2. Objectives of Planning
Use of Internal Audit
Factors affecting Planning Process
Scope of Planning
Factors affecting scope of Internal Audit.
Planning process
3. Internal audit plan is a document defining the
scope, coverage and resources, including time,
required for an internal audit over a defined
period.
Objectives include:
suggest improvements to the functioning of
the entity.
strengthen the overall governance mechanism
of the entity
4. Understand, assess and evaluate the risks and
adequacies of the prevalent internal controls.
Identifying areas for systems improvement
Ensuring optimum utilization of the resources
Ensuring proper and timely identification of liabilities
Ensuring compliance with internal/ external guidelines
Safeguarding the assets of the entity
Reviewing and ensuring adequacy of information
systems security and control.
Reviewing and ensuring adequacy, relevance, reliability
and timeliness of management information system.
5. Objectives of the activity and significant risks
associated with the same.
The risk management and internal control
system instituted in the organization.
Selection of engagement team.
Business/Industry developments.
Changes in the financial reporting framework
6. Knowledge of the legal and regulatory framework
Knowledge of the entity’s accounting, internal
control systems and policies
Determining the effectiveness of the internal
control procedures
Determining the nature, timing and extent of
procedures to be performed
Identifying the activities warranting special focus
Allocation of staff to different activities.
Setting the time budget for each of the activities
Identifying the reporting responsibilities
7. Terms of the engagement
Nature of accounting system and Accounting policies adopted.
Nature of information technology system used by the client
Authorization and delegation of authority in the systems
environment
The nature of management information system in vogue and
Expected audit coverage
Materiality thresholds established in respect of various areas of
audit
Nature and extent of audit evidence to be obtained
Experience and skills of the staff
Requirements of the applicable pronouncements of the ICAI.
Statutory or regulatory framework in which the entity operates
8. Obtaining Knowledge of the Business
Establishing the Audit Universe
Establishing the Objectives of the Engagement
Establishing the Scope of the Engagement
Deciding the Resource Allocation
Preparation of Audit Programme
10. Integrity, Objectivity and Independence
Confidentiality
Due Professional Care, Skills and Competence
Work performed by Others and Documentation
Planning
Evidence
Internal Control; and Risk Management System
Reporting
11. Straightforward, honest and sincere in his approach
to his professional work
Maintain an impartial attitude
Immediately bring any actual or apparent conflict
of interest to the attention of the appropriate level
of management
Maintain the confidentiality of the information
acquired in the course of his work
12. Due professional Care to be applied:
In Deciding the extent of work required to
achieve the objectives of the engagement.
In assessment of risk management
Control and governance processes and
Cost benefit analysis.
Obtain skills and competence through general
education, technical knowledge through study
and formal courses.
13. Direct, supervise and review the work delegated to
assistants.
No reasons to believe that he should not have
relied on the work of the expert
Responsible for forming his opinion on the areas/
processes being subject to internal audit or his
findings.
Document matters, providing evidence that the
audit was carried out in accordance with the
Standards on Internal Audit
14. Obtain knowledge of the legal and regulatory
framework
Obtain knowledge of the entity’s accounting and
internal control systems.
Determining the effectiveness of the internal
control procedures.
Identifying the activities warranting special focus
Setting the time budget for each of the activities
Identifying the reporting responsibilities
Benchmark the actual results of the activities.
15. Obtain an understanding of the risk management
and internal control framework.
Perform steps for assessing the adequacy.
Review the adequacy.
Perform risk-based audits on the basis of risk
assessment process.
Evidence: obtain appropriate evidence to draw
reasonable conclusions.
Reporting: Review and assess the conclusions
drawn from the evidence obtained and suggest
remedial action
17. Reviewer
Use of documentation
Factors affecting Documentation
Matters to be Documented
Identification of Preparer and Reviewer
Exceptional Circumstances
Document Retention and Access
18. Reviewer means an Individual who has:
reasonable knowledge and experience of
internal audit processes
reasonable knowledge of SIAs, other relevant
pronouncements of the Institute.
reasonable understanding of the business
environment in which the entity operates
reasonable understanding of internal audit
issues relevant to the entity’s industry
19. Enables an experienced internal auditor, having no
previous connection with the internal audit to
understand:
The nature, timing and extent of the audit
procedures performed.
The results of the audit procedures and the audit
evidence obtained.
Significant matters arising during the audit and the
conclusions reached thereon.
Terms and conditions of an internal audit
engagement, scope of work, reporting requirements,
any other special conditions, affecting the internal
audit.
20. The nature and extent of the audit procedures to
be performed
The identified risks of material misstatement
The extent of judgment required in performing
the work.
The significance of the audit evidence obtained.
The nature and extent of exceptions identified.
The need to document a conclusion or the basis
for a conclusion.
The audit methodology and tools used.
21. Engagement letter or the internal audit charter
Internal audit plan and programme, Chart of the
organizational structure and Progress report, MIS
report.
Analytical procedures performed and results
thereof
Copies of significant contracts and agreements
Internal review reports
Evaluation questionnaires, checklists, flowcharts
Certification and representations obtained from
management
Results of risk and internal control assessments
22. Who performed that task and the date such work was
completed.
Who reviewed the task performed and the date and extent of
such review.
Reasons for creating particular internal audit documentation.
Source of the information contained in the internal audit
documentation and
Any cross referencing to any other internal audit
documentation
The preparers and reviewers of the internal audit
documentation should also sign the workings.
The internal audit file should be assembled within sixty days
after the signing of the internal audit report.
23. The details of circumstances encountered
along with the documentary evidence.
The new or additional audit procedures
performed, audit evidence obtained, and
conclusions reached and
When and by whom the resulting changes to
the audit documentation were made, and
reviewed.
24. Formulate policies for custody and retention.
Ownership of audit documents.
Access to Third party.
Retention of Documents.
26. Contents of the SIA
Introduction
Basic Elements of Internal Audit Report
Communication to Management
Limitation on Scope
Restriction on Usage and Report Circulation
Otherwise Than to the List of Intended
Recipients
27. Introduction
To establish standards on the form and content of the internal
auditor’s report.
Basic Elements of an Audit Report
Title
Addressee
Report Distribution List
Period of coverage of the Report
Opening or introductory paragraph, Objectives & scope Paragraph
Executive Summary
Observations, findings and recommendations
Comments from the local management and Action Taken Report
Date, Place, Signature with membership number of the Internal
Auditor.
28. Communication with the management to ensure that
the recommendations in the final report are
practical.
The stages of communication and discussion should
be as under :
› Discussion Draft
› Exit Meeting
› Formal Draft
› Final Report
29. Limitation on Scope
› When there is a limitation on the scope of the work,
the report should describe the limitation.
Restriction on Usage and Report Circulation
Otherwise Than to the List of Intended Recipients
› The Report should contain:
It should be used for intended purpose only as
agreed upon.
The circulation of the Report should be limited to
the recipients mentioned in the Report Distribution
List.
31. Contents of the SIA
Introduction
Definitions
Use of Sampling in Risk Assessment Procedures and
Tests of Controls
Design of the Sample
Sample Size
Statistical and Non-Statistical Approaches
Selection of the Sample
Evaluation of Sample Results
Documentation
32. Introduction
To establish standards on the design and selection of an audit sample and
provide guidance on the use of audit sampling.
The SIA defines the following
› Audit Sampling
› Error
› Population
› Sampling Risk
› Sampling Unit
› Statistical Sampling
› Tolerable Error
Use of sampling in Risk Assessment and tests of control
To obtain an understanding of the entity, business and its environment, and
its internal control.
Sampling of tests of controls is appropriate when application of the control
leaves audit evidence of performance
Risk can be reduced by increasing sample size for both tests of controls and
tests of details.
33. Design of the sample
› The sample should be designed considering the specific audit
objectives, the population from which the auditor wishes to
sample, and the sample size
Sample Size
Should be determined considering sampling risk, the tolerable
error, and the expected error.
Lower the risk, greater the sample size.
Statistical and Non-Statistical Approaches
Decision of using either statistical or non-statistical sampling is a
matter of the internal auditor’s professional judgment.
When applying statistical sampling, sample size may be ascertained
using either probability theory or professional judgment.
34. Selection of Sample
› It should be selected in such a way that the sample can be expected to be
representative of the population.
› Commonly used sampling methods are:
Random selection and use of CAAT’s
Systematic Selection
Haphazard Selection
Evaluation of Sample Results
The auditor should:
Analyse the nature and cause of any errors detected in the sample.
Project the errors found in the sample to the population.
Reassess the sampling risk.
Consider their possible effect on the particular internal audit objective.
Evaluate the sample results to determine if the assessment of the relevant
characteristics of the population is confirmed or not.
35. The documentation includes:
› Relationship between the design of the sample and specific
audit objectives.
› Assessment of the expected rate of error in the population to
be tested.
› Assessment of the sampling risk and the tolerable error
› Assessment of the nature and cause of errors.
› Rationale for using a particular sampling technique and
results thereof.
› Analysis of the nature and cause of any errors detected in the
sample.
› Projection of the errors found in the sample to the
population
› Reassessment of sampling risk, where appropriate
› Effect of the sample results on the internal audit’s objective.
37. Contents of the SIA
Introduction.
Nature and Purpose.
Analytical Procedures as Risk Assessment
Procedures and in Planning the Internal Audit.
Analytical Procedures as Substantive Procedures.
Analytical Procedures in the Overall Review at
the End of the Internal Audit.
Extent of Reliance on Analytical Procedures
Investigating Unusual Items or Trends.
38. Introduction
To apply analytical procedures as the risk assessment procedures at the
planning and overall review stages of the internal audit.
Nature and Purpose
Analytical procedures include the consideration of comparisons of the entity's
financial and non-financial information.
In determining the extent to which the analytical procedures should be used,
the following factors have to be considered
› Significance of the area being examined.
› Adequacy of the system of internal control.
› Availability and reliability of financial and non-financial information.
› Precision with which the results of analytical procedures can be predicted.
› Availability and comparability of information regarding the industry in
which the organization operates.
› Extent to which other auditing procedures provide support for audit
results.
39. Analytical Procedures as Risk Assessment Procedures and
in Planning the Internal Audit.
› To obtain an understanding of the business, the entity and
its environment and in identifying areas of potential risk.
› In planning the internal audit, use both financial and
non-financial information.
Analytical Procedures as Substantive Procedures
› To reduce detection risk relating to specific financial
statement assertions and assertions relating to process.
› Inquire with the management as to the availability and
reliability of information needed to apply analytical
procedures.
40. Analytical procedure should be applied at or near the end
of the internal audit when forming an overall conclusion.
Extent of Reliance on Analytical Procedures is based on the
following factors
› Materiality of the items involved.
› Internal audit procedures directed toward the same internal audit
objectives.
› Accuracy with which the expected results of analytical procedures can
be predicted.
› Assessments of inherent and control risks.
Investigating Unusual Items or Trends
When analytical procedures identify significant fluctuations or
When relationships that are inconsistent with other relevant
information or
Data that deviate from predicted amounts.
The internal auditor should investigate and obtain adequate explanations
and appropriate corroborative evidence.
43. Independent management function.
Continuous and critical appraisal of the entity
Suggest improvements and strengthen the
overall governance mechanism of the entity.
Provides assurance that there is transparency
in reporting, as a part of good governance.
44. Scope:
Applicable whenever an internal audit is
carried out.
Whether by internal audit department or
external firm of Professional accountants.
Objective:
To Establish standards and provide guidance
To Ensure Compliance with professional
standards, regulatory and legal requirements.
To Improve functionalities of the
organization, Transparency in reporting and
good governance.
45. Leadership responsibilities for quality in
internal audit
Ethical requirements
Acceptance and continuance of client
relationship and specific engagement
Human resources
Engagement performance
Monitoring
46. Internal Quality Reviews
Internal Quality Reviewer
Communicating the results of Internal
Quality Reviews
External Quality Reviews
External Quality Reviewer
Communicating the results of External
Quality Reviews
49. Agree on the terms of the engagement before
commencement of Audit.
The agreed terms would need to be recorded
in an engagement letter.
The responsibility of the internal auditor to
prepare the engagement letter.
To be signed both by the internal auditors as
well as the auditee.
Approval by Board of Directors/ Audit
Committee.
Periodic review and modification of Terms of
Engagement.
51. If unable to agree to any change in the terms
or is not permitted to continue as per the
original terms, then auditor should withdraw
from the engagement.
Consider whether there is an obligation,
contractual or otherwise, to report the
withdrawal to other parties.
54. Provides a framework for matters to be
communicated with the management.
Internal auditor should consider the
following:
Communicate clearly the responsibilities,
scope and timing of Audit.
Obtain relevant Information
Provide timely observations
Promote effective two way communication.
55. 1. Planned scope and Timing of Internal Audit
2. Significant findings from the Internal Audit
Stages of Communication:
a) Discussion Draft
b) Exit Meeting
c) Formal Draft
d) Final Report
56. Establishing the communication Process
Forms of Communication
Timing of Communication
Adequacy of the Communication Process
57. In case of Oral communication the internal
auditor shall document, when and to whom
they were communicated.
In case of Written communication the auditor
shall retain a copy of the communication as
part of the internal audit documentation.
59. Introduction and Objective
Audit Evidence
Categories of Documentary Evidence
Modes of obtaining Audit Evidence
60. Scope and coverage are much broader than
Statutory Audit.
Covers comments on internal control systems,
risk management, propriety aspect of
transactions.
This Standard deals with the qualitative and
quantitative aspects of evidence in internal
audit.
61. Internal audit evidence is persuasive rather
than conclusive in nature
The internal auditor may obtain evidence on a
selective basis by way of judgmental or
statistical sampling procedures
The internal auditor’s judgement is usually
influenced by:
› The materiality of the item.
› The type of information available.
› Degree of risk of misstatement.
62. Documentary evidence originating from and
held by third parties.
Documentary evidence originating from third
parties and held by the entity.
Documentary evidence originating from the
entity and held by third parties and
Documentary evidence originating from and
held by entity.
65. Introduction
Objectives of Internal Control System
Elements of Internal Control System
Responsibilities of Internal Auditor
66. Fraud is defined as an intentional act by one
or more individuals among management,
those charged with governance, or third
parties, involving the use of deception to
obtain unjust or illegal advantage.
The primary responsibility for prevention and
detection of frauds rests with management
and those charged with governance
67. Internal control refers to the process designed,
implemented and maintained by the management
of the entity to ensure accomplishment of its
following objectives:
Reliability of financial reporting.
Efficiency and effectiveness in operations.
Compliance with applicable laws and regulations.
Safeguarding of assets.
68. The control environment.
Entity’s risk assessment process.
Information system and communication.
Control activities.
Monitoring of controls.
69. Control Environment
Risk Assessment
Information system and communication
Control Activities
Monitoring
Communication of Fraud
Documentation
71. Introduction
Factors reflected in the Control Environment
Inherent Limitations of Internal Controls
Role of Internal Auditor
Areas to be Reviewed by Internal Auditor.
Areas of Evaluation
Controls present in a System Driven Environment
Tests of Control
Communication of Internal Control Weakness
Disclosure
72. Establish Standards and provide guidance on
procedures to be followed by Internal Auditor
Communication of weakness in Internal
control.
Internal control system consists of
interrelated components such as Risk
assessment, Control (or Operating)
environment, Monitoring, etc.
73. Factors reflected in the control Environment:
Entity organization Structure
Functioning of BOD/ Governing Body.
Management's philosophy and operating style
Management's control system.
Integrity and ethical values
Commitment to competence
Human resource policies and practices
74. Cost benefit Analysis
Potentiality for Human Error
Circumvention of Internal controls by
parties within/ outside the entity.
Misuse of Power
Manipulations by Management.
75. Evaluation of the efficiency and effectiveness
of controls
Recommending new controls where needed –
or discontinuing unnecessary controls
Using control frameworks
Developing control self-assessment
76. Mission, vision, ethical and organizational value-system of
the entity
Personnel allocation, appraisal system, and development
policies
Accounting and financial reporting policies and compliance
with applicable legal and regulatory standards
Objective of measurement and key performance indicators
Documentation standards
Risk management structure
Operational framework
Processes and procedures followed
Degree of management supervision
Information systems, communication channels
Business Continuity and Disaster Recovery Procedures
77. Verify mission statement and written goals
and objectives.
Assessing risks at the entity level.
Assessing risks at the activity (or process)
level.
Prepare Business Control Worksheet.
Ensure all risks to the entity are identified.
Ascertain those risks for which no controls
exist or existing controls are inadequate.
78. Determine whether the entity uses:
Encryption tools, protocols to protect
confidential or sensitive information.
Back-up and restore features to reduce the risk
of permanent loss of data.
Virus protection software and
Passwords that restrict user access to
networks, data and applications.
79. Performed to obtain effectiveness of the:
Design of the internal control systems.
Operation of the internal controls throughout
the period.
Cost Benefit analysis.
Includes Inspection of Documents,
Inquiries and Observation, Re-performance,
Reconciliations and Testing of Internal
Controls.
80. In case of continuing internal control
weaknesses, consider whether:
Management has increased supervision and
monitoring;
Additional or compensating controls have
been instituted; and/or
Management accepts the risk inherent with
the control weakness.
81. The internal auditor in his report to the
management, should provide:
A description of the significant deficiency or
material weakness in internal control.
His opinion on the possible effect of such
weakness on the entity’s control environment.
83. Introduction
Process of ERM and Internal Audit
Scope
Maturity of ERM structure
Disclosure
84. ERM enables management:
To effectively deal with risk
Associated uncertainty and enhancing the
capacity to build value to the entity
Types of Risks:
Strategic
Operational
Financial and
Knowledge
85. Enterprise Risk Management is a structured,
consistent and continuous process of
measuring or assessing risk and developing
strategies to manage risk within the risk
appetite.
Process consists of Risk identification,
prioritization and reporting, Risk mitigation,
Risk monitoring and assurance.
86. Risk maturity level
Compliance with the risk management policy
In case of the risks covered by the internal
audit plan:
Assess the efficiency and effectiveness of the
risk response.
Assess whether the score of the residual risk is
within the risk appetite
87. Protects the enterprise against surprises
Stabilizes overall performance with less
volatile earnings
Operates within established risk appetite
Protects ability of the enterprise to attend to
its core business and
Creates a system to proactively manage risks.
88. Assurance rating (segregated into High,
Medium or Low) as a result of the review
Tests conducted
Samples covered and
Observations and recommendations.
90. Matters to Consider
Planning
Nature of Risks
Reliability of ICS
Review of IT Environment
91. The extent to which the IT environment is
used
The flow of authorised, correct and
complete data to the processing centre.
The processing, analysis and reporting
tasks undertaken in the installation and
The impact of computer-based accounting
system on the audit trail.
92. Information Technology Infrastructure
Significance and complexity of
computerised processing
Determination of the organisational
structure.
Determination of the availability of data
93. Lack of transaction trails
Uniform processing of transactions
Lack of segregation of functions
Potential for errors and irregularities
Initiation or execution of transactions
Dependence of other controls over computer
processing
Potential for increased management supervision
Potential for the use of CAAT.
94. Authorised, correct and complete data is
made available for processing.
Timely detection and correction of errors
Interruption in the working of the IT
environment.
Accuracy and completeness of output.
Adequate data security
Unauthorised amendments to the programs
Safe custody of source code of application
software and data files.
95. System Audit reports
Reports of system breaches
Reports of network failures/ virus attacks
and threats to perimeter security.
General controls
Application controls
Business Continuity Planning, Crisis
Management, Disaster Recovery Procedures.
98. What constitutes the knowledge of an entity’s
business.
Importance to the various phases of an
internal audit engagement.
Techniques to be adopted in acquiring such
knowledge.
Identify appropriate, reliable and useful
information
99. Relevant industry, regulatory, and other
external factors.
Nature of the entity and its Business
operations.
Investment, Financing activities and Financial
reporting.
Accounting policies, Business risk,
objectives and strategies of the entity.
100. Previous engagement experience
Business plan/organisational structure and
Internal documentation produced by the
entity.
Incorporation documents and Visits to the
entity premises.
Discussion with key management persons,
statutory auditors, Suppliers, customers and
third party agencies.
Publications related to the industry.
101. Assessing risks and identifying key focus
areas.
Planning and performing the internal audit
effectively and efficiently.
Evaluating audit evidence.
Providing better quality of service to the client
The information obtained should be
adequately documented.
103. Introduction
Need to use work of Expert
Skills and Competence of Expert
Evaluating the work of an Expert
Disclosure
104. An expert is a person, firm or other
association of persons possessing special skill,
expertise, knowledge and experience in a
particular field.
Use expert if internal Audit Team does not
possess the required knowledge.
If Expert is engaged by the senior
management or those charged with
governance.
105. Factors to be Considered:
Materiality of the item being examined.
Nature and complexity of the transaction.
Risk of error.
Extent of Internal audit evidence available.
106. The expert’s professional qualifications or
membership in an appropriate professional
body.
The reputation of the expert in the relevant
discipline.
The knowledge and specific experience of
the expert in the industry in which the
auditee entity operates.
107. The objectives and scope of the work
Access to records, personnel and physical
properties.
The ownership and custody of engagement
documentation and working papers.
Confidentiality of the expert's work
Expert’s relationship with the auditee
Confidentiality of the auditee’s information
used by the expert.
Verify the source data used, assumptions made
and methods used in obtaining the result.
108. Normally work of an expert is not required to
be disclosed.
Disclose the work if it is beneficial to the
reader after obtaining Prior consent of Expert.
Outline the assumptions, broad
methodology and conclusions of the expert.
110. Scope and Objective.
Responsibility of Management
Responsibility of Internal Auditor
Types of Laws and Regulations
Compliance with Laws and Regulations.
Audit procedures in case of Non Compliance
identified.
Reporting of non compliance
111. To consider laws and regulations when
performing an internal audit.
To test and report on compliance with specific
laws or regulations.
Non compliance- Acts of omission or
commission by the entity, either intentional
or unintentional, which are contrary to the
prevailing laws or regulations.
Non-compliance does not include personal
misconduct by those charged with
governance, management or employees of the
entity.
112. To obtain sufficient appropriate audit
evidence
To perform specified audit procedures
To respond appropriately to non-compliance
or suspected non-compliance
113. To ensure compliance with the provisions of
laws and regulations
This can be achieved by assigning appropriate
responsibilities to the following:
A compliance committee
An audit committee.
114. Should not assume any accountability for
risk management decisions taken by the
management.
Inherent limitations on the internal auditor’s
ability to detect non-compliance:
Too many laws and regulations
Non-compliance may involve conduct
designed to conceal it
Legal determination by a court of law.
115. Laws and regulations having direct effect on
Financial Statements:
Obtain sufficient appropriate audit evidence
to ensure compliance.
Laws and regulations having no direct effect on
Financial Statements:
Undertake specified audit procedures to
identify non-compliance.
May have a significant impact on the functioning
of the entity.
116. Obtaining an Understanding of the Legal and
Regulatory Framework
Laws and Regulations having Direct Effect on
Financials.
Procedures to Identify Instances of Non-
Compliance.
Non-Compliance brought to the Internal Auditor’s
Attention through Other Audit Procedures
Written Representations
Internal Audit Procedures When Non-Compliance is
Not Identified or Suspected
117. Indications of Non-Compliance with Laws and
Regulations
Matters Relevant to the Internal Auditor’s Evaluation
Evaluating the Implications of Non-Compliance
118. Reporting Non-Compliance to those Charged with
Governance
Reporting Non-Compliance in the Internal Auditor’s
Report
If precluded from obtaining sufficient appropriate
audit evidence then Report the same.
If unable to determine whether non-compliance is
due to limitations imposed by the circumstances /
management then evaluate the observations and
findings in accordance with SIA 4.