Date post: 25-Feb-2018
Category: Documents
Upload: sarvjeetkaushal
7/25/2019 Approach Note on Internal Audit_good Ppt
Approach Note on Internal Audit
CA. Deep Kumar Mendiratta
Contents
Section I
1. Internal Audit - Basics
2. ERM Framework
3. Internal Audit Guidelines
4. Internal Audit Process, Approach & Methodology
Section II
1. Assessing Risks & Internal Controls
2. Internal Audit Sampling Methodology
3. Internal Audit Tools
4. Reporting and Follow-up
5. Internal Audit & Fraud
Section I - Why Internal Audit ?
Internal Audit - Basics
Definition of Internal Audit:
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
Objectives of Internal Audit:
Risk Management
Control
Governance
Risk:
Risk is the potential that a chosen action or activity (including the choice of inaction) will lead to a loss (an undesirable outcome). The notion implies that a choice having an influence on the outcome sometimes exists (or existed).
Internal Control:
Internal Control is a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of its objectives (Operational, Reporting & Compliance).
Why Internal Audit?
CARO (Companies (Auditor's Report) Order, 2003): Requires listed companies to have an internal audit system commensurate with its size and nature of business. To comply with the requirements companies may either have an internal audit department or can outsource the internal audit function to an external agency.
Clause 49: Requires audit committee role to include oversight of the internal audit function as one of the terms of reference. The agreement requires the audit committee to review with management performance of internal audit function.
Companies Act, 1956 (Section 224): Requires companies to appoint an auditor or auditors at every annual general meeting to hold office from the conclusion of that meeting until the conclusion of next annual general meeting.
Section I - ERM Framework
Enterprise Risk Management
ERM defined:
A process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
The key to effectively protecting and growing returns for an organization's shareholders is to identify and manage the risks that could prevent the organization from achieving its business objectives. The enterprise risk assessment is an efficient, comprehensive process that provides insight on inherent risks from an industry perspective and links them to the organization's objectives, initiatives, and business processes.
Entity objectives can be viewed in the context of four categories:
Strategic
Operations
Reporting
Compliance
Enterprise risk management requires an entity to take a portfolio view of risk. Management considers how individual risks interrelate and develops a portfolio view from two perspectives:
Business unit level
Entity level
Enterprise Risk Management Framework
Section I - Internal Audit Guidelines
Compliance to Auditing Standards (ICAI)
Standards on Internal Audits:
Standard on Internal Audit (SIA) 1, Planning an Internal Audit
Standard on Internal Audit (SIA) 2, Basic Principles Governing Internal Audit
Standard on Internal Audit (SIA) 3, Documentation
Standard on Internal Audit (SIA) 4, Reporting
Standard on Internal Audit (SIA) 5, Sampling
Standard on Internal Audit (SIA) 6, Analytical Procedures
Standard on Internal Audit (SIA) 7, Quality Assurance in Internal Audit
Standard on Internal Audit (SIA) 8, Terms of Internal Audit Engagement
Standard on Internal Audit (SIA) 9, Communication with Management
Standard on Internal Audit (SIA) 10, Internal Audit Evidence
Standard on Internal Audit (SIA) 11, Consideration of Fraud in an Internal Audit
Standard on Internal Audit (SIA) 12, Internal Control Evaluation
Standard on Internal Audit (SIA) 13, Enterprise Risk Management
Standard on Internal Audit (SIA) 14, Internal Audit in an Information Technology Environment
Standard on Internal Audit (SIA) 15, Knowledge of the Entity and its Environment
Standard on Internal Audit (SIA) 16, Using the Work of an Expert
Standard on Internal Audit (SIA) 17, Consideration of Laws and Regulations in an Internal Audit
Standard on Internal Audit (SIA) 18, Related Parties
Compliance to Auditing Standards
The IIA Standards types:
a) Attribute Standards: address the attributes of organizations and individuals performing internal audit services. The attributes addressed are:
Purpose, Authority and Responsibility
Independence and Objectivity
Proficiency and Due Professional Care
Quality Assurance
b) Performance Standards: describe the nature of internal audit services and provide quality criteria against which the performance of these services can be measured. The criteria addressed are:
Managing Internal Audit Activity
Nature of Work
Engagement Planning
Performing the Engagement
Communicating Results
Monitoring Progress
Management's Acceptance of Risk
c) Implementation Standards: expand upon the Attribute and Performance Standards, providing guidance in specific types of engagements.
Compliance to Auditing Standards (illustrative)
S.N. Title of Standard
1 1000 - Purpose, Authority, and Responsibility
2 1010 - Recognition of the definition of Internal Auditing, the Code of Ethics, and the Standards in the Internal Audit Charter
3 1100 - Independence and Objectivity
4 1110 - Organizational Independence
5 1111 - Direct Interaction with the Board
6 1120 - Individual Objectivity
7 1130 - Impairments to Independence or Objectivity
8 1200 - Proficiency and Due Professional Care
9 1210 - Proficiency
10 1220 - Due Professional Care
11 1230 - Continuing Professional Development
12 1300 - Quality Assurance and Improvement Program
13 1310 - Quality Program Assessments
14 1311 - Internal Assessments
15 1312 - External Assessments
Section I - Internal Audit Process
IA Process Overview
1. Define
1.1 Define objectives of analysis
1.2 Gain an understanding
1.3 Define data requirements
2. Validate
2.1 Request and receive Data
2.2 Validate Control totals
2.3 Perform data quality Assessment
3. Execute
3.1 Execute audit steps
3.2 Identify discrepancies
3.3 Discuss discrepancies with stakeholders and validate errors
3.4 Assess impact on objectives
4. Retain
4.1 Document process reproduce data
4.2 Document Retention
Execution Process Overview
Control Evaluation: Gather Info, Understand the Process, Evaluate
Control Testing: Develop Test Plan, Sampling or CAATs, Testing, Consider Substantive Testing
Substantive Testing: Develop Test Plan, Sampling or CAATs, Testing
Formulate Findings: Assess Root Cause, Prioritize, Agree Action Plan with the Management
Reassess Scope
Evaluation Process
[Flowchart: Determination on Adequacy of Control Design. Inputs: Control Objective, Risk. Decision points: "Is a control in place (and in the appropriate timeframe)?", "Is there a mitigating control?", "Does the control address the risk? e.g. Are all relevant attributes covered". Outcomes: Missing Controls, Assess Mitigation (Missing / Mitigated Controls), Inadequate Controls.]
Risk and Control Matrix
Columns: Sr. No.; Process; Sub Process/Activity; What Can Go Wrong (Risk); Control Description; Test Procedures; Documents to be Referred for Test Procedures; Conclusion (Effective / Ineffective)
Sr. No.: 1
Process: Client Billing (Invoicing & Collection)
Sub Process/Activity: Quantity Assessment & Work
What Can Go Wrong (Risk):
- Incorrect quantity assessment by the billing engineer leading to under-billing to the client
- Incorrect quantity assessment by the billing engineer leading to over-billing to the client
Control Description:
- Quantity assessment is done against the schedule of work (target billing) and the actual work carried out at the site
- The quantity assessment is also cross checked against the MPR/DPR (Prepared by the planning department who in turn get the data from execution department and sub-contractors/vendors)
Test Procedures:
- Obtain the latest Project Review Report (PRR) and Daily Progress Report (DPR) for the period under review
- Select sample RA Bills and review whether related records certifying the completion of measured work are maintained
- Ensure measured works are strictly in accordance with scope of work and any variation is separately parked as 'Extra Work/Item'
- Quantities for billing are supported by site measurements/Stock consumption and issuance records
Documents to be Referred for Test Procedures:
- Measurement sheets from the site
- PRR and DPR
- Raised RA Bills and certified RA Bills
Steps to Follow after identifying a Finding
Discuss and validate errors with responsible stakeholders and process owners
Consider whether there are any compensating controls within the process or system, and extend the testing scope, if necessary
Assess impact - Whether or not the objectives of the test have been met and if alternative measures need to be taken
Evaluate Exceptions or Errors Identified during Controls Testing for the following:
i. Potential effect on control objectives
ii. Incidence, or level of error
iii. Cause of the control breakdown
iv. Actual Effect, if applicable
Elements of a Finding
Criteria:
Provides a context for evaluating evidence and understanding the findings (Control Objectives)
Policies & Procedures (Expectations of what should exist)
Contracts & Agreements
Laws & Regulations
Standards & Benchmarks
Defined business practices or measures which performance is compared or evaluated against
Condition:
Condition is a situation that exists or what was occurring when the control weakness was identified, i.e. the Exception or Deficiency
Cause:
Identifies the reason for the condition or the factor(s) responsible for the difference between the situation that exists (condition) and the required or desired state (criteria). Common factors include: poorly designed policies, procedures, or criteria; inconsistent, incomplete, or incorrect implementation; segregation of duties or business conditions.
Effect or Risk Impact:
A clear, logical link to establish the impact or potential impact of the difference between the situation that exists (condition) and the required or desired state (criteria), which identifies the outcomes or consequences of the condition. Effect or risk impact may be used to demonstrate the need for corrective action in response to identified condition.
Recommendations
Should address the root cause not just the symptoms
Be relevant and practical
Compare the benefits to costs
More than 1 recommendation may be required to completely address an issue
Use best practices as a source for creative insight, adapting to the needs of the organization
Example:
Audit Objective: Evaluate and Document Credit Limit Increase Procedures
Risk/Control Objective: Credit Limit Increases are manually reviewed and approved prior to processing the request in the system
Sample Selection: 15 credit limit increase accounts from a system generated report
Documents Obtained: Credit limit increase MIS and the credit limit increase delegation of authority and Income documents
Exceptions noted: 3 of 15 credit limit increases were not reviewed and approved per the delegation of authority and excess credit limit was granted to customers.
Section II - Assessing Risks & Internal Controls
Internal Control Structure
In many cases, you perform controls and interact with the control structure every day
MONITORING: Monthly reviews of performance reports; Internal audit function
INFORMATION AND COMMUNICATION: Vision and values; Issue resolution calls; Reporting; Corporate communications (e-mail, meetings)
CONTROL ACTIVITIES: Approvals; Security; Block Codes / policies
RISK ASSESSMENT: Monthly Risk Control meetings; Internal audit risk assessment
CONTROL ENVIRONMENT: Tone from the top; Corporate Policies; Organizational authority
An internal control structure is simply a different way of viewing the business - a perspective that focuses on doing the right things in the right way.
Concepts and Objectives
Control definition reflects certain fundamental concepts:
Internal control is a process
Internal control is effected by people. It's not merely policy manuals and forms, but people at every level of an organization.
Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity's management and board.
Objectives of Internal Control
Internal controls are established to further strengthen:
The reliability and integrity of information.
Compliance with policies, plans, procedures, laws and regulations.
The safeguarding of assets.
The economical and efficient use of resources.
The accomplishment of established objectives and goals for operations or programs.
Control Techniques
Prevention techniques are designed to provide reasonable assurance that only valid transactions are recognized, approved and submitted for processing. Therefore, many of the preventive techniques are applied before the processing activity occurs. In most situations, preventive techniques are likely to be more effective in a strong control environment, when management authorization criteria are well-defined and properly communicated.
Control type definitions:
Preventive - Manual
Preventive - System
Examples of preventive controls include:
Segregation of duties (Preventive - Manual)
Business systems integrity and continuity controls, e.g., application design standards, change controls, security controls, systems backup and recovery (Preventive - System)
Physical safeguard and access restriction controls (human, financial, physical and information assets) (Preventive - Manual)
Effective "whistle blowing" processes (Preventive - Manual)
Control Techniques
Detection techniques are designed to provide reasonable assurance that errors and irregularities are discovered and corrected on a timely basis. Detection techniques normally are performed after processing has been completed. They are particularly important in an environment that has relatively weak preventive techniques. That is, when front-end approval and processing techniques do not provide reasonable assurance that unacceptable transactions are prevented from being processed or do not assure that all approved transactions are processed accurately. In this case, after-the-fact techniques become more important in detecting and correcting processing errors.
Control type definitions:
Detective - Manual
Detective - System
Examples of detection techniques include:
Reconciliation of batch balance reports to control logs maintained by originating departments. (Detective - Manual)
Review and approval of reference file maintenance (was-is) reports. (Detective - Manual)
Reconciliation of interface amounts exiting one system and entering another. (Detective - System)
Review of on-line access and transaction logs. (Detective - System)
Risk Analysis
[Diagram. Components: Risk Assessment, Risk Management, Risk Monitoring. Steps: Identification, Measurement, Prioritization. Responses: Control It, Share or Transfer It, Diversify or Avoid It. Levels: Entity Level, Process Level, Activity Level.]
Role of a Process Owner
General Expectations
Acknowledge the responsibility for the design, implementation and maintenance of the control structure within the business processes
Contribute direction to identify, prioritize and review risks and controls
Remove obstacles for compliance; remedy control deficiencies
Continue or begin a program of self-assessment and testing to monitor the controls within the processes
Quarterly
- confirm key controls are implemented and effective
- maintain documentation to support this assessment
Immediate Action Items
Educate personnel about the requirements and effort
Reinforce internal focus on controls within the process
Surface any risks, concerns or issues promptly to allow adequate attention for correction (don't wait for an audit)
Fix control gaps within reasonable timescales
Section II - Internal Audit Sampling
Sampling
Population:
The entire set or universe from which a sample is selected & reviewed, and about which the auditor wishes to draw conclusions.
Data availability for population:
An important aspect in sample selection is the availability of data. Depending upon the population, entire data may or may not be available. In cases where entire data is not available, the same should be brought to the attention of the Management, be agreed with the stakeholders and be clearly mentioned as a scope limitation.
Systematic selection:
A systematic approach is used by the auditor to select items, to minimize any potential human judgment or bias. Every nth item within the population is selected in accordance with a defined sampling interval.
Haphazard selection:
The auditor, without any conscious bias, selects sample items randomly, i.e., without any special reason for including or omitting items from the sample.
Stratification:
Prior to carrying out analytical procedures, it is important to stratify / classify the data into separate logical sections. This classification would not only help in analyzing trends unique to that particular category but would also help in assessing materiality while selecting a sample.
Perform Analytical procedures:
Analytical procedure is defined as an evaluation of financial information made by a study of plausible relationships among both financial and non-financial data.
Analyse abnormal transactions:
If the analytical procedures highlight certain abnormal transactions (where there are significant aberrations), they should be separated and reviewed separately. Such transactions should be reviewed in addition to the regular sample selected.
Using Excel / CAAT:
In case the testing objective can be applied by using excel / CAAT on the entire population, audit procedures should be performed on the entire population else samples should be selected for testing.
Determining sample size and selecting sample:
The sample size will depend on the frequency of the control being tested and the level of evidence that is judged to be necessary, by the client and the engagement team. For this purpose the engagement team should define the areas under scope as either High or Low risk.
Performing audit procedures and Evaluating Test results:
When weaknesses in internal controls are identified we should consider whether there are any compensating controls within the process or system. If we believe there are appropriate compensating controls, we should extend the testing scope to include testing of these compensating controls.
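The selection steps described above (stratification, systematic selection at a defined sampling interval, and abnormal transactions reviewed in addition to the regular sample), as an added example that is not part of the original presentation. The population, the 10x-median abnormality rule, the Rs 50,000 stratum boundary and the per-stratum sample sizes are all assumptions constructed for illustration.

```python
import random
from statistics import median

def make_population(n=850, seed=7):
    """Constructed data: n credit-limit increases with three planted outliers."""
    rng = random.Random(seed)
    pop = [{"id": i, "amount": rng.choice([10_000, 25_000, 50_000, 100_000])}
           for i in range(1, n + 1)]
    for i in (40, 411, 799):
        pop[i - 1]["amount"] = 2_500_000
    return pop

def split_abnormal(records, multiple=10):
    """Assumed analytical rule: amount above multiple x median is abnormal."""
    cutoff = multiple * median(r["amount"] for r in records)
    abnormal = [r for r in records if r["amount"] > cutoff]
    regular = [r for r in records if r["amount"] <= cutoff]
    return abnormal, regular

def stratify(records, high_from=50_000):
    """Classify records into strata; the boundary is an assumed materiality line."""
    strata = {"high": [], "low": []}
    for r in records:
        strata["high" if r["amount"] >= high_from else "low"].append(r)
    return strata

def systematic_sample(items, size, start=None, rng=None):
    """Select every nth item, n = len(items) // size, from a start in the first interval."""
    if size <= 0 or not items:
        return []
    if size >= len(items):
        return list(items)  # population too small to sample: test all of it
    interval = len(items) // size
    if start is None:
        start = (rng or random.Random()).randrange(interval)
    if not 0 <= start < interval:
        raise ValueError("start must fall inside the first sampling interval")
    return [items[start + k * interval] for k in range(size)]

def select_for_testing(population, sizes, seed=2012):
    """Return (abnormal items for full review, systematic sample per stratum)."""
    rng = random.Random(seed)  # fixed seed so the selection can be reproduced
    abnormal, regular = split_abnormal(population)
    sample = {name: systematic_sample(items, sizes[name], rng=rng)
              for name, items in stratify(regular).items()}
    return abnormal, sample

if __name__ == "__main__":
    abnormal, sample = select_for_testing(make_population(), {"high": 40, "low": 20})
    print("abnormal, reviewed in addition to the sample:", [r["id"] for r in abnormal])
    for name, items in sample.items():
        print(name, len(items), "items, first ids:", [r["id"] for r in items[:5]])
```

Recording the seed and the interval in the working papers lets a reviewer re-derive exactly the same selection from the same population file.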
Section II - Internal Audit Tools
Need for Mathematical Tools
To recognize early warning bells, as part of audit procedures, and protect business against fraud or error.
Identify transactions that are indicative of fraud or error using tested and proven fraud & error detection techniques
Scientific sample selection through automated procedures
Reduce dependence on random sampling
To identify red flags at Financial Statements Level.
Using Excel as a Tool
IF
IF in combination with AND
IF in Combination with AND & OR
CountIF and SUMIF
SUMIFS
Pivot Table Function
Setting Filters
Formula Auditing
Using Excel as a Tool (illustrative)
Statistical Functions:
COUNT - Computes the number of numbers in a range
COUNTA - Computes the number of entries, including text entries in a range
AVERAGE - Sums the numbers in a range and divides the total by the number of numbers
MEDIAN - Computes the middle value in a range of numbers
MODE - Computes the value that occurs most frequently
VLOOKUP - Searches for a value in the leftmost column of a table, and then returns a value in the same row from a column you specify in the table.
PIVOT - Summarizes the columns of information in a database in relationship to each other.
Analyzing data in IDEA
Use of data analytics tools facilitates creating a virtual room where all relevant audit content can be stored and accessed.
Section II - Reporting and Follow-up
Audit Report Structure
Covering Letter
Background/ Function Overview
Purpose/ Objectives
Scope of Work
Audit Approach
Limitation
Executive Summary (Significant Findings)
Detailed Observations
Follow Up of Prior Recommendations
Audit Report Structure
Columns: S.No.; Priority; Issue; Risk; Performance Improvement Observation; Management Response; Responsibility / Timelines
S.No.: 1
Priority: High
Issue: It was observed that in 48 out of 60 cases (total population of 850 cases for credit limit enhancement for period March-May, 2012) the credit limits enhanced for existing customers was not as per the parameters defined in the policy. Excess credit limit amounting to Rs 13.22 Lacs was given to customers. For details refer Annexure 1
Risk: Incorrect credit limit offered to customer leading to increased credit risk exposure for the Company, which may eventually lead to higher delinquencies.
Performance Improvement Observation: The authority & responsibility within the Risk Team should be explicitly defined & documented for approving the credit limit increase deviations and the same should be approved as per
Management Response: Adequate steps will be taken up to ensure the policy adherence by having periodic process trainings for account management team. The risk team would additionally support the training requirements of the AMU team.
Responsibility / Timelines: Risk Team, March 2013
S.No.: 2
Priority: High
Issue: Late Payment Charges amounting to Rs 1.3 Lacs were short-levied on 260 accounts and the same was excess levied on 296 accounts. Further, the Finance Charges on these accounts would be incorrect as the LPC is not accurately levied
Risk: Possibility of Revenue leakage for LPC and Customer dissatisfaction / negative impact on brand / reputation
Performance Improvement Observation: Business should evaluate the possibility of implementing continuous control mechanism through data analytics tools and System Audit should be carried out.
Management Response: The implementation of the revised LPC tier from Rs.700 to Rs.750 was delayed by ~40 days due to set up miss, later identified by pricing team and rectified on 12th November 2012.
Responsibility / Timelines: Marketing Team, March 2013
Section II - Internal Audit and Fraud
Anti Fraud Control Framework
[Diagram. Elements: Policy, Process, People, Board, Voice. Items shown: Code of conduct, Ethics policy, Gifts and hospitality, Agents, Facilitation payments; Tone from top, Zero tolerance; Roles and responsibilities, Accountability, Annual sign off, Self assessment, Testing; Board responsibilities, Due diligence, Training, Education; Disclosure, Openness, Employee/suppliers.]
Fraud Prevention Strategy
Thank You