Fundamentals of Internal Auditing

Internal Auditing Standards

1. Planning an Internal Audit

  1. Internal audit plan should cover areas such as obtaining knowledge of legal and regulatory framework within which the entity operates, obtaining knowledge of the entity’s accounting and internal control systems and policies, determining the effectiveness of internal control procedures adopted by the entity, determining the nature, timing and extent of procedures to be performed, identifying activities warranting special focus based on materiality and criticality of such activities, and their overall effect on operations of the entity, identifying and allocating staff to different activities to be undertaken.
  2. Planning process includes obtaining knowledge of business, establishing the audit universe, establishing the objectives of engagement, establishing scope of the engagement, deciding resource allocation, preparation of audit programme.
  3. Plan to be finalized in consultation with the appropriate authority before commencement of the work.

2. Basic Principles Governing Internal Audit

  1. Internal auditor should adhere to the basic principles governing an internal audit.
  2. These principles are integrity, objectivity and independence, confidentiality, skills and competence, work performed by others, documentation, planning, internal audit evidence, accounting system and internal control, and internal audit conclusions and reporting.

3. Documentation

  1. Internal audit documentation should be designed and properly organized to meet the requirements and circumstances of each audit. To formulate policies for standardization of internal audit documentation.
  2. It should be sufficiently complete and detailed for an internal auditor to obtain an overall understanding of the audit.
  3. It should cover all the important aspects of an engagement viz., engagement acceptance, engagement planning, risk assessment and assessment of internal controls, evidence obtained and examination / evaluation carried out, review of the findings, communication and reporting and follow up.

4. Reporting

  1. To review and assess the analysis drawn from internal audit evidence obtained as the basis for his conclusion on the efficiency and effectiveness of systems, processes and controls including items of financial statements.
  2. Report clearly expressing significant observations, suggestions / recommendations based on the policies, processes, risks, controls and transaction processing taken as a whole and management’s responses.
  3. Report includes basic elements such as title, addressee, report distribution list, period of coverage of the report, opening or introductory paragraph, objectives paragraph, scope paragraph (describing the nature of an internal audit), executive summary (highlighting key material issues, observations, control weaknesses and exceptions), observations, findings and recommendations made by the internal auditor, comments from the local management, action taken report — action taken / not taken pursuant to the observations made in the previous internal audit reports, date of the report, place of signature and Internal auditor’s signature with membership number.

5. Sampling

  1. Design and select an audit sample, perform audit procedures thereon, and evaluate sample results so as to provide sufficient appropriate audit evidence to meet the objectives of internal audit engagement unless otherwise specified by the client.
  2. When designing an audit sample, internal auditor should consider specific audit objectives, the population from which internal auditor wishes to sample, and the sample size.
  3. When determining the sample size, internal auditor should consider sampling risk, tolerable error and the expected error.

6. Analytical Procedures

  1. To apply analytical procedures as the risk assessment procedures at the planning and overall review stages of internal audit.
  2. Analytical procedures are analysis of significant ratios and trends including resulting investigation of fluctuations and relationships that are inconsistent with other relevant information or which deviate from predicted amounts.
  3. Factors to be considered for analytical procedures are significance of the area being examined, adequacy of the system of internal control, availability and reliability of financial and non-financial information, the precision with which results of analytical procedures can be predicted, availability and comparability of information regarding the industry in which the organization operates, the extent to which other auditing procedures provide support for audit results. After evaluating the aforementioned factors, internal auditor should consider and use additional auditing procedures, as necessary, to achieve the audit objective.

7. Quality Assurance in Internal Audit

  1. A system for assuring quality in internal audit should provide reasonable assurance that the internal auditors comply with professional standards, regulatory and legal requirements, so that the reports issued by them are appropriate in the circumstances. In order to ensure compliance with the professional standards, regulatory and legal requirements, and to achieve the desired objective of internal audit, a person within the organization should be entrusted with the responsibility for the quality in the internal audit, whether done in-house or by an external agency.
  2. In case of in-house internal audit or a firm carrying out internal audit, the person entrusted with the responsibility for the quality in internal audit should ensure that the system of quality assurance includes policies and procedures addressing leadership responsibilities for quality in internal audit, ethical requirements, acceptance and continuance of client relationship and specific engagement, as may be applicable, human resources, engagement performance, monitoring. The quality assurance framework should cover all the elements of internal audit activity.

8. Terms of Internal Audit Engagement

  1. Internal auditor and the auditee should agree on the terms of engagement before commencement. Terms should be approved by the Board of Directors or a relevant Committee thereof such as the Audit Committee or such other person(s) as may be authorized by the Board in this regard.
  2. It should contain a statement in respect of the scope of internal audit engagement.
  3. It should clearly mention that internal auditor would not be involved in the preparation of auditee’s financial statements. It should also be made clear that the internal audit would not result in the expression of an opinion or any other form of assurance on the auditee’s financial statements or any part thereof.
  4. The terms of engagement should clearly mention the responsibility of the auditee vis-a-vis the internal auditor.

9. Communication with Management

  1. Internal auditor while performing audit should communicate clearly the responsibilities of internal auditor and an overview of the planned scope and timing of audit with the management.
  2. Communication regarding the planned scope and timing of internal audit may assist the management to understand better the objectives of internal auditor’s work, to discuss issues of risk and materiality with internal auditor and to identify any areas in which they may request the internal auditor to undertake additional procedures, assist the internal auditor to understand the entity and its environment better.
  3. Different stages of communication and discussion should be:- discussion of draft; exit meeting; formal draft; and final report.

10. Internal Audit Evidence

  1. To obtain sufficient appropriate evidence to enable him to draw reasonable conclusions therefrom on which to base his opinion or findings.
  2. Scope of an internal audit is much broader in comparison to that of statutory audit. The depth of coverage of internal audit, being a management function, would also be much wider. An internal audit function normally is spread beyond checking of financial transactions and is expected to cover comments on internal control systems, risk management, propriety aspect of transactions.
  3. To evaluate sufficiency of appropriate audit evidence before drawing conclusions therefrom. The internal audit evidence should enable internal auditor to form an opinion on the scope of the terms of engagement.

11. Consideration of Fraud in an Internal Audit

  1. An internal auditor is not expected to possess the skills and knowledge of a person expert in detecting and investigating frauds; he should, however, have reasonable knowledge of factors that might increase the risk of opportunities for frauds in an entity and exercise reasonable care and professional skepticism while carrying out internal audit.
  2. A system of internal control comprises the following five elements, namely control environment, entity’s risk assessment process, information system and communication, control activities and monitoring of controls. It is essential for internal auditor to gain an understanding of the components of system of internal control.
  3. The primary responsibility for prevention and detection of frauds is that of the management of the entity. The internal auditor should, however, help the management fulfill its responsibilities relating to fraud prevention and detection.

12. Internal Control Evaluation

  1. The system of internal control must be under continuous supervision by management to determine that it is functioning as prescribed and is modified, as appropriate, for changes in environment. Internal control system extends beyond those matters which relate directly to the functions of accounting system and comprises control environment and control activities.
  2. To examine the continued effectiveness of internal control system through evaluation and make recommendations, if any, for improving that effectiveness. To focus towards improving internal control structure and promoting better corporate governance.
  3. To obtain an understanding of significant processes and internal control systems sufficient to plan the internal audit engagement and develop an effective audit approach, assess and evaluate the maturity of entity’s internal control, assess management’s attitudes, awareness and actions regarding internal controls and their importance in the entity.

13. Enterprise Risk Management

  1. Risk is an event which can prevent, hinder, fail to further or otherwise obstruct the enterprise in achieving its objectives. Risk may be broadly classified into Strategic, Operational, Financial and Knowledge.
  2. ERM is a structured, consistent and continuous process of measuring or assessing risk and developing strategies to manage risk within the risk appetite. It involves identification, assessment, mitigation, planning and implementation of risk and developing an appropriate risk response policy. Management is responsible for establishing and operating the risk management framework.
  3. ERM process consists of Risk identification, prioritization and reporting, Risk mitigation, Risk monitoring and assurance. The corporate risk function establishes the policies and procedures, and the assurance phase is accomplished by internal audit. The role of internal auditor is to provide assurance to management on the effectiveness of risk management.

14. Internal Audit in an Information Technology Environment

  1. The overall objective and scope of an internal audit does not change in an IT environment. However, the use of a computer changes the processing, storage, retrieval and communication of financial information and the interplay of processes, systems and control procedures. This may affect the internal control systems employed by the entity. Accordingly, an IT environment may affect the procedures followed by the internal auditor in obtaining a sufficient understanding of the processes, systems and internal control system and the auditor’s review of the entity’s risk management and continuity systems.
  2. To consider the effect of an IT environment on internal audit engagement, inter alia the extent to which IT environment is used to record, compile, process and analyse information and the system of internal control in existence in the entity with regard to flow of authorized, correct and complete data to the processing center, the processing, analysis and reporting tasks undertaken in the installation and the impact of computer-based accounting system on the audit trail that could otherwise be expected to exist in an entirely manual system.
  3. To have sufficient knowledge of information technology systems to plan, direct, supervise, control and review the work performed. The sufficiency of knowledge would depend on the nature and extent of the IT environment.

15. Knowledge of the Entity and its Environment

  1. To obtain knowledge of the economy, entity’s business and its operating environment, including its regulatory environment and the industry in which it operates, sufficient to enable him to review the key risks and entity-wide processes, systems, procedures and controls. To identify sufficient, appropriate, reliable and useful information to achieve the objectives of the engagement.
  2. Prior to accepting an engagement, the internal auditor should obtain a preliminary knowledge of the industry and of the nature of ownership, management, regulatory environment and operations of the entity subjected to internal audit, and should consider whether a level of knowledge of the entity’s business adequate to perform the internal audit can be obtained.
  3. Following the acceptance of the engagement, further and more detailed information should be obtained.

16. Using the Work of an Expert

  1. To obtain technical advice and assistance from competent experts if the internal audit team does not possess necessary knowledge, skills, expertise or experience needed to perform all or part of the internal audit engagement.
  2. When the internal auditor uses the work of an expert, he should satisfy himself about the competence, objectivity and independence of such expert and consider the impact of such assistance or advice on the overall result of internal audit engagement, especially in cases where the outside expert is engaged by senior management or those charged with governance.
  3. When determining whether to use the work of an expert or not, internal auditor should consider the materiality of the item being examined, the nature and complexity of the item including the risk of error therein, the other internal audit evidence available with respect to the item.

17. Consideration of Laws and Regulations in an Internal Audit

  1. It is the primary responsibility of management, with the oversight of those charged with governance, to ensure that the entity’s operations are conducted in accordance with the provisions of laws and regulations, including compliance with the provisions of laws and regulations that determine the reported amounts and disclosures in an entity’s financial statements.
  2. The objectives of the internal auditor are to obtain sufficient appropriate audit evidence regarding compliance with the provisions of those laws and regulations generally recognised to have a direct effect on the determination of material amounts and disclosures in the financial statements, to perform specified audit procedures to help identify instances of non-compliance with other laws and regulations that may have a significant impact on the functioning of the entity and to respond appropriately to non-compliance or suspected non-compliance with laws and regulations identified during the internal audit.

Internal Auditing and Fraud Investigations

In the minds of the public at large and of many clients, the discovery of frauds is the principal function of the auditor, overshadowing his other duties entirely, and although this is far from correct, there can be no question that it is of great importance.

Fraud may be divided broadly into two classes:

  1. Defalcation, involving either misappropriation of money or goods.
  2. The fraudulent manipulation of accounts not involving defalcation.

As regards the first, where accounting staff are not subjected to any form of check, the opportunities of committing fraud are so frequent, and the methods necessary to conceal it so comparatively simple, that it is safe to say that no business of any size could be carried on under such conditions for very long without the risk of fraud taking place. In a small business where the individual proprietor is in touch with the whole of the detail, and is able to supervise it effectively, the possibilities of concealing fraud may be remote. As soon, however, as the business increases in size and the proprietor is no longer able to do this, a check is to be carried out by members of the staff themselves, assisted by an independent auditor. Where the staff is sufficiently large to enable the whole of the work to be sub-divided, the auditor should examine carefully the system in force and ascertain its deficiencies, if any.

The auditor should pay particular attention to those classes of transactions which offer scope for fraud, the principal of which are cash transactions of one kind or another.

As general principles only are under consideration here, the actual way in which these transactions should be verified will be dealt with in due course, but it may be noted that there are two methods by means of which the misappropriation of money may be concealed: the first is by the inclusion of fictitious payments, and the second by the omission of cash received, the latter class being much more difficult to detect.

The second class of fraud, entailing the falsification of accounts without corresponding defalcations, is naturally considerably less frequent than the class of fraud above mentioned, but when it does occur it may involve very large amounts. It may be done for the purpose of bolstering up a business which is in an insecure condition, in order to maintain the confidence of shareholders, creditors or the public; or it may be done by a manager for the purpose of increasing the apparent profit of the business, thus showing that he has been successful in his management, and possibly increasing the commission on results payable to him; or by directors for the purpose of enabling them to pay dividends which would otherwise not have been possible. Several notable cases of this sort of falsification have occurred. It need only be pointed out here that this form of fraud is often very ingeniously and skillfully concealed, and is in many cases carried out by persons holding positions of the highest trust, and having the entire confidence of directors and shareholders.

The Internal Audit Department has a big role to play in preventing fraud in different organizations, as a part of protective functions. Every big organization has an internal audit manual, and such a manual usually outlines the internal audit function in detail for vulnerable areas where loss through fraudulent means may arise frequently. Examples of vulnerable areas are stores receipt/consumption, cash expenditure, sizeable receipts of cash, civil maintenance jobs etc. The internal audit manual prescribes in detail the manner and procedure as to how internal audit function would be carried out in these areas. The manual also directs the frequency of such audit. If internal audit of such areas is done accordingly, the possibility of occurrence of both visible and invisible frauds is eroded.

In discharging his functions in sensitive areas as mentioned aforesaid, the auditor has to be extra intelligent and imaginative to enable him to think ahead of many others. However, it needs to be mentioned that the success of internal auditor in preventing fraud also depends on the cooperation from other departments of the organization.
