PRESENTATION ON STANDARDS ON INTERNAL AUDIT – CODIFYING THE BEST PRACTICES
ORGANISED BY LUCKNOW BRANCH OF CIRC OF ICAI ON MAY 04, 2013 AT LUCKNOW
Presented by: CA Verendra Kalra

What is an internal audit?
Para 3.1 of the Preface to the SIAs issued by ICAI in 2004 describes internal audit as
“A continuous and critical appraisal of functioning of an entity with a view:
• to suggest improvements,
• to add value and strengthen the overall governance mechanism
• including the entity’s strategic risk management and internal control system”
SIA's-Codifying the Best Practices 2

Prerequisites of an internal audit function
• Internal auditors should be independent of the activities they audit. The internal audit function is, generally, considered independent when it can carry out its work freely and objectively. Independence permits internal auditors to render the impartial and unbiased judgment essential to the proper conduct of audits.
• Internal audit is a management function; thus, it has the high-level objective of serving management's needs through constructive recommendations in areas such as internal control, risk, utilization of resources, compliance with laws, management information system, etc.

Prerequisites of an internal audit function
• Internal audit's role should be a dynamic one, continually changing to meet the needs of the organization. There is often a need to change audit plans as circumstances warrant. These changes may include coverage of new areas, assistance to management in solving problems, and the development of new internal audit techniques.
• An effective internal audit function plays a key role in assisting the board to discharge its governance responsibilities. Thus, it contributes to the accomplishment of the objectives and goals of the organization through ethical and effective governance.

Prerequisites of an internal audit function
• Risk management enables management to deal effectively with risk and the associated uncertainty, enhancing the capacity to build value for the entity or enterprise and its stakeholders. The internal auditor plays an important role in providing assurance to management on the effectiveness of risk management.
• The internal audit function constitutes a separate component of internal control with the objective of determining whether other internal controls are well designed and properly operated. Thus, the examination and appraisal of controls are normally components, either directly or indirectly, of every type of internal auditing assignment.

Need for an internal audit - as mandated by law
• Clause 49 of the listing agreements as mandated by SEBI
• Section 292 A of The Companies Act 1956
• Companies (Auditor's Report) Order, 2003
• Section 581 ZF of the Companies Act,
• IRDA (Investment) (Fourth Amendment) Regulations, 2008 for stock brokers
• Sections 302 and 404 of the Sarbanes Oxley Act of 2002….

Types of Internal audits - Few Examples
• Internal audit requirements under Companies (Auditor’s Report) Order, 2003 (CARO, 2003)
• Internal audit of Enterprise risk management process
• Internal audit of corporate governance
• Internal audit of transactions of Depository Participants
• Internal audit in Banks
• Internal audit of treasury operations
• Internal audit of plastic money operations
• Internal audit of Mutual funds

Types of Internal audits - Few Examples
• Internal audit of a Not-for-Profit Organization
• Risk based Internal Audit of Intellectual property
• Internal audit of stock and Inventories
• Internal audit of adherence to competition Law
• Internal Audit - Controls due Diligence Reviews
• Internal Audit of ESOP Transactions
• Internal Audit of NBFCs
• Internal Audit of compliance with FEMA laws
• Internal Audit of compliance with Labour Law
• Internal Audit of Financial Instruments

Objectives of an internal audit
As per Para 3 of SIA 1 on planning an IA, IA inter alia helps in:
• Understanding and assessing the risks and evaluating the adequacy of the prevalent internal controls.
• Identifying areas for systems improvement and strengthening controls.
• Ensuring optimum utilization of the resources of the entity, for example, human resources, physical resources etc.
• Ensuring proper and timely identification of liabilities, including contingent liabilities of the entity.

Objectives of an internal audit
• Ensuring compliance with internal and external guidelines and policies of the entity as well as the applicable statutory and regulatory requirements.
• Safeguarding the assets of the entity.
• Reviewing and ensuring adequacy of information systems security and control.
• Reviewing and ensuring adequacy, relevance, reliability and timeliness of management information system.

Internal audit - some perspectives
• Need not be mandated by law, hence wider scope and more opportunities.
• Need not be an exclusive area for CAs, hence CAs need to be competitive.
• Scope is very different as compared to statutory audit, hence requires a different set of skills, some of which may not be already possessed by a traditional external auditor.
• Assurance as well as consultative role. External audit is only about assurance.
• Needs specialized knowledge of the Industry.
• Proactive, risk based, process driven approach vs. traditional reactive, transaction based approach.
• Helps to develop in the auditor an eye for detail, as success of IA hinges on the quality of Root Cause Analysis.

Internal audit - some perspectives
• Requires effective involvement of top management to be successful. Mere reporting without implementation will not create the impact.
• IA plan has to be dynamic as IA fatigue invariably sets in after some time.
• IA being a continuous activity, it requires keeping track of follow-ups, which is not required in a statutory audit once it is complete.
• Learning as a professional is much wider in an IA.

Internal audit - some perspectives
The above factors impact the:
• Approach and objective
• Skills required
• Articulation of scope clearly before the commencement of the IA.

Standards on Internal Audit (SIAs)
• SIAs
o Issued by the Council of the Institute of Chartered Accountants of India - not mandatory so far.
o SIAs apply whenever internal audit is carried out
o Till date 18 SIAs issued.
o Codify best practices in area of internal audit
o Provide a benchmark of the performance of the internal audit services
• Preface to the Standards on Internal Audit
• Framework for Standards on Internal Audit

Preface to the Standards on Internal Audit
• Scope of the Standards on Internal Audit (SIAs) - mandatory
• Scope of the Guidance Notes on Internal Audit - recommendatory
• Implications of the departures from SIAs/GNs
• Procedure for issuing the SIAs and Guidance Notes

Framework for Standards on Internal Audit
• Provides a frame of reference for the SIAs being issued
• Overall objective is to promote professionalism in the internal audit activity.
• Applies to all the persons performing IA, irrespective of whether the function is performed in-house or by an external agency.
• Has four well defined components.

Components of the Framework
The Code of Conduct
• Establishes the essential principles of conduct prescribed for the professionals in internal audit activity, such as ethical conduct, integrity, confidentiality etc. This is apart from the applicability of other pronouncements of ICAI on a member.
The Competence Framework
• Describes the key characteristics that are required of persons performing internal audit such as objectivity, technical competence, interpersonal skills, operational efficiency and due professional care. The competency framework is the minimum expectation.

Components of the Framework
The Body of Standards
• Standards specify the basic principles and processes.
• Mandatory minimum requirements
The Technical Guidance
• Provides guidance to internal auditors in resolving professional issues arising while carrying out internal audit. It includes explanatory material on SIAs or Technical Guides.
The first 3 components are mandatory.

SIA-1 Planning an Internal Audit
The standard talks about the following:
• Objectives of planning
• Factors affecting the planning process
• Scope of planning
• The planning process - obtaining knowledge of the business
• Establishing the audit universe
• Establishing the objectives of the engagement
• Establishing the scope of the engagement
• Deciding the resource allocation
• Preparation of the audit program
• Develop and document plan in consultation with those charged with governance, including the Audit Committee

SIA-1 Planning an Internal Audit
Internal audit plan should be based on:
o the objectives of the activity
o significant risks
o risk management and internal control system
o reflect the risk management strategy

SIA-2 Basic Principles Governing Internal Audit
• Lays down elaborate principles to give guidance on auditing procedure and reporting practices
• Compliance with basic principles
• Require application of procedures and practices appropriate to particular circumstances

SIA-2 Basic Principles Governing Internal Audit
Explains the principles which govern the internal auditor’s professional responsibilities:
• Integrity, objectivity and independence
• Confidentiality
• Due professional care, skills and competence
• Work performed by others
• Documentation
• Planning
• Evidence
• Internal Control and Risk Management systems
• Reporting

SIA-3 Documentation
• Provides guidance on documentation requirements in internal audit
• “IA documentation” means the record of audit procedures performed, incl. audit planning, relevant evidence obtained, and conclusions reached. It thus includes all papers prepared or obtained in connection with his work.
• Form and content of documentation
• Identification of the preparer and reviewer.
• Detention and retention of the documentation

SIA-3 Documentation
• May be on paper or on electronic or any other media
• Should include:
o internal audit charter,
o internal audit plan,
o nature, timing and extent of audit procedures performed, and
o conclusions drawn from the evidence obtained
• Signed by the preparers and reviewers

SIA-4 Reporting (Issued in August 2008)
• Establishes standards on the form and content of internal auditor’s report.
• Describes basic elements of an internal auditor’s report
• Deals with different stages of communication and discussion of the report
• Describes the reporting responsibilities of the internal auditor

SIA-4 Reporting (Issued in August 2008)
Basic Elements of the Internal Audit Report
• Title;
• Addressee;
• Report Distribution List;
• Period of coverage of the Report;
• Opening or introductory paragraph;
• Objectives paragraph;
• Scope paragraph;
• Executive Summary;
• Observations, findings and recommendations made by the internal auditor;
• Comments from the local management;
• Action Taken Report;

SIA-4 Reporting (Issued in August 2008)
Basic Elements of the Internal Audit Report….
• Limitation of scope para
• Date of the report;
• Place of signature; and
• Internal auditor’s signature with Membership Number.
Communication to management:
• Discussion draft
• Exit meeting
• Formal draft
• Final report

SIA-5 Sampling
• Provides guidance regarding the design and selection of an audit sample
• Guides on the use of audit sampling in the internal audit engagement
• Deals with evaluation of sample results
• Guidance on use of sample in risk assessment procedures and tests of controls performed by the internal auditor

Evaluation of Sample Results
The internal auditor should:
• analyse the nature and cause of any errors detected in the sample;
• project the errors found in the sample to the population;
• reassess the sampling risk; and
• consider their possible effect on the particular internal audit objective and on other areas of the internal audit engagement.
Sample size at times may be prescribed by the client itself.

SIA-6 Analytical Procedures
• Provides guidance regarding the application of analytical procedures during internal audit
• Deals with the aspects such as:
o the nature and purpose of analytical procedures,
o analytical procedures as risk assessment procedures and planning the internal audit
o analytical procedures as substantive procedures
o analytical procedures in the overall review at the end of the internal audit
o extent of reliance on analytical procedures

SIA-6 Analytical Procedures as Risk Assessment Procedures and in Planning the Internal Audit
• To obtain an understanding of the entity and its environment and in identifying areas of potential risk.
Analytical Procedures as Substantive Procedures
• When their use can be more efficient than Test of Details in reducing detection risk for specific financial statement assertions.

SIA-6 Analytical Procedures in the Overall Review at the end of the Internal Audit
• Forming an overall conclusion as to whether the systems, processes and controls as a whole are robust, operating effectively and are consistent with the internal auditor's knowledge of the business.

SIA-7 Quality Assurance in Internal Audit
Objective:
• Provide assurance that internal auditors comply with professional standards, regulatory and legal requirements
• A person within the entity should be entrusted with the responsibility for quality in the internal audit
• Include policies and procedures addressing each of the following elements:
o Leadership responsibilities for quality in internal audit
o Ethical requirements
o Acceptance and continuance of client relationship and specific engagement, as may be applicable
o Human resources
o Engagement performance
o Monitoring

SIA-7 Quality Assurance in Internal Audit
• Lays down that the quality in internal audit should provide reasonable assurance that the internal auditors comply with professional standards, regulatory and legal requirements so that the reports issued by them are appropriate in the circumstances.
• Provides guidance to the person entrusted with the responsibility for the quality of the internal audit, whether in-house internal audit or a firm carrying out internal audit.
• This Standard also provides extensive guidance about the internal quality reviews, external quality reviews and communicating the results thereof.

SIA-8 Terms of Internal Audit Engagement (Issued in August 2008)
• Establishes standards in respect of terms of engagement of the internal audit activity, whether carried out in house or by an external agency.
• Clarity on terms of internal audit engagement is essential for inculcating professionalism and avoiding misunderstanding as to any aspect of the engagement.
• The terms of engagement should be approved by the BOD or a relevant committee thereof such as the Audit committee.

SIA-8 Terms of Internal Audit Engagement
Elements of Terms of Engagement
• Scope
• Responsibility
• Authority
• Confidentiality
• Limitations
• Reporting
• Compensation
• Compliance with Standards
SIA also talks about the manner in which withdrawal from the engagement should be done, if so required.

SIA-9 Communication with Management
• Provides a framework for internal auditor’s communication with management and identifies some specific matters to be communicated with management as described in the terms of the engagement.
• Deals with the aspects such as:
o Matters to be communicated
o The communication process - Forms, Timing, Adequacy
o Documentation of Communication

SIA-9 Communication with Management
Matters to be Communicated
• Internal Auditor’s responsibilities in relation to the terms of engagement
• Planned scope and timing of the Internal Audit
• Significant findings from the Internal Audit
o Discussion draft
o Exit meeting
o Formal draft
o Final report
Timing of communication
• Material weaknesses and threats to independence to be communicated as soon as practicable

SIA-10 Internal Audit Evidence
• Deals with the aspects such as:
o objective of the internal audit evidence,
o sufficiency and appropriateness of internal audit evidence,
o procedures for obtaining evidence
• Internal audit evidence should enable internal auditor to form an opinion on scope of terms of engagement

SIA-10 Internal Audit Evidence
Obtaining internal audit evidence - manner thereof
• Inspection
• Observation
• Inquiry and confirmation
• Computation
• Analytical review

Sufficient and Appropriate Internal Audit Evidence
Internal auditor’s judgment as to what is sufficient and appropriate internal audit evidence is usually influenced by:
• The materiality of the item.
• The type of information available.
• Degree of risk of misstatement which may be affected by factors such as:
o The nature of the item.
o The nature or size of the business carried on by the entity.
o Situation which may exert an unusual influence on management

SIA-11 Consideration of Fraud in an Internal Audit
• Deals with the aspects such as:
o what is fraud?
o concept of internal control system,
o elements of internal control system,
o responsibilities of the internal auditors,
o to whom the internal auditors will communicate about the presence of fraud,
o documentation of fraud risk factors when identified

SIA-11 Consideration of Fraud in an Internal Audit
Responsibilities of the Internal Auditor
• Internal auditor to help management fulfill the responsibilities relating to fraud detection and prevention
• Approach of internal auditor should include
o Control Environment
o Risk Assessment
o Information System and Communication
o Control Activities
o Monitoring

SIA-12 Internal Control Evaluation
Deals with the aspects such as:
• Nature, Purpose and Types of Internal Controls
• Inherent Limitations of Internal Controls
• Role of Internal Auditor in Evaluating Internal Controls
• Monitoring Internal Audit findings
• Communication of Continuing Internal Control Weaknesses

SIA-12 Internal Control Evaluation
Role of Internal Auditor
• Examine continued effectiveness of internal control system through evaluation and make recommendations, if any, for improving effectiveness.
• Focus towards improving internal control structure and promoting better corporate governance.
• Make management aware, as soon as practical and at an appropriate level, of material weaknesses in design or operation of internal control systems
• Describes Risk and Enterprise Risk Management

SIA-13 Enterprise Risk Management
Deals with the aspects such as:
• Process of ERM and Internal Audit
• Role of Internal Auditor in Relation to ERM
• Monitoring Internal Audit findings
• Internal Audit Plan and Risk Assessment

SIA-13 Enterprise Risk Management
Role of Internal Auditor in Relation to ERM
• Provide assurance to management on effectiveness of risk management
• Review maturity of ERM structure by considering whether the framework so developed:
• Protects enterprise against surprises;
• Stabilizes overall performance with less volatile earnings;
• Operates within established risk appetite;
• Protects ability of enterprise to attend to its core business
• Creates system to proactively manage risks

SIA-14 Internal Audit in an IT Environment
Describes:
• Skills and competence to conduct internal audit in an IT environment
• Factors to be considered while planning such an internal audit
• Matters that may affect audit in an IT environment
• Risk Assessment
• Audit Procedures
• Review of IT Environment
• Outsourced Information Processing
• Documentation

SIA-14 Internal Audit in an IT Environment
Review of Information Technology Environment
• Overall objective and scope of an internal audit does not change in an IT environment
• Consider IT environment in designing audit procedures to review systems, processes, controls and risk management framework
• Apply professional judgment and skill in reviewing IT environment and assessing interface of such IT infrastructure with other business processes

SIA-15 Knowledge of the Entity and its Environment (Issued in March 2009)
Establishes standards to provide guidance on:
• what constitutes knowledge of an entity’s business
• its importance to various phases of internal audit engagement
• techniques to be adopted by internal auditor in acquiring such knowledge about entity and its environment
• guidelines regarding application, usage and documentation of such knowledge by internal auditor
• Using information appropriately assists internal auditor in

SIA-15 Knowledge of the Entity and its Environment
• Assessing risks and in identifying key focus areas
• Planning and performing internal audit effectively and efficiently
• Evaluating audit evidence
• Providing better quality of service to client

SIA-16 Using the Work of an Expert (Issued in March 2009)
• Provides guidance where the internal auditor uses the work performed by an expert
• Explains situations in which need for using work of an expert might arise
• Considering skills and competence and objectivity of the expert
• Lays down procedures for evaluating the work of an expert

SIA-17 Consideration of laws and regulations in an internal audit
• Non-compliance – Acts of omission or commission by the entity, either intentional or unintentional, which are contrary to the prevailing laws or regulations. Such acts include transactions entered into by, or in the name of, the entity, or on its behalf, by those charged with governance, management or employees. Non-compliance does not include personal misconduct (unrelated to the business activities of the entity) by those charged with governance, management or employees of the entity.

SIA-16 Using the Work of an Expert
Reference to an expert in Report
• IA should not, normally, refer to work of an expert in internal audit report
• Reference may be useful in cases
o Existence of material weaknesses or deficiencies in internal control system
o Beneficial to the readers
• Reference should outline assumptions, broad methodology and conclusions of expert

SIA-17 Consideration of laws and regulations in an internal audit
• Non-compliance with laws and regulations may result in fines, litigation or other consequences for the entity that may have a material effect on not only the reporting framework of the financial statements but also on the functioning of the entity and which in extreme cases may impair its ability to continue as a going concern itself.

SIA-17 Consideration of laws and regulations in an internal audit
Objectives of Internal auditor are:
• To obtain sufficient appropriate audit evidence regarding compliance with the provisions of those laws and regulations generally recognized to have a direct effect on the determination of material amounts and disclosures in the financial statements;
• To perform specified audit procedures to help identify instances of non-compliance with other laws and regulations that may have a significant impact on the functioning of the entity; and

SIA-17 Consideration of laws and regulations in an internal audit
• To respond appropriately to non-compliance or suspected non-compliance with laws and regulations identified during the internal audit.
Responsibility of internal auditor:
• Since the role of an internal auditor is to carry out a continuous and critical appraisal of the functioning of an entity and suggest improvements thereto, the identification of non-compliance with laws and regulations is also an inherent part of his responsibilities.

SIA-18 Related parties (Issued in January 2013)
Procedures for identification and reporting of non-compliance
• The SIA gives elaborate guidelines on these issues as well.
• Purpose of SIA is to provide guidance on the procedures to be followed by the internal auditor in ensuring that related party activities of the entity are properly captured through internal controls; and that related party activities are consistent with the entity’s code of conduct and conflict of interest policy, applicable laws and regulations and disclosure requirements.
• Parties are considered to be related, if at any time during the reporting period, one party has the ability to control the other party or exercise significant influence over the other party in making financial and/or operating decisions.

SIA-18 Related parties
The standard gives guidance on:
• Procedures to be followed
• Types of evidence to be examined
• Evaluating management’s support for the assertion that a related party transaction was conducted on terms equivalent to those prevailing in an arm’s length transaction.
• Documentation of such relationships
• Communication with those charged with governance

THANK YOU
CONTACT DETAILS:
Head Office: 75/7 Rajpur Road, Dehradun
T +91.135.2743283, 2747084
F +91.135.2740186
E info@vkalra.com
W www.vkalra.com
Branch Office: 80/28 Malviya Nagar, New Delhi
E info@vkalra.com
W www.vkalra.com