
Approach Note on Internal Audit

CA. Deep Kumar Mendiratta

Contents

Section I
1. Internal Audit - Basics
2. ERM Framework
3. Internal Audit Guidelines
4. Internal Audit Process, Approach & Methodology

Section II
1. Assessing Risks & Internal Controls
2. Internal Audit Sampling Methodology
3. Internal Audit Tools
4. Reporting and Follow-up
5. Internal Audit & Fraud

Section I - Why Internal Audit ?

Internal Audit - Basics


Definition of Internal Audit:
Internal auditing is an independent, objective assurance and consulting activity designed to add value
and improve an organization's operations. It helps an organization accomplish its objectives by
bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk
management, control, and governance processes.

Objectives of Internal Audit:
- Risk Management
- Control
- Governance

Risk:
Risk is the potential that a chosen action or activity (including the choice of inaction) will lead to a
loss (an undesirable outcome). The notion implies that a choice having an influence on the outcome
sometimes exists (or existed).

Internal Control:
Internal Control is a process, effected by an entity's board of directors, management, and other
personnel, designed to provide reasonable assurance regarding the achievement of its objectives
(Operational, Reporting & Compliance).


Why Internal Audit?

CARO (Companies (Auditor's Report) Order, 2003):
Requires the auditor to report whether a listed company (and other companies above the prescribed
size thresholds) has an internal audit system commensurate with its size and the nature of its
business. To comply with the requirement, companies may either have an internal audit department
or outsource the internal audit function to an external agency.

Clause 49 (Listing Agreement):
Requires the audit committee's role to include oversight of the internal audit function as one of
its terms of reference. The agreement requires the audit committee to review with management the
performance of the internal audit function.

Companies Act, 1956 (Section 224):
Requires companies to appoint an auditor or auditors at every annual general meeting, to hold
office from the conclusion of that meeting until the conclusion of the next annual general meeting.

Section I - ERM Framework

Enterprise Risk Management


ERM defined:
A process, effected by an entity's board of directors, management and other personnel,
applied in strategy setting and across the enterprise, designed to identify potential events
that may affect the entity, and manage risks to be within its risk appetite, to provide
reasonable assurance regarding the achievement of entity objectives.
The key to effectively protecting and growing returns for an organization's shareholders is to
identify and manage the risks that could prevent the organization from achieving its business
objectives. The enterprise risk assessment is an efficient, comprehensive process that provides
insight on inherent risks from an industry perspective and links them to the organization's
objectives, initiatives, and business processes.
Entity objectives can be viewed in the context of four categories:
- Strategic
- Operations
- Reporting
- Compliance
Enterprise risk management requires an entity to take a portfolio view of risk. Management
considers how individual risks interrelate and develops a portfolio view from two perspectives:
- Business unit level
- Entity level


Enterprise Risk Management Framework


Section I - Internal Audit Guidelines

Compliance to Auditing Standards (ICAI)


Standards on Internal Audit:
Standard on Internal Audit (SIA) 1, Planning an Internal Audit
Standard on Internal Audit (SIA) 2, Basic Principles Governing Internal Audit
Standard on Internal Audit (SIA) 3, Documentation
Standard on Internal Audit (SIA) 4, Reporting
Standard on Internal Audit (SIA) 5, Sampling
Standard on Internal Audit (SIA) 6, Analytical Procedures
Standard on Internal Audit (SIA) 7, Quality Assurance in Internal Audit
Standard on Internal Audit (SIA) 8, Terms of Internal Audit Engagement
Standard on Internal Audit (SIA) 9, Communication with Management
Standard on Internal Audit (SIA) 10, Internal Audit Evidence
Standard on Internal Audit (SIA) 11, Consideration of Fraud in an Internal Audit
Standard on Internal Audit (SIA) 12, Internal Control Evaluation
Standard on Internal Audit (SIA) 13, Enterprise Risk Management
Standard on Internal Audit (SIA) 14, Internal Audit in an Information Technology Environment
Standard on Internal Audit (SIA) 15, Knowledge of the Entity and its Environment
Standard on Internal Audit (SIA) 16, Using the Work of an Expert
Standard on Internal Audit (SIA) 17, Consideration of Laws and Regulations in an Internal Audit
Standard on Internal Audit (SIA) 18, Related Parties

Compliance to Auditing Standards (IIA)

The IIA Standards types:
a) Attribute Standards: address the attributes of organizations and individuals
performing internal audit services. The attributes addressed are:
- Purpose, Authority and Responsibility
- Independence and Objectivity
- Proficiency and Due Professional Care
- Quality Assurance
b) Performance Standards: describe the nature of internal audit services and provide
quality criteria against which the performance of these services can be measured.
The criteria addressed are:
- Managing the Internal Audit Activity
- Nature of Work
- Engagement Planning
- Performing the Engagement
- Communicating Results
- Monitoring Progress
- Management's Acceptance of Risk
c) Implementation Standards: expand upon the Attribute and Performance Standards,
providing guidance for specific types of engagements.

Compliance to Auditing Standards (illustrative)

IIA Attribute Standards:
1000 - Purpose, Authority, and Responsibility
1010 - Recognition of the Definition of Internal Auditing, the Code of Ethics, and the Standards in the Internal Audit Charter
1100 - Independence and Objectivity
1110 - Organizational Independence
1111 - Direct Interaction with the Board
1120 - Individual Objectivity
1130 - Impairments to Independence or Objectivity
1200 - Proficiency and Due Professional Care
1210 - Proficiency
1220 - Due Professional Care
1230 - Continuing Professional Development
1300 - Quality Assurance and Improvement Program
1310 - Quality Program Assessments
1311 - Internal Assessments
1312 - External Assessments

Section I - Internal Audit Process

IA Process Overview

1. Define
   1.1 Define objectives of analysis
   1.2 Gain an understanding
   1.3 Define data requirements
2. Validate
   2.1 Request and receive data
   2.2 Validate control totals
   2.3 Perform data quality assessment
3. Execute
   3.1 Execute audit steps
   3.2 Identify discrepancies
   3.3 Discuss discrepancies with stakeholders and validate errors
   3.4 Assess impact on objectives
4. Retain
   4.1 Document the process so that the data can be reproduced
   4.2 Document retention

Execution Process Overview

Gather Info -> Understand the Process -> Control Testing -> Substantive Testing -> Formulate Findings

Control Testing: Develop Test Plan -> Sampling or CAATs -> Testing
Substantive Testing: Develop Test Plan -> Sampling or CAATs -> Testing

Control Evaluation (on the test results): Reassess Scope -> Assess Root Cause -> Prioritize -> Evaluate -> Consider Substantive Testing -> Agree Action Plan with the Management
Evaluation Process

Starting from the control objective and the risk it addresses:
1. Is a control in place?
   - No: Is there a mitigating control, and does it operate in the appropriate timeframe?
     - No: Missing Controls
     - Yes: Assess Mitigation -> Missing / Mitigated Controls
   - Yes: Does the control address the risk (e.g. are all relevant attributes covered)?
     - No: Inadequate Controls
     - Yes: Determination on Adequacy of Control Design

Risk and Control Matrix (illustrative row)

Sr. No.: 1
Process: Client Billing (Invoicing & Collection)
Sub Process / Activity: Quantity Assessment & Work
What Can Go Wrong (Risk):
- Incorrect quantity assessment by the billing engineer leading to under-billing to the client
- Incorrect quantity assessment by the billing engineer leading to over-billing to the client
Control Description:
- Quantity assessment is done against the schedule of work (target billing) and the actual work carried out at the site.
- The quantity assessment is also cross-checked against the MPR/DPR (prepared by the planning department, who in turn get the data from the execution department and sub-contractors/vendors).
- Quantities for billing are supported by site measurements / stock consumption and issuance records.
Test Procedures:
- Obtain the latest Project Review Report (PRR) and Daily Progress Report (DPR) for the period under review.
- Select sample RA Bills and review whether related records certifying the completion of measured work are maintained.
- Ensure measured works are strictly in accordance with the scope of work and any variation is separately parked as 'Extra Work/Item'.
Documents to be Referred for Test Procedures: Measurement sheets from the site; PRR and DPR; raised RA Bills and certified RA Bills
Conclusion (Effective / Ineffective):

Steps to Follow after identifying a Finding

- Discuss and validate errors with responsible stakeholders and process owners
- Consider whether there are any compensating controls within the process or system,
  and extend the testing scope, if necessary
- Assess impact - whether or not the objectives of the test have been met and if
  alternative measures need to be taken
- Evaluate exceptions or errors identified during controls testing for the following:
  i. Potential effect on control objectives
  ii. Incidence, or level of error
  iii. Cause of the control breakdown
  iv. Actual effect, if applicable

Elements of a Finding
Criteria:
Provides a context for evaluating evidence and understanding the findings (Control Objectives)
Policies & Procedures (Expectations of what should exist)
Contracts & Agreements
Laws & Regulations
Standards & Benchmarks
Defined business practices or measures which performance is compared or evaluated against

Condition:
Condition is a situation that exists or what was occurring when the control weakness was identified
i.e. The Exception or Deficiency

Cause:
Identifies the reason for the condition, i.e. the factor(s) responsible for the difference between the
situation that exists (condition) and the required or desired state (criteria). Common factors
include: poorly designed policies, procedures or criteria; inconsistent, incomplete or incorrect
implementation; inadequate segregation of duties; or business conditions.

Effect or Risk Impact:


A clear, logical link to establish the impact or potential impact of the difference between the
situation that exists (condition) and the required or desired state (criteria), which identifies the
outcomes or consequences of the condition. Effect or risk impact may be used to demonstrate the
need for corrective action in response to identified condition.

Recommendations
Should address the root cause not just the symptoms
Be relevant and practical
Compare the benefits to costs
More than 1 recommendation may be required to completely address an issue
Use best practices as a source for creative insight, adapting to the needs of the
organization
Example:
Audit Objective: Evaluate and document credit limit increase procedures.
Risk/Control Objective: Credit limit increases are manually reviewed and approved prior to processing the request in the system.
Sample Selection: 15 credit limit increase accounts from a system-generated report.
Documents Obtained: Credit limit increase MIS, the credit limit increase delegation of authority, and income documents.
Exceptions noted: 3 of 15 credit limit increases were not reviewed and approved per the delegation of authority, and excess credit limit was granted to customers.

Section II - Assessing Risks & Internal Controls

Internal Control Structure

In many cases, you perform controls and interact with the control structure every day. The five
components, with everyday examples of each:

Control Environment: Tone from the top; Corporate policies; Organizational authority
Risk Assessment: Monthly risk control meetings; Internal audit risk assessment
Control Activities: Credit limits; Approvals; Security; Block codes / policies
Information & Communication: Vision and values; Issue resolution calls; Reporting; Corporate communications (email, meetings)
Monitoring: Monthly reviews of performance reports; Internal audit function

An internal control structure is simply a different way of viewing the business:
a perspective that focuses on doing the right things in the right way.

Concepts and Objectives


The control definition reflects certain fundamental concepts:
- Internal control is a process.
- Internal control is effected by people. It is not merely policy manuals and forms,
  but people at every level of an organization.
- Internal control can be expected to provide only reasonable assurance, not
  absolute assurance, to an entity's management and board.

Objectives of Internal Control

Internal controls are established to further strengthen:
- The reliability and integrity of information.
- Compliance with policies, plans, procedures, laws and regulations.
- The safeguarding of assets.
- The economical and efficient use of resources.
- The accomplishment of established objectives and goals for operations or programs.

Control Techniques
Prevention techniques are designed to provide reasonable assurance that only valid
transactions are recognized, approved and submitted for processing. Therefore, many of
the preventive techniques are applied before the processing activity occurs. In most
situations, preventive techniques are likely to be more effective in a strong control
environment, when management authorization criteria are well-defined and properly
communicated.
Control type definitions:
Preventive - Manual
Preventive - System
Examples of preventive controls include:
Segregation of duties (Preventive-Manual)
Business systems integrity and continuity controls, e.g., application design standards,
change controls, security controls, systems backup and recovery (Preventive System)
Physical safeguard and access restriction controls (human, financial, physical and
information assets) (Preventive-Manual)
Effective "whistle blowing" processes (Preventive-Manual)


Control Techniques
Detection techniques are designed to provide reasonable assurance that errors and
irregularities are discovered and corrected on a timely basis. Detection techniques normally
are performed after processing has been completed. They are particularly important in an
environment that has relatively weak preventive techniques. That is, when front-end
approval and processing techniques do not provide reasonable assurance that unacceptable
transactions are prevented from being processed or do not assure that all approved
transactions are processed accurately. In this case, after-the-fact techniques become more
important in detecting and correcting processing errors.
Control type definitions:
Detective - Manual
Detective - System
Examples of detection techniques include:
Reconciliation of batch balance reports to control logs maintained by originating
departments. (Detective Manual)
Review and approval of reference file maintenance (was-is) reports. (Detective
Manual)
Reconciliation of interface amounts exiting one system and entering another.
(Detective System)
Review of on-line access and transaction logs. (Detective System)
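As an added example (it is not code from the deck), the Python script below performs the detective control listed above, the reconciliation of interface amounts that left one system against what the receiving system loaded, and it is also the mechanics behind step 2.2 "Validate control totals" of the IA process overview. It compares record count, amount total and a hash total, then itemises which documents are missing, unexpected, duplicated or changed so the discrepancy can be discussed with the process owner. Both CSV extracts are constructed sample data; the column names and the hash-total construction are assumptions.

```python
"""Reconciliation of an interface extract against its source system.

Added example, not code from the deck. Compares what the billing system says
it sent to the ledger with what the ledger actually loaded: record count,
amount total and a hash total, plus the per-document differences. Both
extracts are constructed; column names are assumptions.
"""
import csv
import hashlib
import io
from decimal import Decimal

# Constructed: what the billing system reports as sent to the ledger.
SOURCE_CSV = """\
doc_id,customer,amount
RA-1001,C-01,125000.00
RA-1002,C-02,98000.50
RA-1003,C-03,15250.00
RA-1004,C-01,7300.00
"""

# Constructed: what the ledger actually loaded. RA-1003 arrived with a
# transposed amount and RA-1004 never arrived.
RECEIVED_CSV = """\
doc_id,customer,amount
RA-1001,C-01,125000.00
RA-1002,C-02,98000.50
RA-1003,C-03,12550.00
"""


def load(text):
    """Parse an extract into {doc_id: (customer, amount)}.

    Decimal keeps money exact; a repeated doc_id is itself a finding and is
    returned separately rather than silently overwritten.
    """
    rows, dupes = {}, []
    for r in csv.DictReader(io.StringIO(text)):
        if r["doc_id"] in rows:
            dupes.append(r["doc_id"])
        rows[r["doc_id"]] = (r["customer"], Decimal(r["amount"]))
    return rows, dupes


def control_totals(rows):
    """Count, sum and a hash total over the rows in a canonical order.

    The hash total catches changes that leave count and sum intact, such as
    two offsetting edits or an amount moved between customers.
    """
    h = hashlib.sha256()
    for doc_id in sorted(rows):
        customer, amount = rows[doc_id]
        h.update(f"{doc_id}|{customer}|{amount:.2f}\n".encode())
    total = sum((amount for _, amount in rows.values()), Decimal("0"))
    return {"count": len(rows), "sum": total, "hash": h.hexdigest()}


def reconcile(source_text, received_text):
    """Compare the two extracts and itemise every difference."""
    src, src_dupes = load(source_text)
    rcv, rcv_dupes = load(received_text)
    s_tot, r_tot = control_totals(src), control_totals(rcv)
    common = set(src) & set(rcv)
    return {
        "totals_match": s_tot == r_tot,
        "count_diff": r_tot["count"] - s_tot["count"],
        "sum_diff": r_tot["sum"] - s_tot["sum"],
        "missing": sorted(set(src) - set(rcv)),      # left the source, never arrived
        "unexpected": sorted(set(rcv) - set(src)),   # arrived without a source record
        "changed": sorted(k for k in common if src[k] != rcv[k]),
        "duplicates": sorted(set(src_dupes + rcv_dupes)),
    }


if __name__ == "__main__":
    for key, value in reconcile(SOURCE_CSV, RECEIVED_CSV).items():
        print(f"{key:>13}: {value}")
```

Run stand-alone, it reports totals_match False, a count difference of -1, a sum difference of -10000.00, RA-1004 missing and RA-1003 changed; the source reconciled against itself reports totals_match True. A practical pattern is to ask for the three totals (count, sum, hash) together with the data at step 2.1, so that the file received can be validated against them before any testing starts.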


Risk Analysis

Risk Assessment: Identification -> Measurement -> Prioritization
Risk Management: Control It / Share or Transfer It / Diversify or Avoid It
Risk Monitoring: Process Level / Activity Level / Entity Level

Role of a Process Owner

General Expectations
- Acknowledge the responsibility for the design, implementation and maintenance
  of the control structure within the business processes
- Contribute direction to identify, prioritize and review risks and controls
- Remove obstacles to compliance; remedy control deficiencies
- Continue or begin a program of self-assessment and testing to monitor the
  controls within the processes
- Quarterly:
  - confirm key controls are implemented and effective
  - maintain documentation to support this assessment

Immediate Action Items
- Educate personnel about the requirements and effort
- Reinforce internal focus on controls within the process
- Surface any risks, concerns or issues promptly to allow adequate attention for
  correction (don't wait for an audit)
- Fix control gaps within reasonable timescales

Section II - Internal Audit Sampling

Sampling
Population:
The entire set (universe) of items from which a sample is selected and reviewed, and about which
the auditor wishes to draw conclusions.

Data availability for population:

An important aspect of sample selection is the availability of data. Depending on the population,
the entire data set may or may not be available. Where it is not, this should be brought to the
attention of Management, agreed with the stakeholders, and clearly stated as a scope limitation.

Systematic selection:
A systematic approach is used by the auditor to select items, to minimize any potential human
judgment or bias. Every nth item within the population is selected in accordance with a defined
sampling interval.

Haphazard selection:
The auditor, without any conscious bias, selects sample items randomly, i.e., without any special
reason for including or omitting items from the sample

Stratification:
Prior to carrying out analytical procedures, it is important to stratify / classify the data into
separate logical sections. This classification would not only help in analyzing trends unique to that
particular category but would also help in assessing materiality while selecting a sample.

Perform Analytical procedures:
Analytical procedure is defined as an evaluation of financial information made by a study of
plausible relationships among both financial and non-financial data

Analyse abnormal transactions:


If the analytical procedures highlight certain abnormal transactions (where there are significant
aberrations), they should be separated and reviewed separately. Such transactions should be
reviewed in addition to the regular sample selected.

Using Excel / CAAT:

Where the testing objective can be applied to the entire population using Excel or a CAAT, the
audit procedures should be performed on the entire population; otherwise samples should be
selected for testing.

Determining sample size and selecting sample:

The sample size will depend on the frequency of the control being tested and the level of evidence
that is judged to be necessary by the client and the engagement team. For this purpose the
engagement team should classify the areas under scope as either High or Low risk.

Performing audit procedures and Evaluating Test results:


When weaknesses in internal controls are identified we should consider whether there are any
compensating controls within the process or system. If we believe there are appropriate
compensating controls, we should extend the testing scope to include testing of these compensating
controls.
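As an added example (not from the deck), the Python module below implements the selection steps this section describes: stratify the population, draw the regular sample by systematic selection (a random start and a fixed interval) or by random selection, run an analytical procedure to isolate abnormal transactions for review in addition to the regular sample, and record the parameters needed to reproduce the selection later. The population of credit-limit increases is constructed, and the field names, the risk-to-sample-size table and the z-score cut-off are assumptions, not figures from the deck.

```python
"""Sample selection for a control test.

Added example, not code from the deck. Stratifies a population, draws a
regular sample per stratum by systematic selection, flags abnormal items by
an analytical procedure, and documents the selection parameters so the
sample can be re-performed. Population, field names, SAMPLE_SIZE and
Z_THRESHOLD are all assumptions.
"""
import random
import statistics

SAMPLE_SIZE = {"High": 25, "Low": 10}   # assumed evidence level per risk rating
Z_THRESHOLD = 3.0                        # assumed cut-off for 'abnormal'


def build_population(n=850, seed=7):
    """Constructed population of credit-limit increases for one period."""
    rng = random.Random(seed)
    pop = []
    for i in range(1, n + 1):
        old = rng.choice([100_000, 200_000, 500_000])
        pop.append({"doc_id": f"CL-{i:04d}", "old_limit": old,
                    "new_limit": old + rng.choice([10_000, 20_000, 30_000, 50_000]),
                    "approver": rng.choice(["A1", "A2", "A3"])})
    # Two planted aberrations for the analytical procedure to surface.
    pop[99]["new_limit"] = pop[99]["old_limit"] * 8
    pop[499]["new_limit"] = pop[499]["old_limit"] * 12
    return pop


def stratify(pop, key):
    """Group records into logical sections before analysis and selection."""
    strata = {}
    for rec in pop:
        strata.setdefault(key(rec), []).append(rec)
    return strata


def systematic_sample(items, size, seed):
    """Every n-th item after a random start; n = N // size is the interval.
    Returns the sample plus the interval and start so it can be re-performed."""
    if not 0 < size <= len(items):
        raise ValueError("sample size must be between 1 and the population size")
    interval = len(items) // size
    start = random.Random(seed).randrange(interval)
    return [items[start + k * interval] for k in range(size)], interval, start


def random_sample(items, size, seed):
    """Haphazard selection: each item has the same chance of being picked."""
    return random.Random(seed).sample(items, size)


def abnormal(pop, z=Z_THRESHOLD):
    """Analytical procedure: flag increases whose ratio to the old limit sits
    more than z standard deviations from the population mean."""
    ratios = [r["new_limit"] / r["old_limit"] for r in pop]
    mu, sd = statistics.mean(ratios), statistics.pstdev(ratios)
    return [r for r, x in zip(pop, ratios) if sd and abs(x - mu) / sd > z]


def select_sample(pop, risk, seed=2013):
    """Regular sample allocated across strata in proportion to their size,
    abnormal items appended on top, and the selection parameters documented."""
    size = SAMPLE_SIZE[risk]
    strata = stratify(pop, lambda r: "large" if r["old_limit"] >= 200_000 else "small")
    names = sorted(strata)
    regular, params, remaining = [], [], size
    for i, name in enumerate(names):
        items = sorted(strata[name], key=lambda r: r["doc_id"])
        # last stratum takes whatever is left so the total equals `size`
        share = remaining if i == len(names) - 1 else max(1, round(size * len(items) / len(pop)))
        share = min(share, len(items))
        picked, interval, start = systematic_sample(items, share, seed)
        regular += picked
        params.append({"stratum": name, "N": len(items), "n": share,
                       "interval": interval, "start": start})
        remaining -= share
    extra = [r for r in abnormal(pop) if r not in regular]
    return {"regular": regular, "abnormal": extra, "seed": seed, "strata": params}


if __name__ == "__main__":
    selection = select_sample(build_population(), "High")
    print(f"regular sample: {len(selection['regular'])} items; abnormal items "
          f"reviewed separately: {[r['doc_id'] for r in selection['abnormal']]}")
    print("selection parameters:", selection["strata"])
```

The seed, interval and start per stratum are the working-paper record that lets a reviewer re-perform the selection (the "retain" step of the IA process); the abnormal items are kept outside the regular sample so that the deviation rate observed in the regular sample is not distorted by items chosen precisely because they looked wrong.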


Section II - Internal Audit Tools

Need for Mathematical Tools

- To recognize early warning signals, as part of audit procedures, and
  protect the business against fraud or error
- To identify transactions that are indicative of fraud or error using
  tested and proven fraud and error detection techniques
- Scientific sample selection through automated procedures
- Reduced dependence on random sampling
- To identify red flags at the financial statements level


Using Excel as a Tool

IF
IF in combination with AND
IF in Combination with AND & OR
CountIF and SUMIF
SUMIFS
VLOOKUP
Pivot Table Function
Setting Filters
Formula Auditing


Using Excel as a Tool (illustrative)

Statistical Functions:
COUNT: Computes the number of numbers in a range.
COUNTA: Computes the number of entries, including text entries, in a range.
AVERAGE: Sums the numbers in a range and divides the total by the number of numbers.
MEDIAN: Computes the middle value in a range of numbers.
MODE: Computes the value that occurs most frequently.
VLOOKUP: Searches for a value in the leftmost column of a table, and then returns a value in the same row from a column you specify in the table.
PIVOT (PivotTable): Summarizes the columns of information in a database in relationship to each other.

Analyzing data in IDEA


Use of data analytics tools facilitates creating a virtual room where all relevant
audit content can be stored and accessed.


Section II - Reporting and Follow-up

Audit Report Structure

- Covering Letter
- Background / Function Overview
- Purpose / Objectives
- Scope of Work
- Audit Approach
- Limitation
- Executive Summary (Significant Findings)
- Detailed Observations
- Follow-up of Prior Recommendations

Audit Report Structure (illustrative observations)

Columns: S.No. | Priority | Issue | Risk | Performance Improvement Observation | Management Response | Responsibility / Timelines

1.
Priority: High
Issue: It was observed that in 48 out of 60 cases (total population of 850 cases for credit limit enhancement for the period March-May 2012) the credit limits enhanced for existing customers were not as per the parameters defined in the policy. Excess credit limit amounting to Rs 13.22 Lacs was given to customers. For details refer Annexure 1.
Risk: Incorrect credit limit offered to customers leading to increased credit risk exposure for the Company, which may eventually lead to higher delinquencies.
Performance Improvement Observation: The authority & responsibility within the Risk Team should be explicitly defined & documented for approving credit limit increase deviations, and the same should be approved as per the DOA.
Management Response: Adequate steps will be taken up to ensure policy adherence by having periodic process trainings for the account management team. The risk team would additionally support the training requirements of the AMU team.
Responsibility / Timelines: Risk Team, March 2013

2.
Priority: High
Issue: Late Payment Charges amounting to Rs 1.3 Lacs were short-levied on 260 accounts, and the same was excess-levied on 296 accounts. Further, the Finance Charges on these accounts would be incorrect as the LPC is not accurately levied.
Risk: Possibility of revenue leakage for LPC, and customer dissatisfaction / negative impact on brand / reputation.
Performance Improvement Observation: Business should evaluate the possibility of implementing a continuous control mechanism through data analytics tools, and a System Audit should be carried out.
Management Response: The implementation of the revised LPC tier from Rs.700 to Rs.750 was delayed by ~40 days due to a set-up miss, later identified by the pricing team and rectified on 12th November 2012.
Responsibility / Timelines: Marketing Team, March 2013

Section II - Internal Audit and Fraud

Anti Fraud Control Framework

Policy:
- Code of conduct
- Ethics policy
- Gifts and hospitality
- Agents
- Facilitation payments

People:
- Tone from the top
- Zero tolerance
- Cross culture
- Voice
- Board
- Disclosure responsibilities
- Openness

Process:
- Due diligence (employees / suppliers)
- Training
- Education
- Roles and responsibilities
- Accountability
- Annual sign-off
- Self assessment
- Testing

Fraud Prevention Strategy


Thank You
