|
|
Total Number of Subscribers: 1626 |
|
|
|
|
|
|
|
Date: 27th April 2010 |
Compiled by: M Sathya Kumar |
|
Background An external audit firm is conducting internal audit in
an engineering company since the last two years. The audit committee chairman
had a one to one meeting with the partner–in-charge for a review of the
present internal audit reports and the internal audit process. During the
discussions, the chairman asked the internal auditor to present an annual
internal audit plan that takes into account the bigger picture rather than
smaller issues and really adds value to the business. Based on recent
corporate events and the Board’s responsibilities in the matter of
Transparency and Control, the Audit Committee Chairperson enquired with the
– Chief Audit Executive - CAE, the status of implementation of
Standards of Internal Audit of ICAI. The CAE highlighted that a Risk Based Audit Planning
process is being currently followed. However, the process has not been
benchmarked against the Standards. The CAE affirmed that the entire activity
will be aligned with Indian Standards and a report presented in the next
Audit Committee. Methodology The internal audit function has a five member team. The
internal auditor therefore has to select projects (areas) with high risk to
the organisation and direct the limited resources towards such projects.
Frequency of high risk areas needs to be high – maybe twice a year
whereas in cases of low risk or almost zero risk areas, the frequency may be
once in three years and so on. A benchmark against the standard was carried out by the
team to identify further areas for improvement. Opportunities for Improvement Overall, the Standard sought to address Audit Planning
from 2 dimensions – 1.
Overall Annual Audit Plan 2.
Audit engagement or each specific audit For the Overall Annual Audit Plan, the areas identified
were - 1. The existing Audit Charter adequately explained the
‘purpose, authority and responsibility’ of the Internal Audit
function. The Audit Charter designed earlier had not been reviewed and
revised for the last two years. During the last two years, the auditee had
implemented an ERP and adopted a Balanced Scorecard strategy for evaluating
performance. Efforts of Cost Reduction have rationalised middle level
management. a. The CAE and the team felt that the focus of audit
needed to be revised through use of Audit Tools and the possibility of taking
on a leading role in implementing Continuous Auditing. b. One of the overall objectives that the standard expects
the Internal Audit to achieve is to "strengthen overall governance,
particularly strategic risk management". The Audit Charter had not
mentioned any specific responsibility for this objective. The audit team
appreciated the following fact however with this objective that: i. When strategic risks are taken, there is no audit
involvement. ii. The operating management does not perceive any
specific role of the internal auditors in strategic risk management. iii. The Internal Auditor is expected not to be a part
of the decision. In this way, he/she retains their independence. If he is a
part of this process, it may be a barrier to his independence at a later
date, when the decision might not achieve the desired objectives. The
Internal Auditor’s role as an assurance provider may get compromised if
the internal auditor is involved in decision making. One of the internal audit team members pointed out
however that if he gets additional information at a later date, should he not
then advise review of the decision rather than wait for issuance of the
report? This change was therefore sought to be introduced and
highlighted specifically for discussion. The CAE took a stand that while the
Internal Auditor could be a part of the Strategic Risk Management process, it
should be seen as a ‘facilitator role’ and not as member of the
decision making team. 2. While the Audit Plan was provided to the Audit
Committee for approval, there was hardly any debate on the same and it was
approved. The CAE thought that in the current practice, they were not really
benefiting from the experience and knowledge of the Audit Committee Members.
He therefore thought it fit to arrange for meetings with each of the Audit
Committee Members to gain individual input prior to the next Audit Committee
Meeting, where his first report would be presented. These meetings helped the
CAE improve the audit plan. 3. The Risk Based Audit Planning process as currently
implemented ( Refer article of BCAJ IAS article in March/April, 2003) was
generally found to be robust. The process included the following – a. Identify the Audit Universe (comprehensive list of
Audit Areas), b. Established weights and ranks for criteria which will
form the basis of ranking the audit areas and cut off score c. Applying criteria to the various audit areas d. Arrive at scores for each area e. Applying the Cut off criteria and shortlisting the
areas of audit for the year. This forms a part of the Annual Audit Plan. 4. The revised Annual Audit Plan was also reviewed
alongwith the first report. In order to ensure continuing relevance of the
audit plan, a process of a half yearly review of the audit plan with the
Audit Committee was suggested and approved. For the Audit Engagement or Each Specific Audit Project
– A brainstorming on the issues and difficulties faced by
the Audit Team Members in Audit Engagements was undertaken. A few of the
difficulties that came up from all members was - Ø the general appreciation of raising the right business
issues in the audit reports, Ø the adequacy of time for performance of the audit
– at times, key areas of audit were left out given the demands of
completing the report. Ø the team members voiced their concern that the response
that the CAE gets from officials was not the same as that received by them.
They felt that the auditees employees did not give the required seriousness,
which resulted in avoidable delays. The team thought of the options that the Standard
provided towards overcoming these difficulties. The following were the guidelines
that they felt could overcome the difficulties – 1. Preliminary Review – A visit by the CAE along
with the audit team members of the audit area was planned to be conducted 15
days prior to the actual start date. This audit visit was to understand the
business process area and operational realities within which the team
performs, the expectations of the auditee and the auditor are discussed and
firmed up, the data and time requirements from the auditees are discussed and
the JOINT objectives of the audit process are laid down. The auditee’s
person-in-charge is made aware of the audit objectives, methodology and the
ways that risk and control needs to be looked at within the Risk Management
Framework implemented. Apprehensions of the Auditee team are laid to rest in
these interactions. This meeting is also sought to be used as a means to
improve auditee’s person-in-charge responses. 2. Audit Engagement Planning – The Preliminary
Review meeting was also to be used to study past reports . The larger participation
of all team members in identification of potential risk and control focus in
each area was scheduled for at least once a fortnight in such a way that no
area is taken up without the inputs received from all team members. These measures would also ensure that the issues that
are relevant to the organisation and the auditee team are addressed. This
will also ensure that there is an ongoing value addition out of the audit
process. 3. The CAE decided to improve the following areas
– a. Resource allocation in line with the scope The knowledge and skills required for each audit was
sought to be formally identified and matched with the ability of the team
members. In case there was a mismatch, the CAE considered the option of
training a team member in the area in advance and also involving an outside
professional for the specific aspect of audit as part of the on the job
training for the team. The option of including a guest auditor from within
the organisation also was considered. b. Detailed Audit Programme with specific priority for
audit checks Normally the Audit Programmes were packed with all
possible tests to be conducted during an audit for all identified risks and
controls. The team decided to identify which controls significantly mitigate
the risk (Key Control). Single control mitigating multiple risks were also
sought to be specifically identified in a list of controls. The audit
priority was focused on key controls. This focus improved audit
effectiveness. Conclusions These measures were implemented in the quarter and some
significant improvements were observed. The gaps identified vis a vis the
standard and the measures already taken and thus impact were shared with the
Audit Committee. The initiatives taken were highly appreciated by the Audit All the action of CAE were based on Internal audit
standard issued by the Institute of Chartered Accountant of India. EXHIBIT 1 – Standards of Internal
Audit – 1 of The The internal auditor should, in consultation with those
charged with governance, including the audit committee, develop and document
a plan for each internal audit engagement to help him conduct the engagement
in an efficient and timely manner. The internal audit plan should be comprehensive enough
to ensure that it helps in achieving of the above overall objectives of an
internal audit. The internal audit plan should, generally, also be consistent
with the goals and objectives of the internal audit function as listed out in
the internal audit charter as well as the goals and objectives of the
organisation. An internal audit charter is an important document defining the
position of the internal audit vis a vis the organisation. The internal audit
charter also outlines the scope of internal audit as well as the duties,
responsibilities and powers of the internal auditor(s). In case the entire
internal audit or the particular internal audit engagement has been
outsourced, the internal auditor should also ensure that the plan is consistent
with the terms of engagement. A plan once prepared should be continuously reviewed by
the internal auditor to identify any modifications required to bring the same
in line with the changes, if any, in the audit environment. However, any
major modification to the internal audit plan should be done in consultation
with those charged with governance. Further, the internal auditor should also
document the changes to the internal audit plan. Internal audit plan should cover areas such as: Ø Obtaining the knowledge of the legal and regulatory
framework within which the entity operates. Ø Obtaining the knowledge of the entity’s accounting
and internal control systems and policies. Ø Determining the effectiveness of the internal control
procedures adopted by the entity. Ø Determining the nature, timing and extent of procedures
to be performed. Ø Identifying the activities warranting special focus
based on the materiality and criticality of such activities, and their
overall effect on operations of the entity. Ø Identifying and allocating staff to the different
activities to be undertaken. Ø Setting the time budget for each of the activities. Ø Identifying the reporting responsibilities. The internal audit plan should also identify the
benchmarks against which the actual results of the activities, the actual
time spent, the cost incurred would be measured. The internal auditor should obtain a level of knowledge
of the entity sufficient to enable him to identify events, transactions,
policies and practices that may have a significant effect on the financial
information. The audit universe and the related audit plan should
also reflect changes in the management’s course of action, corporate
objectives, etc. The internal auditor should periodically, say half yearly,
review the audit universe to identify any changes therein and make necessary
amendments, to make the audit plan responsive to those changes. The establishment of such objectives should be based on
the auditor’s knowledge of the client’s business, especially a
preliminary understanding and review of the risks and controls associated
with the activities forming the subject matter of the internal audit
engagement. The internal auditor should also document the results of
his preliminary review so conducted. For this purpose, the internal auditor should prepare an
audit work schedule, detailing aspects such as: Ø activities/ procedures to be performed; Ø engagement team responsible for performing these
activities/ procedures and Ø time allocated to each of these activities/ procedures. 18. While preparing the work schedule, the internal
auditor should have regard to aspects such as: Ø any significant changes to the entity’s missions
and objectives, business processes, and management’s strategies to
counter these changes, for example, changes in the entity’s controls
structure or changes in the risk assessment and management structures Ø any changes or proposed changes to the governance
structure of the entity. The engagement work schedule should, however, be
flexible enough to accommodate any unanticipated changes as well as
professional judgment of the engagement team in the components of the audit
universe as discussed above. The work schedule should also reflect the
internal auditor’s assessment of risks associated with various areas
covered by the particular internal audit engagement and the priority attached
thereto. 19. The internal auditor should also prepare a formal
internal audit programme listing the procedures essential for meeting the
objective of the internal audit plan. Though the form and content of the
audit programme and the extent of its details would vary with the circumstances
of each case, yet the internal audit programme should be so designed as to
achieve the objectives of the engagement and also provide assurance that the
internal audit is carried out in accordance with the Standards on Internal
Audit. |
|
|
|
|
|
|
|
|
Rewards
waiting for feedback at |
|
|
|
|
|
Disclaimer: We believe that the information contained in this e-zine is true. If you do not wish to receive Smart Trainee please click here. |
|
|
|
|
|
Click here to contact us, if you are unable to view the content properly |
|
|
|
|
|
|
|
