Independent assurance

Ø on effectiveness of internal controls and risk mgt processes

Ø to enhance governance and achieve organisational objectives

Indicative Objectives and scope of Internal Audit

o Monitoring of internal controls : Performing 3 way matching of PO, receipt of material (GRN) and
vendor invoices before approving vendor payment
o Examination of financial and operating information: Internal Audit of sales records, delivery records,
sales commission for identifying correctness of revenue recorded
o Review of operating activities: Reviewing Inventory mgt activities and appropriate handling to
prevent damages
o Review of compliance with laws and regulations: Compliance with newly applicable Tax Regime.
o Risk management: Evaluation & mgt of Risk Exposure for complex financial instruments transactions
o Governance: Assessment of Governance Process in achieving objectives on ethics and values.

Applicability of Internal Audit

Sec 138 of Companies Act, 2013 read with Rule 13 of Companies (Accounts) Rules 2014
o Listed Cos
o Unlisted public Companies [during preceding FY]
Ø Deposits >= 25 Cr (anytime) or
Ø PUSC >= 50 Cr or
Ø Borrowings (Bank/FI) > 100 Cr (anytime) or
Ø T/o >= 200 Cr
o Pvt Co.
Ø Borrowings > 100 Cr (anytime) or
Ø T/o >= 200 Cr
Note: Co. which gets covered under any of above criteria shall comply with requirements within 6
months of commencement of such applicability.

JKT Pvt. Ltd. having ₹ 40 lacs paid-up capital, ₹9.50 crores reserves and turnover of last 3
consecutive FY, immediately preceding FY being ₹ 49 cr, ₹ 145 cr and ₹ 260 cr, but does not have
any internal audit system. In view of management, internal audit system is not mandatory. Comment.
In given case, JKT Pvt. Ltd. is having a t/o of ₹ 260 crores during preceding FY which is more than
200 cr. Hence, co. has statutory requirement to appoint Internal Auditor and conduct internal audit.

Who can be Internal Auditor?

Ø Individual/firm/body corporate
Ø CA/Cost a/c /any other professional whether in practice or not
Ø May or may not be employee of Co.
 AB Pvt. Ltd. company, having o/s loans & borrowings from banks > ₹100 Cr, wants to appoint Mr. X, a
practicing cost accountant, as an internal auditor. Is appointment of Mr. X valid?
Internal auditor shall either be a CA or cost accountant (whether engaged in practice or not), or
such other professional as may be decided by Board to conduct an internal audit of companies.
Thus, Appointment of Mr. X as an internal auditor of AB Pvt. Ltd is valid.

SIA 210 Critical Activities performed by Internal Audit Function

Ø Define overall plan, scope and methodology of Internal Audit Function on a periodic basis.
Ø Oversee and monitor various audit assignments, their proper planning, execution, reporting of
findings and subsequent closure of reported observations.
Ø Plan, acquire, engage and review performance, training and development of professional staff, talent
and other resources to achieve its objectives.
Ø Identify, source, engage and manage external experts and technical solutions, if required.
Ø Communicate and engage with all key stakeholders regarding progress and achievement of objectives.

Learn with Fun J

Main Responsibilities of Internal Auditor [A/c function & financial records]

Ø Maintain adequate system of Internal Control by continuous examination of accounting procedures
Ø To operate independently of a/c staff & not divert from his resp.
Ø Not involve himself in performance of executive functions to maintain objective outlook
Ø observe facts & situations, bring them to notice of authorities who would otherwise never know them
Ø Associate closely with management & keep knowledge upto date about business
Ø At all times, must enjoy independent status
Learn with Fun J

Scope of Internal Auditor’s work includes review of:

1. Internal control systems & procedures
Ø Assess design & operating efficiency & effectiveness of IC
Ø To minimize overall internal audit risk i.e. inherent risk, control risk & detection risk
 Ø Controls should be inbuilt in operating functions à cost effective
Ø Review should consider limitations of Internal Control à cost benefit, human errors, collusion &
abuse by process owner
2. Custodianship & Safeguarding of Assets
Ø Verify existence of assets
Ø Review Segregation of Duties is in place
Ø Ensure all assets accounted fully
Ø Review control systems for intangible assets e.g. procedures related to credit control
3. Compliance with Policies, Plans, Procedures & Regulations
Ø Point out specific weakness & suggest remedial action
4. Relevance & Reliability of Information
Ø Review information systems
Ø Examine whether reporting by exception i.e reports highlight significant & distinctive features
5. Review of Organisation structure
Ø Review Manner in which activities of organisation are grouped for managerial control.
Ø Examine organisation chart à check structure is simple & economical & no function enjoys undue
dominance over others
Ø Responsibilities of managerial staff at headquarter shouldn’t overlap with chief executives of
operating units
Ø Examine reasonableness of Span of control of each executive (no. of subordinates that executive
controls)
Ø Where dual responsibilities can’t be avoided, primary one should be specified
Ø Evaluate process for managerial development in enterprise
Learn with Fun J

6. Review of utilisation of Resources

Ø Check proper operating std & norms established
Ø Whether detailed enough to be identified with specific operating responsibilities
Ø Review method of establishing operating standards & norms. Examine the assumptions.
Ø Where there is wide divergence between actual performance & std, reasons maybe considered

7. Accomplishment of Goals & Objectives

Ø Objectives clearly stated & attainable
Ø Expressed in quantifiable terms
Ø Sufficient flexibility in plan to permit improvements
 Qualities of Internal Auditor
1. Special expertise for evaluating management control system esp. financial & accounting controls
2. Must have Accounting & financial expertise to discharge his duties
3. Expected to evaluate operational performance & non-monetary controls. Requires basic knowledge
of technology & commercial practices of entity
4. Basic knowledge of commerce, laws, taxation, cost accounting, tax, economics, EDP systems.
5. Understanding of mgt principles & techniques & ability to deal with people.
6. By conduct his provide assurance to mgt that confidentiality will be maintained
Learn with Fun J

Internal Audit Report

SIA 370 Reporting by IA in 2 stages:
1) At end of assignment IA Report covering specific area, function or part of entity is prepared
highlighting key observations. Issued with details of manner of conducting assignment & key findings
from audit. Issued to Auditee with copies to local mgt agreed in planning phase.
2) On periodic basis, at close of plan period, report on IA activities covering Entity & plan period is
prepared by Chief Internal Auditor (or EP in case of external service provider). Normally done on
Quarterly basis & submitted to Audit Committee. A part of IA report may form part of the Periodic
Report shared with AC.
This SIA pertains to responsibility to issue only IA report pertaining to specific assignments.

Performing Internal Audit Engg.

Step 1 – Obtain knowledge of the Business and its Environment
Ø Conduct meetings with key stakeholders, BOD and KMP to obtain understanding of organization’s
business environment, its operations, vision, mission and top mgt’s expectations from audit functions.
Ø Obtain understanding of various business documents – SOPs & F.S Etc.
Ø Also obtain understanding of underlying IT landscape, various applications & ERP systems of
organization and MIS of organization.

Step 2 – Perform Audit Planning

Plan audit engg. as per SIA 310, Planning Internal Audit Assignment.
Ø Audit scope must be approved by Audit Committee and BOD.
Ø Once approved, IA must share detailed Audit Plan with KMPs and plan in advance detailed schedule
of Audit to be conducted.
Ø Conduct opening meeting with key stakeholders before start of audit engg. and share details of
Information and System Access required to perform audit.
Ø Detailed work plan prepared by audit managers & approved by Head of IA / Chief Internal Auditor.
Ø Plan prepared after performing evaluation of all major underlying risks in process being reviewed &
audit checks to be performed to assess adequacy of control environment to mitigate such risks.

Step 3 – Gather required information

Ø Obtain reqd info. & perform checks to ensure correctness & integrity of info. received.
Ø Obtain info. directly from source.
Ø Adequate planning should be done and advance intimation should be made for any interim info. needed
for performing audit checks.

Step 4 – Perform audit checks

Ø Analytical Procedures:
Collate all data and perform analytical procedures to identify key trends and outliers. Analytical
procedures should be performed as per SIA 6, Analytical Procedures. Relevant analytical tools may
be used to review complete data for audit period.
Ø Sampling:
Select sample as per SIA 5, Sampling. Detailed audit testing performed as per audit work plan.
Ø Evidence:
Adequate evidences must be collected and stored as per SIA 320, Internal Audit Evidence. IA must
prepare detailed listed of Identified audit issues and controls gaps.
Ø Reporting
Interim reports may be issued after proper review of work performed as per SIA 350, Review and
Supervision of Audit Assignments.
Ø Documentation
Adequate document of work papers to be ensured as per SIA 330, Internal Audit Documentation

Step 5 – Reporting of Internal Audit Issues

Ø Prepare draft report of Internal Audit comprising of
ü business process/ function reviewed as per scope,
ü detailed audit coverage and exclusions, audit period covered,
ü summary along with detailed issues over gaps noted with implication on business &
ü recommendation to mitigate the identified gaps.
Ø Mgt Action Plan should be agreed along with responsibility of action and timelines for actions. Also
review status of actions taken by management against actions agreed during previous audits & report
status of such follow up in audit report.
Ø Thereafter circulate Final Report and present findings to Audit Committee. Adhere to SIA 360,
Communication with Mgt and SIA 370, Reporting Results while sharing result of internal audit with
stakeholders.

2 Stages Reporting
SIA 370 Reporting by IA in 2 stages:
1) At end of assignment report covering specific area, function or part of entity is prepared highlighting
key observations. Details of manner of conducting assignment & key findings from audit. Issued to
Auditee with copies to local mgt agreed in planning phase.
2) On periodic basis, at close of plan period, report on IA activities covering Entity & plan period is
prepared by Chief Internal Auditor (or EP in case of external service provider). Normally done on
Quarterly basis & submitted to Audit Committee.
This SIA pertains to responsibility to issue only IA report pertaining to specific assignments.

Key Elements of Internal Audit Report

a) Overview of scope, objective & approach of audit assignments
b) Fact that Internal audit completed as per Standard on Internal Audit
c) Executive summary of key observations covering important aspects & specific to scope of assignment
d) Summary of corrective actions required(or agreed by mgt) for each observation
e) Nature of assurance, if any, which can be derived from observations.
Learn with Fun J

Notes:
• Content & form depends on Prof judgment of IA in consultation with auditee
• Draft report to be issued before Final Report

Follow Up
o As per SIA 390 Monitoring & Reporting of Prior Audit Issues (PAI), ChIA is responsible for
continuously monitoring closure of PAI through timely implementation of action plans.
o Responsibility to implement action plans stays with the mgt.
o IA review follow up action taken by mgt based on his observations. If no action taken in reasonable
time, draw mgt attention to it. Where mgt not acted on his suggestions or implemented
recommendations à IA ascertain reasons
o Where mgt accepted recommendations & initiated necessary action, IA review manner & extent of
implementation of recommendations & report which recomm. not implemented fully/partly.
 Relationship b/w Internal Auditor(IA) & External Auditors(EA)
• Scope & objective of Internal audit dependent on size & structure of entity & requirements of mgt.
IA reviews a/c systems & internal control, examines financial & operating info for mgt, there’s a lot
of overlap b/w work of IA & EA.
• Work done by IA has important bearing on work of EA. Fn. of IA is integral part of system of IC.
• It’s a statutory requirement as per sec 138, Audit committee in consultation with IA formulate
scope, functioning, methodology, & periodicity (SFMPE) for conducting Internal audit.
• Obligatory for stat auditor (EA) to examine scope & effectiveness of work carried out by IA. He
should examine internal audit dept of org, strength of staff & qualification & powers.
• Extent of independence exhibited by IA & status in organisation, determine effectiveness of audit.
• EA should evaluate internal audit function to determine NTE of compliance & substantive procedures.

Difference between Internal & External Audit

Basis Internal Audit External Audit

Meaning Ongoing audit function Audit function performed by
performed within an independent body not part of
organisation by separate organisation
internal audit dept
Examination Examines operational Examines accuracy & validity
efficiency of organisation of F.S.
Appointment By mgt By members
Users of Report Management Stakeholders
Period Continuous process throughout Done once in a year
year
Opinion On the effectiveness of On truthness & fairness of
operational acts of organisation F.S.
Status of Could be employee Can’t be employee
Auditor

Factors responsible for high employee attrition rate are as under:

i. Job Stress & work life imbalance
ii. Wrong policies of the Management
iii. Unbearable behaviour of Senior Staff
iv. Safety factors
v. Limited opportunities for promotion
vi. Low monetary benefits
vii. Lack of labour welfare schemes.