ICAI SIA - Notes and Summary
FROM
ISSUED BY
The Standards on Internal Audit shall apply whenever an internal audit is carried
out.
SIAs will be mandatory from the respective date(s) mentioned in the SIA(s).
However, any limitation in the applicability of a specific Standard shall be made
clear in the Standard.
Authority
******
Requirement of Plan:
The internal audit plan should be comprehensive enough to ensure that it helps in
achieving the above overall objectives of an internal audit.
Thus, according to the standard, the internal audit plan should be:
Consistent with the goals and objectives of the internal audit function.
In case the entire internal audit has been outsourced, the internal auditor
should also ensure that the plan is consistent with the terms of the
engagement.
The internal auditor should consider the information gathered during the
preliminary review stage to determine the scope of his audit procedures.
Though the form and content of the audit program and the extent of its details
would vary with the circumstances of each case, yet the internal audit program
should be so designed as to achieve the objectives of the engagement and also
provide assurance that the internal audit is carried out in accordance with the
Standards on Internal Audit.
*******
Applicability:
The standard specifies the following principles governing the internal audit. These are
very similar to the principles specified in the normal auditing standards of the Institute.
Confidentiality
The internal auditor should maintain the confidentiality of the information acquired in
the course of his work and should not disclose any such information to a third party,
including the employees of the entity, without the specific authority of the
management/client or unless there is a legal or a professional responsibility to do so.
Documentation
(i) Obtain an understanding of the risk management and internal control framework
established and implemented by the management.
(ii) Perform steps for assessing the adequacy of the framework developed in relation
to the organisational set up and structure.
(iv) Perform risk based audits on the basis of risk assessment process.
It is important to note that the standard has specified the subject of risk management
as a consideration for auditors. The auditor is required to understand, assess,
review and comment on risk management. It is also important for auditors to
conduct the audit based on the risk assessment approach.
*******
Applicability:
Abstracts or copies of the entity's records, for example, significant and specific
contracts and agreements, may be included as part of internal audit
documentation, if considered appropriate.
(a) the nature, timing and extent of the audit procedures performed to comply
with SIAs and applicable legal and regulatory requirements;
(b) the results of the audit procedures and the audit evidence obtained;
(c) significant matters arising during the audit and the conclusions reached
thereon;
It is, however, neither necessary nor practicable to document every matter the
auditor considers during the audit.
The standard also specifies that the identification of the preparer and
reviewer should be documented for the working papers, along with the source
and cross-referencing for documents.
The preparers and reviewers of the internal audit documentation should also sign
them.
The internal audit file should be assembled within sixty days after the signing
of the internal audit report. Assembly of the internal audit documentation file is
only an administrative process and does not involve performance of any new audit
procedures or formulation of new conclusions.
If audit working papers are required to be changed later on, then the internal
auditor should document the details of the circumstances and all the necessary
additional documentation.
The internal auditor should formulate policies as to the custody and retention of
the internal audit documentation within the framework of the overall policy of the
entity in relation to the retention of documents. The internal auditor retains the
ownership of the internal audit documentation.
*******
Reporting
The internal auditor should review and assess the analysis drawn from the internal
audit evidence obtained as the basis for his conclusion on the efficiency and
effectiveness of systems, processes and controls including items of financial
statements.
Title;
Addressee;
Action Taken Report - Action taken/not taken pursuant to the observations
made in the previous internal audit reports;
The internal auditor's report, in line with the terms of the engagement, should
describe the internal audit as including:
The report should be signed by the internal auditor in his personal name. The
internal auditor should also mention the membership number assigned by the
Institute of Chartered Accountants of India in the report so issued by him.
The internal auditor should discuss the draft with the entity's management prior to
issuing the final report. The different stages of communication and discussion
should be as under:
Discussion Draft –
Exit Meeting –
Formal Draft –
Final Report –
Limitation on Scope
When there is a limitation on the scope of the internal auditor's work, the internal
auditor's report should describe the limitation.
*******
When using either statistical or non statistical sampling methods, the internal
auditor should design and select an audit sample, perform audit procedures
thereon, and evaluate sample results so as to provide sufficient appropriate audit
evidence to meet the objectives of the internal audit engagement unless
otherwise specified by the client.
"Audit sampling" means the application of audit procedures to less than 100% of
the items within an account balance or class of transactions to enable the
internal auditor to obtain and evaluate audit evidence about some
characteristic of the items selected in order to form a conclusion concerning
the population.
"Sampling risk" means the risk arising from the possibility that the internal auditor's
conclusions, based on examination of a sample, may be different from the
conclusion reached if the entire population was subjected to the same types of
internal audit procedure. The two types of sampling risk are:
The risk that the internal auditor concludes that controls are more effective
than they actually are, or that a material error or misstatement does not exist
when in fact it does.
The risk that the internal auditor concludes that controls are less effective
than they actually are, or that a material error or misstatement exists when in
fact it does not.
Stratification
To assist in the efficient and effective design of the sample, stratification may be
appropriate.
Tolerable Error
Tolerable error is the maximum error in the population that the internal auditor
would be willing to accept and still conclude that the result from the sample has
achieved the objective(s) of the internal audit.
Expected Error
If the internal auditor expects error to be present in the population, a larger
sample than when no error is expected ordinarily needs to be examined to
conclude that the actual error in the population is not greater than the planned
tolerable error.
The internal auditor should select sample items in such a way that the sample
can be expected to be representative of the population. This requires that all
items or sampling units in the population have an opportunity of being
selected.
o Systematic selection
o Haphazard selection
Documentation
*******
The internal auditor should apply analytical procedures as the risk assessment
procedures at the planning and overall review stages of the internal audit.
Various methods may be used in performing the above procedures. These range
from simple comparisons to complex analyses using advanced statistical
techniques.
Analytical procedures may identify, among other things, differences that are not
expected or the absence of differences when they are expected, which may have
arisen on account of factors such as errors, frauds, unusual or non-recurring
transactions or events, etc.
o Nature of the business, entity and the degree to which information can
be disaggregated.
*******
In the case of the in-house internal audit or a firm carrying out internal audit, the
person entrusted with the responsibility for the quality in internal audit should
ensure that the system of quality assurance includes policies and procedures
addressing each of the following elements:
Ethical requirements - The person entrusted with the responsibility for the
quality in internal audit should establish policies and procedures designed to
provide it with reasonable assurance that the personnel comply with relevant
ethical requirements.
Human resources - The person entrusted with the responsibility for the quality in
internal audit should establish policies and procedures regarding assessment of the
staff's capabilities and competence designed to provide it with reasonable
assurance that there are sufficient personnel with the capabilities, competence,
and commitment to ethical principles.
Engagement performance - The person entrusted with the responsibility for the
quality in internal audit should establish policies and procedures designed to
provide it with reasonable assurance that engagements are performed in
accordance with the applicable professional Standards and regulatory and legal
requirements and that the reports issued by the internal auditors are appropriate
in the circumstances.
Monitoring - The person entrusted with the responsibility for the quality in
internal audit should establish policies and procedures designed to provide
reasonable assurance that the policies and procedures relating to the system of
quality assurance are relevant, adequate, operating effectively and complied with
in practice.
The external quality reviewer should discuss his findings with the person entrusted
with the responsibility for the quality in internal audit.
His final report should contain his opinion on all the parameters of the internal
audit activity, and should be submitted to the person entrusted with the
responsibility for the quality in internal audit, and copies thereof should also be sent to
those charged with governance.
*******
The internal auditor and the auditee should agree on the terms of the
engagement before its commencement.
The following are the key elements of the terms of the internal audit engagement:
o Scope
o Responsibility
o Authority
o Confidentiality
o Limitations
o Reporting
o Compensation
Scope
The terms of the engagement should contain a statement in respect of the scope
of the internal audit engagement. The scope should indicate areas where
internal auditors are expected to make their recommendations and value added
comments.
The terms of engagement should clearly mention that the internal auditor
would not, ordinarily, be involved in the preparation of the financial
Responsibility
The terms of the engagement should clearly mention the responsibility of the
auditee vis a vis the internal auditor.
Authority
The terms of engagement should provide the internal auditor with requisite
authority, including unrestricted access to all departments, records, property and
personnel and authority to call for information. Also, the internal auditor should
have full authority on his technologies and other properties like hardware and
audit tools he may use in course of performing internal audit.
Confidentiality
The terms of engagement should be clear that the ownership of the working
papers rests with the internal auditor and not the auditee.
The terms should lay down the policy and the procedures to be followed regarding
requests received for internal auditor's working papers from third parties including
external auditors.
The engagement letter should contain a condition that the report of the internal
auditor should not be distributed or circulated by the auditee or the internal
auditor to any party other than that mutually agreed between the internal auditor
and the auditee unless there is a statutory or a regulatory requirement to do so.
Limitations
The terms of engagement should specify clearly the limitations on scope, coverage
and reporting requirement, if any.
It may also mention that the internal auditor or any of his employees shall not
be liable to the auditee for any claims, damages, liabilities or expenses relating
to the engagement exceeding the aggregate amount of compensation agreed
upon by both the parties.
Reporting
The terms of the engagement should clearly lay down the requirements as to the
manner, frequency of reporting and the list of intended recipients of the internal
audit report.
Compensation
The terms of the internal audit engagement should contain a statement that the
internal audit engagement would be carried out in accordance with the
professional Standards applicable to such engagement as on the date of audit.
In case the internal auditor is unable to agree to any change in the terms of the
engagement and/ or is not permitted to continue as per the original terms, he
should withdraw from the engagement and should consider whether there is an
obligation, contractual or otherwise, to report the circumstances necessitating the
withdrawal to other parties.
*******