9. Basic elements of the audit report Layout of the internal audit report includes:
• Titles, Addressee, Report distribution list,
• Period of coverage of the report, Opening or introductory paragraph, Objectives paragraph, Scope
paragraph,
• Executive summary, Observations, findings and recommendations,
• Action taken report
• Date of the report, place of signature and Membership number.
Auditor should excise due professional care Ensure that internal audit report is:
• Clear and Factual,
• Specific and Concise,
• Unambiguous and Timely,
• Complies with generally accepted audit procedures in India.
Communication to management
• Different stages of communication are:
• Discussion of draft,
• Exit meeting,
• Formal draft
• Final report
Limitation on scope and restriction on usage & circulation
• Describe the limitation
• For intended purpose and limited to distribution list
ICAI SIA 4 Reporting
10. Basic elements of the audit report Layout of the internal audit report includes:
• Titles, Addressee,
• Opening or introductory paragraph (identification of Financial statements audited and statement of
responsability of the management and auditor)
• Scope para describing the nature of audit and reference to accounting standards, regulatory sections
that govern the audit and description of work performed
• Opinion para giving reference to financial statement framework used for preparation the financial
statements and expression to opinion
• Date of the report, place of signature and Auditor’s signature.
ICAI SA 700 The Auditor’s Report on Financial Statements
Debate:
• Auditor’s commentary
• Going concern
Significant uncertainty:
“Without qualifying our opinion, we draw attention to Note X of Schedule…. The
entity is the defendant in a lawsuit alleging infringement of certain patent
rights……the ultimate outcome of the matter cannot be presently determined, and no
provision for any liability that may result has been made in the financial statements”
“in our opinion…………”
12. Query to be thoroughly investigated to unearth the facts
Audit findings, as discussed with Client Management and / or the audit sponsor at the closure meeting should be
documented in clear, succinct language. For each issue, the following information should be communicated (known as the ‘so
what factor’):
• Description – what is the issue? This should be factual and free of interpretation.
Example: We reviewed twenty-five payments and found ten of the payments were not approved in
accordance with the organisation’s policy.
• Cause – what is the root cause of the problem
Example: This has been caused by a lack of training for new accounts payable personnel. The cause should be
discussed with the client prior to writing the report.
• Impact – what is the impact on the organisation? You may consider:
What is the risk?
Why should management be concerned?
Does this issue have the potential to impact the organisation’s strategic objectives?
Could this lead to a material misstatement in the organisation’s financial statements?
Could this lead to a loss of reputation?
Findings should be rated and prioritised in order of importance to assist the client understand the relative
importance of the issues. The ratings also allow Client Management and the Audit Committee to compare the
criticality of issues across internal audit reports.
From Query to Reporting
13. Our responsibility is to turn up, tick a
few things and express an opinion on
the site based on our audit.
We conducted our audit in accordance
withadmittedly-not-quite generally
accepted auditing standards.
14. Rating Financial impact
on business
Impact on customer Strategic Regulatory Management effort Publicity &
reputation
People
SEVERE
> Rs. 2 million
damage or loss
Material impact for many
customers
Failure to achieve
two or more goals
Loss of key business
licence
Criminal offence by
director or manager
Regulatory censure
An event so severe in
nature it leads to a
change in the
management
structure of A. The
event may lead to a
collapse of the
business
Dramatic loss of
stakeholder
confidence
undermining business
viability
Extensive negative
public exposure
Multiple fatalities,
permanent disability
A large number of key
executives or
directors resign
MAJOR
> Rs. 1 million
damage or loss
Impact for many
customers
Failure to achieve
one of more goals
Conditions imposed on
business licence
Civil offence by director
or manager
Regulatory censure
A critical event which
with proper
management can be
endured. May involve
some management
changes
Negative public
exposure with
significant impact
Single fatality or
permanent disability
Some key executives
leave company (not
perceived as
employer of choice)
MODERATE
> Rs. 0.5 million
damage or loss
Potential impact for some
customers
Moderate implication
for business licence
Civil offence by
company
Increased regulatory
oversight
A significant event
which can be
managed under
normal circumstances
Concerns becoming
broader and more
vocalised within the
industry
Serious multiple
injuries
Poor reputation as an
employer
Key employee leaves
MINOR
Rs. 0.2 million
damage or loss
No impact Minor implications for
business licence
Civil offence by
employee
Potential review by
regulator
An event, the
consequences of
which can be
absorbed but
management effort is
required to minimise
the impact
Serious segmented
stakeholder concerns/
incidents
Moderate injury or
illness
General staff morale
problems
High staff turnover
INSIGNICAN
T
> Rs. 2 million
damage or loss
No impact Minor breach of law
Minor sanction or
penalty
Potential review by
regulator
An event, the impact
of which can be
absorbed through
normal activity
Minor isolated
stakeholder
concerns/
impacts
Minor injury or illness
Increased staff
turnover
Assessing the Impact of Risk
15. • What has gone wrong?
• What has been violated?
• What is the consequence/ reputation/ financial/ compliance exposure?
• What is the remedy?
• What is the alternative remedy?
• What is the best remedy? Is it complying with laws?
• How the situation can be corrected? What is the time and cost for correcting the situation?
• Is there a cause/ root cause which can be addressed?
• Is your observation independent of your client relationship?
• Are you making a constructive/ positive case for change or embarrassing auditees?
• How will your view affect the client?
Audit Observation & Opinion Building
16. Analyzing the Audience
• Who will be the most important readers of the report?
• How much do they know about the subject?
• How do they plan on using the report?
• How interested are they in the report?
• What’s their reaction going to be to the report’s message?
17. Demonstrate the procedure adopted for undertaking physical verification of inventory (Give brief details w.r.t.
description of items verified, names of persons involved in verification, manner of verification of physical stock
and of comparison with the book stocks, methodology adopted in the count etc.)
“The difference between the physical balances and the book balance in respect of the
Exhibited items have been identified. The difference is Rs. XXXX implying that the
inventory position has been under/ over reported in the year end unaudited financials.
Subsequent to our verification the differences were adjusted in the books and the
book (quantity) balance were brought in line with the physical balances. The
quantities included in the year-end audited financials represent the so adjusted book
balances. To adjust the differences, the following entries were passed in the books of
accounts…………………………. ”
Reporting Significant deviation in Physical Verification
Example
18. Approvals for waiver of charges were documented through e-mails, however, instances
were also identified wherein charges were reversed by ABC, for which specific waivers
were not on record.
We were informed, these charges were not leviable considering the nature of the
product, however, possibility of such waivers being recorded without approval cannot be
ruled out in the absence of System controls.
Reporting on Out of System Approvals
Example
20. Page 20
Insert Organization Logo
Here
Internal Audit Report
[Name of Entity]
[Name of Audit Area / Location / Period Covered]
Date:
Distribution
For action For information
Insert name or business unit/group [Insert title] Insert name or business unit/group [Insert title]
[Insert name] [Insert title] [Insert name] [Insert title]
[Insert name] [Insert title] [Insert name] [Insert title]
22. SCOPE OVERVIEW
Summary of objective and scope
[Sample text: An internal audit of [insert organization name] [insert process name] was performed in [insert month and year] and covered [insert business unit(s)].
The overall objective of the internal audit was to determine the effectiveness of key controls as identified with Management and compliance with current policies and
procedures relating to [insert process name], and to identify any improvement opportunities. The internal audit did not cover [insert any specific areas not covered and
any significant limitations].
The specific objectives, scope and approach of the internal audit were agreed with [insert organization name] Management.
Responsibilities of the Management and Internal Auditors
The internal audit procedures rely on information and representations made available to the internal auditor by the management of the Company and comprise
inquiries and observations and limited tests of transactions on a sample basis, covering the detailed assessment objectives. Accordingly, the internal audit procedures
may not detect fraud, defalcations and irregularities.
Internal auditors work does not in any way diminish the responsibilities of the Company’s management. The design, development, implementation and operation of
internal control systems are the responsibility of the respective Company’s managers. They are accountable for ensuring that adequate controls exist in the areas of
their responsibility and should not rely solely on periodic visits as a means of monitoring the adequacy and integrity of controls.
Linkage to your risk assessment study
[Sample text – option 1: This report delivery is planned in the Internal Audit Plan of [year] as approved by the Audit Committee. The scope areas have been risk
assessed in the Risk Assessment Plan [insert title/reference] provided to our team during the internal audit planning stage, however, it is important to note that this
linkage does not indicate full coverage of enterprise risks which are managed through a number of business processes and control procedures.]
[Sample text – option 2: This internal audit has been performed at the request of the [insert title e.g. Audit Committee/CEO/CFO] of [insert organization name]. This
ad hoc internal audit is in addition to the internal audits set out in the 201X/201X Internal Audit Plan.]
23. METHODOLOGY:
INTERNAL AUDIT APPROACH
APPROACH
[Sample text: The internal audit of [insert organization name] [insert process name]
was performed using the following approach:
•[insert nature of specific procedures and testing performed to meet the
objectives of the internal audit, for example:
• names and titles of organization management/personnel interviewed
• details of information and documentation provided
• processes/systems documented
• areas and time period of walk-throughs, and observation and enquiry
performed
• areas, extent (i.e. sample sizes) and time period of items selected for testing
• the use of any third party subcontractors, where agreed with the
organization].]
INTERNAL AUDIT TEAM
Prepared by:
Name: Signature:
Reviewed by:
Name: Signature:
24. Report status
Audit Opening
Audit Closing
Draft Observation Summary issued on
Draft Report issued on
Management responses received
Discussion with the Management &
Validations
Final report issued on
TEAM INTRODUCTIONS & AUDIT TIMELINE
25. Executive Summary
Implementation Summary of Previous Report
Rating Process /
Sub
Process
Report Period
/ Reference
Management Action
Plan
Responsibility & Date Implementation Status
27. Key findings and recommendations
[Sample text: The findings identified during the course of this internal audit are illustrated in the summary below. A full list of the findings identified and the
recommendations made is included in this report. Classifications of internal audit findings are detailed in Appendix X to this report.
These findings and recommendations were discussed with [insert organization name] Management responsible for the operations of [insert process name].
Management has accepted the findings and has agreed action plans to address the recommendations. This report also includes any findings and recommendations
where Management has implemented the action plans to date.
The management action plans will be included in the tracking of internal audit recommendations maintained by [insert name of the function responsible for internal
audit]
Executive Summary (Contd.)
Sr. No. Risk Rating Observation Headline / Title Observation Summary Recommendation Summary Detailed
Observation #
1. High
2. Medium
3. Low
Sr.
No.
Report Number of
Observations
Number of High rated
Observations
Implemented Direct Financial Benefits
1.
2.
3.
28. Observation
<Observation in detail>
Risk/ Implications
• <Risk / Implication in detail>
Recommendation
Management Response/
Proposed action steps Responsibility & Timeline
Root Cause
1. <Recommendation 1 in detail>
2. <Recommendation 2 in detail>
1.1 <Proposed action steps for Recommendation 1>
1.2 <Proposed action steps for Recommendation 1>
2.1 <Proposed action steps for Recommendation 2>
1
Mr. XYXYXY
GM - Production (Shafts)
February 15, 2012
2
Mr. XYXYXY
GM - Production (Shafts)
April 1, 2012
Sr. No. # : Title of Observation
DETAILED OBSERVATION
29. The individual risk within the areas are reviewed and an overall rating of High, Medium or Low is assigned based on the following definition:
High A weakness where there is substantial risk of loss, fraud, impropriety, poor value for
money, or failure to achieve organisational objectives. Such risk could lead to an adverse
impact on the business. Remedial measures must be taken urgently.
Medium A weakness in control which, although not fundamental, relates to shortcomings which
expose individual business systems to a less immediate level of threatening risk or poor
value of money. Such a risk could impact on operational objectives and should be of
concern to senior management and requires prompt specific action.
Low Areas that individually have no significant impact, but where management would benefit
from improved controls and/or have the opportunity to achieve greater effectiveness
and/or efficiency.
RISK GRADING RATIONALE (INDIVIDUAL RISKS)
31. GAP
No.
Internal control weakness/Process Improvement
COSO Category of
Control
Impact Recommendation
Selection and Analysis of Broker
The company has not followed appropriate process
while selection of brokers for equity shares. The
criteria for the broker is not defined and
documented. Brokerage comparative statement and
other benefits are not documented for selection of
brokers for investment in equity shares.
The effective brokerage rate analysis was done and
it was observed that company has done its 68% of
investment through A Stock Broking whose rate is
more than B in XYZ Ltd.
Effective brokerage rate analysis was done for ABC
portfolio wherein the 44% of total transaction (in
value) are done through A Stock Broking whose
rate was more than S and C.
Risk of incurring excess
cost due to absence of
competitive analysis
Broker wise analysis
must be carried out to
ensure better service
and low transaction cost
Managements Comments
Ø Process Owner:
Ø Comment:
Operational Weakness – During Investment Function (Eq Shares)
32. GAP
No.
Control deficiency/ Audit Observation
COSO Category
of Control
Impact Recommendation
Broker Selection and Evaluation Procedures
There is no written procedure for selection and
evaluation of equity brokers as a result the equity deal
team has not followed consistent broker selection
process.
Higher Equity Brokerage Payout to A Stock Broking
Effective brokerage rate analysis reveals that the
company has executed 68% of investment
transactions through A Stock Broking. Despite a
higher share of business to A the brokerage rate of A
is more than B. The quantum of excess payout is
estimated at @@@.
Absence of
defined norms
leading to
process
inefficiencies and
financial losses
Absence of
monitoring
checks leading to
process
inefficiencies and
financial losses
Broker selection and
evaluation procedures
should be framed by the
front/mid office team and
adopted by the Board. The
procedures should include
the broker selection criteria,
value added benefits
expected from the broker
and quantum of trading
limits.
Periodical monitoring checks
such as Broker wise analysis
must be carried out to lower
transaction costs and
improved service levels.
Managements Comments
Ø Process Owner:
Ø Comment:
Higher Equity Brokerage Payout
33. Inventory Turnover and Finished Goods Turnover analysis
Observations
Inventory Turnover Ratio:-
The inventory turnover ratio of 3.16 which is very low implying that
the company is carrying its stock for a very long period and are not
managing its inventory efficiently.
It has been observed that these products are hazardous and
company takes 116 days to convert raw material into sales, so it is
very risky to hold such high inventory.
Finished Goods Turnover Ratio:-
Finished goods turnover ratio of 11.84 implies that the company is
able to convert its finished goods stock 11.84 times.
In 31 days it is able to sell the finished goods manufactured.
Root Cause
Absence of defined control procedures
Poor implementation of defined / not defined job responsibility
Recommendation
A complete assessment of inventory on terms of quantity and
valuation is essential.
High value and risky material needs to be stored in proper conditions
and required quantity.
Management Action Plan
Particulars Rs.(lacs)
Cost of Goods Sold 1614
Opening Stock as on 1/4/2012 400
Closing stock as on 31/12/2012 621
Average Stock 511
Inventory Turnover Ratio 3.16
Inventory Turnover Ratio in no of days 116
Particulars Rs.(lacs)
Sales (Export and Local) 1932
Opening Stock as on 1/4/2012 ( FG) 72
Closing stock as on 31/12/2012( FG) 253
Average Stock (FG) 163
Finished Goods Turnover Ratio 11.84
Finished Goods Turnover in no of days 31
Inventory Turnover Ratio: - Finished Goods Turnover Ratio: -
34. CARO Para 4 (ii) (a)
Whether physical verification of inventory has been conducted at reasonable intervals
by the management.
Observation
Practice of conducting physical verification of inventory is not carried out by the
management at regular intervals. However, physical verification has been carried out
in the month of July 2012 and reverse calculation was done to arrive at 31st march
2012 stock
CARO Para 4 (ii) (c)
Whether the company is maintaining proper records of inventory and whether any
material discrepancies were noticed on physical verification and if so, whether the
same have been properly dealt with in the books of account
Observation
Stock prior to April 2011 was maintained at AB location and these stocks were
brought in the books by passing stock transfer entry. While passing transfer entry,
reconciliation of these stocks with warehouse stock was not carried out and as a
result discrepancies were noticed. No relevant supporting documents were made
available for such adjustment. As of date of audit i.e. 20th July, 2012 re-conciliation is
in process.
Summary
High
CARO Para 4 (ii) – Inventory Management
• Inventory records should be maintained properly in the books of accounts
on real time basis
• Reconciliation with warehouse stock should be done on monthly basis.
Monthly report of reconciled stock should be submitted to senior
management
• Physical verification should be conducted half yearly by independent party
Recommendation
Management Action Plan Awareness Monitoring
Auditee Response: Post physical verification of stock by internal auditor, the
stock records will be reconciled and thereafter it will be maintained properly
by the company.
Timeline:
Process Owner:
35. CARO Para 4 (iv) (a)
Is there an adequate internal control procedure commensurate with
the size of the company and the nature of its business, for the
purchase of inventory and fixed assets and for the sale of goods.
Whether there is a continuing failure to correct major weaknesses
in internal control?
Observation
Company does not have adequate system control in relation to
purchase and sales of inventory & fixed assets. For instance;
i) Tally (Accounting System) allows passing of sales entry even
if there is no stock with the company and as a result stock
report is showing negative stock. This lapse in system control
is highly prone to error.
ii) Competitive rate analysis for fixed assets procurement is not
done
iii) Sales price list is not maintained in system to ensure that all
products are sold at defined price
Is there an adequate internal control
system commensurate with the size of the
company and the nature of its business,
for the purchase of inventory and fixed
assets and for the sale of goods and
services. Whether there is a continuing
failure to correct major weaknesses in
internal control system;
36. Storage Facility
On verifying the storage facility, it was observed that bins and pallets were allocated
without proper spacing and stacking of products. Many of the bins were kept empty and
some bins & pallets were not utilized fully.
• As per the agreement with Aramex, Inward Process Point no.5.2 - Di representative
to be present during barcode pasting when no barcode are there on the products on
receipt, however on discussion it was learned that Aramex staff did bar code pasting
on their own and they were never accompanied by Di staff during this process.
• It was observed that practice of affixing preprinted system generated barcodes on
the material boxes is not in place and handwritten codes are affixed on the same
which are highly susceptible to errors. Also if any box has got empty and new
material is store in it, previous label code is not removed and new label code is affix
on the same. Thus 2 codes are reflected on the same box.
• 27 cases have been observed where location is incorrectly defined in the Optilog.
This makes tracking of materials difficult in case of emergency. [Refer Annexure VII
for details]
• As per agreement with Aramex, all rusted/corroded fittings to be isolated from
saleable inventory, however it was observed that many of the rusted materials were
still stored along with good quality materials and this can affect the quality of non-
rusted materials.
• Also as per agreement, rubber hose should be securely stretch-wrapped and stored
in warehouse, however during verification it was observed that some hose were lying
unwrapped.
• Cameras and smoke detectors at bin storage area on 2nd floor were not in working
condition.
All the operational gaps to be filled in by taking utmost care and using due diligence
for a better and smooth functioning business operation. Detailed list of
recommendation as per next slide.
Recommendation
• Auditee Response:
• Timeline:
• Process Owner:
Observation
Management Action Plan Awareness Monitoring
• Operation ineffectiveness
Root cause
Operational
Ineffectiveness
System
Deficiency
External
Design
Deficiency
High
Risk Implication Operational Control Compliance
• Financial loss to Dixon due to overcharging by Aramex.
• Handwritten codes are susceptible to errors
• Incorrect geographical mapping may lead to unfulfilled sales order due to misplaced items.
• Rusted/corroded items to be separated to avoid damage to other good products.
• Rubber hoses to be covered to avoid getting it dirty and its appealing looks may get diminished.
• Non-functioning Cameras, no audit trail in case of theft. Insurance claim may be denied.
Root cause
37. Observation
Risk
Implications
Criticality Probability
Existing
Maturity
Recommendation
Desired
Maturity
Non Compliance with SEBI Regulation
• Outstanding clients review – funding violation
W.r.t. the Exchange circular no. NSE/MEMB/261 dated May
27, 1997 regarding clarification given by SEBI on
applicability of Rule 8(1)(f) and 8(3)(f) of Securities Contract
(Regulation) Rules, 1957, relating to fund based activities of
brokers and as per clarification vide NSE Circular Ref.No:
136/2012 dated 26th April, 2012 - If debit balances arise out
of client’s failure to pay such amount for more than fifth
trading day reckoned from date of pay-in, and further
exposure is granted to client it would be construed as a
funding violation even if fully paid collaterals are available for
margins.
On review of long outstanding client positions (more than
T+5day) for the period 01st April 2011 to 31st May 2012, it
was observed that clients were being funded for debits in
their account and for the same they were being charged
Delayed payment Charges (DPC), as sufficient collaterals
were available in client’s account.
• Non
Compliance
with SEBI
Regulation
Very High Very High
Repeatabl
e
• Funding violation to be
avoided, by adhering to
exchange guidelines.
• A complete compliance
manual needs to be defined
which indicate checkpoints
for all the applicable
compliances and its
adherence with a feature
enhancement in Risk
Management Software for a
risk and self-certification
process
Managed
Non Compliance with SEBI Regulation
• Simplify the start
• Full review to unearth the extent of non-compliance
• Recent Penalties & Reputation
• Level of exposure client category wise and ageing
39. Unhelpful Client Communication Practices
• Issuing client communication prior to Superior & Partner review
• Asking too many questions at once.
• Saying you understand when you don’t!
• Arguing.
• Criticising individuals.
• Taking sides.
40. • Headlines grab attention
• First impression matters
• Story telling – follow a theme
• Concise - word count helps
• Big picture and detailing – both are equally important
• Self review, superior review and partner review
• Use graphics, photo graphs (where presented as evidence)
• Avoid repetition of phrases, words
• Cut prepositions
• Adopt a positive
• Write while auditing
Tips for success
42. Scenario 1:
• Unbudgeted capex spending of INR 5 million
• Uninsured Material in warehouse of the company
43. Scenario 2:
• 100% depreciation charged on low value assets
• Assets recorded at zero value
44. Scenario 3:
• Procurement Policy states that purchases should be made only against
valid contracts. Material purchased without any underlying contract
• There is a trend of delay in receipt of material
45. Scenario 4:
• You are a Statutory Auditor of a Listed company and have completed your
annual review. You have to frame a management letter to the CFO
highlighting weaknesses in Fixed Assets, Revenue Recognition, Inventory
controls and failure to implement internal auditor recommendations.