study reveals that across the diverse business opportunities available in

our country, the involvement of internal auditor & his function is only moderately utilised.

Knowledge of Business & Industry

41%

23%32%

47%

16% 15% 14%8%

43%

62%54%

45%

East Asia & Pacific Europe South Asia North America

Staff possess traditional accounting skills Staff possess knowledge of business and Industry

Staff possess both skills

Skills of Internal Audit Staff Region wise

SOURCES OF RECRUITING STAFF AT GLOBAL LEVEL?

14%

12%

19%

25%

19%

11%

Other

Other Audit Firms

Professional Networks

Internal Transfers

Employment Agencies

Universities

Responses to CBOK surveyquestions regarding sourcesused for recruitment showedthat different sources are usedfor recruitment of internalaudit functions.

The chart reflects that internaltransfers gained the highestpercentage, followed by useof an employment agencyand the use of professionalnetworks.

DEPLOYMENT OF DATA ANALYTICS

CURRENTLY

IN 3 YRS from NOW

ENTITY WIDE SPECIFIC USE ADHOC USE

35% 63% 2%

47% 50% 3%

Significant changes in the Internal Audit Function is predicted with entity widedeployment & utilisation of Data Analytics Tools, which would elevate theInternal Audit function & create a new standard of delivery by:• Providing actionable insights into the risks that matter & increase focus on risks• Embracing technology & improving audit quality.

Data Analytics - Use in Internal Audit Life Cycle

Risk Assessment

Audit Execution

Reporting

Audit Planning

Monitoring

80%

73%

70%

67%

67%

16%

20%

25%

26%

24%

4%

7%

5%

7%

9%

Utilised Not Utilised Cannot Say

Embedding data analytics into theaudit plan can help internal auditguide risk assessment, drive enterpriseefficiencies and result that add tangiblevalue to the business, and effectivelycommunicate to the interested parties.

The potential for making valueaddition through technology isenormous, especially if IA is able tointegrate a higher % of data analyticalprocedures into their audit approach.

Skills that provide significant value addition

25% 23% 19% 18% 15%

Communication Technology Skills Critical Thinking Global Markets Data Analytics

A survey for seeking value through Internal Audit wherein various skillswere presented and the respondent had to choose 5 options among variousoptions reflected that, Technology is second only to Communication followedby Critical thinking. It stands to reason, then, that a solid tech platform withthe propensity for advanced data analytical and feedback mechanism isinevitable.

INTERNAL AUDIT & FRAUD RISKS

• Fraud risk management

• Common fraud situations

• Investigation of suspected frauds-Schemes & Techniques

• Root cause analysis

• Control improvement recommendations

• Monitoring of a reporting/whistle blower hotline

• Providing Ethics training sessions

• SIA 11- Identify indicators of frauds/factors that might increase risk of

opportunities for frauds/exercise reasonable care and professional

skepticism.

EXTERNAL PRESSURE?

Experienced Coercion to change a rating or finding in an Internal Audit Report

Asia - Pacific USA & Canada Europe Middle East

78% 85%74% 76%

22% 15%26% 24%

No Yes

Every 4th Auditor in Europe is subject to coercion and is made to change or withdraw his findings followed by auditors in the Middle East and then Asia- Pacific. In such cases, crucial findings vital for business & investment decisions fail to make it to the Internal Audit Report.

Managers’ and External Auditors’ preference

In-House

Outsourcing

Co-sourcing

External Auditorsperception: Higherperceived quality ofinternal audit function,greater reliance oninternal audit function,and relatively lowplanned external auditeffort by externalauditor

Company managerspreference for internalaudit function sourcingarrangements

Common preference of external auditors and

company

Note: Red coloured arrows have a relatively stronger effect compared to dashed arrows

IA - ATTRIBUTES OF EXCELLENCE

Focus on critical

risks & issues

Match talent to

business model

Leverage

technology

efficiently

Align value

proposition with

stakeholders

expectation

Promote quality

improvement &

innovation

Engage & manage

stakeholders

relationshipsDeliver cost effective

services

Enable a client

service culture

Stakeholders prefer Strategic role of IA

99%

40%60%

1%

Strategic Role Support Functions

Audit Professionals Survey

Stakeholders Survey

Is an Internal Auditor a Strategist or a

Supporter ?

A Survey of diverse companies havingannual revenue of $1 Bn + wasconducted and their expectation of therole of Internal Audit Personnel wasenquired, the same set of question werepresented to the Professionals as well.

Focus of an Audit Plan

15%

13%

14%

18%

21%

19%

Compliance Financial Regulatory

Technology Operational Strategic

Comprehensive outlook

To summarise, the Internal Audit Professionals to meet the raised expectations, must adopt the following:

Align InternalAudit plan andobjectives with thelong term goal ofthe business.

Make use of Technology,Big Data, Data Analyticstools, Artificial Intelligencein providing insightful andvaluable reports.

Become more deeplyinvolved in businessmatters, and not just inquestioning processes,controls & compliances toplay a strategic role.

THANK YOU!

tnmanoharan@gmail.com