Exposure Draft of Framework Governing Internal Audits (Comments to be received by January 17, 2018)


1.0 INTRODUCTION AND SCOPE

1.1 Internal audits are conducted within a defined framework that lays down the boundaries and identifies, in a broad manner, how the internal audit activity is performed. This framework provides the required clarity on key components of the audit activity and helps aggregate all aspects of the internal audit process in a cohesive manner thereby ensuring standardisation of key requirements governing internal audit assignments.

1.2 Scope: All activities of an internal audit life cycle are included, such as, scoping and planning, gathering & review of evidence, fieldwork testing, physical observations, documentation, using the work of other experts, evaluating controls and systems, communication and reporting of results.

2.0 OBJECTIVE

2.1 The main objective of a framework is:

(i) To provide clarity on key components which govern the overall internal audit process and how it’s conducted;

(ii) To ensure that all internal audits are performed by deploying certain basic principles, designed to ensure high quality of outcome;

(iii) To provide a high degree of comfort to the auditee on the reliability of the assurance provided or advice given; and

(iv) To provide high credibility to the internal audit reports and other communications issued by the internal auditor.

2.2 The overall objective of the Framework is to promote professionalism in the conduct of an internal audit assignment by the internal auditor and to ensure basic minimum standards of quality worthy of the qualification of the internal auditor and to promote the credibility of the internal audit report issued.

3.0 DEFINITION OF INTERNAL AUDIT*

3.1 An Internal Audit is defined as follows:

“Internal audit provides independent assurance on effectiveness of internal controls, risk management processes and contributes to enhancing governance for achieving organizational objectives.”

3.2 A brief explanation of the key terms used above is as follows:

(i) Independence: Internal audit should be an independent function, achieved through the position, organization structure and reporting of the internal auditor.

(ii) Internal controls and risk management are an integral part of management function and business operations. An internal auditor is expected to evaluate the design and operating effectiveness of internal controls and risk management processes (including reporting processes) as designed and implemented by the management.

(iii) Governance is a set of relationships between the company and its various stakeholders and provides the structure through which the company’s objectives are set, and the constant performance monitoring required to help attain them.

(iv) Organizational objectives incorporate the interests of all stakeholders and include compliance with internal policies and procedures and laws and regulations.

(v) Advisory role: At certain times, in addition to providing assurance, the internal auditor may adopt an advisory role to help an organization achieve its objectives, provided this does not compromise the independence of the internal auditor.

3.3 This definition forms the basis of all the Standards on Internal Audit (SIA) issued by the IASB. Hence, all internal audit activities are conducted applying the above definition as a basis.

4.0 THE FRAMEWORK

4.1 The Framework governing Internal Audits comprises four key components, all directed at establishing the credibility of the Internal Auditor and the manner in which the Internal Audit Process is executed. All the components are inherent in the whole internal audit process and implicitly form part of the SIAs, even though they may not be mentioned explicitly in the SIAs.

4.2 The key components of the framework are as follows:

(i) Code of Ethics;

(ii) Basic Principles governing an Internal Audit:

 Independence;
 Integrity & Objectivity;
 Due professional care;
 Confidentiality;
 Skills and Competence;
 Risk based approach;
 Systems & process focus;
 Participation in decision making;
 Concern for multiple stakeholders; and
 Quality and continuous improvement.

(iii) Internal Audit Charter; and

(iv) Compliance with IASB Pronouncements.

Each of these components is fully explained in the next Section.

5.0 COMPONENTS OF THE FRAMEWORK

5.1 The Code of Ethics

Every internal auditor is bound by a written code of ethics, issued by an organisation and/or the institute of his qualification. This commits the internal auditor to ethical standards applied with utmost integrity and sincerity. A member of the Institute of Chartered Accountants of India, carrying out an internal audit activity, is additionally governed by:
(a) the requirements of the Chartered Accountants Act, 1949;
(b) the Code of Ethics issued by the Institute of Chartered Accountants of India; and
(c) other relevant pronouncements of the Institute of Chartered Accountants of India.

One of these requirements includes the need to obtain a no objection certificate from the previous internal auditor at the time of changeover.

5.2 Basic Principles governing an Internal Audit:

There is a set of basic principles which govern internal audit to ensure the achievement of desired objectives in the best possible manner. These ten basic principles are listed below; they are designed to lay out the credibility of the internal auditor (first five principles) and the manner in which the internal auditor is expected to perform his duties (last five principles).

5.2.1 Independence

The Internal Auditor should be free from any undue influences which force him to deviate from the truth. He should be independent not only in mind but also in appearance. Hence he should not undertake any assignment which might appear to be in conflict with his independence or jeopardise his objectivity. Also, there should be no external pressure or interference on the internal auditor in establishing the scope of his assignments, the manner in which he conducts his work or reports his findings.

The independence of the internal audit function as a whole, as placed within the organisation, also plays a large part in establishing the independence of the internal auditor. The overall organisation structure of key personnel and the position and reporting of the Chief Internal Auditor within this structure, along with the powers and authority which he derives from his superiors, help to further establish his independence.

The Internal Audit function should be positioned outside of the functions which are subject to internal audit and ideally, the Chief Internal Auditor should report directly to the highest governing authority of the Company (generally the Chairman of the Board Audit Committee). However, many times the Chief Internal Auditor has a dual reporting responsibility, wherein he administratively reports to an executive officer (e.g., MD or CEO), but functionally into the Chairman of the Audit Committee, which is also acceptable.

Sometimes the internal auditor is exposed to a different type of risk to his independence, whereby management seeks active business support from the internal auditor. Apart from providing basic assurance and advisory inputs, he is assigned certain operational responsibilities (such as risk management, compliance, system automation, process re-engineering, etc.). Although some limited operational role may be acceptable for a short duration of time, the Internal Auditor should do so only after defining his limitations along the following lines:

(a) Inability to assume ownership or accountability of the process; and

(b) Inability to take operational decisions which may be subject to an audit later on.

5.2.2 Integrity & Objectivity

The internal auditor should be honest, truthful and a person of high integrity. He must operate in a highly professional manner and be seen to be fair in all his dealings. He should not seek to derive any undue personal benefit from his position or in the performance of his duty.

He must conduct his work in a highly objective manner, especially in the gathering and evaluation of facts and evidence matter. He must not allow prejudice or bias to override his objectivity, especially in arriving at conclusions.

5.2.3 Due Professional Care

The internal auditor should exercise due professional care and diligence expected of him while carrying out the internal audit. Due professional care signifies that the internal auditor exercises reasonable care in carrying out the work entrusted to him to ensure the achievement of planned objectives. The internal auditor has to pay particular attention to certain key aspects, such as establishing the scope of the engagement so as not to miss out any important aspects, recognizing the risks and materiality of the areas, having required skills to review complex matters, establishing the extent of testing required to achieve the objectives, etc.

Due professional care, however, neither implies nor guarantees infallibility, nor does it require the internal auditor to go far beyond the established scope of the engagement.

5.2.4 Confidentiality

The internal auditor should, at all times, maintain the utmost confidentiality of all information acquired during the course of his audit work. He should not disclose any such information to a party outside of the Internal Audit function and that also on a “need to know basis”.

The internal auditor should keep confidential information away from other employees of the entity and under no circumstances should confidential information be shared with third parties outside of the company, without the specific authority of the management/client or unless there is a legal or a professional responsibility to do so (e.g., to share information with Statutory Auditors). Internal audit reports should be addressed to specified internal auditees and distributed to only those who appointed/engaged the Internal Auditor services.

5.2.5 Skills and Competence

The internal auditor should have sound knowledge, strong inter-personal skills, practical experience, expertise in certain areas and other competence required to conduct a high-quality audit. He should undertake only those assignments for which he has the requisite competence.

The internal auditor should either have, or obtain, such skills and competence, as necessary for the purpose of discharging his responsibilities. Continuing Professional Education is a key part of this exercise. In addition to the basic technical skills, the internal auditor should have the softer skills (such as interpersonal/communication skills) required to engage with a multitude of stake-holders.

Where the internal auditor believes he is lacking in certain expertise, he is expected to procure the required skills either through in-house experts or through the services of an outside expert, provided their independence is not compromised. The key is to ensure that the audit team as a whole has all the expertise and knowledge of the area under review.

5.2.6 Risk based approach

Risk based internal audits are designed to link the audit procedures with the risks which impact the achievement of organisational objectives. The internal auditor identifies the important audit areas through a risk assessment exercise (using impact and probability of errors as a basis) and tailors the audit activity such that detailed audit procedures are conducted over high risk areas/issues while less time is devoted to low risk areas through curtailed audit procedures. Additionally, it ensures that risks under consideration are more aligned to the overall strategic and company objectives rather than narrowly focused on process objectives.

This risk based approach therefore ensures the following threefold objectives:

(a) Audit procedures need not cover the whole process and can be limited to only the important controls in the process;
(b) Provide a linkage to aspects more relevant and connected with broader company & functional objectives; and
(c) Findings and issues highlighted are significant and important and time is not wasted on areas with low probability of significant observations.

5.2.7 System and Process Focus

A system and process based internal audit goes beyond transaction and balance audits (focussed on error detection), to review the design and interlinkage of the controls (focussed on error prevention). A root cause analysis conducted on each exception helps to identify opportunities to improve the systems or to automate the process with the objective of preventing a repetition of such errors. This is a more sustainable approach as it helps the internal auditor to move away from people to process and from detection to prevention.

5.2.8 Participation in decision making

In conducting internal audit assignments, the internal auditor should avoid passing judgement or rendering an opinion on past management decisions. As part of his advisory role, the internal auditor should avoid participation in operational decision making which may be subject to a subsequent audit. The focus of the internal auditor should remain with the quality and operating effectiveness of the decision making process and how best to strengthen it, such that the chance of flawed or erroneous decisions is minimised. However, the internal auditor is at full liberty to present the lessons that could be learnt from such past decisions.

5.2.9 Balancing of multiple stakeholder interests

The internal auditor needs to evaluate the implication of his observations and recommendations on multiple stakeholders, especially where their interests may be conflicting in nature. In such situations, the internal auditor should remain objective and present a balanced view to the auditee. This would allow senior management to take the final call since they are generally privy to the full information and best placed to balance the strategy/objectives of the company with expectations/interests of the diverse stakeholders.

5.2.10 Quality and continuous improvement

The quality of the internal audit work should be paramount in the mind of the internal auditor since the credibility of the audit reports depends on the reliability of the findings. The Chief Internal Auditor should have in place a process of quality control to:

(a) ensure factual accuracy of the observations and validate the accuracy of all findings; and

(b) continuously improve the quality of the internal audit process and the internal audit reports.

The Internal auditor also has to ensure that a self assessment mechanism is in place to monitor his own performance and also that of his subordinates and external experts on whom he is relying to complete some part of the audit work.

5.3 Internal Audit Charter

The constitution and establishment of the Internal Audit function within the organisation is generally articulated in a formal document called the Internal Audit Charter. It defines all important aspects of the functioning of the Internal Audit department and provides clarity to the Internal Auditor regarding the manner in which the internal audit work is undertaken and how his responsibility is to be discharged.

Typical key contents of the Charter are as follows (indicative list):

(a) Vision & Mission of the Internal Audit function

(b) Purpose & Objectives

(c) Scope & Approach

(d) Accountability & Authority

(e) Roles & Responsibility

(f) Reporting structure

(g) Independence

(h) Standards of audit practice

The Internal Audit Charter is generally reviewed and approved by the highest governing body of the organisation; either the Board of Directors or the Audit Committee. It’s important that the governing body is aware and in agreement with its contents in order to support the internal audit agenda.

Where the Internal Audit charter is absent, it’s recommended that a formal document of this nature be put in place and used as the basis on which the internal audits will be conducted. Where the Internal Audit function is completely outsourced to an outside agency, a similar document should be developed as part of the terms of reference of the engagement.

The Internal Audit Charter should be reviewed periodically to ensure that it stays relevant to the changing needs and expectations of the board members, its management and the organisation. It is the responsibility of the Chief Internal Auditor to ensure periodic review and revision.

5.4 Compliance with IASB Pronouncements

The IASB has issued a number of Standards, Guidelines and Clarifications (collectively referred to as Pronouncements) on Internal Audit and this body of pronouncements has to be complied with by the internal auditor. These pronouncements are designed to provide the internal auditor with all the information required to deliver a high quality service and thus maintain reliability and credibility of his work.

If, for any reason, a member is unable to comply with any of the mandatory requirements, in accordance with the SIAs, his internal audit report should draw attention to the material departures therefrom. Any significant deviations from the procedures outlined in the pronouncements could also be viewed as a shortcoming in taking due professional care.

A peer review mechanism for quality control is to be followed to ensure that members have adhered to all aspects of the pronouncements.

6.0 EFFECTIVE DATE

6.1 This Framework governing Internal Audits is applicable for all internal audits beginning on or after …….

6.2 In the first year of its implementation, this Framework will be mandatory only for internal audits conducted on Listed Companies, and thereafter, it will become mandatory for internal audits conducted on all companies subject to internal audit as per Companies Act, 2013 (Refer Preface to the Framework and Standards on Internal Audit, Section 4.1).