4. Internal Audit - Basics
Definition of Internal Audit:
Internal auditing is an independent, objective assurance and consulting activity designed to add value
and improve an organization’s operations. It helps an organization accomplish its objectives by
bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk
management, control, and governance processes.
Objectives of Internal Audit:
Risk Management
Control
Governance
Risk:
Risk is the potential that a chosen action or activity (including the choice of inaction) will lead to a
loss (an undesirable outcome). The notion implies that a choice having an influence on the outcome
sometimes exists (or existed).
Internal Control:
Internal Control is a process, effected by an entity’s board of directors, management, and other
personnel, designed to provide reasonable assurance regarding the achievement of its objectives
(Operational, Reporting & Compliance).
5. Why Internal Audit?
CARO (Companies (Auditor's Report) Order, 2003): Requires listed companies to have an internal audit system commensurate with their size and nature of business. To comply with the requirements, companies may either have an internal audit department or outsource the internal audit function to an external agency.
Clause 49: Requires the audit committee's role to include oversight of the internal audit function as one of its terms of reference. The agreement requires the audit committee to review with management the performance of the internal audit function.
Companies Act, 1956 (Section 224): Requires companies to appoint an auditor or auditors at every annual general meeting, to hold office from the conclusion of that meeting until the conclusion of the next annual general meeting.
7. Enterprise Risk Management
ERM defined:
A process, effected by an entity's board of directors, management and other personnel,
applied in strategy setting and across the enterprise, designed to identify potential events
that may affect the entity, and manage risks to be within its risk appetite, to provide
reasonable assurance regarding the achievement of entity objectives.
The key to effectively protecting and growing returns for an organization’s shareholders is to
identify and manage the risks that could prevent the organization from achieving its business
objectives. The enterprise risk assessment is an efficient, comprehensive process that provides
insight on inherent risks from an industry perspective and links them to the organization’s
objectives, initiatives, and business processes.
Entity objectives can be viewed in the context of four categories:
Strategic
Operations
Reporting
Compliance
Enterprise risk management requires an entity to take a portfolio view of risk. Management
considers how individual risks interrelate and develops a portfolio view from two perspectives:
Business unit level
Entity level
10. Compliance to Auditing Standards (ICAI)
Standards on Internal Audits:
• Standard on Internal Audit (SIA) 1, Planning an Internal Audit
• Standard on Internal Audit (SIA) 2, Basic Principles Governing Internal Audit
• Standard on Internal Audit (SIA) 3, Documentation
• Standard on Internal Audit (SIA) 4, Reporting
• Standard on Internal Audit (SIA) 5, Sampling
• Standard on Internal Audit (SIA) 6, Analytical Procedures
• Standard on Internal Audit (SIA) 7, Quality Assurance in Internal Audit
• Standard on Internal Audit (SIA) 8, Terms of Internal Audit Engagement
• Standard on Internal Audit (SIA) 9, Communication with Management
11. Compliance to Auditing Standards (ICAI)
Standards on Internal Audits:
• Standard on Internal Audit (SIA) 10, Internal Audit Evidence
• Standard on Internal Audit (SIA) 11, Consideration of Fraud in an Internal Audit
• Standard on Internal Audit (SIA) 12, Internal Control Evaluation
• Standard on Internal Audit (SIA) 13, Enterprise Risk Management
• Standard on Internal Audit (SIA) 14, Internal Audit in an Information Technology Environment
• Standard on Internal Audit (SIA) 15, Knowledge of the Entity and its Environment
• Standard on Internal Audit (SIA) 16, Using the Work of an Expert
• Standard on Internal Audit (SIA) 17, Consideration of Laws and Regulations in an Internal Audit
• Standard on Internal Audit (SIA) 18, Related Parties
12. Compliance to Auditing Standards
The IIA Standards types:
a) Attribute Standards: address the attributes of organizations and individuals
performing internal audit services. The attributes addressed are:
Purpose, Authority and Responsibility
Independence and Objectivity
Proficiency and Due Professional Care
Quality Assurance
b) Performance Standards: describe the nature of internal audit services and provide
quality criteria against which the performance of these services can be measured.
The criteria addressed are:
Managing Internal Audit Activity
Nature of Work
Engagement Planning
Performing the Engagement
Communicating Results
Monitoring Progress
Management’s Acceptance of Risk
c) Implementation Standards: expand upon the Attribute and Performance Standards,
providing guidance in specific types of engagements.
13. Compliance to Auditing Standards (illustrative)
S.N. Title of Standard
1 1000 - Purpose, Authority, and Responsibility
2 1010 - Recognition of the definition of Internal Auditing, the Code of Ethics, and the Standards in the Internal Audit Charter
3 1100 - Independence and Objectivity
4 1110 - Organizational Independence
5 1111 – Direct Interaction with the Board
6 1120 - Individual Objectivity
7 1130 - Impairments to Independence or Objectivity
8 1200 - Proficiency and Due Professional Care
9 1210 - Proficiency
10 1220 - Due Professional Care
11 1230 - Continuing Professional Development
12 1300 - Quality Assurance and Improvement Program
13 1310 - Quality Program Assessments
14 1311 - Internal Assessments
15 1312 - External Assessments
15. IA Process Overview
1. Define
1.1 Define objectives of data analysis
1.2 Gain an understanding
1.3 Define data requirements
2. Validate
2.1 Request and receive data
2.2 Validate control totals
2.3 Perform data quality assessment
3. Execute
3.1 Execute audit steps
3.2 Identify discrepancies
3.3 Discuss discrepancies with stakeholders and validate errors
3.4 Assess impact on objectives
4. Retain
4.1 Document process (reproduce data)
4.2 Document retention
16. Execution Process Overview
Control Evaluation: Gather Info → Understand the Process → Evaluate Control → Reassess Scope
Testing: Develop Test Plan → Consider Sampling or CAATs → Substantive Testing
Formulate Findings → Assess Root Cause → Prioritize → Agree Action Plan with the Management
17. Evaluation Process
Starting from the control objective and its risk:
1. Is a control in place?
   NO: Is there a mitigating control, and in the appropriate timeframe?
       NO: Missing Controls
       Yes: Assess mitigation: Missing / Mitigated Controls
   Yes: Does the control address the risk? (e.g. are all relevant attributes covered?)
       NO: Inadequate Controls
       Yes: Determination on adequacy of control design
18. Risk and Control Matrix
Columns: Sr. No. | Process | Sub Process/Activity | What Can Go Wrong (Risk) | Control Description | Test Procedures | Documents to be Referred for Test Procedures | Conclusion (Effective / Ineffective)
Sr. No.: 1
Process: Client Billing (Invoicing & Collection)
Sub Process/Activity: Quantity Assessment & Work
What Can Go Wrong (Risk):
• Incorrect quantity assessment by the billing engineer leading to under-billing to the client
• Incorrect quantity assessment by the billing engineer leading to over-billing to the client
Control Description:
• Quantity assessment is done against the schedule of work (target billing) and the actual work carried out at the site
• The quantity assessment is also cross checked against the MPR/DPR (prepared by the planning department, who in turn get the data from the execution department and sub-contractors/vendors)
• Quantities for billing are supported by site measurements/stock consumption and issuance records
Test Procedures:
• Obtain the latest Project Review Report (PRR) and Daily Progress Report (DPR) for the period under review
• Select sample RA Bills and review whether related records certifying the completion of measured work are maintained
• Ensure measured works are strictly in accordance with the scope of work and any variation is separately parked as 'Extra Work/Item'
Documents to be Referred for Test Procedures:
• Measurement sheets from the site
• PRR and DPR
• Raised RA Bills and certified RA Bills
Conclusion (Effective / Ineffective): (left blank)
19. Steps to Follow after identifying a Finding
• Discuss and validate errors with responsible stakeholders and process owners
• Consider whether there are any compensating controls within the process or system,
and extend the testing scope, if necessary
• Assess impact - Whether or not the objectives of the test have been met and if
alternative measures need to be taken
• Evaluate Exceptions or Errors Identified during Controls Testing for the following:
i. Potential Effect on control objectives
ii. Incidence, or level of error
iii. Cause of the control breakdown
iv. Actual Effect, if applicable
20. Elements of a Finding
Criteria:
Provides a context for evaluating evidence and understanding the findings (Control Objectives)
• Policies & Procedures (Expectations of what should exist)
• Contracts & Agreements
• Laws & Regulations
• Standards & Benchmarks
• Defined business practices or measures against which performance is compared or evaluated
Condition:
The condition is the situation that exists, or what was occurring, when the control weakness was identified, i.e. the exception or deficiency.
Cause:
Identifies the reason for the condition, or the factor(s) responsible for the difference between the situation that exists (condition) and the required or desired state (criteria). Common factors include poorly designed policies, procedures or criteria; inconsistent, incomplete or incorrect implementation; segregation of duties; or business conditions.
Effect or Risk Impact:
A clear, logical link to establish the impact or potential impact of the difference between the
situation that exists (condition) and the required or desired state (criteria), which identifies the
outcomes or consequences of the condition. Effect or risk impact may be used to demonstrate the
need for corrective action in response to identified condition.
21. Recommendations
• Should address the root cause not just the symptoms
• Be relevant and practical
• Compare the benefits to costs
• More than 1 recommendation may be required to completely address an issue
• Use best practices as a source for creative insight, adapting to the needs of the
organization
Example:
Audit Objective: Evaluate and document credit limit increase procedures
Risk/Control Objective: Credit limit increases are manually reviewed and approved prior to processing the request in the system
Sample Selection: 15 credit limit increase accounts from a system generated report
Documents Obtained: Credit limit increase MIS, the credit limit increase delegation of authority and income documents
Exceptions noted: 3 of 15 credit limit increases were not reviewed and approved per the delegation of authority, and excess credit limit was granted to customers.
22. Section II - Assessing Risks & Internal Controls
23. Internal Control Structure
In many cases, you perform controls and interact with the control structure every day.
Monitoring:
• Monthly reviews of performance reports
• Internal audit function
Information & Communication:
• Vision and values
• Issue resolution calls
• Reporting
• Corporate communications (e-mail, meetings)
Control Activities:
• Credit limits
• Approvals
• Security
• Block Codes / policies
Risk Assessment:
• Monthly Risk Control meetings
• Internal audit risk assessment
Control Environment:
• Tone from the top
• Corporate Policies
• Organizational authority
An internal control structure is simply a different way of viewing the business
– a perspective that focuses on doing the right things in the right way.
24. Concepts and Objectives
Control definition reflects certain fundamental concepts:
Internal control is a process
Internal control is effected by people. It's not merely policy manuals and forms,
but people at every level of an organization.
Internal control can be expected to provide only reasonable assurance, not
absolute assurance, to an entity's management and board.
Objectives of Internal Control
Internal controls are established to further strengthen:
The reliability and integrity of information.
Compliance with policies, plans, procedures, laws and regulations.
The safeguarding of assets.
The economical and efficient use of resources.
The accomplishment of established objectives and goals for operations or programs.
25. Control Techniques
Prevention techniques are designed to provide reasonable assurance that only valid
transactions are recognized, approved and submitted for processing. Therefore, many of
the preventive techniques are applied before the processing activity occurs. In most
situations, preventive techniques are likely to be more effective in a strong control
environment, when management authorization criteria are well-defined and properly
communicated.
Control type definitions:
Preventive - Manual
Preventive - System
Examples of preventive controls include:
• Segregation of duties (Preventive-Manual)
• Business systems integrity and continuity controls, e.g., application design standards,
change controls, security controls, systems backup and recovery (Preventive – System)
• Physical safeguard and access restriction controls (human, financial, physical and
information assets) (Preventive-Manual)
• Effective "whistle blowing" processes (Preventive-Manual)
26. Control Techniques
Detection techniques are designed to provide reasonable assurance that errors and
irregularities are discovered and corrected on a timely basis. Detection techniques normally
are performed after processing has been completed. They are particularly important in an
environment that has relatively weak preventive techniques. That is, when front-end
approval and processing techniques do not provide reasonable assurance that unacceptable
transactions are prevented from being processed or do not assure that all approved
transactions are processed accurately. In this case, after-the-fact techniques become more
important in detecting and correcting processing errors.
Control type definitions:
Detective - Manual
Detective - System
Examples of detection techniques include:
• Reconciliation of batch balance reports to control logs maintained by originating
departments. (Detective – Manual)
• Review and approval of reference file maintenance (“was-is”) reports. (Detective –
Manual)
• Reconciliation of interface amounts exiting one system and entering another.
(Detective – System)
• Review of on-line access and transaction logs. (Detective – System)
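The two system-side detective techniques above, reconciling batch totals to a control log and reconciling interface amounts leaving one system and entering another, come down to the same check: compare a record count and a hash total per batch on both sides and report every batch that does not agree. The Python below is an added example for this deck, not the presenter's material; the batch ids, invoice references and amounts are constructed sample data, and the same routine serves the "validate control totals" step of the IA process overview.

```python
"""Detective (system) control: reconcile interface amounts that left one system
against the amounts that arrived in another, batch by batch.

Added example for this deck (not the presenter's material). The batch ids,
invoice refs and amounts below are constructed sample data."""
from collections import defaultdict
from decimal import Decimal

# Constructed extract from the sending system (e.g. billing), one row per invoice:
# (batch id, document ref, amount)
SOURCE_EXTRACT = [
    ("B-1001", "INV-1", Decimal("1250.00")),
    ("B-1001", "INV-2", Decimal("320.50")),
    ("B-1002", "INV-3", Decimal("990.00")),
    ("B-1003", "INV-4", Decimal("75.25")),
    ("B-1003", "INV-5", Decimal("75.25")),
]

# Constructed extract from the receiving system (e.g. general ledger). Three things
# were planted: INV-2 arrived with a different amount, INV-5 never arrived, and
# batch B-1004 exists only on the receiving side.
TARGET_EXTRACT = [
    ("B-1001", "INV-1", Decimal("1250.00")),
    ("B-1001", "INV-2", Decimal("230.50")),
    ("B-1002", "INV-3", Decimal("990.00")),
    ("B-1003", "INV-4", Decimal("75.25")),
    ("B-1004", "INV-9", Decimal("10.00")),
]


def control_totals(records):
    """Record count and hash total (sum of amounts) per batch, the figures a
    control log or batch balance report would carry."""
    totals = defaultdict(lambda: {"count": 0, "amount": Decimal("0")})
    for batch, _ref, amount in records:
        totals[batch]["count"] += 1
        totals[batch]["amount"] += amount
    return dict(totals)


def reconcile(source, target):
    """Compare per-batch control totals on both sides. Returns one exception per
    batch that does not agree; an empty list means the interface reconciles."""
    src, tgt = control_totals(source), control_totals(target)
    empty = {"count": 0, "amount": Decimal("0")}
    exceptions = []
    for batch in sorted(set(src) | set(tgt)):
        s = src.get(batch, empty)
        t = tgt.get(batch, empty)
        if batch not in src:
            issue = "missing at source"
        elif batch not in tgt:
            issue = "missing at target"
        elif s["count"] != t["count"]:
            issue = "count mismatch"
        elif s["amount"] != t["amount"]:
            issue = "amount mismatch"
        else:
            continue  # batch agrees on both count and hash total
        exceptions.append({
            "batch": batch,
            "issue": issue,
            "source_count": s["count"],
            "target_count": t["count"],
            "source_amount": s["amount"],
            "target_amount": t["amount"],
            "difference": t["amount"] - s["amount"],
        })
    return exceptions


if __name__ == "__main__":
    for e in reconcile(SOURCE_EXTRACT, TARGET_EXTRACT):
        print(f"{e['batch']}: {e['issue']} (source {e['source_amount']}, "
              f"target {e['target_amount']}, difference {e['difference']})")
```

Run stand-alone it lists three exceptions: B-1001 (amount mismatch, difference -90.00), B-1003 (count mismatch, one record lost) and B-1004 (missing at source). Checking the count before the amount matters: a dropped record and an altered amount in the same batch can cancel out in the hash total, so the count is the first line of detection.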
27. Risk Analysis
Risk Assessment: Identification, Measurement, Prioritization
Risk Management: Control It, Share or Transfer It, Diversify or Avoid It
Risk Monitoring: Process Level, Activity Level, Entity Level
28. Role of a Process Owner
General Expectations
• Acknowledge the responsibility for the design, implementation and maintenance
of the control structure within the business processes
• Contribute direction to identify, prioritize and review risks and controls
• Remove obstacles for compliance; remedy control deficiencies
• Continue or begin a program of self-assessment and testing to monitor the
controls within the processes
• Quarterly
- confirm key controls are implemented and effective
- maintain documentation to support this assessment
Immediate Action Items
• Educate personnel about the requirements and effort
• Reinforce internal focus on controls within the process
• Surface any risks, concerns or issues promptly to allow adequate attention for
correction (don’t wait for an audit)
• Fix control gaps within reasonable timescales
30. Sampling
Population:
The entire set (universe) of items from which a sample is selected and reviewed, and about which the auditor wishes to draw conclusions.
Data availability for population:
An important aspect of sample selection is the availability of data. Depending upon the population, the entire data set may or may not be available. Where the entire data set is not available, this should be brought to the attention of management, agreed with the stakeholders and clearly recorded as a scope limitation.
Systematic selection:
A systematic approach is used by the auditor to select items, to minimize any potential human judgment or bias. Every nth item within the population is selected in accordance with a defined sampling interval.
Haphazard selection:
The auditor, without any conscious bias, selects sample items randomly, i.e., without any special reason for including or omitting items from the sample.
Stratification:
Prior to carrying out analytical procedures, it is important to stratify / classify the data into separate logical sections. This classification not only helps in analyzing trends unique to a particular category but also helps in assessing materiality while selecting a sample.
31. Sampling
Perform analytical procedures:
An analytical procedure is defined as an evaluation of financial information made by a study of plausible relationships among both financial and non-financial data.
Analyse abnormal transactions:
If the analytical procedures highlight certain abnormal transactions (where there are significant aberrations), they should be separated and reviewed separately. Such transactions should be reviewed in addition to the regular sample selected.
Using Excel / CAAT:
Where the testing objective can be applied to the entire population using Excel / a CAAT, audit procedures should be performed on the entire population; otherwise samples should be selected for testing.
Determining sample size and selecting the sample:
The sample size will depend on the frequency of the control being tested and the level of evidence judged to be necessary by the client and the engagement team. For this purpose the engagement team should define the areas under scope as either High or Low risk.
Performing audit procedures and evaluating test results:
When weaknesses in internal controls are identified, we should consider whether there are any compensating controls within the process or system. If we believe there are appropriate compensating controls, we should extend the testing scope to include testing of these compensating controls.
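The three selection methods from the previous slide (systematic selection by a sampling interval, haphazard selection, and stratification before selecting) together with the per-stratum sample size decision from this slide, as an added Python example for this deck rather than the presenter's material. The population of credit-limit-increase transactions and the amount bands are constructed; the per-stratum sizes passed to `stratified_sample` stand in for the High/Low risk call the engagement team would make, since the slides give no sample-size table.

```python
"""Sample selection for control testing: systematic, haphazard and stratified.

Added example for this deck (not the presenter's material). The population and
the amount bands are constructed; the per-stratum sample sizes are an assumed
input standing in for the engagement team's High/Low risk judgement."""
import random
from collections import defaultdict

# Constructed population of 20 transactions (id, amount in rupees).
AMOUNTS = [5000, 12000, 800, 45000, 2300, 9900, 150000, 700, 31000, 4100,
           22000, 600, 88000, 3900, 15500, 2750, 64000, 1200, 7800, 50500]
POPULATION = [{"id": f"CLI-{i:03d}", "amount": amt}
              for i, amt in enumerate(AMOUNTS, start=1)]


def systematic_sample(population, sample_size, start=None):
    """Every nth item, n being the sampling interval len(population) // sample_size.
    The starting offset is chosen at random unless supplied; record it in the
    workpapers so the selection can be reproduced."""
    if not 0 < sample_size <= len(population):
        raise ValueError("sample size must be between 1 and the population size")
    interval = len(population) // sample_size
    if start is None:
        start = random.randrange(interval)
    return population[start::interval][:sample_size]


def haphazard_sample(population, sample_size, seed=None):
    """Selection without any conscious bias. Seeding the generator keeps the
    selection reproducible for review without the auditor choosing items."""
    return random.Random(seed).sample(population, sample_size)


def stratify(population, key):
    """Split the population into logical sections (strata) by a classification key."""
    strata = defaultdict(list)
    for item in population:
        strata[key(item)].append(item)
    return dict(strata)


def stratified_sample(population, key, sizes, seed=None):
    """Sample each stratum separately so that high-value or high-risk items are
    not swamped by the many small ones. 'sizes' maps stratum -> items wanted;
    a stratum smaller than its requested size is taken in full."""
    rng = random.Random(seed)
    selection = {}
    for stratum, items in stratify(population, key).items():
        n = min(sizes.get(stratum, 0), len(items))
        selection[stratum] = rng.sample(items, n) if n else []
    return selection


def amount_band(txn):
    """Constructed materiality bands used as the stratification key."""
    if txn["amount"] >= 50000:
        return "high"
    if txn["amount"] >= 10000:
        return "medium"
    return "low"


if __name__ == "__main__":
    print("systematic:", [t["id"] for t in systematic_sample(POPULATION, 5, start=0)])
    print("haphazard:", [t["id"] for t in haphazard_sample(POPULATION, 5, seed=42)])
    sizes = {"high": 4, "medium": 2, "low": 2}  # assumed: test all high-band items
    for band, items in stratified_sample(POPULATION, amount_band, sizes, seed=42).items():
        print(f"{band}: {[t['id'] for t in items]}")
```

With a population of 20 and a sample of 5 the interval is 4, so a start of 0 selects CLI-001, CLI-005, CLI-009, CLI-013 and CLI-017. Stratifying first lets the high band be tested in full (the four items at or above 50,000) while the eleven low-band items contribute only two, which is the materiality point the stratification slide makes.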
33. Need for Mathematical Tools
To recognize early warning bells, as part of audit procedures, and protect the business against fraud or error
To identify transactions that are indicative of fraud or error, using tested and proven fraud & error detection techniques
“Scientific” sample selection through automated procedures
Reduced dependence on random sampling
To identify red flags at the financial statements level
34. Using Excel as a Tool
• ‘IF’
• ‘IF’ in combination with ‘AND’
• ‘IF’ in Combination with ‘AND’ & ‘OR’
• ‘CountIF’ and ‘SUMIF’
• ‘SUMIFS’
• ‘VLOOKUP’
• Pivot Table Function
• Setting Filters
• Formula Auditing
35. Using Excel as a Tool (illustrative)
Statistical Functions:
COUNT: Computes the number of numbers in a range
COUNTA: Computes the number of entries, including text entries, in a range
AVERAGE: Sums the numbers in a range and divides the total by the number of numbers
MEDIAN: Computes the middle value in a range of numbers
MODE: Computes the value that occurs most frequently
VLOOKUP: Searches for a value in the leftmost column of a table, and then returns a value in the same row from a column you specify in the table
PIVOT: Summarizes the columns of information in a database in relation to each other
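The Excel building blocks listed on the two slides above (IF with AND, COUNTIF, SUMIF, VLOOKUP and a pivot) are what an auditor would string together to run the credit limit increase test from the Recommendations slide. The following Python is an added example for this deck, not the presenter's material, that carries that test through in code: the delegation-of-authority (DOA) grid and the system-generated report of 15 increases are constructed so that 3 of them fail, mirroring the figures in that example; the approval levels and limits are assumptions.

```python
"""Control test over credit-limit increases against a delegation of authority
(DOA), written the way the Excel logic on this slide would be: a VLOOKUP-style
lookup of the approver's limit, an IF/AND test per row, COUNTIF of exceptions,
SUMIF of the excess and a small pivot by approver level.

Added example for this deck (not the presenter's material). The DOA grid and the
report of 15 increases are constructed so that 3 fail, mirroring the example on
the Recommendations slide."""
from collections import Counter
from decimal import Decimal

# Constructed DOA grid: the largest increase each approval level may authorise.
DOA_LIMITS = {
    "officer": Decimal("25000"),
    "manager": Decimal("100000"),
    "head": Decimal("500000"),
}

# Constructed system report: (account, increase amount, approver level, approval documented?)
REQUESTS = [
    ("A-01", "15000", "officer", True),
    ("A-02", "40000", "officer", True),    # above the officer limit
    ("A-03", "80000", "manager", True),
    ("A-04", "5000", "officer", True),
    ("A-05", "250000", "head", True),
    ("A-06", "30000", "officer", False),   # no documented review and approval
    ("A-07", "20000", "officer", True),
    ("A-08", "95000", "manager", True),
    ("A-09", "150000", "manager", True),   # above the manager limit
    ("A-10", "12000", "officer", True),
    ("A-11", "60000", "manager", True),
    ("A-12", "450000", "head", True),
    ("A-13", "25000", "officer", True),    # exactly at the limit: allowed
    ("A-14", "100000", "manager", True),
    ("A-15", "8000", "officer", True),
]


def exception_reason(increase, level, approved):
    """The per-row IF/AND test. Returns None when the row passes, otherwise the
    reason it is an exception."""
    increase = Decimal(str(increase))
    limit = DOA_LIMITS.get(level)            # VLOOKUP: approver level -> DOA limit
    if not approved:
        return "no documented review and approval"
    if limit is None:
        return "approver level not in DOA"
    if increase > limit:
        return "increase exceeds approver's DOA limit"
    return None


def excess_over_doa(increase, level):
    """Amount granted beyond what the recorded approver could authorise."""
    increase = Decimal(str(increase))
    limit = DOA_LIMITS.get(level, Decimal("0"))
    return max(increase - limit, Decimal("0"))


def run_doa_test(requests):
    """Walk the sample and build the figures the finding would quote:
    items tested, the exception list, COUNTIF/SUMIF totals and a pivot by level."""
    exceptions = []
    for account, amount, level, approved in requests:
        reason = exception_reason(amount, level, approved)
        if reason is not None:
            exceptions.append({
                "account": account,
                "level": level,
                "reason": reason,
                "excess": excess_over_doa(amount, level),
            })
    return {
        "tested": len(requests),
        "exception_count": len(exceptions),                                   # COUNTIF
        "excess_total": sum((e["excess"] for e in exceptions), Decimal("0")),  # SUMIF
        "by_level": dict(Counter(e["level"] for e in exceptions)),            # pivot
        "exceptions": exceptions,
    }


if __name__ == "__main__":
    result = run_doa_test(REQUESTS)
    print(f"{result['exception_count']} of {result['tested']} increases are exceptions; "
          f"excess granted: Rs {result['excess_total']}")
    for e in result["exceptions"]:
        print(f"  {e['account']} ({e['level']}): {e['reason']}, excess Rs {e['excess']}")
```

The output for the constructed data is 3 of 15 exceptions (A-02, A-06 and A-09) with Rs 70,000 granted beyond the approvers' authority, two of them at officer level. Because the test is a function over the whole report, it can be run over the entire population rather than a sample, which is the point the "Using Excel / CAAT" sampling slide makes.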
36. Analyzing data in IDEA
Use of data analytics tools facilitates creating a virtual room where all relevant
audit content can be stored and accessed.
38. Audit Report Structure
Covering Letter
Background/ Function Overview
Purpose/ Objectives
Scope of Work
Audit Approach
Limitation
Executive Summary (Significant Findings)
Detailed Observations
Follow Up of Prior Recommendations
39. Audit Report Structure
Columns: S.No. | Priority | Issue | Risk | Performance Improvement Observation | Management Response | Responsibility / Timelines
S.No.: 1
Priority: High
Issue: It was observed that in 48 out of 60 cases (total population of 850 cases for credit limit enhancement for the period March-May 2012) the credit limits enhanced for existing customers were not as per the parameters defined in the policy. Excess credit limit amounting to Rs 13.22 Lacs was given to customers. For details refer Annexure 1.
Risk: Incorrect credit limit offered to customers, leading to increased credit risk exposure for the Company, which may eventually lead to higher delinquencies.
Performance Improvement Observation: The authority & responsibility within the Risk Team should be explicitly defined & documented for approving credit limit increase deviations, and the same should be approved as per DOA.
Management Response: Adequate steps will be taken to ensure policy adherence by having periodic process trainings for the account management team. The risk team would additionally support the training requirements of the AMU team.
Responsibility / Timelines: Risk Team, March 2013
S.No.: 2
Priority: High
Issue: Late Payment Charges (LPC) amounting to Rs 1.3 Lacs were short-levied on 260 accounts, and LPC was excess levied on 296 accounts. Further, the Finance Charges on these accounts would be incorrect as the LPC is not accurately levied.
Risk: Possibility of revenue leakage for LPC, and customer dissatisfaction / negative impact on brand / reputation.
Performance Improvement Observation: Business should evaluate the possibility of implementing a continuous control mechanism through data analytics tools, and a System Audit should be carried out.
Management Response: The implementation of the revised LPC tier from Rs.700 to Rs.750 was delayed by ~40 days due to a set-up miss, later identified by the pricing team and rectified on 12th November 2012.
Responsibility / Timelines: Marketing Team, March 2013
41. Anti Fraud Control Framework
The framework is drawn around three heads: Policy, People and Process. Elements shown:
Code of conduct
Ethics policy
Gifts and hospitality
Agents
Facilitation payments
Tone from top
Cross culture
Zero tolerance
Disclosure
Voice
Board responsibilities
Openness
Employee / suppliers
Due diligence
Training
Education
Roles and responsibilities
Accountability
Annual sign off
Self assessment
Testing