Approach Note on Internal Audit

CA. Deep Kumar Mendiratta

Uploaded by dkmaca, posted 07-Jul-2015

Contents

Section I
1. Internal Audit - Basics (page 4)
2. ERM Framework (page 6)
3. Internal Audit Guidelines (page 9)
4. Internal Audit Process, Approach & Methodology (page 14)

Section II
1. Assessing Risks & Internal Controls (page 22)
2. Internal Audit Sampling Methodology (page 29)
3. Internal Audit Tools (page 32)
4. Reporting and Follow-up (page 37)
5. Internal Audit & Fraud (page 40)

Section I - Why Internal Audit?

Internal Audit - Basics

Definition of Internal Audit:

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

Objectives of Internal Audit:

• Risk Management
• Control
• Governance

Risk:

Risk is the potential that a chosen action or activity (including the choice of inaction) will lead to a loss (an undesirable outcome). The notion implies that a choice having an influence on the outcome sometimes exists (or existed).

Internal Control:

Internal Control is a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of its objectives (Operational, Reporting & Compliance).

Page 5: Approach note on internal audit [compatibility mode]

CARO (Companies (Auditor’s Report

Order, 2003)

Require listed companies to have an internal audit system commensuratewith its size and nature of business. To comply with the requirementscompanies may either have an internal audit department or can outsourcethe internal audit function to an external agency.

Clause 49Requires audit committee role to include oversight of the internal auditfunction as one of the terms of reference. The agreement requires the auditcommittee to review with management performance of internal auditfunction.

Why Internal Audit ?

function.

Companies Act, 1956 (Section

224)

Requires companies to appoint an auditor or auditors at every annualgeneral meeting to hold office from the conclusion of that meeting untilthe conclusion of next annual general meeting.

Page 5

Section I – ERM Framework

Enterprise Risk Management

ERM defined:

A process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

The key to effectively protecting and growing returns for an organization's shareholders is to identify and manage the risks that could prevent the organization from achieving its business objectives. The enterprise risk assessment is an efficient, comprehensive process that provides insight on inherent risks from an industry perspective and links them to the organization's objectives, initiatives, and business processes.

Entity objectives can be viewed in the context of four categories:

• Strategic
• Operations
• Reporting
• Compliance

Enterprise risk management requires an entity to take a portfolio view of risk. Management considers how individual risks interrelate and develops a portfolio view from two perspectives:

• Business unit level
• Entity level

Enterprise Risk Management Framework

Section I - Internal Audit Guidelines

Compliance to Auditing Standards (ICAI)

Standards on Internal Audits:

• Standard on Internal Audit (SIA) 1, Planning an Internal Audit
• Standard on Internal Audit (SIA) 2, Basic Principles Governing Internal Audit
• Standard on Internal Audit (SIA) 3, Documentation
• Standard on Internal Audit (SIA) 4, Reporting
• Standard on Internal Audit (SIA) 5, Sampling
• Standard on Internal Audit (SIA) 6, Analytical Procedures
• Standard on Internal Audit (SIA) 7, Quality Assurance in Internal Audit
• Standard on Internal Audit (SIA) 8, Terms of Internal Audit Engagement
• Standard on Internal Audit (SIA) 9, Communication with Management
• Standard on Internal Audit (SIA) 10, Internal Audit Evidence
• Standard on Internal Audit (SIA) 11, Consideration of Fraud in an Internal Audit
• Standard on Internal Audit (SIA) 12, Internal Control Evaluation
• Standard on Internal Audit (SIA) 13, Enterprise Risk Management
• Standard on Internal Audit (SIA) 14, Internal Audit in an Information Technology Environment
• Standard on Internal Audit (SIA) 15, Knowledge of the Entity and its Environment
• Standard on Internal Audit (SIA) 16, Using the Work of an Expert
• Standard on Internal Audit (SIA) 17, Consideration of Laws and Regulations in an Internal Audit
• Standard on Internal Audit (SIA) 18, Related Parties

Compliance to Auditing Standards

The IIA Standards types:

a) Attribute Standards: address the attributes of organizations and individuals performing internal audit services. The attributes addressed are:

• Purpose, Authority and Responsibility
• Independence and Objectivity
• Proficiency and Due Professional Care
• Quality Assurance

b) Performance Standards: describe the nature of internal audit services and provide quality criteria against which the performance of these services can be measured. The criteria addressed are:

• Managing Internal Audit Activity
• Nature of Work
• Engagement Planning
• Performing the Engagement
• Communicating Results
• Monitoring Progress
• Management's Acceptance of Risk

c) Implementation Standards: expand upon the Attribute and Performance Standards, providing guidance in specific types of engagements.

Compliance to Auditing Standards (illustrative)

S.N. | Title of Standard
1 | 1000 - Purpose, Authority, and Responsibility
2 | 1010 - Recognition of the definition of Internal Auditing, the Code of Ethics, and the Standards in the Internal Audit Charter
3 | 1100 - Independence and Objectivity
4 | 1110 - Organizational Independence
5 | 1111 - Direct Interaction with the Board
6 | 1120 - Individual Objectivity
7 | 1130 - Impairments to Independence or Objectivity
8 | 1200 - Proficiency and Due Professional Care
9 | 1210 - Proficiency
10 | 1220 - Due Professional Care
11 | 1230 - Continuing Professional Development
12 | 1300 - Quality Assurance and Improvement Program
13 | 1310 - Quality Program Assessments
14 | 1311 - Internal Assessments
15 | 1312 - External Assessments

Section I - Internal Audit Process

IA Process Overview

1. Define
   1.1 Define objectives of analysis
   1.2 Gain an understanding
   1.3 Define data requirements

2. Validate
   2.1 Request and receive data
   2.2 Validate control totals
   2.3 Perform data quality assessment

3. Execute
   3.1 Execute audit steps
   3.2 Identify discrepancies
   3.3 Discuss discrepancies with stakeholders and validate errors
   3.4 Assess impact on objectives

4. Retain
   4.1 Document process / reproduce data
   4.2 Document retention

Execution Process Overview

Control Evaluation: Gather Info → Understand the Process → Evaluate

Control Testing: Develop Test Plan → Sampling or CAATs Testing → Consider Substantive Testing → Formulate Findings → Assess Root Cause → Prioritize → Agree Action Plan with the Management

Reassess Scope (shown in the diagram as a loop back from the testing steps)

Evaluation Process

Determination on Adequacy of Control Design, starting from each Control Objective / Risk:

1. Is a control in place?
   • NO: Is there a mitigating control? If NO, record as Missing Controls; if Yes, assess the mitigation (Missing / Mitigated Controls).
   • Yes: continue to step 2.

2. Does the control address the risk (e.g., are all relevant attributes covered) and in the appropriate timeframe?
   • NO: record as Inadequate Controls.
   • Yes: the control design is adequate.

Risk and Control Matrix

Columns: Sr. No. | Process | Sub Process / Activity | What Can Go Wrong (Risk) | Control Description | Test Procedures | Documents to be Referred for Test Procedures | Conclusion (Effective / Ineffective)

Sr. No.: 1

Process: Client Billing (Invoicing & Collection)

Sub Process / Activity: Quantity Assessment & Work

What Can Go Wrong (Risk):
• Incorrect quantity assessment by the billing engineer leading to under-billing to the client
• Incorrect quantity assessment by the billing engineer leading to over-billing to the client

Control Description:
• Quantity assessment is done against the schedule of work (target billing) and the actual work carried out at the site
• The quantity assessment is also cross checked against the MPR/DPR (prepared by the planning department, who in turn get the data from the execution department and sub-contractors / vendors)

Test Procedures:
• Obtain the latest Project Review Report (PRR) and Daily Progress Report (DPR) for the period under review
• Select sample RA Bills and review whether related records certifying the completion of measured work are maintained
• Ensure measured works are strictly in accordance with the scope of work and any variation is separately parked as 'Extra Work/Item'
• Quantities for billing are supported by site measurements / stock consumption and issuance records

Documents to be Referred for Test Procedures:
• Measurement sheets from the site
• PRR and DPR
• Raised RA Bills and certified RA Bills

Conclusion (Effective / Ineffective): left blank on the slide

Steps to Follow after Identifying a Finding

• Discuss and validate errors with responsible stakeholders and process owners
• Consider whether there are any compensating controls within the process or system, and extend the testing scope, if necessary
• Assess impact - whether or not the objectives of the test have been met and if alternative measures need to be taken
• Evaluate exceptions or errors identified during controls testing for the following:
  i. Potential effect on control objectives
  ii. Incidence, or level of error
  iii. Cause of the control breakdown
  iv. Actual effect, if applicable

Elements of a Finding

Criteria:

Provides a context for evaluating evidence and understanding the findings (Control Objectives):

• Policies & Procedures (expectations of what should exist)
• Contracts & Agreements
• Laws & Regulations
• Standards & Benchmarks
• Defined business practices or measures against which performance is compared or evaluated

Condition:

The situation that exists or what was occurring when the control weakness was identified, i.e. the Exception or Deficiency.

Cause:

Identifies the reason for the condition or the factor(s) responsible for the difference between the situation that exists (condition) and the required or desired state (criteria). Common factors include poorly designed policies, procedures or criteria; inconsistent, incomplete or incorrect implementation; segregation of duties; or business conditions.

Effect or Risk Impact:

A clear, logical link to establish the impact or potential impact of the difference between the situation that exists (condition) and the required or desired state (criteria), which identifies the outcomes or consequences of the condition. Effect or risk impact may be used to demonstrate the need for corrective action in response to the identified condition.

Recommendations

• Should address the root cause, not just the symptoms
• Be relevant and practical
• Compare the benefits to costs
• More than one recommendation may be required to completely address an issue
• Use best practices as a source for creative insight, adapting them to the needs of the organization

Example:

Audit Objective: Evaluate and document credit limit increase procedures

Risk/Control Objective: Credit limit increases are manually reviewed and approved prior to processing the request in the system

Sample Selection: 15 credit limit increase accounts from a system generated report

Documents Obtained: Credit limit increase MIS and the credit limit increase delegation of authority and income documents

Exceptions noted: 3 of 15 credit limit increases were not reviewed and approved per the delegation of authority, and excess credit limit was granted to customers.

Section II - Assessing Risks & Internal Controls

Internal Control Structure

MONITORING:
• Monthly reviews of performance reports
• Internal audit function

INFORMATION AND COMMUNICATION:
• Vision and values
• Issue resolution calls
• Reporting
• Corporate communications (e-mail, meetings)

CONTROL ACTIVITIES:
• Credit limits
• Approvals
• Security
• Block Codes / policies

RISK ASSESSMENT:
• Monthly Risk Control meetings
• Internal audit risk assessment

CONTROL ENVIRONMENT:
• Tone from the top
• Corporate Policies
• Organizational authority

In many cases, you perform controls and interact with the control structure every day.

An internal control structure is simply a different way of viewing the business – a perspective that focuses on doing the right things in the right way.

Concepts and Objectives

Control definition reflects certain fundamental concepts:

• Internal control is a process
• Internal control is effected by people. It's not merely policy manuals and forms, but people at every level of an organization.
• Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity's management and board.

Objectives of Internal Control

Internal controls are established to further strengthen:

• The reliability and integrity of information
• Compliance with policies, plans, procedures, laws and regulations
• The safeguarding of assets
• The economical and efficient use of resources
• The accomplishment of established objectives and goals for operations or programs

Control Techniques

Prevention techniques are designed to provide reasonable assurance that only valid transactions are recognized, approved and submitted for processing. Therefore, many of the preventive techniques are applied before the processing activity occurs. In most situations, preventive techniques are likely to be more effective in a strong control environment, when management authorization criteria are well-defined and properly communicated.

Control type definitions: Preventive - Manual; Preventive - System

Examples of preventive controls include:

• Segregation of duties (Preventive - Manual)
• Business systems integrity and continuity controls, e.g., application design standards, change controls, security controls, systems backup and recovery (Preventive - System)
• Physical safeguard and access restriction controls (human, financial, physical and information assets) (Preventive - Manual)
• Effective "whistle blowing" processes (Preventive - Manual)

Control Techniques

Detection techniques are designed to provide reasonable assurance that errors and irregularities are discovered and corrected on a timely basis. Detection techniques normally are performed after processing has been completed. They are particularly important in an environment that has relatively weak preventive techniques, that is, when front-end approval and processing techniques do not provide reasonable assurance that unacceptable transactions are prevented from being processed, or do not assure that all approved transactions are processed accurately. In this case, after-the-fact techniques become more important in detecting and correcting processing errors.

Control type definitions: Detective - Manual; Detective - System

Examples of detection techniques include:

• Reconciliation of batch balance reports to control logs maintained by originating departments (Detective - Manual)
• Review and approval of reference file maintenance ("was-is") reports (Detective - Manual)
• Reconciliation of interface amounts exiting one system and entering another (Detective - System)
• Review of on-line access and transaction logs (Detective - System)
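As an added Python example (not part of the original note), two of the detection techniques listed above, the reconciliation of interface amounts leaving one system and entering another, and the reconciliation of batch balances against the originating department's control log, implemented over constructed batch data. The system names, batch ids, transaction ids and amounts are assumptions made for illustration.

```python
"""Added example, not from the original note: batch-level reconciliation as a
detective control. System names, batch ids and amounts are constructed."""

from collections import defaultdict
from decimal import Decimal

D = Decimal  # amounts as Decimal: binary floats would create false differences

# Constructed: transactions exported by the billing system, as (batch, txn, amount).
SOURCE_EXPORT = [
    ("B001", "T1", D("100.00")), ("B001", "T2", D("150.00")), ("B001", "T3", D("200.00")),
    ("B002", "T4", D("80.00")), ("B002", "T5", D("120.00")),
    ("B003", "T6", D("999.99")),
    ("B004", "T7", D("50.00")), ("B004", "T8", D("50.00")),
]

# Constructed: what the ledger interface actually loaded.
TARGET_IMPORT = [
    ("B001", "T1", D("100.00")), ("B001", "T2", D("150.00")), ("B001", "T3", D("200.00")),
    ("B002", "T4", D("80.00")), ("B002", "T5", D("210.00")),   # amount changed in transit
    # B003 never arrived
    ("B004", "T7", D("50.00")),                                 # T8 dropped
    ("B005", "T9", D("10.00")),                                 # batch the source never sent
]

# Constructed: control log of the originating department, batch -> (count, total).
CONTROL_LOG = {"B001": (3, D("450.00")), "B002": (2, D("200.00")),
               "B003": (1, D("999.99")), "B004": (2, D("100.00"))}


def batch_totals(rows):
    """Roll transaction rows up to per-batch (count, total)."""
    counts, totals = defaultdict(int), defaultdict(lambda: D("0"))
    for batch, _txn, amount in rows:
        counts[batch] += 1
        totals[batch] += amount
    return {b: (counts[b], totals[b]) for b in counts}


def reconcile(left, right, left_name, right_name):
    """Compare two batch -> (count, total) views. Every batch on either side is
    examined, so a batch present on only one side is reported, not skipped.
    Returns a list of {"batch", "issues"} dicts, one per batch with differences."""
    exceptions = []
    for batch in sorted(set(left) | set(right)):
        issues = []
        if batch not in left:
            issues.append(f"present in {right_name} but never sent by {left_name}")
        elif batch not in right:
            issues.append(f"sent by {left_name} but not received by {right_name}")
        else:
            (lc, lt), (rc, rt) = left[batch], right[batch]
            if lc != rc:
                issues.append(f"count {lc} in {left_name} vs {rc} in {right_name}")
            if lt != rt:
                issues.append(f"amount {lt} in {left_name} vs {rt} in {right_name} "
                              f"(difference {rt - lt})")
        if issues:
            exceptions.append({"batch": batch, "issues": issues})
    return exceptions


def interface_exceptions():
    """Detective - System: amounts exiting billing vs amounts entering the ledger."""
    return reconcile(batch_totals(SOURCE_EXPORT), batch_totals(TARGET_IMPORT),
                     "billing", "ledger")


def control_log_exceptions():
    """Detective - Manual: batch balance report vs the originating department's log."""
    return reconcile(batch_totals(SOURCE_EXPORT), CONTROL_LOG, "billing", "control log")


if __name__ == "__main__":
    for exc in interface_exceptions():
        print(exc["batch"], "; ".join(exc["issues"]))
    print("control log differences:", control_log_exceptions())
```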

Risk Analysis

Risk Management Process: Risk Assessment → Risk Analysis → Risk Monitoring

Risk Assessment steps: Identification, Measurement, Prioritization

Levels at which risk is assessed: Entity Level, Process Level, Activity Level

Risk responses: Control It; Share or Transfer It; Diversify or Avoid It

Role of a Process Owner

General Expectations:
• Acknowledge the responsibility for the design, implementation and maintenance of the control structure within the business processes
• Contribute direction to identify, prioritize and review risks and controls
• Remove obstacles for compliance; remedy control deficiencies
• Continue or begin a program of self-assessment and testing to monitor the controls within the processes
• Quarterly: confirm key controls are implemented and effective, and maintain documentation to support this assessment

Immediate Action Items:
• Educate personnel about the requirements and effort
• Reinforce internal focus on controls within the process
• Surface any risks, concerns or issues promptly to allow adequate attention for correction (don't wait for an audit)
• Fix control gaps within reasonable timescales

Section II - Internal Audit Sampling

Sampling

Population: The entire set (universe) from which a sample is selected and reviewed, and about which the auditor wishes to draw conclusions.

Data availability for population: An important aspect in sample selection is the availability of data. Depending upon the population, the entire data may or may not be available. In cases where the entire data is not available, the same should be brought to the attention of Management, agreed with the stakeholders and clearly mentioned as a scope limitation.

Systematic selection: A systematic approach is used by the auditor to select items, to minimize any potential human judgment or bias. Every nth item within the population is selected in accordance with a defined sampling interval.

Haphazard selection: The auditor, without any conscious bias, selects sample items randomly, i.e., without any special reason for including or omitting items from the sample.

Stratification: Prior to carrying out analytical procedures, it is important to stratify / classify the data into separate logical sections. This classification would not only help in analyzing trends unique to that particular category but would also help in assessing materiality while selecting a sample.

Perform analytical procedures: An analytical procedure is defined as an evaluation of financial information made by a study of plausible relationships among both financial and non-financial data.

Analyse abnormal transactions: If the analytical procedures highlight certain abnormal transactions (where there are significant aberrations), they should be separated and reviewed separately. Such transactions should be reviewed in addition to the regular sample selected.

Using Excel / CAAT: In case the testing objective can be applied by using Excel / CAAT on the entire population, audit procedures should be performed on the entire population; else samples should be selected for testing.

Determining sample size and selecting sample: The sample size will depend on the frequency of the control being tested and the level of evidence that is judged to be necessary, by the client and the engagement team. For this purpose the engagement team should define the areas under scope as either High or Low risk.

Performing audit procedures and evaluating test results: When weaknesses in internal controls are identified, we should consider whether there are any compensating controls within the process or system. If we believe there are appropriate compensating controls, we should extend the testing scope to include testing of these compensating controls.
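An added Python example (not from the original note) that runs the sampling steps above over a constructed population of RA bills: records with missing data are set aside as a scope limitation, the rest are stratified into High / Low risk by amount, a systematic every-nth selection is drawn per stratum (with a fixed start offset so the run is reproducible), and an analytical procedure flags abnormal items to be reviewed in addition to the regular sample. The amount threshold, the per-stratum sample sizes and the "more than 3x away from the stratum median" abnormality rule are assumptions.

```python
"""Added example, not from the original note: the sampling steps above run
over a constructed population of RA bills. Thresholds, sample sizes and the
abnormality rule (3x away from the stratum median) are assumptions."""

import random
from statistics import median


def build_population():
    """Constructed population of 30 RA bills with a few deliberate defects."""
    bills = [{"id": f"RA{i:03d}", "amount": 10_000 + 3_000 * i, "site": f"S{i % 4}"}
             for i in range(1, 31)]
    bills[9]["amount"] = None       # RA010: amount not present in the extract
    bills[24]["site"] = None        # RA025: site code missing
    bills[2]["amount"] = 500        # RA003: suspiciously small bill
    bills[17]["amount"] = 900_000   # RA018: suspiciously large bill
    return bills


POPULATION = build_population()


def split_unavailable(population, required=("id", "amount", "site")):
    """Records missing a required field cannot be tested. They are returned
    separately so the gap is reported to management as a scope limitation
    rather than silently dropped from the population."""
    available, limitation = [], []
    for rec in population:
        complete = all(rec.get(k) is not None for k in required)
        (available if complete else limitation).append(rec)
    return available, limitation


def stratify(records, high_risk_threshold):
    """Classify the data into High / Low risk strata by bill amount."""
    strata = {"High": [], "Low": []}
    for rec in records:
        key = "High" if rec["amount"] >= high_risk_threshold else "Low"
        strata[key].append(rec)
    return strata


def systematic_sample(records, sample_size, start=None):
    """Select every nth item: interval n = N // sample_size, from a start
    offset inside the first interval (random unless fixed for reproducibility)."""
    n = len(records)
    if sample_size <= 0 or n == 0:
        return []
    if sample_size >= n:
        return list(records)
    interval = n // sample_size
    if start is None:
        start = random.randrange(interval)
    return [records[i] for i in range(start % interval, n, interval)][:sample_size]


def abnormal_items(records, factor=3.0):
    """Analytical procedure: amounts more than `factor` times the stratum
    median, or less than median / factor, are treated as aberrations."""
    if len(records) < 2:
        return []
    med = median(r["amount"] for r in records)
    return [r for r in records
            if r["amount"] > med * factor or r["amount"] < med / factor]


def plan_sample(population, high_risk_threshold, sizes, start=None):
    """sizes maps stratum name to sample size; High-risk areas get the larger
    sample. Abnormal items are listed in addition to the regular sample."""
    available, limitation = split_unavailable(population)
    strata = stratify(available, high_risk_threshold)
    plan = {"scope_limitation": [r["id"] for r in limitation], "strata": {}}
    for name, records in strata.items():
        records = sorted(records, key=lambda r: r["id"])   # stable order
        regular = systematic_sample(records, sizes[name], start)
        regular_ids = {r["id"] for r in regular}
        plan["strata"][name] = {
            "population": len(records),
            "regular": sorted(regular_ids),
            "abnormal": [r["id"] for r in abnormal_items(records)
                         if r["id"] not in regular_ids],
        }
    return plan


if __name__ == "__main__":
    import json
    print(json.dumps(plan_sample(POPULATION, 50_000, {"High": 4, "Low": 2}, start=1), indent=2))
```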

Section II - Internal Audit Tools

Need for Mathematical Tools

• To recognize early warning bells, as part of audit procedures, and protect the business against fraud or error
• Identify transactions that are indicative of fraud or error using tested and proven fraud & error detection techniques
• "Scientific" sample selection through automated procedures
• Reduced dependence on random sampling
• To identify red flags at Financial Statements level

Using Excel as a Tool

• ‘IF’
• ‘IF’ in combination with ‘AND’
• ‘IF’ in combination with ‘AND’ & ‘OR’
• ‘COUNTIF’ and ‘SUMIF’
• ‘SUMIFS’
• ‘VLOOKUP’
• Pivot Table function
• Setting filters
• Formula auditing

Using Excel as a Tool (illustrative)

Statistical Functions:

COUNT - Computes the number of numbers in a range
COUNTA - Computes the number of entries, including text entries, in a range
AVERAGE - Sums the numbers in a range and divides the total by the number of numbers
MEDIAN - Computes the middle value in a range of numbers
MODE - Computes the value that occurs most frequently
VLOOKUP - Searches for a value in the leftmost column of a table, and then returns a value in the same row from a column you specify in the table
PIVOT - Summarizes the columns of information in a database in relationship to each other

Analyzing data in IDEA

Use of data analytics tools facilitates creating a virtual room where all relevant audit content can be stored and accessed.

Section II - Reporting and Follow-up

Audit Report Structure

• Covering Letter
• Background / Function Overview
• Purpose / Objectives
• Scope of Work
• Audit Approach
• Limitation
• Executive Summary (Significant Findings)
• Detailed Observations
• Follow Up of Prior Recommendations

Audit Report Structure (illustrative observation table)

Columns: S.No. | Priority | Issue | Risk | Performance Improvement Observation | Management Response | Responsibility / Timelines

1. Priority: High

Issue: It was observed that in 48 out of 60 cases (total population of 850 cases for credit limit enhancement for the period March-May 2012) the credit limits enhanced for existing customers were not as per the parameters defined in the policy. Excess credit limit amounting to Rs 13.22 Lacs was given to customers. For details refer Annexure 1.

Risk: Incorrect credit limit offered to customers leading to increased credit risk exposure for the Company, which may eventually lead to higher delinquencies.

Performance Improvement Observation: The authority & responsibility within the Risk Team should be explicitly defined & documented for approving the credit limit increase deviations, and the same should be approved as per DOA.

Management Response: Adequate steps will be taken up to ensure policy adherence by having periodic process trainings for the account management team. The risk team would additionally support the training requirements of the AMU team.

Responsibility / Timelines: Risk Team, March 2013

2. Priority: High

Issue: Late Payment Charges amounting to Rs 1.3 Lacs were short-levied on 260 accounts and the same was excess levied on 296 accounts. Further, the Finance Charges on these accounts would be incorrect as the LPC is not accurately levied.

Risk: Possibility of revenue leakage for LPC and customer dissatisfaction / negative impact on brand / reputation.

Performance Improvement Observation: Business should evaluate the possibility of implementing a continuous control mechanism through data analytics tools, and a System Audit should be carried out.

Management Response: The implementation of the revised LPC tier from Rs.700 to Rs.750 was delayed by ~40 days due to a set-up miss, later identified by the pricing team and rectified on 12th November 2012.

Responsibility / Timelines: Marketing Team, March 2013

Section II - Internal Audit and Fraud

Anti Fraud Control Framework

Policy:
• Code of conduct
• Ethics policy
• Gifts and hospitality
• Agents
• Facilitation payments
• Tone from top

Process:
• Roles and responsibilities
• Accountability
• Annual sign off
• Self assessment
• Testing

People:
• Zero tolerance
• Board responsibilities
• Due diligence
• Training
• Education

Voice:
• Cross culture
• Disclosure
• Openness
• Employee / suppliers

Fraud Prevention Strategy

Thank You