
Auditing Standards Practical Aspects

Dr. Amit Bagga, FCA, CMA, PhD.

Effective Compliance with Standards

Definition

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations.

It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

The Institute of Internal Auditors

Effective Auditing Standards - Essentials


Auditing Standards:
Principle based
Amenable to enforcement
Easy to understand
Flexibility for application
Universal acceptance

AUDIT is an independent examination of financial statements for expressing an opinion thereon, whereas assurance is provided by such an examination and report.

Nature & Purpose


Assist team in planning & performing
Assist supervision & direction
Assist external inspection
Record matters of continuing significance
Create accountability

Objective
Prepare documentation that provides:
Sufficient & Appropriate record of basis of auditor's report
Evidence that audit was planned and performed

Requirements
Assembly of Final Audit File

Documentation of Audit Procedures and Audit Evidence obtained

Timely Preparation of Audit Documentation

The Role of the Internal Audit Department

We're Here to Help!

Identify Risks
Find Better Ways and Best Practices
Partner With You to Find Solutions
Prevent Problems

We have a plan!
Audit plan developed with input from across the organization
Risk factors:
Impact
Probability
Controls

IA Code of Ethics
Principles
Internal auditors are expected to apply & uphold the following principles:

Integrity

The integrity of internal auditors establishes trust & so provides the basis for reliance on their judgment

Objectivity

Internal auditors exhibit the highest professional objectivity in gathering, evaluating & communicating information. Internal auditors make a balanced assessment of all relevant circumstances & are not unduly influenced by their own interests or others in forming judgments

Confidentiality

Internal auditors respect the value and ownership of information they receive & do not disclose information without appropriate authority unless there is a legal or professional obligation to do so

Competency

Internal auditors apply knowledge, skills, & experience needed

What is Internal Audit?

Internal Audit is a professional activity which helps organisations to achieve their stated objectives by:

Analyzing key processes, procedures & operations

Identifying key controls in each such operation, procedure & process

Evaluating the adequacy of these controls

Testing compliance of sample transactions against these controls

Reporting results of the evaluation of controls and compliance testing of transactions

Recommending stronger controls wherever necessary

Suggesting methods to improve compliance with key controls

Follow up of action taken on recommendations made in previous reports

What are Internal Controls?


Internal Controls are important checks instituted by management to have reasonable assurance that:

Operations are carried out in an efficient & effective manner

Transactions are recorded accurately & completely

Assets are properly recorded & safeguarded

Laws are complied with

Reliable reports are generated


Some examples of Internal Control

Budgetary Control

Fixed Assets Register

Bank & Special Account Reconciliations

Reconciliation of Financial & Physical M & E Reports


Internal Audit (IA) Mandate

Compliance & Advisory roles

What does it do?

Primary role in improving internal control, accuracy, reliability & integrity of information including financial & operational reporting

Monitoring & evaluation of effectiveness of risk management processes

Role in corporate oversight, safeguarding of assets, economical & efficient use of resources, compliance with laws & regulations, deterring fraud

What does it not do?

Perform management activities/ responsibilities (these include establishing internal controls)

Internal Control Facts


FACTS:
Internal control starts with a strong set of policies and procedures
While internal auditors play a key role in the system of control, management has responsibility for internal control
Internal control is integral to every aspect of business/operations

Internal control makes the right things happen the first time

Internal controls should be built into, not onto business processes


Internal Control Practices

How?
Internal control is a process. It's a means to an end, not an end in itself
Internal control is effected by people as a team, not by internal auditor. It's not merely policy manuals & forms, but people at every level of an organization
Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity's management and governing bodies/ committees
Uses systematic methodology for analysing business processes, procedures & activities
The cost of IA should not exceed expected benefits to be derived

Internal Control Structure

An internal control structure is simply a different way of viewing operations, a perspective that focuses on doing the right things in the right way

MONITORING
Monthly reviews of performance reports
Supervisory activities

CONTROL ACTIVITIES
Purchasing limits
Approvals/ segregations
Security
Reconciliations
Proper operating & accounting procedures

INFORMATION & COMMUNICATION
Reporting
Corporate communications (e-mail, meetings)

RISK ASSESSMENT
Based on identification & analysis of risks to achievement of objectives

CONTROL ENVIRONMENT
Corporate Policies
Tone at the top, ethics
Organisational authority
Skilled personnel

In many cases, you perform controls and interact with the control structure every day, perhaps without even realising it

Role in Risk Management

Focus on risk of occurrences that could prevent the project from achieving its goals

There are many types of risk: strategic, operational, financial reporting, legal/regulatory, fraud, ineffective/inefficient use of resources, technological, human capital, credibility, etc.

Focus on areas with high risk & high probability that controls are not in place or are weak

Don't forget positive risks: opportunities!

Add value by eliminating unnecessary controls, if underlying risks are minimal/within project's risk appetite!

Internal Audit is Intake Point for Whistleblowers

Organization policy requires Internal Audit to receive reports of:
Misconduct
Fraud

Role in Internal Control

1. Compliance audit: review of financial & operating controls & transactions for conformity with laws, regulations & procedures, e.g.,

Access to IT system appropriate to user's role
Segregation of duties in high risk areas
Balancing & reconciliation between systems
Systems back up & recovery
Physical safeguard & access restriction controls
Reconciliations, comparison of budget to actual

2. Operational audit: review of various functions within project to evaluate efficiency, effectiveness, & economy

Nature of Internal Audit Activity

Establish scope & activities for audit to Management

Develop & execute risk based sampling & testing approach to determine whether most important controls are operating as intended (NB: input from Management required e.g. 100% sampling of WA review)

Report issues/make recommendations/negotiate action plans with Management to address issues

Follow up on reported findings periodically

Describe key risks facing the business activities within scope of audit

Identify control procedures used to ensure each key risk is properly controlled & monitored

Contents of Audit Plan

Updated annually

Risk based audit plan developed with input from project staff including Management

Summary of key goals, risks & corresponding major audits, to illustrate alignment

Based on risk assessment & available resources

Appendix materials, such as planning approach, assumptions & brief descriptions of all planned audits & related prioritization

Approved by management/ appropriate oversight Committee

Contents of Audit Report

Observations
Narration/ description
Remedial action
Consequences/ fall out
Recommendation for improvement (prioritized between high and normal)
Response (action plan): who, when and how

IA's Proactive Role

Identify Risks
Find Better Ways and Best Practices
Partner With Management to Find Solutions
Prevent Problems
Provide training
Respond to policy & technical accounting questions
Offer suggestions for improvement
Advisory role

Preventive Measures

Make sure your controls are working
Review and reconcile
Check the work of your subordinates
Don't give in to the temptation to skip controls because you are busy!

What is included in the audit report?

What was found
Why it happened
What is required
What effect it has
Recommendation for improvement
Response: who, when and how

What happens after the audit?


Follow-up
Review corrective action
Report to Audit Committee

We are here to help

We provide training
Respond to policy and technical accounting questions
Offer suggestions for improvement
Advisory role

How To Conduct Internal Audit

Internal Audit or Inspection?

Many companies have GMP inspections or regularly scheduled inspections of Prerequisite programs.
These differ from audits because:

They are typically based on a standard checklist that is designed to look at each point individually and determine if a requirement is being followed
Internal audits look at the system and include the interaction of processes

RISK MANAGEMENT
Section 138(1)
Prescribed class of companies shall conduct the internal audit of the functions and activities of the company.
(As per Draft Rules: Every listed company, every public company with paid up share capital > Rs 50 cr, or turnover of 200cr or any outstanding loans or borrowings from banks or public financial institutions > Rs. 100 cr or which has accepted deposits of > Rs. 25 cr at any point of time during the last financial year)

12/21/2014

RISK MANAGEMENT

Evaluation of internal financial controls and risk management systems
The Board's report to contain a statement indicating development and implementation of risk management policy. Section 134 (3)(n)
Board Report to contain statement indicating the manner in which formal annual evaluation has been made by the Board of its own performance and that of its committees and individual directors. Section 134 (3)(p)
(As per Draft Rules: This is applicable for every listed company and public company having paid up share capital of Rs. 25cr or more, calculated as at the end of the preceding FY)

Meeting of Audit Committee:


Audit Committee should meet at least four times in a year.
Maximum Gap between 2 Meetings is 4 Months.
Minimum 2 Directors must be present.

EXPANDED ROLE OF AUDIT COMMITTEE

Directors' Responsibility Statement

Section 135 (5)
Directors' Responsibility Statement referred to in clause (c) of sub-section (3) shall state that
..
(b) the directors had selected such accounting policies and applied them consistently and made judgments and estimates that are reasonable and prudent so as to give a true and fair view ;
(c) the directors had taken proper and sufficient care for the maintenance of adequate accounting records in accordance with the provisions of this Act for safeguarding the assets of the company and for preventing and detecting fraud and other irregularities;
..
(e) the directors, in the case of a listed company, had laid down internal financial controls to be followed by the company and that such internal financial controls are adequate and were operating effectively.
Explanation. For the purposes of this clause, the term "internal financial controls" means the policies and procedures adopted by the company for ensuring the orderly and efficient conduct of its business, including adherence to company's policies, the safeguarding of its assets, the prevention and detection of frauds and errors, the accuracy and completeness of the accounting records, and the timely preparation of reliable financial information;
(f) the directors had devised proper systems to ensure compliance with the provisions of all applicable laws and that such systems were adequate and operating effectively.
