|
|
Total Number of Subscribers: 1626 |
|
|
|
|
|
|
|
Date: 6th April 2010 |
Compiled by: M Sathya Kumar |
|
Background An
external audit firm is conducting internal audit in an engineering company since
the last two years. The audit committee chairman had a one to one meeting
with the partner–in-charge for a review of the present internal audit
reports and the internal audit process. During the discussions, the chairman
asked the internal auditor to present an annual internal audit plan that
takes into account the bigger picture rather than smaller issues and really
adds value to the business. Based on recent corporate events and the
Board’s responsibilities in the matter of Transparency and Control, the
Audit Committee Chairperson enquired with the – Chief Audit Executive -
CAE, the status of implementation of Standards of Internal Audit of ICAI. The
CAE highlighted that a Risk Based Audit Planning process is being currently
followed. However, the process has not been benchmarked against the
Standards. The CAE affirmed that the entire activity will be aligned with
Indian Standards and a report presented in the next Audit Committee. Methodology The
internal audit function has a five member team. The internal auditor
therefore has to select projects (areas) with high risk to the organisation
and direct the limited resources towards such projects. Frequency of high
risk areas needs to be high – maybe twice a year whereas in cases of
low risk or almost zero risk areas, the frequency may be once in three years
and so on. A
benchmark against the standard was carried out by the team to identify
further areas for improvement. Opportunities for Improvement Overall, the Standard
sought to address Audit Planning from 2 dimensions – 1. Overall Annual
Audit Plan 2. Audit engagement
or each specific audit For
the Overall Annual Audit Plan, the areas identified were – 1.
The existing Audit Charter adequately explained the ‘purpose, authority
and responsibility’ of the Internal Audit function. The Audit Charter
designed earlier had not been reviewed and revised for the last two years.
During the last two years, the auditee had implemented an ERP and adopted a
Balanced Scorecard strategy for evaluating performance. Efforts of Cost
Reduction have rationalised middle level management. a.
The CAE and the team felt that the focus of audit needed to be revised
through use of Audit Tools and the possibility of taking on a leading role in
implementing Continuous Auditing. b.
One of the overall objectives that the standard expects the Internal Audit to
achieve is to "strengthen overall governance, particularly strategic
risk management". The Audit Charter had not mentioned any specific
responsibility for this objective. The audit team appreciated the following
fact however with this objective that: i.
When strategic risks are taken, there is no audit involvement. ii.
The operating management does not perceive any specific role of the internal
auditors in strategic risk management. iii.
The Internal Auditor is expected not to be a part of the decision. In this
way, he/she retains their independence. If he is a part of this process, it
may be a barrier to his independence at a later date, when the decision might
not achieve the desired objectives. The Internal Auditor’s role as an
assurance provider may get compromised if the internal auditor is involved in
decision making. One
of the internal audit team members pointed out however that if he gets
additional information at a later date, should he not then advise review of
the decision rather than wait for issuance of the report? This
change was therefore sought to be introduced and highlighted specifically for
discussion. The CAE took a stand that while the Internal Auditor could be a
part of the Strategic Risk Management process, it should be seen as a
‘facilitator role’ and not as member of the decision making team. 2.
While the Audit Plan was provided to the Audit Committee for approval, there
was hardly any debate on the same and it was approved. The CAE thought that
in the current practice, they were not really benefiting from the experience
and knowledge of the Audit Committee Members. He therefore thought it fit to
arrange for meetings with each of the Audit Committee Members to gain
individual input prior to the next Audit Committee Meeting, where his first
report would be presented. These meetings helped the CAE improve the audit
plan. 3.
The Risk Based Audit Planning process as currently implemented ( Refer
article of BCAJ IAS article in March/April, 2003) was generally found to be
robust. The process included the following – a.
Identify the Audit Universe (comprehensive list of Audit Areas), b.
Established weights and ranks for criteria which will form the basis of
ranking the audit areas and cut off score c.
Applying criteria to the various audit areas d.
Arrive at scores for each area e.
Applying the Cut off criteria and shortlisting the areas of audit for the
year. This forms a part of the Annual Audit Plan. 4.
The revised Annual Audit Plan was also reviewed alongwith the first report.
In order to ensure continuing relevance of the audit plan, a process of a
half yearly review of the audit plan with the Audit Committee was suggested
and approved. For
the Audit Engagement or Each Specific Audit Project – A
brainstorming on the issues and difficulties faced by the Audit Team Members
in Audit Engagements was undertaken. A few of the difficulties that came up
from all members was - •
the general appreciation of raising the right business issues in the audit
reports, •
the adequacy of time for performance of the audit – at times, key areas
of audit were left out given the demands of completing the report. •
the team members voiced their concern that the response that the CAE gets
from officials was not the same as that received by them. They felt that the
auditees employees did not give the required seriousness, which resulted in
avoidable delays. The
team thought of the options that the Standard provided towards overcoming
these difficulties. The following were the guidelines that they felt could
overcome the difficulties – 1.
Preliminary Review – A visit by the CAE along with the audit team
members of the audit area was planned to be conducted 15 days prior to the
actual start date. This audit visit was to understand the business process
area and operational realities within which the team performs, the
expectations of the auditee and the auditor are discussed and firmed up, the
data and time requirements from the auditees are discussed and the JOINT
objectives of the audit process are laid down. The auditee’s person-in-charge
is made aware of the audit objectives, methodology and the ways that risk and
control needs to be looked at within the Risk Management Framework
implemented. Apprehensions of the Auditee team are laid to rest in these
interactions. This meeting is also sought to be used as a means to improve
auditee’s person-in-charge responses. 2.
Audit Engagement Planning – The Preliminary Review meeting was also to
be used to study past reports . The larger participation of all team members
in identification of potential risk and control focus in each area was
scheduled for at least once a fortnight in such a way that no area is taken
up without the inputs received from all team members. These
measures would also ensure that the issues that are relevant to the organisation
and the auditee team are addressed. This will also ensure that there is an
ongoing value addition out of the audit process. 3.
The CAE decided to improve the following areas – a.
Resource allocation in line with the scope The
knowledge and skills required for each audit was sought to be formally
identified and matched with the ability of the team members. In case there
was a mismatch, the CAE considered the option of training a team member in
the area in advance and also involving an outside professional for the
specific aspect of audit as part of the on the job training for the team. The
option of including a guest auditor from within the organisation also was
considered. b.
Detailed Audit Programme with specific priority for audit checks Normally
the Audit Programmes were packed with all possible tests to be conducted
during an audit for all identified risks and controls. The team decided to
identify which controls significantly mitigate the risk (Key Control). Single
control mitigating multiple risks were also sought to be specifically
identified in a list of controls. The audit priority was focused on key
controls. This focus improved audit effectiveness. Conclusions These
measures were implemented in the quarter and some significant improvements
were observed. The gaps identified vis a vis the standard and the measures
already taken and thus impact were shared with the Audit Committee. The
initiatives taken were highly appreciated by the Audit All
the action of CAE were based on Internal audit standard issued by the
Institute of Chartered Accountant of India. EXHIBIT 1 – Standards of Internal Audit – 1 of The The
internal auditor should, in consultation with those charged with governance,
including the audit committee, develop and document a plan for each internal
audit engagement to help him conduct the engagement in an efficient and
timely manner. The
internal audit plan should be comprehensive enough to ensure that it helps in
achieving of the above overall objectives of an internal audit. The internal
audit plan should, generally, also be consistent with the goals and
objectives of the internal audit function as listed out in the internal audit
charter as well as the goals and objectives of the organisation. An internal
audit charter is an important document defining the position of the internal
audit vis a vis the organisation. The internal audit charter also outlines
the scope of internal audit as well as the duties, responsibilities and
powers of the internal auditor(s). In case the entire internal audit or the
particular internal audit engagement has been outsourced, the internal
auditor should also ensure that the plan is consistent with the terms of engagement. A
plan once prepared should be continuously reviewed by the internal auditor to
identify any modifications required to bring the same in line with the
changes, if any, in the audit environment. However, any major modification to
the internal audit plan should be done in consultation with those charged
with governance. Further, the internal auditor should also document the
changes to the internal audit plan. Internal
audit plan should cover areas such as: •
Obtaining the
knowledge of the legal and regulatory framework within which the entity
operates. •
Obtaining the
knowledge of the entity’s accounting and internal control systems and
policies. •
Determining the
effectiveness of the internal control procedures adopted by the entity. •
Determining the
nature, timing and extent of procedures to be performed. •
Identifying the
activities warranting special focus based on the materiality and criticality
of such activities, and their overall effect on operations of the entity. •
Identifying and
allocating staff to the different activities to be undertaken. •
Setting the time
budget for each of the activities. •
Identifying the
reporting responsibilities. The
internal audit plan should also identify the benchmarks against which the
actual results of the activities, the actual time spent, the cost incurred
would be measured. The
internal auditor should obtain a level of knowledge of the entity sufficient
to enable him to identify events, transactions, policies and practices that
may have a significant effect on the financial information. The
audit universe and the related audit plan should also reflect changes in the
management’s course of action, corporate objectives, etc. The internal
auditor should periodically, say half yearly, review the audit universe to
identify any changes therein and make necessary amendments, to make the audit
plan responsive to those changes. The
establishment of such objectives should be based on the auditor’s
knowledge of the client’s business, especially a preliminary
understanding and review of the risks and controls associated with the
activities forming the subject matter of the internal audit engagement. The
internal auditor should also document the results of his preliminary review
so conducted. For
this purpose, the internal auditor should prepare an audit work schedule,
detailing aspects such as: •
activities/
procedures to be performed; •
engagement team
responsible for performing these activities/ procedures and •
time allocated to
each of these activities/ procedures. 18.
While preparing the work schedule, the internal auditor should have regard to
aspects such as: •
any significant
changes to the entity’s missions and objectives, business processes,
and management’s strategies to counter these changes, for example,
changes in the entity’s controls structure or changes in the risk
assessment and management structures •
any changes or
proposed changes to the governance structure of the entity. The engagement
work schedule should, however, be flexible enough to accommodate any
unanticipated changes as well as professional judgment of the engagement team
in the components of the audit universe as discussed above. The work schedule
should also reflect the internal auditor’s assessment of risks
associated with various areas covered by the particular internal audit
engagement and the priority attached thereto. 19.
The internal auditor should also prepare a formal internal audit programme
listing the procedures essential for meeting the objective of the internal
audit plan. Though the form and content of the audit programme and the extent
of its details would vary with the circumstances of each case, yet the
internal audit programme should be so designed as to achieve the objectives
of the engagement and also provide assurance that the internal audit is
carried out in accordance with the Standards on Internal Audit. Article
by Deepjee Singhal Manish Pipalia Chartered Accountants. |
|
|
|
|
|
|
|
|
Rewards
waiting for feedback at |
|
|
|
|
|
Disclaimer: We believe that the information contained in this e-zine is true. If you do not wish to receive Smart Trainee please click here. |
|
|
|
|
|
Click here to contact us, if you are unable to view the content properly |
|
|
|
|
|
|
|
