Approach Note on Internal Audit
CA. Deep Kumar Mendiratta
Contents
Sl. No. Particulars Page #
Section I
1. Internal Audit - Basics 4
2. ERM Framework 6
3. Internal Audit Guidelines 9
4. Internal Audit Process, Approach & Methodology 14
Section II
1. Assessing Risks & Internal Controls 22
2. Internal Audit Sampling Methodology 29
3. Internal Audit Tools 32
4. Reporting and Follow-up 37
5. Internal Audit & Fraud 40
Section I - Internal Audit Basics
Definition of Internal Audit:
Internal auditing is an independent, objective assurance and consulting activity designed to add value
and improve an organization’s operations. It helps an organization accomplish its objectives by
bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk
management, control, and governance processes.
Objectives of Internal Audit:
• Risk Management
• Control
• Governance
Risk:
Risk is the potential that a chosen action or activity (including the choice of inaction) will lead to a
loss (an undesirable outcome). The notion implies that a choice having an influence on the outcome
sometimes exists (or existed).
Internal Control:
Internal Control is a process, effected by an entity’s board of directors, management, and other
personnel, designed to provide reasonable assurance regarding the achievement of its objectives
(Operational, Reporting & Compliance).
Why Internal Audit?
CARO (Companies (Auditor's Report) Order, 2003): Requires listed companies to have an internal audit system commensurate with their size and nature of business. To comply with the requirements, companies may either have an internal audit department or outsource the internal audit function to an external agency.
Clause 49: Requires the audit committee's role to include oversight of the internal audit function as one of its terms of reference. The agreement requires the audit committee to review with management the performance of the internal audit function.
Companies Act, 1956 (Section 224): Requires companies to appoint an auditor or auditors at every annual general meeting, to hold office from the conclusion of that meeting until the conclusion of the next annual general meeting.
Section I – ERM Framework
Enterprise Risk Management
ERM defined:
A process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
The key to effectively protecting and growing returns for an organization’s shareholders is to
identify and manage the risks that could prevent the organization from achieving its business
objectives. The enterprise risk assessment is an efficient, comprehensive process that provides
insight on inherent risks from an industry perspective and links them to the organization’s
objectives, initiatives, and business processes.
Entity objectives can be viewed in the context of four categories:
• Strategic
• Operations
• Reporting
• Compliance
Enterprise risk management requires an entity to take a portfolio view of risk. Management
considers how individual risks interrelate and develops a portfolio view from two perspectives:
• Business unit level
• Entity level
Enterprise Risk Management Framework (diagram)
Section I - Internal Audit Guidelines
Compliance to Auditing Standards (ICAI)
Standards on Internal Audits:
• Standard on Internal Audit (SIA) 1, Planning an Internal Audit
• Standard on Internal Audit (SIA) 2, Basic Principles Governing Internal Audit
• Standard on Internal Audit (SIA) 3, Documentation
• Standard on Internal Audit (SIA) 4, Reporting
• Standard on Internal Audit (SIA) 5, Sampling
• Standard on Internal Audit (SIA) 6, Analytical Procedures
• Standard on Internal Audit (SIA) 7, Quality Assurance in Internal Audit
• Standard on Internal Audit (SIA) 8, Terms of Internal Audit Engagement
• Standard on Internal Audit (SIA) 9, Communication with Management
• Standard on Internal Audit (SIA) 10, Internal Audit Evidence
• Standard on Internal Audit (SIA) 11, Consideration of Fraud in an Internal Audit
• Standard on Internal Audit (SIA) 12, Internal Control Evaluation
• Standard on Internal Audit (SIA) 13, Enterprise Risk Management
• Standard on Internal Audit (SIA) 14, Internal Audit in an Information Technology Environment
• Standard on Internal Audit (SIA) 15, Knowledge of the Entity and its Environment
• Standard on Internal Audit (SIA) 16, Using the Work of an Expert
• Standard on Internal Audit (SIA) 17, Consideration of Laws and Regulations in an Internal Audit
• Standard on Internal Audit (SIA) 18, Related Parties
Compliance to Auditing Standards
The IIA Standards types:
a) Attribute Standards: address the attributes of organizations and individuals
performing internal audit services. The attributes addressed are:
• Purpose, Authority and Responsibility
• Independence and Objectivity
• Proficiency and Due Professional Care
• Quality Assurance
b) Performance Standards: describe the nature of internal audit services and provide
quality criteria against which the performance of these services can be measured.
The criteria addressed are:
• Managing Internal Audit Activity
• Nature of Work
• Engagement Planning
• Performing the Engagement
• Communicating Results
• Monitoring Progress
• Management's Acceptance of Risk
c) Implementation Standards: expand upon the Attribute and Performance Standards,
providing guidance in specific types of engagements.
Compliance to Auditing Standards (illustrative)
S.N. Title of Standard
1 1000 - Purpose, Authority, and Responsibility
2 1010 - Recognition of the Definition of Internal Auditing, the Code of Ethics, and the Standards in the Internal Audit Charter
3 1100 - Independence and Objectivity
4 1110 - Organizational Independence
5 1111 - Direct Interaction with the Board
6 1120 - Individual Objectivity
7 1130 - Impairments to Independence or Objectivity
8 1200 - Proficiency and Due Professional Care
9 1210 - Proficiency
10 1220 - Due Professional Care
11 1230 - Continuing Professional Development
12 1300 - Quality Assurance and Improvement Program
13 1310 - Quality Program Assessments
14 1311 - Internal Assessments
15 1312 - External Assessments
Section I - Internal Audit Process
IA Process Overview
1. Define
1.1 Define objectives of analysis
1.2 Gain an understanding
1.3 Define data requirements
2. Validate
2.1 Request and receive data
2.2 Validate control totals
2.3 Perform data quality assessment
3. Execute
3.1 Execute audit steps
3.2 Identify discrepancies
3.3 Discuss discrepancies with stakeholders and validate errors
3.4 Assess impact on objectives
4. Retain
4.1 Document process / reproduce data
4.2 Document retention
Execution Process Overview
Control Evaluation: Gather Info -> Understand the Process -> Evaluate -> Reassess Scope
Control Testing: Develop Test Plan -> Sampling or CAATs -> Testing -> Consider Substantive Testing -> Formulate Findings -> Assess Root Cause -> Prioritize -> Agree Action Plan with the Management
Evaluation Process (decision tree, starting from the Control Objective / Risk)
• Is a control in place? If NO: is there a mitigating control? If NO, the result is Missing Controls; if Yes, assess mitigation (Missing / Mitigated Controls).
• If a control is in place: does the control address the risk (e.g. are all relevant attributes covered), and in the appropriate timeframe? If NO, the result is Inadequate Controls.
Determination on Adequacy of Control Design
Risk and Control Matrix (illustrative)
Sr. No.: 1
Process: Client Billing (Invoicing & Collection)
Sub Process / Activity: Quantity Assessment & Work
What Can Go Wrong (Risk):
• Incorrect quantity assessment by the billing engineer leading to under-billing to the client
• Incorrect quantity assessment by the billing engineer leading to over-billing to the client
Control Description:
• Quantity assessment is done against the schedule of work (target billing) and the actual work carried out at the site
• The quantity assessment is also cross-checked against the MPR/DPR (prepared by the planning department, who in turn get the data from the execution department and sub-contractors/vendors)
Test Procedures:
• Obtain the latest Project Review Report (PRR) and Daily Progress Report (DPR) for the period under review
• Select sample RA Bills and review whether related records certifying the completion of measured work are maintained
• Ensure measured works are strictly in accordance with the scope of work and any variation is separately parked as 'Extra Work/Item'
• Ensure quantities for billing are supported by site measurements / stock consumption and issuance records
Documents to be Referred for Test Procedures:
• Measurement sheets from the site
• PRR and DPR
• Raised RA Bills and certified RA Bills
Conclusion (Effective / Ineffective): to be recorded after testing
Steps to Follow after identifying a Finding
• Discuss and validate errors with responsible stakeholders and process owners
• Consider whether there are any compensating controls within the process or system,
and extend the testing scope, if necessary
• Assess impact - Whether or not the objectives of the test have been met and if
alternative measures need to be taken
• Evaluate Exceptions or Errors Identified during Controls Testing for the following:
i. Potential effect on control objectives
ii. Incidence, or level of error
iii. Cause of the control breakdown
iv. Actual Effect, if applicable
Elements of a Finding
Criteria:
Provides a context for evaluating evidence and understanding the findings (Control Objectives)
• Policies & Procedures (Expectations of what should exist)
• Contracts & Agreements
• Laws & Regulations
• Standards & Benchmarks
• Defined business practices or measures which performance is compared or evaluated against
Condition:
The condition is the situation that exists, or what was occurring, when the control weakness was identified, i.e. the exception or deficiency.
Cause:
Identifies the reason for the condition, or the factor(s) responsible for the difference between the situation that exists (condition) and the required or desired state (criteria). Common factors include poorly designed policies, procedures or criteria; inconsistent, incomplete or incorrect implementation; segregation of duties; or business conditions.
Effect or Risk Impact:
A clear, logical link that establishes the impact or potential impact of the difference between the situation that exists (condition) and the required or desired state (criteria), identifying the outcomes or consequences of the condition. Effect or risk impact may be used to demonstrate the need for corrective action in response to the identified condition.
Recommendations
• Should address the root cause not just the symptoms
• Be relevant and practical
• Compare the benefits to costs
• More than 1 recommendation may be required to completely address an issue
• Use best practices as a source for creative insight, adapting to the needs of the
organization
Example:
Audit Objective: Evaluate and document credit limit increase procedures
Risk/Control Objective: Credit limit increases are manually reviewed and approved prior to processing the request in the system
Sample Selection: 15 credit limit increase accounts from a system-generated report
Documents Obtained: Credit limit increase MIS, the credit limit increase delegation of authority, and income documents
Exceptions noted: 3 of 15 credit limit increases were not reviewed and approved per the delegation of authority, and excess credit limit was granted to customers.
Section II - Assessing Risks & Internal Controls
Internal Control Structure
Control Environment: tone from the top; corporate policies; organizational authority
Risk Assessment: monthly Risk Control meetings; internal audit risk assessment
Control Activities: credit limits; approvals; security; block codes / policies
Information & Communication: vision and values; issue resolution calls; reporting; corporate communications (e-mail, meetings)
Monitoring: monthly reviews of performance reports; internal audit function
In many cases, you perform controls and interact with the control structure every day.
An internal control structure is simply a different way of viewing the business: a perspective that focuses on doing the right things in the right way.
Concepts and Objectives
Control definition reflects certain fundamental concepts:
• Internal control is a process
• Internal control is effected by people. It's not merely policy manuals and forms,
but people at every level of an organization.
• Internal control can be expected to provide only reasonable assurance, not
absolute assurance, to an entity's management and board.
Objectives of Internal Control
Internal controls are established to further strengthen:
• The reliability and integrity of information.
• Compliance with policies, plans, procedures, laws and regulations.
• The safeguarding of assets.
• The economical and efficient use of resources.
• The accomplishment of established objectives and goals for operations or programs.
Control Techniques
Prevention techniques are designed to provide reasonable assurance that only valid transactions are recognized, approved and submitted for processing. Therefore, many of the preventive techniques are applied before the processing activity occurs. In most situations, preventive techniques are likely to be more effective in a strong control environment, when management authorization criteria are well-defined and properly communicated.
Control type definitions: Preventive - Manual; Preventive - System
Examples of preventive controls include:
• Segregation of duties (Preventive - Manual)
• Business systems integrity and continuity controls, e.g., application design standards, change controls, security controls, systems backup and recovery (Preventive - System)
• Physical safeguard and access restriction controls (human, financial, physical and information assets) (Preventive - Manual)
• Effective "whistle blowing" processes (Preventive - Manual)
Control Techniques
Detection techniques are designed to provide reasonable assurance that errors and irregularities are discovered and corrected on a timely basis. Detection techniques normally are performed after processing has been completed. They are particularly important in an environment that has relatively weak preventive techniques, that is, when front-end approval and processing techniques do not provide reasonable assurance that unacceptable transactions are prevented from being processed, or do not assure that all approved transactions are processed accurately. In this case, after-the-fact techniques become more important in detecting and correcting processing errors.
Control type definitions: Detective - Manual; Detective - System
Examples of detection techniques include:
• Reconciliation of batch balance reports to control logs maintained by originating departments (Detective - Manual)
• Review and approval of reference file maintenance ("was-is") reports (Detective - Manual)
• Reconciliation of interface amounts exiting one system and entering another (Detective - System)
• Review of on-line access and transaction logs (Detective - System)
Risk Analysis (diagram)
Risk Management Process: Risk Assessment (Identification, Measurement, Prioritization) -> Risk Analysis (Control It; Share or Transfer It; Diversify or Avoid It) -> Risk Monitoring, applied at Entity Level, Process Level and Activity Level.
Role of a Process Owner
• General Expectations
  • Acknowledge the responsibility for the design, implementation and maintenance of the control structure within the business processes
  • Contribute direction to identify, prioritize and review risks and controls
  • Remove obstacles for compliance; remedy control deficiencies
  • Continue or begin a program of self-assessment and testing to monitor the controls within the processes
  • Quarterly: confirm key controls are implemented and effective; maintain documentation to support this assessment
• Immediate Action Items
  • Educate personnel about the requirements and effort
  • Reinforce internal focus on controls within the process
  • Surface any risks, concerns or issues promptly to allow adequate attention for correction (don't wait for an audit)
  • Fix control gaps within reasonable timescales
Section II - Internal Audit Sampling
Sampling
Population: the entire universe from which a sample is selected and reviewed, and about which the auditor
wishes to draw conclusions.
Data availability for population:
An important aspect in sample selection is the availability of data. Depending upon the population,
entire data may or may not be available. In cases where entire data is not available, same should
be brought to the attention of the Management, be agreed with the stakeholders and be clearly
mentioned as a scope limitation.
Systematic selection:
A systematic approach is used by the auditor to select items, to minimize any potential human
judgment or bias. Every nth item within the population is selected in accordance with a defined
sampling interval.
Haphazard selection:
The auditor, without any conscious bias, selects sample items randomly, i.e., without any special
reason for including or omitting items from the sample
Stratification:
Prior to carrying out analytical procedures, it is important to stratify / classify the data into
separate logical sections. This classification would not only help in analyzing trends unique to that
particular category but would also help in assessing materiality while selecting a sample.
Sampling
Perform Analytical procedures:
Analytical procedure is defined as an evaluation of financial information made by a study of
plausible relationships among both financial and non-financial data
Analyse abnormal transactions:
If the analytical procedures highlight certain abnormal transactions (where there are significant
aberrations), they should be separated and reviewed separately. Such transactions should be
reviewed in addition to the regular sample selected.
Using Excel / CAAT:
If the testing objective can be applied to the entire population using Excel / CAAT, audit
procedures should be performed on the entire population; otherwise samples should be selected for
testing.
Determining sample size and selecting sample:
The sample size will depend on the frequency of the control being tested and the level of evidence
that is judged to be necessary by the client and the engagement team. For this purpose the
engagement team should define the areas under scope as either High or Low risk.
Performing audit procedures and Evaluating Test results:
When weaknesses in internal controls are identified we should consider whether there are any
compensating controls within the process or system. If we believe there are appropriate
compensating controls, we should extend the testing scope to include testing of these compensating
controls.
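The sampling steps above (stratify the population, run an analytical procedure to isolate aberrations, select every nth item at a defined interval sized by the High / Low risk rating, review the aberrations in addition to the regular sample, and record missing data as a scope limitation) as an added Python example; this is not code from the original note, and the per-rating sample sizes, the z-score cut-off and the transaction data are assumptions made for illustration.

```python
"""Audit sampling helper (added example, not from the original note)."""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Optional

# Assumed sample sizes per risk rating; the note leaves these to the engagement team.
SAMPLE_SIZE = {"High": 5, "Low": 2}


@dataclass(frozen=True)
class Txn:
    txn_id: str
    stratum: str             # logical section, e.g. expense category or business unit
    amount: Optional[float]  # None models a record whose data is not available


def stratify(population: List[Txn]) -> Dict[str, List[Txn]]:
    """Classify the population into separate logical sections (strata)."""
    strata: Dict[str, List[Txn]] = {}
    for t in population:
        strata.setdefault(t.stratum, []).append(t)
    return strata


def abnormal(txns: List[Txn], z: float = 2.0) -> List[Txn]:
    """Analytical procedure: flag amounts more than z std devs from the stratum mean."""
    amounts = [t.amount for t in txns if t.amount is not None]
    if len(amounts) < 3:
        return []  # too few values for a meaningful comparison
    mu, sigma = mean(amounts), pstdev(amounts)
    if sigma == 0:
        return []
    return [t for t in txns if t.amount is not None and abs(t.amount - mu) / sigma > z]


def systematic_sample(txns: List[Txn], size: int, start: int = 0) -> List[Txn]:
    """Systematic selection: every nth item, interval = population size // sample size."""
    if size <= 0 or not txns:
        return []
    interval = max(1, len(txns) // size)
    return [txns[i] for i in range(start % interval, len(txns), interval)][:size]


def plan_sample(population: List[Txn], risk: Dict[str, str]) -> dict:
    """Per stratum: systematic sample plus abnormal items; missing data is a scope limitation."""
    result = {"selected": {}, "abnormal": {}, "scope_limitations": []}
    for name, txns in stratify(population).items():
        missing = [t.txn_id for t in txns if t.amount is None]
        if missing:
            result["scope_limitations"].append((name, missing))
        complete = sorted((t for t in txns if t.amount is not None), key=lambda t: t.txn_id)
        odd = abnormal(complete)
        regular = systematic_sample(complete, SAMPLE_SIZE[risk.get(name, "Low")])
        result["abnormal"][name] = [t.txn_id for t in odd]
        # abnormal transactions are reviewed in addition to the regular sample
        result["selected"][name] = sorted({t.txn_id for t in regular} | {t.txn_id for t in odd})
    return result


# Constructed population for demonstration (not real data).
POPULATION = [Txn(f"T{i:03d}", "travel", 100.0 + i) for i in range(1, 21)] + [
    Txn("T099", "travel", 5000.0),  # significant aberration among the travel claims
    Txn("T101", "rent", 12000.0),
    Txn("T102", "rent", 12000.0),
    Txn("T103", "rent", None),      # amount missing from the data extract
]
RISK = {"travel": "High", "rent": "Low"}

if __name__ == "__main__":
    print(plan_sample(POPULATION, RISK))
```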
Section II - Internal Audit Tools
Need for Mathematical Tools
• To recognize early warning bells, as part of audit procedures, and protect the business against fraud or error
• Identify transactions that are indicative of fraud or error using tested and proven fraud and error detection techniques
• "Scientific" sample selection through automated procedures
• Reduced dependence on random sampling
• To identify red flags at the financial statements level
Using Excel as a Tool
• 'IF'
• 'IF' in combination with 'AND'
• 'IF' in combination with 'AND' & 'OR'
• 'COUNTIF' and 'SUMIF'
• 'SUMIFS'
• 'VLOOKUP'
• Pivot Table function
• Setting Filters
• Formula Auditing
Using Excel as a Tool (illustrative)
Statistical Functions:
COUNT: computes the number of numeric entries in a range
COUNTA: computes the number of entries, including text entries, in a range
AVERAGE: sums the numbers in a range and divides the total by the number of numbers
MEDIAN: computes the middle value in a range of numbers
MODE: computes the value that occurs most frequently
VLOOKUP: searches for a value in the leftmost column of a table, and then returns a value in the same row from a column you specify in the table
PIVOT: summarizes the columns of information in a database in relationship to each other
Analyzing data in IDEA
Use of data analytics tools facilitates creating a virtual room where all relevant
audit content can be stored and accessed.
Section II - Reporting and Follow-up
Audit Report Structure
• Covering Letter
• Background / Function Overview
• Purpose / Objectives
• Scope of Work
• Audit Approach
• Limitation
• Executive Summary (Significant Findings)
• Detailed Observations
• Follow Up of Prior Recommendations
Audit Report Structure (illustrative observations; columns: S.No., Priority, Issue, Risk, Performance Improvement Observation, Management Response, Responsibility / Timelines)

S.No.: 1
Priority: High
Issue: It was observed that in 48 out of 60 cases (total population of 850 cases for credit limit enhancement for the period March-May 2012) the credit limits enhanced for existing customers were not as per the parameters defined in the policy. Excess credit limit amounting to Rs 13.22 Lacs was given to customers. For details refer Annexure 1.
Risk: Incorrect credit limit offered to customers leading to increased credit risk exposure for the Company, which may eventually lead to higher delinquencies.
Performance Improvement Observation: The authority & responsibility within the Risk Team should be explicitly defined & documented for approving credit limit increase deviations, and the same should be approved as per DOA.
Management Response: Adequate steps will be taken up to ensure policy adherence by having periodic process trainings for the account management team. The risk team would additionally support the training requirements of the AMU team.
Responsibility / Timelines: Risk Team, March 2013

S.No.: 2
Priority: High
Issue: Late Payment Charges amounting to Rs 1.3 Lacs were short-levied on 260 accounts and excess-levied on 296 accounts. Further, the Finance Charges on these accounts would be incorrect as the LPC is not accurately levied.
Risk: Possibility of revenue leakage for LPC and customer dissatisfaction / negative impact on brand / reputation.
Performance Improvement Observation: Business should evaluate the possibility of implementing a continuous control mechanism through data analytics tools, and a System Audit should be carried out.
Management Response: The implementation of the revised LPC tier from Rs.700 to Rs.750 was delayed by ~40 days due to a set-up miss, later identified by the pricing team and rectified on 12th November 2012.
Responsibility / Timelines: Marketing Team, March 2013
Section II - Internal Audit and Fraud
Anti Fraud Control Framework
Policy: code of conduct; ethics policy; gifts and hospitality; agents; facilitation payments; tone from top; zero tolerance; cross culture
Process: roles and responsibilities; accountability; annual sign off; self assessment; testing
People: zero tolerance; board responsibilities; due diligence; training; education
Voice: cross culture; disclosure; openness; employee / suppliers
Fraud Prevention Strategy
Thank You