My topic today -

not
Internal Audit is a business decision making tool.

Trust None
Gujarat

CA Sandesh Mundra
 Statutory Warning
• All the characters in this audit presentation are
fictional. If they in any way relate to your
professional lives, its only a matter of
coincidence, and the presenter shall be in no
way liable for any of his acts / verbal utterances
during this brief presentation.

CA Sandesh Mundra
 To elaborate – Lets read a story….
• M/s ABC is a growing concern in the
construction sector which has very weak internal
control systems at present, and so a need is felt
for an external agency for better controls.

CA Sandesh Mundra
• A firm M/s CA is appointed as internal auditor
after a lot of deliberations and negotiations.

Idiot

CA Sandesh Mundra
• Management is not in a position to give a proper
scope for audit and ask CA to frame its scope on
its own.
• CA starts the review of the existing scenarios by
visiting the construction sites of the entity.
• In its audit plan it lays down various audit
procedures so as to cover all the aspects.

CA Sandesh Mundra
• It ensures that the company staff is also verbally
communicated about the audit procedures, since
the audit procedures are not documented
properly, they are not shared in black and white.
• It deploys 3-4 articled assitants for carrying out
the audits with immense focus on transactional
audit

CA Sandesh Mundra
Verbal Communication Problems in an organisation

Telephone Call :-

From: Managing Director To: General managers

Tomorrow morning there will be a total eclipse of the sun at nine o’clock. This is something which we
cannot see everyday. So let all employees line up outside, in their best clothes to watch it. To mark the
occasion of this rare occurrence, I will personally explain the phenomenon to them. If it is raining we will
not be able to see it very well and in that case the employees should assemble in the canteen.

From: General managers To: Industry Managers

By order of the Managing Director, we shall follow the disappearance of the sun in our best clothes, in
the canteen at nine o’ clock tomorrow morning. The Managing Director will tell us whether it is going to
rain. This is something which we cannot see happen everyday.

From: Industry Managers To: Location heads

If it is raining in the canteen tomorrow morning, which is something that we cannot see happen
everyday, the Managing director in his best clothes, will disappear at nine o’ clock.

From: Location heads To: Marketing Executives

Tomorrow morning at nine o’ clock, the Managing Director will disappear without his clothes. It’s a pity
that we can’t see this happen everyday?

CA Sandesh Mundra
The CA then commences the audit and finds a lot
of audit errors in all aspects be it accounts, stores
management, HR, vehicle and admin controls.

For e.g. It find various instances where:-

a. Purchase orders are not available for materials purchased
directly at the site
b. No workorders are prepared for the sub-contractors
c. Stores issues the materials without receiving proper indent
from the site
d. Payment vouchers do not carry the authorised signatory
approvals
e. Lack of controls over fuel consumption at the site

CA Sandesh Mundra
• Prepares a very big and exhaustive
report (to the immense satisfaction of CA) and
submits to the management and related
staff by email.

CA Sandesh Mundra
• He keeps doing the same thing for the next one
year, and finds that the management response
to the queries is very poor and starts loosing
interest in audit but pursues the audit due to
monetary reasons. – Level of Perfection

• Most of the reporting to the

client are prepared by the
transactional audit staff and
follow up for compliance is
regularly done with the
ground level
staff in the organisation.
CA Sandesh Mundra
• Management brings in Mr Z, a very senior professional
with huge exp in the construction sector. Mr Z also brings
in several new jobs at far off locations where he knows
the local conditions - jee well.

• CA is asked to frame the Role and Responsibility &

Remuneration structure on paper for Mr Z.

• Mr Z brings in several organisational changes, gets some

staff from his old organisation and is found to be very co-
operative to the internal auditors and seems to be well on
the way to take organisation to the next level.

• Mr Z also brings in various process changes based on his

past experience. CA is very impressed with him.
CA Sandesh Mundra
 With some bad jobs in the pocket the cash flows start getting
adversely affected.

To make matters worse, huge investments are being made in

Equipment purchase to cut down the rental cost.

Because of poor accounting systems the organisation is not

able to maintain the project wise accounting and hence the losses
are not traced to any particular project.

CA Sandesh Mundra
• Two years go by and the management starts
feeling the need to cut down overheads
b’coz of business losses.

• In the very same year, Mr Z who manages

the biggest construction Site - "X" is found to
have carried out a fraud to the tune of Rs. 50
Lacs. This is discovered by the promoter
after he left the organisation

CA Sandesh Mundra
• Meeting is called and Immediate question to
auditor is "Was he able to detect any major
problem at Site X". Auditor asks mgmt to read
the report already submitted remains speechless
after that.
o Figuring out what went wrong in the audit procedures! – Non shrink

CA Sandesh Mundra
• He goes back and checks his internal audit
report submitted for Site - "X" and finds out that
their report contains a lot of documentation
related issues for this business.
• Upon reviewing the complete report he makes
various observations
o Most of the overtime payments carry only the signature of Mr Z.
o For Purchases from two local parties no qty check is carried by stores.
o Lot of delay observed in preparation of sub-contractor billing.
o Site shows a lot of sales bills which have not been accepted by the
client

• He is astonished to see the nature of lapses and

concludes that there could have been a fraud.

CA Sandesh Mundra
 He presents the same report again to the
management in a summarised format, to give
a feeling that there was no lapse in audit
procedures adopted for Site - "X".

Also points out the failure on the part of the

management in taking the previous audit
report in a casual manner. - Interpretation

CA Sandesh Mundra
• After few months, the management in a bid to
cut down the overheads, significantly reduces
the fees and scope of internal auditor.

CA Sandesh Mundra
Auditor is very unhappy!

CA Sandesh Mundra
 How does the Auditor feel?

• Management should have given time to review the

internal audit reports on regular basis.
• Top Management being non-financial
guys, were never interested in following
the company policies themselves,
setting a very bad example for others.
• Management should give a regular
feedback, if they wish to customize
the format of internal audit
report according to their needs.

CA Sandesh Mundra
 How does the Auditor feel? (cont……)

• Management rarely called upon the internal auditors to

discuss the internal audit reports on a periodic basis.
• Management needs to be more clear in giving the
scope of work for internal audit.
• It is a pure failure on management compliance aspect
and that the auditor has been unnecessarily made the
scape goat.

CA Sandesh Mundra
• Lets now look what the other side feels ?
o If there is someone from the management side, do
you have any points for the stand of fees reduction?

CA Sandesh Mundra
MANAGEMENT's VIEW :-

• When CA was appointed, the scope of work he

had set, should not have been to carry out pure
internal audit but to build stronger systems
within the organization. Management is already
aware of the various problems in the business.

• Ensuring that the audit recommendations are

implemented should also be in auditor’s scope.

CA Sandesh Mundra
 MANAGEMENT's VIEW (cont….):-
• Instead of always pointing out the
documentation related issues, the auditor should
have been the first to point out some possible
wrong doing at Site - "X".
• Adopting a passive mode of emails to
communicate the reports was not appropriate for
this kind of organisation, as all employees were
not equipped to handle the emails.
• The focus should have been more on the
quality, rather than quantity in terms of reporting.
• Post-Mortem Approach does not quite fit the
requirements.
CA Sandesh Mundra
• At this stage are we all left pondering about the
value that we are adding to the client
• Are we approached by the client when any
major business decisions are to be taken?
o If No, then its very serious, as Internal Audit is
considered as the “Nose” of the organisation

CA Sandesh Mundra
Thief and Police

There are three categories in which we can divide the

police :-

a. Those who are not able to catch the thief

b. Those who catch the thief after he has stolen something
c. Those who catch when the idea of theft originates in the
thief's mind CA Sandesh Mundra
“When business fails, accountants perform”

CA Sandesh Mundra
So we see after this GAP analysis that there are lot
of lessons to be drawn from this story

• Business Model of the client has to be

absolutely clear to the auditor, if he wants to add
some value to the client through his reports.
o Org Hierarchy
o Performance factors
o Relevance of Documentation
o Possibility of Cost overruns
o Study of Cultures across the organisation

CA Sandesh Mundra
 Lessons (cont…..)

• Auditor should have a good foresight and should

be able to present the actual scenario in a very
crisp and clear fashion.
o Report the present in summarised format
o Predicting what can go wrong looking to present conditions
o Understand the management’s language
o Power to stop payments (This gives some feeling of power to the auditor).
Audit is lot more meaningful if its part of the process rather than a
standalone activity.

CA Sandesh Mundra
CA Sandesh Mundra
 Lessons (cont…..)
• Whatever may be client's opinion about the
scope, the auditor needs to take a stand on the
basis of his own understanding.
o Focus may be more on implementation of internal
controls rather than documentation for a given client
depending on actual situation.
o In the initial years, the role is more like management.
o Importance of audit points to be explained till the last
mile.
o Ego creates a lot of practical issues

CA Sandesh Mundra
 Lessons (cont…..)
• Communication Strategy should also change
depending on the nature of client.
o Flow from the top
o Medium may be different at different levels within the same organisation
o Delegation of responsibility within the organisation
o Follow up (Immense amount of Patience)

“God, give me patience…....

and make it quick! "

CA Sandesh Mundra
Telecom Call Centre

CA Sandesh Mundra
 Lessons (cont…..)

• Voice level Modulation is of some importance in

front of the management.
• The auditor should also have the guts to say to
the management, that because of management
approach, he is not able to add any value to the
organisation and he may better be disengaged
from the assignment, to showcase the
seriousness on his part.
o Do you think its practicable?
o Consciousness about reporting compliance.

CA Sandesh Mundra
 Think long Term
• Baba Ramdev Model

CA Sandesh Mundra
 The Audit Process Model
INPUTS PROCESSES OUTPUTS OUTCOMES

Internal Audit
Knowledge
and Skills

Analyses,
Appraisals,
Computers, Recommendations,
Software and Counsel and
IIA Standards Information Supporting the
Internal Audit
Organization in
Practices and
the Discharge of
Procedures
their
Responsibilities
Time and Promote the
Money Effective use of
Internal Control

Reputation
for Integrity
and Fairness
CA Sandesh Mundra
 Audit Interaction with Auditee
Competition Cooperation Collaboration

Auditor Manager Auditor Manager Audit Team

Auditor Manager

Internal Audit Internal Audit Internal Audit

CA Sandesh Mundra
• After this brief story lets focus on the other side
of the topic

- Zia

CA Sandesh Mundra
• Internal Audit as a Business Decision Making
Tool

o Continuing the very same example ahead, lets see

some of the areas where management was found to
be weak in decision making and how CA could have
played his part.

CA Sandesh Mundra
Domain of Decision Making

Strategic Planning
Operations

CA Sandesh Mundra
 Vision and Mission
• Understanding the Promoter’s thought process about
the organisation’s future
• Whether the overall controls within the organisation are
in sync with the vision statement
• Whether the employee mindset is in sync
• Uniformity of systems across the organisation

• Parliament - Planning

CA Sandesh Mundra
 Organisational Hierarchy
• Management is struck up in various
areas:-
o Bifurcation of the organisation into various
departments
o Deciding the designation and authority
level posts in various deparments
o Role, Responsibility and Authority Structure
for all the posts
o Built in mechanism to get the best out of
the team

• For e.g. At the construction site, the

accountants at the site are not very
clear whom do they have to report to.

• Senior Joinee

CA Sandesh Mundra
 Corporate Governance

From Audit Perspective we divide all activities of

the organisation into :-
a. Compliance - Identify Gaps
b. Process Orientation - Adherence to processes

• Transperancy
• Legal Framework

CA Sandesh Mundra
CA Sandesh Mundra
Enterprise Risk Management

Two most important ways that internal auditing

provides value to the organization are in providing
objective assurance

- that the major business risks are being managed

appropriately and
- providing assurance that the risk management and
internal control framework is operating effectively.

CA Sandesh Mundra
Role auditors can play in risk management domain:-
Core Internal Audit Roles with regard to ERM:-
• Giving assurance on risk management process.
• Giving assurance that the risks are correctly evaluated.
• Evaluating risk management process

Legitimate internal audit roles with safeguards:-

• Facilitating identification and evaluation of risks
• Coaching management in responding to risks
• Co-ordinating ERM activities
• Consolidated reporting on risks
• Maintaining and developing the ERM framework
• Championing establishment of ERM
• Developing RM Strategy for board approval

Roles the internal auditor should not take:-

• Setting the risk appetite
• Imposing the risk management process
• Management assurance on risks
• Taking decisions on risk response
• Implementing risk response on management’s behalf
• Accountability of risk management
• Evaluating the reporting of key risks
• Reviewing the management of key risks

CA Sandesh Mundra
CA Sandesh Mundra
 Is risk management really new?
• Yes and no
• Understanding risks is not new at all - most of us
have an inherent understanding of risk ; e.g.
health and safety risk assessments are well
established; audit and others use it
• However, risk management in a corporate
governance sense is new. It promotes ownership
of the RM process at a high level
 Value of Risk-Based Audit Planning
• Yields disciplined analytical approach to evaluating the
audit universe

• Highlights potential risks in organization that might

otherwise be unknown

• Fosters dedicated audit coverage to high-risk areas

• Allocates resources where pay-back is greatest

• Provides a tool for management to gauge or

assess enterprise risk
 Key Definitions
• Risk: The uncertainty of an event occurring that could have
an impact on the achievement of objectives.

• Risk assessment: A systemic process for assessing and

integrating professional judgments about probable adverse
conditions and/or events.

• Risk management: The culture, processes and

structures that are directed towards the effective
management of potential opportunities and adverse
effects.
 The Objective of Risk-Based Planning:

H
Target audit
resources
where risk is
greatest!
Impact

L H
Probability
Source: A Guide to the Use of Risk Management Within the Internal Audit Process
©
2002 – The IIA – Australia
 A Risk Assessment Process for
Annual Audit Planning

1. Define the audit universe

2. Identify and weight risk factors

3. Establish a mechanism and score

risk factors for auditable units

4. Sort the auditable units by total risk

score

5. Develop the annual audit plan based

on the ranked audit universe
 Risk Assessment in Annual Planning:

Risk Planning Model

PROBABILITY

PROBABILITY
MATERIALITY

Impact on Visibility and

Enterprise Sensitivity
Operations
 Risk Assessment in Annual Planning:

Risk Factors

Materiality Points
• Audit Area over Rs. 100 Lacs 8-10
• Audit Area Rs. 25 Las to Rs. 100 Lacs 4-7
• Audit Area less than Rs. 25 Lacs 1-3
 Risk Assessment in Annual Planning:

Risk Factors

Impact on Operations Points

 Significant impact on core business 8-10
 Significant impact on specific
program moderate impact on core
business 4-7
 Negligible impact on specific program
or core business 1-3
 Risk Assessment in Annual Planning:

Risk Factors

Public Sensitivity Points

 Likely to result in public or
congressional interest 8-10
 May result in public or
congressional interest 4-7
 Unlikely to result in public or
congressional interest 1-3
 Risk Assessment in Annual Planning:

Probability Factors

Probability of Risk
Points
 High probability of significant issues 0.8-1.0
 Moderate probability of significant
issues and high probability of
improvement needed 0.4-0.7
 Low probability of significant issues
and moderate to low probability of
improvement needed 0.1-0.3
CA Sandesh Mundra
 Risk Assessment in Annual Planning:

Example of Risk Assessment

e
ty
ty

cor
bili
ia li

tal
ity
ct

kS
ba
ib il

bto
ter
pa
Potential Audit Subject

Pro

Ris
Vis
Ma

Su
Im
Security of Office Equipment 1 7 5 16 0.5 8.0
Environmental Compliance 2 7 8 22 0.6 13.2
Executive Compensation 3 5 9 17 0.3 5.1
The basic process steps are:

Establish the context

Identify the risks

Analyse the risks

Evaluate the risks

Treat the risks

Next
• Some of the risks pertaining to the construction
site are :-

CA Sandesh Mundra
S.No. Particulars

1Delay in possession of site

2Productivity of equipment
3Unavailability of equipment, spares, fuel
4Inappropriate equipment
5Weather Poor quality, productivity and unavailability of labour
6Capability of professional staff – Incompetence, unreasonableness
7Poor industrial relations with Suppliers
8Labour – sickness, absenteeism
9Poor supply, suitability and unavailability of materials
10Poor quality, productivity and unavailability of subcontractors
11Safety – accidents
12Failure to construct to programme & specification
13Poor workmanship
Ground conditions – inadequate site investigation, inadequate information in documents, unforeseen
14 problems
Mistakes while performing work Poor relationship of professional staff to each other – consultants,
15 architects, subcontractors, etc.
16Coordination failure of construction Workers
17Liaison with public services
18Irregularity of work load
19Theft
20Errors or omissions and additions in bills of quantities
21Insufficient time to prepare bid tenders
22Accessibility to the site
23Damage during transportation or storage

24 Damage during construction due to negligence of any party, vandalism, accident

25Errors or omissions and additions in bills of quantities
 Major Control Points
• Out of all areas
o Identify 4-5 major areas after proper study of the business
model,
o lay down the existing process flow for these areas,
o suggest improvements and press hard for necessary changes
taking the management in confidence. For e.g. For a civil
contracting company some of major focus areas are:-
 Supply Labour and Overtime controls
 Equipment Related Controls - Own vs Hire
 Client vs Sub-Contractor Qty comparison and timely billing at both
ends
 Free Issue Material Reconciliation
 and Timely Project Completion.

CA Sandesh Mundra
 New Developments – Dynamic Business

• Risk matrix should be prepared for any new

venture / expansion to new locations.
 Border Compliances for Material Transfer
 Local civil Issues
 Level of Security at Client's premises
 Availability of staff locally
 Distance between staff quarters and construction site, also
between the labour colony and the construction site.
 Level of implementation of Safety and Quality Measures at
Client Premises.
 Availability of drawings at the start of the work.

CA Sandesh Mundra
Capital Expenditure
• Expenditure on Immovables

• Watch is even required on the personal capital

expenditures by the promoters

• Investment in Equipments – Most crucial

decision
o For e.g. in Construction the dynamics are most crucial as one is not
aware of capacity constraints
o Equipment Questionnaire for different equipments
o Control Chart for deciding the rental terms
o Monitoring the Equipment Usage

CA Sandesh Mundra
Financial Decision Making
1. MIS - Management Information System -
a) Checking the correctness as MIS is the basis for decision making.
b) Continuous improvisation of MIS.

2. Cash Flow Review - Alarm Bells

a) Proper inputs to the promoters regarding short term and long term
mismatch in cash flows. Solutions in case of big gaps in cash flow.

3. Overhead Analysis
a) Should be prepared in such a manner that cost cutting becomes
easy at any point in time.

CA Sandesh Mundra
 Rules of Politics
• Think
• Speak
• Write
• Sign
• Follow

CA Sandesh Mundra
 Lets take a break …… Independence of
Internal Auditor

Thus if as a professional we can do all this we can achieve the

needs of the client. And last and most important requirement is to
ensure that we follow the same principles which we advocate.

Some examples
• Out of Pocket Expenses purely as per company policies.
• Not using any facilities of the company for one's own personal
purposes.
• Maintaining distance with the clients on a personal level.
• If the fees is less, pls professional put across your viewpoint in
front of the client.

These policies might affect you in short term, but would help you
achieve the long term goal.

CA Sandesh Mundra
 Hierarchy within the audit organisation

• Tier 1 - Transactional Audit

• Tier 2 - Systems Audit

• Tier 3 – Management Audit

Documented roles and responsibility structure of the audit

team is the need of the hour

CA Sandesh Mundra
• Transaction audit
- Can be pre, concurrent or post
- Necessary evil
- Help discipline in the organization
- Systems cannot totally replace this

• Systems audit
- Backbone to the process/operations
- Vital for efficiency & control
- Necessary for survival

CA Sandesh Mundra
• Management audit
- Judgmental
- Hence controversial

•Requires
- In-depth knowledge
- Technical capabilities
- Credibility

•Difficult to identify the areas for application

CA Sandesh Mundra
 Auditor’s Motto –
We’re Here to Help!

• Identify Risks
• Find Better Ways and Best Practices
• Partner to Find Solutions
• Prevent Problems
- CA’s are smart
CA Sandesh Mundra
• Thanks for a patient hearing…..

CA Sandesh Mundra