INSTITUTE OF COST AND MANAGEMENT
ACCOUNTANTS OF INDIA
Presentation on :
Internal Audit in Indian Scenario
Presenter : Malay Paul
Dtd. 29.06.2016 (06.00 p.m– 08.00 p.m)
Acknowledgement
The author acknowledges use of freely available graphics in this
presentation with the objective of propagating knowledge and clearer
understanding.
The views expressed herein have no bearing on the past and
present professional engagements of the author.
Discussion Flow
• Meaning of GRC (Governance, Risk & Control)
• Stakeholder Silo in business ecosystem
• IA's Role as "Collaborator"
• Rule maker's intention – Journey has begun
• Preparedness for 'Continuous Audit'
• Methodology and Case Study
• Auditing in 'Motion' – velocity of change
• Journey towards 'beyond compliance'
“… it is very difficult to ascertain how much water the fishes are consuming
from a pond full of water. Similarly, it is difficult to stop unauthorized use of
funds by King’s men unless proper controls are in place.”
Chanakya charted out 'forty ways' of embezzlement/fraud, e.g. Revenue/
Accounts Receivable (Global Crossing, Qwest), Inventory/Cost of Goods
Sold (Phar-Mor), Understating Liability/Expense (Enron), Misrepresentation
(Bre-X Minerals), Overstating Assets (WorldCom) etc. These ways and
means were predicted by Chanakya way back in the Mauryan era.
- Arthasastra
“Corporate governance is concerned with holding the balance between
economic and social goals and between individual and communal goals… The
aim is to align as nearly as possible the interests of individuals,
corporations and society.”
Sir Adrian Cadbury
Corporate Governance Overview, 1999
[World Bank Report]
“The conduct of business in accordance with shareholders’ desires, which
generally is to make as much money as possible, while conforming to the
basic rules of the society embodied in law and local customs”
Nobel Laureate Milton Friedman
The art of Corporate Governance is a parallel to 'Dharma (nature)' in
human existence. Logically, 'Fire' has a 'Dharma' to burn; 'Air' has a
'Dharma' to blow; signifying the quintessence of a 'Code of Conduct
(COC)'. Rapid transformation in stakeholder expectations compels
corporations universally to pursue a self-ordained COC. As per the OECD
(Organization for Economic Cooperation and Development) documents
published in 1999, Corporate Governance is the system by which
organizations are directed and controlled.
Control and Risk represent opposite sides of the same coin.
Controls exist to mitigate risk; identification of control deficiencies
highlights areas of potential risk.
By examining risk, auditors can identify areas where controls are
needed and/or not working.
IIA definition of Auditing, Assurance and our focus:
“It is an independent, objective assurance and consulting activity
designed to add value and improve an organisation’s operations. It
helps an organisation accomplish its objectives by bringing a
systematic, disciplined approach to evaluate and improve effectiveness
of risk management, control and governance process.”
[Figure: Corporate Governance. Labels: Board; Audit Comm.; Management; Internal Audit; Statutory Auditor; Competition; Political; Globalization; Technological; Economic; Socioculture; Legislation]
[Figure labels: Compliances; Accountability; Transparency; Ethical Behaviour; Community Approach]
Re-engineering of IA
Present
• Risk Assessment: Ad-hoc Activity
• Focus only on process; Financial and Accounting Control
• Minimum use of Technology
• Perceived as 'Policeman'
Way-forward
• Risk assessment and mitigation – primary role
• Audit Business Processes, not just controls
• Tech./Knowledge Leveraging
• 'Continuous Audit and Monitoring'
• Fraud and Forensics
• Multidimensional Audit
• Transformation – 'Policy Man' from 'Policeman'
Requirements
• Multifunctional Knowledge
• Tech Savvy
• New Tools – Benchmarking
• Focus on Risk Management
• Challenging self knowledge
• Deep understanding of business pains
Regular Business Ecosystem
Investors, Bankers, Management, Society, Employees, Customers, Suppliers, Regulators, Shareholders
[Figure: COLLABORATION. Labels: Purpose (Why, What, When? Growth/Survival); People (Who? Stakeholders); Process (How? GRC Value add)]
[Figure: Progression towards Collaboration. Axes: Level of Commitment (Low to High); Level of purpose or Goal (Low to High). Collaborative Levels: Conversation, Communication, Coordination, Co-operation, Collaboration]
• Slip in market share
• Lower bottom line (net revenue)
• Slower response to market
• Lower product/service quality
• Broken partnerships/tie-ups/arrangements
• Loss of critical talent
• Loss of long term customers/clients
• Less agility and responsiveness
Company (Entity) | Body Corporate | What is to be done for one of the most admirable organizations?
Board/Audit Committee | Management | What have we done to manage the Business Risks?
CEO | Management | What unforeseen event might disrupt our strategy and achieving Goals?
CFO | Management | What could materially impact the Financial Result?
General Counsel | Management | What do we do to minimize legal & statutory liability and ensure Compliance?
COO | Management | What to do for ensuring operational excellence by way of quality & cost reduction?
Stockholders | Owners | What is the Company doing to protect our return on Investment?
Regulators | Legal Entity | What is the status in addressing the interest of all Stakeholders?
Customers | Society | What is the Co. strategy for good quality product at competitive price?
Suppliers | Society | What to do on innovation for cost competitiveness?
Employees | Society | What is the Company policy for my personal development and social status?
Society/Community | Larger Universe | What sort of employability & environmental measures are taken in our interest?
The above effectively prescribes Continuous Auditing.
The Institute of Internal Auditors (IIA) defines Continuous Auditing as “any
method used by Auditors to perform audit-related activities on a more
continuous or continual basis. It is the continuum of activities ranging from
continuous controls assessment to continuous risk assessment – all activities
on the control-risk continuum.”
• Replacement of the static Risk Based Internal Audit (RBIA) plan with a dynamic approach
• Risk bases are reviewed time and again for validation purposes, instead of an Audit plan based on a fixed risk matrix
• Drawing immediate attention to the changed riskscape
• Completion of the Annual Audit Plan by bifurcating it into time horizons (e.g. quarterly coverage) is not relevant; unplanned audits are more significant than the planned ones
• 'Need based' assignments (pro-active engagement)
o The RBIA (Risk Based Internal Audit) Annual Plan prepared at the commencement of the year/period may not be entirely harmonised with the complete risk profile of the entity, signalling the presence of unattended risks.
o Inadequacy in capturing dynamic risk profiles due to the absence of continuous risk review and mitigation programmes.
o Inadequacy in the flexibility of functioning of the Audit Team to report concerns that emanate while conducting the audit of an already committed area.
o The obligation of team members to deliver in a time-bound manner may severely impact the review quality and risk identification as well as their mitigation process.
o Absence of dynamism in coverage of high risk areas (which ceaselessly change during the audit period) under the RBIA Annual Plan may effectively keep major concerns out of audit purview for a considerable period (may be for a year or more).
o Absence of critical appraisal of Risk management processes to assess their robustness and adaptability under changed dynamics.
o Customary periodical reporting has not been able to address real time risk issues to Management/Audit Committee, as well as the steps taken by Management for mitigation.
o Better oversight and governance function of the Audit Committees may be affected due to non-appraisal of prevalent risk by the audit team.
Business and Strategic Risk – An Example
Risk Basket | Audit Area
Dependency on group Companies with fixed rate contracts | Revenue Cycle
Cyclical nature of industry attributing volatility to service rates | Revenue Cycle
Environmental pollution and property damages/losses | Revenue Cycle; Fixed Assets
Currency fluctuations | Treasury Cycle; Revenue Cycle
Dependency on contractual workforce for commercial operations | Operating Cycle; Treasury Cycle
Increase in operating costs due to fuel price hike | Operating Cycle
Regulatory risk and Compliance | Regulatory Cycle
Ref. | Sr. | Business Process
R = Revenue | R1 | Business Development
R = Revenue | R2 | Order Management & Invoicing
R = Revenue | R3 | Accounts Receivable & Collections
P = Payment | P1 | Vendor Selection, Planning & Pricing
P = Payment | P2 | Purchase Ordering & Receipt
P = Payment | P3 | Inventory Management
P = Payment | P4 | Accounts Payable & Payments
P = Payment | P5 | Other Services and Expenses
O = Operation | O1 | Operating Expenses
T = Treasury | T1 | Loans (Secured & Unsecured)
T = Treasury | T2 | Investments
F = Fin. Reporting | F1 | Financial Reporting
F = Fin. Reporting | F2 | Related Party/Inter group transactions
A = Assets | A1 | Fixed Assets/CWIP
H = Human Resource | H1 | HR and Payroll Process
S = Safety | S1 | Health, Safety & Environment (HSE)
L = Legal | L1 | Companies Act and SEBI Act
L = Legal | L2 | FEMA and allied Laws
L = Legal | L3 | Industrial and Labour relation
L = Legal | L4 | Other incidental/ancillary laws
I = Infotech | I1 | Systems Controls
Assessment/Review during the Year
Sr. No. | Business Processes of the Entity | 1st | 2nd | 3rd
R1 | Business Development | Medium | High | High
R2 | Order Management and Invoicing | High | High | Medium
R3 | Receivable & Collections | Medium | High | High
P1 | Vendor Selection, Planning, Pricing | High | Medium | Low
P2 | P.O and Receipts Logistics | High | Medium | Medium
P3 | Inventory Management | Medium | Low | Low
P4 | Accounts Payable & Payments | Medium | Medium | Low
P5 | Other Service and Expenses | Medium | Low | Low
O1 | Operating Expenses | High | Medium | Medium
T1 | Loans (Secured & Unsecured) | High | High | High
T2 | Investments | High | High | High
F1 | Financial Reporting | Medium | Medium | Medium
F2 | Related Party/Inter gr. transaction | Medium | Medium | High
A1 | Fixed Assets/CWIP | High | Medium | Low
H1 | HR and Payroll Process | Low | Medium | Low
S1 | Health, Safety and Environment | High | High | High
L1 | Companies Act and SEBI Act | High | Medium | High
L2 | FEMA and allied Laws | High | Medium | Medium
L3 | Industrial and Labour relation | High | Medium | Medium
L4 | Other incidental/ancillary laws | Medium | Medium | Medium
I1 | Application Control (Systems) | High | Medium | High
No. | Business Process of Entity | Reason for Change in Risk Classification
R1 | Business Development | No growth in new business initiatives; High spent on initiatives taken
R2 | Order Management and Invoicing | Timely execution & avoidance of Liquidated Damages
R3 | Receivable & Collections | High Receivables, poor collection initiative; Cost of fund blockage increased
P1 | Vendor Selection, Planning, Pricing | Prices benchmarked against market rates
P2 | P.O and Receipts Logistics | Timely inventorization after quality check; Just in time inventory maintained
P3 | Inventory Management | Adequate inventory in terms of Production Plan
P4 | Accounts Payable & Payments | Accurate and timely release of payment
P5 | Other Service and Expenses | Low involvement of fund
O1 | Operating Expenses | Initiatives for expense curtailment
T1 | Loans (Secured & Unsecured) | High borrowings with varied interest rate
T2 | Investments | New business initiatives and huge fund deployment
F1 | Financial Reporting | Adherence to Accounting Policies; Adequate provisions for accounting events
F2 | RP/Inter group transaction | Pending reconciliation between Group entities
A1 | Fixed Assets/CWIP | Timely capitalization and booking depreciation
H1 | HR and Payroll Process | Adequacy of checks and balances
S1 | Health, Safety and Environment | Nature of industry – pollutant
L1 | Companies Act and SEBI Act | New regulations and compliance requirement
L2 | FEMA and allied Laws | Min. fund movement and ensured compliance
L3 | Industrial and Labour relation | IR Regulations mostly complied with
L4 | Other incidental/ancillary laws | Transactional compliance
I1 | Application Control (Systems) | Inadequate access control; Improper mapping of Delegation of Authority in ERP
Continuous Auditing through evaluation of the risk base would change the way we
audit and make the audit function more effective.
It pulls hidden risk areas out of apparently no-risk arenas and converts
potentially high risk areas (or those commonly understood to be high risk) into
no-risk areas.
Continuous introspection on a two-way basis, by management as well as the audit
team, towards the risk and mitigation process, and their seamless adaptation,
makes 'Risk Management' robust.
Timely detection of 'Fraud' – e.g. WorldCom type.
This will help the audit committees in turning their hindsight into
foresight and developing further insight.
Audit
• Opex reclassified as Capex, which improved the E (Expense) to R (Revenue) ratio by reducing the amount of E
• Book value of acquisitions illegitimately classified as 'Goodwill', which improves E/R by increasing the effective amortization
• Excessive write-down of assets, which gives the impression that expenses are declining over a period, i.e. reduction of E/R and increased net income
• Doubtful debts understated to improve E/R
Continuous Audit (CA)
• Create an alarm that simultaneously identifies (a) reduction of Opex and (b) over-investment in Capex over a period
• Increase in Plant, Equipment etc. that differs significantly from the historical average
• E and R month-on-month and average indicative of mismatch
• Significant variance over the established ratio
Timely Identification
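An added example, not part of the original presentation: a minimal version of the Continuous Audit alarm listed above, run over a constructed monthly ledger. The rule names, thresholds, window size and sample figures are assumptions chosen for illustration; months that raise any finding are kept out of the historical baseline so that a sustained reclassification does not become the new "established ratio".

```python
from dataclasses import dataclass
from math import copysign, inf
from statistics import mean, pstdev

CAPEX_RULE = "CAPEX_ABOVE_HISTORY"   # capex differs significantly from historical average
RATIO_RULE = "ER_BELOW_ESTABLISHED"  # E/R well below the established ratio
MOM_RULE = "E_R_MOM_MISMATCH"        # E falls month-on-month while R does not


@dataclass(frozen=True)
class Month:
    period: str
    revenue: float  # R on the slide
    opex: float     # E on the slide
    capex: float    # additions to plant, equipment etc.

    @property
    def er(self) -> float:
        return self.opex / self.revenue


@dataclass(frozen=True)
class Finding:
    period: str
    rules: tuple
    alarm: bool  # True when capex is up AND E/R is down in the same month


def zscore(value, history):
    """Distance of value from the historical mean, in standard deviations."""
    mu, sigma = mean(history), pstdev(history)
    if sigma == 0:  # flat history: any movement at all is an outlier
        return 0.0 if value == mu else copysign(inf, value - mu)
    return (value - mu) / sigma


def evaluate(ledger, window=6, z_threshold=2.0, ratio_tol=0.10, mom_tol=0.10):
    """Return a Finding for every month after the first `window` that trips a rule."""
    if len(ledger) <= window:
        raise ValueError("need more than `window` months of data")
    if any(m.revenue <= 0 or m.opex <= 0 for m in ledger):
        raise ValueError("revenue and opex must be positive")
    baseline = list(ledger[:window])  # assumed clean opening period
    findings = []
    for prev, cur in zip(ledger[window - 1:], ledger[window:]):
        ref = baseline[-window:]
        rules = []
        if zscore(cur.capex, [m.capex for m in ref]) > z_threshold:
            rules.append(CAPEX_RULE)
        established = mean(m.er for m in ref)
        if (cur.er - established) / established < -ratio_tol:
            rules.append(RATIO_RULE)
        opex_change = (cur.opex - prev.opex) / prev.opex
        revenue_change = (cur.revenue - prev.revenue) / prev.revenue
        if opex_change - revenue_change < -mom_tol:
            rules.append(MOM_RULE)
        if rules:
            alarm = CAPEX_RULE in rules and RATIO_RULE in rules
            findings.append(Finding(cur.period, tuple(rules), alarm))
        else:
            baseline.append(cur)  # only clean months extend the baseline
    return findings


# Constructed sample data (not real figures). M07 is a genuine capital project:
# capex spikes but E/R holds. M09 and M10 shift about 120 of opex into capex.
SAMPLE_LEDGER = [
    Month("M01", 1000, 600, 100),
    Month("M02", 1020, 615, 95),
    Month("M03", 990, 590, 105),
    Month("M04", 1010, 610, 100),
    Month("M05", 1030, 620, 98),
    Month("M06", 1000, 598, 102),
    Month("M07", 1015, 612, 180),
    Month("M08", 1005, 600, 101),
    Month("M09", 1010, 480, 225),
    Month("M10", 1000, 470, 235),
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_LEDGER):
        status = "ALARM" if f.alarm else "review"
        print(f"{f.period}: {status} {', '.join(f.rules)}")
```

A capex spike on its own (M07) is reported for review but does not raise the alarm; the alarm needs the fall in E/R in the same month.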
» Role of continuous auditing is dependent on management's efforts in continuous monitoring of controls.
˃ Inverse relationship: the greater the role of management, the less of a direct role from internal audit
C: Compliance with policies, plans, procedures, laws and regulations;
A: Accomplishment of established objectives and goals for operations or
programs, not just the financial aspects;
R: Reliability and integrity of information;
E: Economical and efficient use of resources;
S: Safeguarding of assets;
These are collectively coined as “CARES”.
‘Self’-assessment refers to the involvement of management and operating staff in
the assessment process. Propagating a framework named ‘OPTION’, where
O- Objective Setting
P – Process and related Risk defining
T- Test for results
I- Initiate required activity
O- Operate and replicate
N- No or low risk outcome
Control Self-Assessment is a process whereby various role players in an
Organization are brought together to identify and address risks relevant to their
environment. Internal Auditors facilitate this process by channelling these benefits:
• Enhances accountability of operating management or process owner over internal controls in general and specific terms with respect to the 'big picture', i.e. process linked with other operational areas.
• Embedding internal control effectiveness with daily or regular repetitive activities enhances the compliance mechanism as well as cost of compliance.
• Better clarity and understanding of end to end processes and self-role with respect to the broader organizational role.
• With widespread involvement of staff and managers, awareness over control aspects increases and the same can be embedded in performance monitoring purposes and aligned with the 'Balance Score Card (BSC)'.
• Regular trigger of control effectiveness across the Organization enhances communications between operating staff and top management.
• Early warning system to pre-empt possibility of major failure/lapses.
• No 'surprise', all appraised
“…even a straight line in ECG means we are not alive”: Ratan Tata
One can drive a car fast yet keep control because there is a facility to
slow down or stop, if required. Just as car driving is continuous coordination of
feet and hands with reflexes, corporates demand 'Continuous Audit' and
monitoring with total integration and business reflexes.
» 'Customer is the King'; to satisfy his unending requirements, business landscapes are changing universally.
» Significant changes are forcing businesses to constantly transform.
» Internal Audit ought to renovate to stay ahead of these changes and to maximize its impact at a faster pace.
» Corporate leaders are demanding that Internal Audit improve visibility across the enterprise and provide strategic insights that can deliver lasting value for the organization.
» Auditors around the world are contemporizing the Internal Audit (IA) profession through technology-enabled methodologies.
» As the business environment grows increasingly complex, IA is being asked to support the organization by delivering deeper insight and greater value more efficiently and effectively, necessitating IA functions to turn to business analytics.
» Integration of the IA function with the entity's strategic initiatives.
[Figure: axes SCOPE and TIME. Labels: It's about AUDIT; It's about ASSURANCE; It's about INTERNAL CONTROL; It's about Continuous Monitoring; It's about how the ORGANISATION is operating]
• Effect means
‘The result or consequence of some action or process’
• Engage- Determine relationship with Stakeholders
• Focus– Understanding of ‘pains’
• Find – Addressing appropriately
• Examine- What happened and impacts
• Craft- Strategy to leverage
• Technology- Determine appropriate resolution
• Support – Communicate to convince
37

GRCICMAI

  • 1.
    1 INSTITUTE OF COSTAND MANAGEMENT ACCOUNTANTS OF INDIA Presentation on : Internal Audit in Indian Scenario Presenter : Malay Paul Dtd. 29.06.2016 (06.00 p.m– 08.00 p.m)
  • 2.
    2 Acknowledgement The author acknowledgesuse of freely available graphics in this presentation with the objective of propagating knowledge and clearer understanding. The views expressed herein are not having any bearing on the past and present professional engagement of the author.
  • 3.
    Discussion Flow Meaning ofGRC ( Governance, Risk & Control) Stakeholder Silo in business ecosystem IA ‘ s Role as “ Collaborator “ Rule maker’s intention – Journey has began Preparedness for ‘Continuous Audit’ Methodology and Case Study Auditing in ‘Motion’ – velocity of change Journey towards ‘beyond compliance’
  • 4.
    4 “… it isvery difficult to ascertain how much water the fishes are consuming from a pond full of water. Similarly, it is difficult to stop unauthorized use of funds by King’s men unless proper controls are in place.” Chanakya charted out ‘forty ways’ of embezzlement/ fraud e.g Revenue / Accounts Receivable ( Global Crossing, Quest), Inventory/Cost of Goods sold ( PharMor) Understating Liability/Expense ( Enron), Mis-presentation ( Bre-X Minerals) , Overstating Asset ( WorldCom) etc. The ways and means predicted by Chankya way back in Maurian era. - Arthasastra
  • 5.
    5 ““Corporate governance isconcernedCorporate governance is concerned with holding the balance betweenwith holding the balance between economic and social goals and betweeneconomic and social goals and between individual and communal goals…… Theindividual and communal goals…… The aim is to align as nearly as possible theaim is to align as nearly as possible the interests of individuals, corporations andinterests of individuals, corporations and society.”society.” Sir Adrian Cadbury Corporate Governance Overview, 1999 [World Bank Report]
  • 6.
    6 ““ The conductof business in accordanceThe conduct of business in accordance with shareholders’ desires, which generallywith shareholders’ desires, which generally is to make as much money as possible ,is to make as much money as possible , while conforming to the basic rules of thewhile conforming to the basic rules of the society embodied in law and local customs“society embodied in law and local customs“ Noble Laurate Milton FriedmanNoble Laurate Milton Friedman
  • 7.
    7 The art ofCorporate Governance is a parallel consign of ‘Dharma (nature)’ in human existence. Logically, ‘Fire’ has a ‘Dharma’ to burn; ‘Air’ has ‘Dharma’ to blow; signifying the quintessence of ‘Code of Conduct (COC)’. Rapid transformation in stakeholder expectation’, stipulate corporations universally to pursue self-ordained COC. As per the OECD (Organization for Economic Cooperation and Development) documents published in 1999, Corporate Governance is the system by which organizations are directed and controlled.
  • 8.
    8  Control andRisk represent opposite sides of the same coin. Controls exist to mitigate risk; identification of control deficiencies highlight areas of potential risk. By examining risk, auditors can identify areas where controls are needed and/or not working.
  • 9.
    9 IIA definition ofAuditing, Assurance and our focus : “It is an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve effectiveness of risk management, control and governance process.”
  • 10.
  • 11.
  • 12.
    Present Risk Assessment: Ad-hocActivity Focus only on process ; Financial and Accounting Control Minimum use of Technology •Perceived as ‘Policeman’ Present Risk Assessment: Ad-hoc Activity Focus only on process ; Financial and Accounting Control Minimum use of Technology •Perceived as ‘Policeman’ Way-forward Risk assessment and mitigation – primary role Audit Business Processes- not just controls Tech./Knowledge Leveraging ‘Continuous Audit and Monitoring’ Fraud and Forensics Multidimensional Audit Transformation–‘Policy Man’ from ‘Policeman’ Way-forward Risk assessment and mitigation – primary role Audit Business Processes- not just controls Tech./Knowledge Leveraging ‘Continuous Audit and Monitoring’ Fraud and Forensics Multidimensional Audit Transformation–‘Policy Man’ from ‘Policeman’  Multifunctional Knowledge  Tech Savvy  New Tools – Benchmarking  Focus on Risk Management  Challenging self knowledge  Deep understanding of business pains  Multifunctional Knowledge  Tech Savvy  New Tools – Benchmarking  Focus on Risk Management  Challenging self knowledge  Deep understanding of business pains Re-engineering of I ARe-engineering of I A
  • 13.
    Regular Business EcosystemRegularBusiness Ecosystem Investors Bankers Management Society Employees Customers Suppliers Regulators Shareholders
  • 14.
  • 15.
  • 16.
    • Slip inmarket share • Lower bottom line (net revenue) • Slower response to market • Lower product/service quality • Broken partnerships/tie-ups/arrangements • Loss of critical talent • Loss of long term customers/clients • Less agility and responsiveness
  • 17.
    Company ( Entity) Body Corporate What is to be done for one of the most admirable organization ? Board/ Audit Committee Management What we have done to manage the Business Risks ? CEO Management What unforeseen event might disrupt our strategy and achieving Goals ? CFO Management What could materially impact the Financial Result ? General Counsel Management What do we do to minimize legal & statutory liability and ensure Compliance ? COO Management What to do for ensuring operational excellence by way of quality & cost reduction ?
  • 18.
    Stockholders Owners Whatthe Company is doing to protect our return on Investment ? Regulators Legal Entity What is the status in addressing interest of all Stakeholders ? Customers Society What is the Co. strategy for good quality product at competitive price ? Suppliers Society What to do on innovation for cost competitiveness ? Employees Society What is the Company policy for my personal development and social status ? Society /Community Larger Universe What sort of employability & environmental measures taken in our interest ?
  • 19.
    The above effectivelyprescribes for Continuous Auditing
  • 20.
    The Institute ofInternal Auditors (IIA) defines Continuous Auditing as “any method used by Auditors to perform audit-related activities on a more continuous or continual basis. It is the continuum of activities ranging from continuous controls assessment to continuous risk assessment – all activities on the control-risk continuum.”  Replacement of static Risk Based Internal Audit ( RBIA) plan with a dynamic approach  Risk bases are reviewed time and again for validation purposes , instead of Audit plan based on fixed risk matrix  Drawing immediate attention to changed risk scape  Completion of Annual Audit Plan by bifurcating in to time horizon (e.g quarterly coverage) not relevant ; unplanned audits are more significant than the planned ones  ‘Need based’ assignments (pro-active engagement)
  • 21.
    oRBIA (Risk BasedInternal Audit), Annual Plan prepared at the commencement of the year /period may not be entirely harmonised with complete risk profile of the entity, signalling presence of unattended risks. o Inadequacy in capturing dynamic risk profiles due to the absence of continuous risk review and mitigation programmes. oInadequacy in the flexibility of functioning of the Audit Team to report concerns emanated while conducting audit of an already committed area. oObligation of team members to deliver on a time bound manner, may severally impact the review quality and risk identification as well as their mitigation process. oAbsence of dynamism in coverage of high risk areas (which ceaselessly changes during audit period) under the RBIA Annual Plan, may effectively keep major concerns out of audit purview for a considerable period (may be for a year or more). oAbsence of critical appraisal of Risk management process to assess their robustness and adaptability under changed dynamics. oCustomary periodical reporting not been able to address real time risk issues to Management/ Audit Committee as well the steps taken by Management for mitigation. oBetter oversee and governance function of the Audit Committees may be affected due to non-appraisal of prevalent risk by audit team.
  • 22.
    Risk Basket AuditArea Dependency on group Companies with fixed rate contracts Revenue Cycle Cyclical nature of industry attributing volatility to service rates Revenue Cycle Environmental pollution and property damages/losses Revenue Cycle Fixed Assets Currency fluctuations Treasury Cycle Revenue Cycle Dependency on contractual workforce for commercial operations Operating Cycle Treasury Cycle Increase in operating costs due to fuel price hike Operating Cycle Regulatory risk and Compliance Regulatory Cycle Business and Strategic Risk – An Example
  • 24.
    Ref. Sr. BusinessProcess R1 Business Development R2 Order Management & Invoicing R3 Accounts Receivable & Collections P1 Vendor Selection, Planning & Pricing P2 Purchase Ordering & Receipt P3 Inventory Management P4 Accounts Payable & Payments P5 Other Services and Expenses O = Operation O1 Operating Expenses T1 Loans (Secured & Unsecured) T2 Investments F1 Financial Reporting F2 Related Party/Inter group transactions A= Assets A1 Fixed Assets/CWIP H = Human Resource H1 HR and Payroll Process S= Safety S1 Health, Safety & Environment ( HSE) L1 Companies Act and SEBI Act L2 FEMA and allied Laws L3 Industrial and Labour relation L4 Other incidental /ancillary laws I = Infotech I1 Systems Controls L = Legal R = Revenue P = Payment T = Treasury F = Fin. Reporting Ref. Sr. Business Process R1 Business Development R2 Order Management & Invoicing R3 Accounts Receivable & Collections P1 Vendor Selection, Planning & Pricing P2 Purchase Ordering & Receipt P3 Inventory Management P4 Accounts Payable & Payments P5 Other Services and Expenses O = Operation O1 Operating Expenses T1 Loans (Secured & Unsecured) T2 Investments F1 Financial Reporting F2 Related Party/Inter group transactions A= Assets A1 Fixed Assets/CWIP H = Human Resource H1 HR and Payroll Process S= Safety S1 Health, Safety & Environment ( HSE) L1 Companies Act and SEBI Act L2 FEMA and allied Laws L3 Industrial and Labour relation L4 Other incidental /ancillary laws I = Infotech I1 Systems Controls L = Legal R = Revenue P = Payment T = Treasury F = Fin. Reporting
  • 25.
    Sr. No. BusinessProcesses of the Entity Assessment/Review during the Year 1st 2nd 3rd R1 Business Development Medium High High R2 Order Management and Invoicing High High Medium R3 Receivable & Collections Medium High High P1 Vendor Selection, Planning, Pricing High Medium Low P2 P.O and Receipts Logistics High Medium Medium P3 Inventory Management Medium Low Low P4 Accounts Payable & Payments Medium Medium Low P5 Other Service and Expenses Medium Low Low O1 Operating Expenses High Medium Medium T1 Loans (Secured & Unsecured) High High High T2 Investments High High High F1 Financial Reporting Medium Medium Medium F2 Related Party/Inter gr. transaction Medium Medium High A1 Fixed Assets/CWIP High Medium Low H1 HR and Payroll Process Low Medium Low S1 Health, Safety and Environment High High High L1 Companies Act and SEBI Act High Medium High L2 FEMA and allied Laws High Medium Medium L3 Industrial and Labour relation High Medium Medium L4 Other incidental /ancillary laws Medium Medium Medium I1 Application Control ( Systems) High Medium High
  • 26.
    No. Business Processof Entity Reason for Change in Risk Classification R1 Business Development No growth in new business initiatives High spent on initiatives taken R2 Order Management and Invoicing Timely execution & avoidance of Liquidated Damages R3 Receivable & Collections High Receivables, poor collection initiative Cost of fund blockage increased P1 Vendor Selection, Planning, Pricing Prices benchmarked against market rates P2 P.O and Receipts Logistics Timely inventorization after quality check Just in time inventory maintained P3 Inventory Management Adequate inventory in terms of Production Plan P4 Accounts Payable & Payments Accurate and timely release of payment P5 Other Service and Expenses Low involvement of fund O1 Operating Expenses Initiatives for expense curtailment T1 Loans (Secured & Unsecured) High borrowings with varied interest rate T2 Investments New business initiatives and huge fund deployment F1 Financial Reporting Adherence to Accounting Policies Adequate provisions for accounting events F2 RP/Inter group transaction Pending reconciliation between Group entities A1 Fixed Assets/CWIP Timely capitalization and booking depreciation H1 HR and Payroll Process Adequacy of checks and balances S1 Health, Safety and Environment Nature of industry –pollutant L1 Companies Act and SEBI Act New regulations and compliance requirement L2 FEMA and allied Laws Min. fund movement and ensured compliance L3 Industrial and Labour relation IR Regulations mostly complied with L4 Other incidental /ancillary laws Transactional compliance I1 Application Control ( Systems) Inadequate access control Improper mapping of Delegation of Authority in ERP
  • 27.
    Continuous Auditing through evaluation of the risk base would change the way we audit and usher in more effectiveness of the audit function. It pulls out hidden risk areas from an apparently no-risk arena and converts potentially high-risk areas (or areas commonly understood to be high risk) into no-risk areas. Continuous introspection on a two-way basis, by management as well as the audit team, towards risk and the mitigation process, and their seamless adaptation, makes ‘Risk Management’ robust. Timely detection of ‘Fraud’, e.g. WorldCom type. This will help the audit committees in turning their hindsight into foresight and developing further insight.
  • 28.
    Audit Opex reclassified asCapex, which improved E (Expense ) to R(Revenue) ratio by reducing the amount of E •Book Value of acquisitions illegimately classified as ‘Goodwill’, which improve E/R by increasing the effective amortization •Excessive write-down of Asset,which gives the impression that expenses are declining over a period i.e reduction of E/R nad increased nett income •Doubtful debts understated to Improve E/R Audit Opex reclassified as Capex, which improved E (Expense ) to R(Revenue) ratio by reducing the amount of E •Book Value of acquisitions illegimately classified as ‘Goodwill’, which improve E/R by increasing the effective amortization •Excessive write-down of Asset,which gives the impression that expenses are declining over a period i.e reduction of E/R nad increased nett income •Doubtful debts understated to Improve E/R Continuous Audit (CA) Create an alarm that simultaneously identifies (a) reduction of Opex (b) over Investment in Capex over a period • Increase in Plant , Equipment etc. that differs significantly from historical average • E and R month-on-month and average indicative of mismatch • Significant variance over established ratio Continuous Audit (CA) Create an alarm that simultaneously identifies (a) reduction of Opex (b) over Investment in Capex over a period • Increase in Plant , Equipment etc. that differs significantly from historical average • E and R month-on-month and average indicative of mismatch • Significant variance over established ratio TimelyTimely IdentificatioIdentificatio nn
  • 29.
    » Role of continuous auditing is dependent on management’s efforts in continuous monitoring of controls.
    ˃ Inverse relationship: the greater the role of management, the less of a direct role from internal audit
  • 30.
    C: Compliance with policies, plans, procedures, laws and regulations;
    A: Accomplishment of established objectives and goals for operations or programs, not just the financial aspects;
    R: Reliability and integrity of information;
    E: Economical and efficient use of resources;
    S: Safeguarding of assets;
    These are collectively coined as “CARES”.
  • 31.
    ‘Self’-assessment refers to the involvement of management and operating staff in the assessment process. Propagating a framework named ‘OPTION’, where
    O - Objective Setting
    P - Process and related Risk defining
    T - Test for results
    I - Initiate required activity
    O - Operate and replicate
    N - No or low risk outcome
  • 32.
    Control Self-Assessment is a process whereby various role players in an Organization are brought together to identify and address risks relevant to their environment. Internal Auditors facilitate this process by channelling these benefits:
    • Enhances accountability of operating management or process owner over internal controls in general and specific terms with respect to the ‘big picture’, i.e. process linked with other operational areas.
    • Embedding internal control effectiveness with daily or regular repetitive activities enhances the compliance mechanism as well as cost of compliance.
    • Better clarity and understanding of end-to-end processes and self-role with respect to broader organizational role.
    • With widespread involvement of staff and managers, awareness over control aspects increases, and the same can be embedded in performance monitoring purposes and aligned with ‘Balance Score Card (BSC)’.
    • Regular trigger of control effectiveness across the Organization enhances communications between operating staff and top management.
    • Early warning system to pre-empt possibility of major failure/lapses.
    • No ‘surprise’, all appraised
  • 33.
    “…….even a straight line in ECG means we are not alive”: Ratan Tata
    One can drive the car fast yet keep control because they have a facility to slow down or stop, if required. Just as car driving is continuous coordination of feet and hands with reflexes, corporates demand ‘Continuous Audit’ and monitoring with total integration and business reflexes.
  • 34.
    » ‘Customer is the King’: to satisfy his unending requirements, business landscapes are changing universally.
    » Significant changes are forcing businesses to constantly transform.
    » Internal Audit ought to renovate itself to stay ahead of these changes and to maximize its impact at a faster pace.
    » Corporate leaders are demanding that Internal Audit improve visibility across the enterprise and provide strategic insights that can deliver lasting value for the organization.
    » Auditors around the universe are contemporizing the Internal Audit (IA) profession through technology-enabled methodologies.
    » As the business environment grows increasingly complex, IA is being asked to support the organization by delivering deeper insight and greater value more efficiently and effectively, necessitating IA functions to turn to business analytics.
    » Integration of the IA function with the entity’s strategic initiatives.
  • 35.
    SCOPE
    It’s about AUDIT
    It’s about ASSURANCE
    It’s about INTERNAL CONTROL
    It’s about Continuous Monitoring
    TIME
    It’s about how ORGANISATION is operating
  • 36.
    • Effect means ‘The result or consequence of some action or process’
    • Engage - Determine relationship with Stakeholders
    • Focus - Understanding of ‘pains’
    • Find - Addressing appropriately
    • Examine - What happened and impacts
    • Craft - Strategy to leverage
    • Technology - Determine appropriate resolution
    • Support - Communicate to convince
  • 37.