Approach Note on Internal Audit_good Ppt


  • 7/25/2019 Approach Note on Internal Audit_good Ppt

    1/43

    Approach Note on Internal Audit

    CA. Deep Kumar Mendiratta


    Contents

    Sl. No. Particulars Page #

    Section I

    1. Internal Audit - Basics 4

    2. ERM Framework 6

    3. Internal Audit Guidelines 9

    4. Internal Audit Process, Approach & Methodology 14

    Section II

    1. Assessing Risks & Internal Controls 22

    2. Internal Audit Sampling Methodology 29

    3. Internal Audit Tools 32

    4. Reporting and Follow-up 37

    5. Internal Audit & Fraud 40


    Section I - Why Internal Audit?


    Internal Audit - Basics

    Definition of Internal Audit: Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

    Objectives of Internal Audit:

    Risk Management

    Control

    Governance

    Risk: Risk is the potential that a chosen action or activity (including the choice of inaction) will lead to a loss (an undesirable outcome). The notion implies that a choice having an influence on the outcome sometimes exists (or existed).

    Internal Control: Internal Control is a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of its objectives (Operational, Reporting & Compliance).


    Why Internal Audit?

    CARO (Companies (Auditor's Report) Order, 2003): Requires listed companies to have an internal audit system commensurate with their size and nature of business. To comply with the requirements, companies may either have an internal audit department or outsource the internal audit function to an external agency.

    Clause 49: Requires the audit committee's role to include oversight of the internal audit function as one of its terms of reference. The agreement requires the audit committee to review with management the performance of the internal audit function.

    Companies Act, 1956 (Section 224): Requires companies to appoint an auditor or auditors at every annual general meeting, to hold office from the conclusion of that meeting until the conclusion of the next annual general meeting.


    Section I - ERM Framework


    Enterprise Risk Management

    ERM defined: A process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

    The key to effectively protecting and growing returns for an organization's shareholders is to identify and manage the risks that could prevent the organization from achieving its business objectives. The enterprise risk assessment is an efficient, comprehensive process that provides insight on inherent risks from an industry perspective and links them to the organization's objectives, initiatives, and business processes.

    Entity objectives can be viewed in the context of four categories:

    Strategic

    Operations

    Reporting

    Compliance

    Enterprise risk management requires an entity to take a portfolio view of risk. Management considers how individual risks interrelate and develops a portfolio view from two perspectives:

    Business unit level

    Entity level


    Enterprise Risk Management Framework


    Section I - Internal Audit Guidelines


    Compliance to Auditing Standards (ICAI)

    Standards on Internal Audits:

    Standard on Internal Audit (SIA) 1, Planning an Internal Audit

    Standard on Internal Audit (SIA) 2, Basic Principles Governing Internal Audit

    Standard on Internal Audit (SIA) 3, Documentation

    Standard on Internal Audit (SIA) 4, Reporting


    Standard on Internal Audit (SIA) 5, Sampling

    Standard on Internal Audit (SIA) 6, Analytical Procedures

    Standard on Internal Audit (SIA) 7, Quality Assurance in Internal Audit

    Standard on Internal Audit (SIA) 8, Terms of Internal Audit Engagement

    Standard on Internal Audit (SIA) 9, Communication with Management


    Standard on Internal Audit (SIA) 10, Internal Audit Evidence

    Standard on Internal Audit (SIA) 11, Consideration of Fraud in an Internal Audit

    Standard on Internal Audit (SIA) 12, Internal Control Evaluation

    Standard on Internal Audit (SIA) 13, Enterprise Risk Management

    Standard on Internal Audit (SIA) 14, Internal Audit in an Information Technology Environment

    Standard on Internal Audit (SIA) 15, Knowledge of the Entity and its Environment

    Standard on Internal Audit (SIA) 16, Using the Work of an Expert

    Standard on Internal Audit (SIA) 17, Consideration of Laws and Regulations in an Internal Audit

    Standard on Internal Audit (SIA) 18, Related Parties


    Compliance to Auditing Standards

    The IIA Standards are of three types:

    a) Attribute Standards: address the attributes of organizations and individuals performing internal audit services. The attributes addressed are:

    Purpose, Authority and Responsibility

    Independence and Objectivity

    Proficiency and Due Professional Care

    Quality Assurance

    b) Performance Standards: describe the nature of internal audit services and provide quality criteria against which the performance of these services can be measured. The criteria addressed are:

    Managing the Internal Audit Activity

    Nature of Work

    Engagement Planning

    Performing the Engagement

    Communicating Results

    Monitoring Progress

    Management's Acceptance of Risk

    c) Implementation Standards: expand upon the Attribute and Performance Standards, providing guidance in specific types of engagements.


    Compliance to Auditing Standards (illustrative)

    S.N. Title of Standard

    1 1000 - Purpose, Authority, and Responsibility

    2 1010 - Recognition of the Definition of Internal Auditing, the Code of Ethics, and the Standards in the Internal Audit Charter

    3 1100 - Independence and Objectivity

    4 1110 - Organizational Independence

    5 1111 - Direct Interaction with the Board

    6 1120 - Individual Objectivity

    7 1130 - Impairments to Independence or Objectivity

    8 1200 - Proficiency and Due Professional Care

    9 1210 - Proficiency

    10 1220 - Due Professional Care

    11 1230 - Continuing Professional Development

    12 1300 - Quality Assurance and Improvement Program

    13 1310 - Quality Program Assessments

    14 1311 - Internal Assessments

    15 1312 - External Assessments


    Section I - Internal Audit Process


    IA Process Overview

    1. Define

      1.1 Define objectives of analysis

      1.2 Gain an understanding

      1.3 Define data requirements

    2. Validate

      2.1 Request and receive data

      2.2 Validate control

      2.3 Perform data quality assessment

    3. Execute

      3.1 Execute audit steps

      3.2 Identify discrepancies

      3.3 Discuss discrepancies with stakeholders and validate errors

      3.4 Assess impact on objectives

    4. Retain

      4.1 Document process, reproduce data

      4.2 Document retention


    Execution Process Overview

    Control Evaluation: Gather Info -> Understand the Process -> Evaluate -> Reassess Scope

    Control Testing: Develop Test Plan -> Sampling or CAATs -> Testing -> Consider Substantive Testing

    Substantive Testing: Develop Test Plan -> Sampling or CAATs -> Testing

    Formulate Findings: Assess Root Cause -> Prioritize -> Agree Action Plan with the Management


    Evaluation Process

    Starting point: Control Objective / Risk

    Is a control in place?

      NO -> Missing Controls -> Is there a mitigating control? If NO -> Assess Mitigation (Missing / Mitigated Controls)

      Yes -> Does the control address the risk? e.g. Are all relevant attributes covered, and in the appropriate timeframe?

        NO -> Inadequate Controls -> Is there a mitigating control? If NO -> Assess Mitigation (Missing / Mitigated Controls)

        Yes -> Determination on Adequacy of Control Design


    Risk and Control Matrix

    Sr. No.: 1

    Process: Client Billing (Invoicing & Collection)

    Sub Process / Activity: Quantity Assessment & Work

    What Can Go Wrong (Risk): Incorrect quantity assessment by the billing engineer leading to under-billing to the client; incorrect quantity assessment by the billing engineer leading to over-billing to the client

    Control Description: Quantity assessment is done against the schedule of work (target billing) and the actual work carried out at the site. The quantity assessment is also cross-checked against the MPR/DPR (prepared by the planning department, who in turn get the data from the execution department and sub-contractors/vendors). Quantities for billing are supported by site measurements / stock consumption and issuance records.

    Test Procedures: Obtain the latest Project Review Report (PRR) and Daily Progress Report (DPR) for the period under review. Select sample RA Bills and review whether related records certifying the completion of measured work are maintained. Ensure measured works are strictly in accordance with the scope of work and any variation is separately parked as 'Extra Work/Item'.

    Documents to be Referred for Test Procedures: Measurement sheets from the site; PRR and DPR; raised RA Bills and certified RA Bills

    Conclusion (Effective / Ineffective):


    Steps to Follow after identifying a Finding

    Discuss and validate errors with responsible stakeholders and process owners

    Consider whether there are any compensating controls within the process or system, and extend the testing scope, if necessary

    Assess impact - whether or not the objectives of the test have been met and if alternative measures need to be taken

    Evaluate exceptions or errors identified during controls testing for the following:

    i. Potential effect on control objectives

    ii. Incidence, or level of error

    iii. Cause of the control breakdown

    iv. Actual effect, if applicable


    Elements of a Finding

    Criteria: Provides a context for evaluating evidence and understanding the findings (Control Objectives):

    Policies & Procedures (expectations of what should exist)

    Contracts & Agreements

    Laws & Regulations

    Standards & Benchmarks

    Defined business practices or measures against which performance is compared or evaluated

    Condition: Condition is a situation that exists or what was occurring when the control weakness was identified, i.e. the Exception or Deficiency.

    Cause: Identifies the reason for the condition or the factor(s) responsible for the difference between the situation that exists (condition) and the required or desired state (criteria). Common factors include: poorly designed policies, procedures, or criteria; inconsistent, incomplete, or incorrect implementation; segregation of duties; or business conditions.

    Effect or Risk Impact: A clear, logical link to establish the impact or potential impact of the difference between the situation that exists (condition) and the required or desired state (criteria), which identifies the outcomes or consequences of the condition. Effect or risk impact may be used to demonstrate the need for corrective action in response to the identified condition.


    Recommendations

    Should address the root cause, not just the symptoms

    Be relevant and practical

    Compare the benefits to costs

    More than one recommendation may be required to completely address an issue

    Use best practices as a source for creative insight, adapting to the needs of the organization

    Example:

    Audit Objective: Evaluate and document credit limit increase procedures

    Risk/Control Objective: Credit limit increases are manually reviewed and approved prior to processing the request in the system

    Sample Selection: 15 credit limit increase accounts from a system-generated report

    Documents Obtained: Credit limit increase MIS, the credit limit increase delegation of authority, and income documents

    Exceptions noted: 3 of 15 credit limit increases were not reviewed and approved per the delegation of authority, and excess credit limit was granted to customers.


    Section II - Assessing Risks & Internal Controls


    Internal Control Structure

    Control Environment: Tone from the top; Corporate policies; Organizational authority

    Risk Assessment: Monthly risk control meetings; Internal audit risk assessment

    Control Activities: Approvals; Security; Block codes / policies

    Information & Communication: Vision and values; Issue resolution calls; Reporting; Corporate communications (e-mail, meetings)

    Monitoring: Monthly reviews of performance reports; Internal audit function

    In many cases, you perform controls and interact with the control structure every day.

    An internal control structure is simply a different way of viewing the business: a perspective that focuses on doing the right things in the right way.


    Concepts and Objectives

    The control definition reflects certain fundamental concepts:

    Internal control is a process.

    Internal control is effected by people. It's not merely policy manuals and forms, but people at every level of an organization.

    Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity's management and board.

    Objectives of Internal Control

    Internal controls are established to further strengthen:

    The reliability and integrity of information.

    Compliance with policies, plans, procedures, laws and regulations.

    The safeguarding of assets.

    The economical and efficient use of resources.

    The accomplishment of established objectives and goals for operations or programs.


    Control Techniques

    Prevention techniques are designed to provide reasonable assurance that only valid transactions are recognized, approved and submitted for processing. Therefore, many of the preventive techniques are applied before the processing activity occurs. In most situations, preventive techniques are likely to be more effective in a strong control environment, when management authorization criteria are well-defined and properly communicated.

    Control type definitions:

    Preventive - Manual

    Preventive - System

    Examples of preventive controls include:

    Segregation of duties (Preventive - Manual)

    Business systems integrity and continuity controls, e.g., application design standards, change controls, security controls, systems backup and recovery (Preventive - System)

    Physical safeguard and access restriction controls (human, financial, physical and information assets) (Preventive - Manual)

    Effective "whistle blowing" processes (Preventive - Manual)


    Control Techniques

    Detection techniques are designed to provide reasonable assurance that errors and irregularities are discovered and corrected on a timely basis. Detection techniques normally are performed after processing has been completed. They are particularly important in an environment that has relatively weak preventive techniques, that is, when front-end approval and processing techniques do not provide reasonable assurance that unacceptable transactions are prevented from being processed, or do not assure that all approved transactions are processed accurately. In this case, after-the-fact techniques become more important in detecting and correcting processing errors.

    Control type definitions:

    Detective - Manual

    Detective - System

    Examples of detection techniques include:

    Reconciliation of batch balance reports to control logs maintained by originating departments. (Detective - Manual)

    Review and approval of reference file maintenance (was-is) reports. (Detective - Manual)

    Reconciliation of interface amounts exiting one system and entering another. (Detective - System)

    Review of on-line access and transaction logs. (Detective - System)


    Risk Analysis

    Risk Assessment: Identification -> Measurement -> Prioritization

    Risk Management: Control It; Share or Transfer It; Diversify or Avoid It

    Risk Monitoring

    Levels: Entity Level; Process Level; Activity Level


    Role of a Process Owner

    General Expectations

    Acknowledge the responsibility for the design, implementation and maintenance of the control structure within the business processes

    Contribute direction to identify, prioritize and review risks and controls

    Remove obstacles for compliance; remedy control deficiencies

    Continue or begin a program of self-assessment and testing to monitor the controls within the processes

    Quarterly

    - confirm key controls are implemented and effective

    - maintain documentation to support this assessment

    Immediate Action Items

    Educate personnel about the requirements and effort

    Reinforce internal focus on controls within the process

    Surface any risks, concerns or issues promptly to allow adequate attention for correction (don't wait for an audit)

    Fix control gaps within reasonable timescales


    Section II - Internal Audit Sampling


    Sampling

    Population: The entire set, or universe, from which a sample is selected and reviewed, and about which the auditor wishes to draw conclusions.

    Data availability for population: An important aspect in sample selection is the availability of data. Depending upon the population, the entire data may or may not be available. In cases where the entire data is not available, this should be brought to the attention of Management, agreed with the stakeholders, and clearly mentioned as a scope limitation.

    Systematic selection: A systematic approach is used by the auditor to select items, to minimize any potential human judgment or bias. Every nth item within the population is selected in accordance with a defined sampling interval.

    Haphazard selection: The auditor, without any conscious bias, selects sample items randomly, i.e., without any special reason for including or omitting items from the sample.

    Stratification: Prior to carrying out analytical procedures, it is important to stratify / classify the data into separate logical sections. This classification would not only help in analyzing trends unique to that particular category but would also help in assessing materiality while selecting a sample.


    Sampling

    Perform analytical procedures: An analytical procedure is defined as an evaluation of financial information made by a study of plausible relationships among both financial and non-financial data.

    Analyse abnormal transactions: If the analytical procedures highlight certain abnormal transactions (where there are significant aberrations), they should be separated and reviewed separately. Such transactions should be reviewed in addition to the regular sample selected.

    Using Excel / CAAT: In case the testing objective can be applied by using Excel / CAAT on the entire population, audit procedures should be performed on the entire population; else samples should be selected for testing.

    Determining sample size and selecting the sample: The sample size will depend on the frequency of the control being tested and the level of evidence that is judged to be necessary by the client and the engagement team. For this purpose the engagement team should define the areas under scope as either High or Low risk.

    Performing audit procedures and evaluating test results: When weaknesses in internal controls are identified we should consider whether there are any compensating controls within the process or system. If we believe there are appropriate compensating controls, we should extend the testing scope to include testing of these compensating controls.
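    The sampling steps from the two slides above (stratify, select every nth item with a defined interval, park abnormal transactions for separate review, and test the entire population when Excel / CAAT allows it), as an added Python example that is not part of the original deck. The Txn record, the High/Low sample sizes, the median-based aberration rule, the flat LPC policy and the populations are constructed assumptions.

```python
from dataclasses import dataclass
from statistics import median
from typing import Callable, Dict, Iterable, List

@dataclass(frozen=True)
class Txn:
    txn_id: int
    area: str      # scoped area, rated "High" or "Low" risk by the engagement team
    amount: float  # value used by the analytical procedure / recomputation

# Constructed sizes for illustration only: the deck says the sample size depends
# on control frequency and the evidence judged necessary for High / Low risk areas.
SAMPLE_SIZE_BY_RISK: Dict[str, int] = {"High": 3, "Low": 2}

def stratify(population: Iterable[Txn]) -> Dict[str, List[Txn]]:
    """Classify the population into separate logical sections (here: risk rating)."""
    groups: Dict[str, List[Txn]] = {}
    for t in population:
        groups.setdefault(t.area, []).append(t)
    return groups

def systematic_sample(items: List[Txn], sample_size: int, start: int = 0) -> List[Txn]:
    """Systematic selection: every nth item, n being the sampling interval
    (population size // sample size); `start` fixes the first pick so the
    selection is reproducible rather than left to auditor judgment."""
    if sample_size <= 0 or not items:
        return []
    if sample_size >= len(items):
        return list(items)  # population no larger than the sample: test every item
    interval = len(items) // sample_size
    return items[start % interval::interval][:sample_size]

def abnormal_transactions(items: List[Txn], factor: float = 5.0) -> List[Txn]:
    """Analytical procedure (constructed rule): an amount more than `factor` times
    the stratum median is a significant aberration, to be reviewed separately."""
    if not items:
        return []
    med = median(t.amount for t in items)
    return [t for t in items if t.amount > factor * med]

def select_for_testing(population: List[Txn]) -> Dict[str, Dict[str, List[Txn]]]:
    """Stratify, park abnormal items separately, then draw a systematic sample from
    the remaining items, so aberrations are reviewed in addition to the sample."""
    plan: Dict[str, Dict[str, List[Txn]]] = {}
    for area, items in stratify(population).items():
        abnormal = abnormal_transactions(items)
        regular = [t for t in items if t not in abnormal]
        size = SAMPLE_SIZE_BY_RISK.get(area, SAMPLE_SIZE_BY_RISK["Low"])
        plan[area] = {"sample": systematic_sample(regular, size), "abnormal": abnormal}
    return plan

def full_population_exceptions(records: Iterable[Txn],
                               expected: Callable[[Txn], float]) -> Dict[str, List[Txn]]:
    """When the test objective can be applied to the whole population (CAAT-style),
    do not sample: recompute the expected value for every record and report those
    where the levied amount is short of, or in excess of, that value."""
    result: Dict[str, List[Txn]] = {"short": [], "excess": []}
    for r in records:
        diff = r.amount - expected(r)
        if diff < 0:
            result["short"].append(r)
        elif diff > 0:
            result["excess"].append(r)
    return result

def flat_lpc_policy(_: Txn) -> float:
    """Constructed policy for the recomputation: a flat late payment charge of 750."""
    return 750.0

# Constructed population: 20 transactions, odd ids in a High-risk area, even ids in
# a Low-risk area, amounts near 100 except one abnormal 5000 (id 7).
POPULATION = [Txn(i, "High" if i % 2 else "Low", 5000.0 if i == 7 else 100.0 + i)
              for i in range(1, 21)]
# Constructed late payment charges actually levied on three accounts.
LPC_LEVIED = [Txn(101, "Low", 700.0), Txn(102, "Low", 750.0), Txn(103, "Low", 800.0)]
```

    With the constructed data, the High stratum yields sample ids 1, 9, 15 plus id 7 parked as abnormal, the Low stratum yields ids 2, 12, and the full-population recomputation flags account 101 as short-levied and 103 as excess-levied.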


    Section II - Internal Audit Tools


    Need for Mathematical Tools

    To recognize early warning bells, as part of audit procedures, and protect the business against fraud or error.

    Identify transactions that are indicative of fraud or error using tested and proven fraud & error detection techniques.

    Scientific sample selection through automated procedures.

    Reduce dependence on random sampling.

    To identify red flags at Financial Statements level.


    Using Excel as a Tool

    IF

    IF in combination with AND

    IF in Combination with AND & OR

    COUNTIF and SUMIF

    SUMIFS

    Pivot Table Function

    Setting Filters

    Formula Auditing


    Using Excel as a Tool (illustrative)

    Statistical Functions:

    COUNT - Computes the number of numbers in a range

    COUNTA - Computes the number of entries, including text entries, in a range

    AVERAGE - Sums the numbers in a range and divides the total by the number of numbers

    MEDIAN - Computes the middle value in a range of numbers

    MODE - Computes the value that occurs most frequently

    VLOOKUP - Searches for a value in the leftmost column of a table, and then returns a value in the same row from a column you specify in the table.

    PIVOT - Summarizes the columns of information in a database in relationship to each other.


    Analyzing data in IDEA

    Use of data analytics tools facilitates creating a virtual room where all relevant audit content can be stored and accessed.

    Section II - Reporting and Follow-up


    Audit Report Structure

    Covering Letter

    Background/ Function Overview

    Purpose/ Objectives

    Scope of Work

    Audit Approach

    Limitation

    Executive Summary (Significant Findings)


    Detailed Observations

    Follow Up of Prior Recommendations


    Audit Report Structure (illustrative)

    S.No.: 1

    Priority: High

    Issue: It was observed that in 48 out of 60 cases (total population of 850 cases for credit limit enhancement for the period March-May 2012) the credit limits enhanced for existing customers were not as per the parameters defined in the policy. Excess credit limit amounting to Rs 13.22 Lacs was given to customers. For details refer Annexure 1.

    Risk: Incorrect credit limit offered to customers leading to increased credit risk exposure for the Company, which may eventually lead to higher delinquencies.

    Performance Improvement Observation: The authority & responsibility within the Risk Team should be explicitly defined & documented for approving the credit limit increase deviations, and the same should be approved as per

    Management Response: Adequate steps will be taken up to ensure policy adherence by having periodic process trainings for the account management team. The risk team would additionally support the training requirements of the AMU team.

    Responsibility / Timelines: Risk Team, March 2013

    S.No.: 2

    Priority: High

    Issue: Late Payment Charges amounting to Rs 1.3 Lacs were short-levied on 260 accounts and the same was excess-levied on 296 accounts. Further, the Finance Charges on these accounts would be incorrect as the LPC is not accurately levied.

    Risk: Possibility of revenue leakage for LPC and customer dissatisfaction / negative impact on brand / reputation.

    Performance Improvement Observation: Business should evaluate the possibility of implementing a continuous control mechanism through data analytics tools, and a System Audit should be carried out.

    Management Response: The implementation of the revised LPC tier from Rs.700 to Rs.750 was delayed by ~40 days due to a set-up miss, later identified by the pricing team and rectified on 12th November 2012.

    Responsibility / Timelines: Marketing Team, March 2013


    Section II - Internal Audit and Fraud


    Anti Fraud Control Framework

    Policy: Code of conduct; Ethics policy; Gifts and hospitality; Agents; Facilitation payments; Tone from top; Zero tolerance

    Process: Roles and responsibilities; Accountability; Annual sign off; Self assessment; Testing

    People: Board responsibilities; Due diligence; Training; Education

    Voice: Disclosure; Openness; Employee / suppliers


    Fraud Prevention Strategy


    Thank You
