pgcia - scope, process and tools - icai sep 05, 2014

Internal Audit Scope, Process and Tools ICAI, Hyderabad September 05, 2014 CA Nikshit HV Shah 1 ICAI Hyderabad

Upload: aayushi-arora

Post on 04-Oct-2015


DESCRIPTION

internal audit

TRANSCRIPT

  • Internal Audit Scope, Process and Tools

    ICAI, Hyderabad

    September 05, 2014

    CA Nikshit HV Shah

    1 ICAI Hyderabad

  • Agenda

    Understanding, Definition, Scope, Fraud, IA role, Process, Tools

  • Reality Check

  • Reality check

    As per a report of The IIA: Several survey respondents cited internal auditors as having primary responsibility for deterring (preventing) financial reporting fraud.

    As per Association of Certified Fraud Examiners (ACFE) Survey: Survey participants estimated that the typical organization loses 5% of its revenues to fraud each year.

  • Reality check

    ACFE Survey: 5% revenue loss; when applied to the 2011 Gross World Product, this figure translates to a potential projected annual fraud loss of more than $3.5 trillion.

    This is a huge amount; the economy of one developing country could be changed by it.

    On average, frauds reported in the survey lasted for 18 months before being detected.

  • Understanding IA

  • What is IA?

    Point out the five important elements, outcomes, factors, expectations, considerations for an Internal Audit project.

    Traditional approach and Modern approach

  • Traditional Risk Based Audits

    Traditional Risk Based IA approach:

    Perform a risk assessment and rate the various elements in the audit universe (e.g., locations, business units, processes, and projects) based on the audit team's assessment of risk.

    Prioritize audits based on the audit team's assessment of risk.

  • New approach - Risk Based Audits

    Enterprise Risk Management (ERM) approach:

    Instead of starting with an assessment of the audit universe, the auditor starts with the risks to the enterprise as a whole.

    The goal is to provide assurance on how well management's processes are able to manage the more significant risks.

    Internal Audit will audit the processes and controls that management relies on to manage the more significant risks to the enterprise.

  • What is Risk Based Auditing?

    Focus on risk of occurrences that could prevent the organization from achieving its goals

    There are many types of risk: fraud, improper reporting, ineffective or inefficient use of resources, credibility loss, etc.

    Focus on areas with high risk and high probability that controls are not in place or are weak

  • Understanding Internal Audit

    Internal audit is a tool to measure and evaluate:

    Systems, procedures, practices, compliance with policies for accounting, financial and other operations

    Practices to ensure the rules and regulations governing the operations of the organization are adhered to

    Risks and also suggests remedial measures, thereby acting as a catalyst for change and action.

  • Purpose & Definition

  • Purpose and role of IA


  • Definition

    As defined by The IIA, IA is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations.

    It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

  • IA Standards - ICAI


  • Scope

  • Scope

    IA functions: controls testing, operational efficiency testing

    Types of services:

    Assurance Services - involve the internal auditor's objective assessment of evidence to provide an independent opinion or conclusions regarding an entity, operation, function, process, system or other subject matter.

    Consulting services - are advisory in nature, and are generally performed at the specific request of an engagement client.

  • Scope - Area for review

    Internal Audit can review the following areas:

    Fraud risk assessment
    Regulatory compliance process
    Finance & Payroll practice
    Internal Controls and documentation
    Accounting and reporting processes
    Talent/HR related processes
    Security of assets - physical and IT
    Policy making and updation

    Not an exhaustive list.

  • Who needs Internal Audit?

    As per Companies Act 2013: Mandatory internal audit for prescribed classes of companies.

    U/s 138 - W.e.f. April 2014

    Who: CA, Cost Accountant or other professional

    Internal or external: either

    Applicable to:

    Every listed company

    Unlisted public company having:
      Paid-up share capital of 50 crores or more in PFY
      TO of 200 crores or more in PFY
      O/S loans of 100 crores or more anytime in PFY
      O/S deposits of 25 crores or more anytime in PFY

    Private company having 200 crores TO or 100 crores loan O/S

  • Process & Approach

  • IA Process & Methodology

    INTERNAL AUDIT METHODOLOGY

    1. Define Engagement

    2. Develop Risk Model

    3. Develop Plan

    4. Design Project Workplan

    5. Execute Project Workplan

    6. Deliver Results and Insights

  • Overview to Internal Audit Approach:

    Based on Business Risk Common Sense/Analytic Approach Focus on Internal Control Issue Focused Integrated Approach


  • We have a plan!

    Risk based audit plan developed with input from across the entity

    Risk factors: Impact, Probability, Controls

  • Impact

    What would be the impact on the entity if this item failed to function?

    High Impact - it could create serious problems for the Entity that could result in the loss or use of resources, a significant loss of revenues/funding, or unfavorable publicity and possible harm to the Entity's reputation

    Medium Impact - the Entity would recognize the impact, but would be able to manage the problem

    Low Impact - it would not have a significant impact on the Entity or its reputation

  • Probability

    Without considering existing process controls that may exist, what is the probability that this breakdown could occur?

    Every area has certain checks that help prevent things from going wrong.

    If the controls were not in place, what is the possibility that something would go wrong?

    High Probability - it is very likely that something could go wrong

    Medium Probability - it is possible that something could go wrong

    Low Probability - it is not likely that anything will go wrong

  • Controls

    How well does the Entity manage this potential risk, i.e. how good are the controls in this area?

    Are there currently processes in place that provide good checks and balances?

    Good - processes exist that should prevent the majority of possible losses or other problems

    Average - processes are in place that will usually prevent problems, although the processes could be better

    Poor - there are few processes in place to prevent losses or problems, or the processes are not working

  • Preventive Measures

    Make sure your controls are working
    Review and reconcile
    Check the work of your subordinates
    Don't give in to the temptation to skip controls because you are busy!

  • Audit Approach

    Apply simple analytic/common sense approach

    Understand / Document: Systems, Procedures, Internal Controls, Duties & People

    Evaluate: are systems functioning as designed, are controls & procedures adequate, are duties properly segregated, etc.

    Test: for compliance to key controls / procedures, key information produced by systems.

  • Internal Audit Approach Simplified:

    Review the Prior Workpapers -- review the key systems, reports, controls, people -- what were the issues from the last audit

    Audit team will review past review & determine items to be requested/samples as part of pre-engagement planning

    Discuss with Audit Team/management issues & concerns, determine what additional information/samples should be requested prior to conducting systems review

    Interview the appropriate associates, review processes, perform initial testing

    Determine if additional testing is needed, update systems documentation, request reports/samples for testing based upon review work performed

    Perform Systems testing

    Discuss preliminary findings with audit team, get feedback as to additional testing to perform, how to summarize and conclude on issues

    Share findings, systems documentation with auditee, get their feedback/corrections/disputes

    Work with audit team to draft preliminary findings for closing meeting/audit report

    Present the findings to management in closing meeting/draft audit report

    Review the feedback from management & factor it into the final report/perform additional audit steps

    Issue the final audit report

  • IA process in phases

    1. Pre-engagement planning

    2. Risk assessment

    3. Developing audit plan

    4. Audit program

    5. Execution testing

    6. Reporting and deliverables

  • Fraud

  • Definition of Fraud

    Intentional deception to cause a person to give up property or some lawful right.

    Deceit, trickery, cheating. - Webster's New World Dictionary

  • Identification of fraud

    Fraud encompasses an array of irregularities and illegal acts characterized by intentional deception

    Fraud can be perpetrated for the benefit of or the detriment of the organization and by persons outside as well as inside the organization.


  • Auditing Standards

    SIA 11 by ICAI and standard issued by IIA:

    The internal auditor should have sufficient knowledge to identify the indicators of fraud but is not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud

  • IA should determine whether

    The organizational environment fosters control consciousness
    Tone at the Top
    Prohibited activities and actions
    Ethics or fraud hotlines
    Hiring and promoting procedures
    Audit committee oversight
    Fraud vulnerability assessment
    Investigative process
    Remediation

  • Internal Auditor Responsibilities

    Have sufficient knowledge of fraud
    Be alert to opportunities where fraud could occur
    Evaluate the need for further action
    Perform additional audit procedures to gather evidence to support the suspected fraud
    Notify/Report the appropriate authorities

  • How Fraud is Identified


  • Reporting Fraud

    Reporting a fraud consists of the various oral or written, interim or final communications to management regarding the status and results of fraud investigation.

    Sufficient investigation should take place to establish reasonable certainty that a fraud has occurred before any fraud reporting is made.

  • Sample case study

  • Auditors miss!!!

    $1.04 billion that Satyam claimed to have on its balance sheet in non-interest-bearing deposits.

    Any reasonable company would have either invested the money into an interest-bearing account, or returned the excess cash to the shareholders.

    The large amount of cash thus should have been a red-flag for the auditors that further verification and testing was necessary.

    Also, the auditors did not independently verify with the banks in which Satyam claimed to have deposits.

  • IA process steps

  • Risk Assessment

    Understand Client's Business

    Design Risk Profile Based on the Outcomes of the Risk Management Process

    Conduct Risk Management Process i.e. Interviews, Interactive Workshops, Surveys, etc.

    Develop Risk Management Framework

    Inquiries

    Risk Management Framework

    Risk Profile High, Medium, Low

    Review Prior Year Work Papers

  • Audit Planning:

    Establishing Audit Objective & Scope
    Obtaining Background Information
    Determining Resources Needed
    Issuing Announcement Letter
    Preparing Audit Program
    Conducting an Opening Meeting

  • Developing Audit Plan

    Prioritize risk with the purpose of developing the internal audit plan

    Perform On-Going Reassessment of Internal Audit Plan

    Agree on Timing of Internal Audits

    Obtain Client Senior Management & Audit Committee Approval

    Recommend Risk-Based Internal Audit Strategic Plan

    Strategic Internal Audit Plan

    Audit Committee Presentation

    High-Level Project Budget

    Risk Assessment

  • Project Audit Program

    Terms of Reference

    Conduct Audit Project Planning Meeting with Staff

    Prepare Project Audit Program (Part of risk & control matrix)

    Document Business Processes (Specify Risk Areas)

    Identify Risks

    Understand Process/System

    Risk Audit Program

    Flowcharts, Narratives & Exhibits, Risk Control Matrix

    Risk Control Matrix

    Terms of Reference

    Controls Adequate to Mitigate Risk? (No / Yes)

    To Audit Report

    To Client Files

    Conduct Planning Meetings and Risk Assessment with Clients

  • Sample Audit program

    Some of the key fields that should be documented in an Audit Program are:

    Area of the process audited
    Key Risk and Sub-risk
    Controls Objectives
    Control Activities
    Testing procedure
    WP reference
    Observations

  • Conducting Fieldwork:

    Review Prior Work papers / Initial Risk Assessment
    Update Process Documentation
    Perform Systems or Other Testing
    Discuss Issues with Management Throughout engagement - No Surprises strategy
    Prepare Observations in a Fair & Independent Manner
    Complete and save Workpapers
    Back observations with numbers and specific transactions

  • Execute Audit Program / Testing

    Issue Sheets (Findings)

    Perform & Document Tests/Conclusions

    Update Strategic Internal Audit Plan

    Issue Internal Audit Report

    Review Issues & Recommendations With Area Management (Exit Conference)

    Evaluate Test Results

    Draft Reports

    Exit Conference Summary

    Review Work papers

    Work papers

    From Clients

    To Client Files

    Management Responses

    Final Report

    Final Report Mgt. Responses

  • Work Paper Documentation

    Describe the purpose of working papers.
    Apply firm policies and guidance as well as best practices to the preparation of working papers.
    Describe workpaper retention policies.
    Differentiate among types of correspondence and evaluate their relevance to the audit file.
    Share tips and tricks

  • Elements of Workpapers

    Working papers need to:

    Clearly demonstrate what work was performed.

    Contain sufficient information such as nature, timing, extent, and results of the procedures performed, evidence obtained, and conclusions reached.

    Preparer and Reviewer of working papers with the dates.

  • Example IA work paper


  • Presenting Observations to Management:

    Closing Meeting, Audit Report, Memos
    Open Communication
    Due Professional Care
    Thorough, Review Issues (identify significant vs. insignificant)
    Objective/Factual Presentation - bring support (documented examples)
    Tactful, Flexible, Open & Listen!
    Know the Issues Importance/Support

  • Reporting and Deliverables

    Define Reporting Responsibilities

    Evaluate IA Performance Against Client Expectations

    Re-Evaluate the Internal Audit Plan

    Conduct Periodic Status Meetings with Senior Management & the Audit Committee

    Audit Committee Presentation of IA Activities

    Executive Summary of IA Activities

    Summarize & Report Current IA Activities

    EP s

    Survey

    Follow-up & Track Key IA Recommendations

    Attend Audit Committee Meetings

    Communicate Risks/Exposures of Audit Findings

    Strategic Plan

    Periodic Meetings with A.C. Chairman

  • Do's and Don'ts - Best Practices

    Do:

    Pay attention to details (double check cross references)
    Review the file for spelling and grammatical errors
    Include information electronically when possible

    Don't:

    Use time dependent descriptions (currently, soon, in a few months)
    Include excessively large detailed material unless the entire file has been reviewed and is necessary

  • IA Tools

    Microsoft Office Products: Access, Excel, Word, PowerPoint, Outlook

    AS/2 (Auditsystem2) - application used to document program reference material and share & review w/p's.

    ACL (Audit Control Language)

  • Thank you!!!

    Let's keep it safe out there!

    CA Nikshit HV Shah

    8886116020
