Background
An external audit firm is conducting internal audit in an engineering company since the last two years. The audit committee chairman had a one to one meeting with the partner–in-charge for a review of the present internal audit reports and the internal audit process. During the discussions, the chairman asked the internal auditor to present an annual internal audit plan that takes into account the bigger picture rather than smaller issues and really adds value to the business. Based on recent corporate events and the Board’s responsibilities in the matter of Transparency and Control, the Audit Committee Chairperson enquired with the – Chief Audit Executive – CAE, the status of implementation of Standards of Internal Audit of ICAI.
The CAE highlighted that a Risk Based Audit Planning process is being currently followed. However, the process has not been benchmarked against the Standards. The CAE affirmed that the entire activity will be aligned with Indian Standards and a report presented in the next Audit Committee.
Methodology
The internal audit function has a five member team. The internal auditor therefore has to select projects (areas) with high risk to the organisation and direct the limited resources towards such projects. Frequency of high risk areas needs to be high – maybe twice a year whereas in cases of low risk or almost zero risk areas, the frequency may be once in three years and so on.
A benchmark against the standard was carried out by the team to identify further areas for improvement.
Opportunities for Improvement
Overall, the Standard sought to address Audit Planning from 2 dimensions –
1. Overall Annual Audit Plan
2. Audit engagement or each specific audit project
For the Overall Annual Audit Plan, the areas identified were –
1. The existing Audit Charter adequately explained the ‘purpose, authority and responsibility’ of the Internal Audit function. The Audit Charter designed earlier had not been reviewed and revised for the last two years. During the last two years, the auditee had implemented an ERP and adopted a Balanced Scorecard strategy for evaluating performance. Efforts of Cost Reduction have rationalised middle level management.
a. The CAE and the team felt that the focus of audit needed to be revised through use of Audit Tools and the possibility of taking on a leading role in implementing Continuous Auditing.
b. One of the overall objectives that the standard expects the Internal Audit to achieve is to “strengthen overall governance, particularly strategic risk management”. The Audit Charter had not mentioned any specific responsibility for this objective. The audit team appreciated the following fact however with this objective that:
i. When strategic risks are taken, there is no audit involvement.
ii. The operating management does not perceive any specific role of the internal auditors in strategic risk management.
iii. The Internal Auditor is expected not to be a part of the decision. In this way, he/she retains their independence. If he is a part of this process, it may be a barrier to his independence at a later date, when the decision might not achieve the desired objectives. The Internal Auditor’s role as an assurance provider may get compromised if the internal auditor is involved in decision making.
One of the internal audit team members pointed out however that if he gets additional information at a later date, should he not then advise review of the decision rather than wait for issuance of the report?
This change was therefore sought to be introduced and highlighted specifically for discussion. The CAE took a stand that while the Internal Auditor could be a part of the Strategic Risk Management process, it should be seen as a ‘facilitator role’ and not as member of the decision making team.
2. While the Audit Plan was provided to the Audit Committee for approval, there was hardly any debate on the same and it was approved. The CAE thought that in the current practice, they were not really benefiting from the experience and knowledge of the Audit Committee Members. He therefore thought it fit to arrange for meetings with each of the Audit Committee Members to gain individual input prior to the next Audit Committee Meeting, where his first report would be presented. These meetings helped the CAE improve the audit plan.
3. The Risk Based Audit Planning process as currently implemented ( Refer article of BCAJ IAS article in March/April, 2003) was generally found to be robust. The process included the following –
a. Identify the Audit Universe (comprehensive list of Audit Areas),
b. Established weights and ranks for criteria which will form the basis of ranking the audit areas and cut off score
c. Applying criteria to the various audit areas
d. Arrive at scores for each area
e. Applying the Cut off criteria and shortlisting the areas of audit for the year. This forms a part of the Annual Audit Plan.
4. The revised Annual Audit Plan was also reviewed alongwith the first report. In order to ensure continuing relevance of the audit plan, a process of a half yearly review of the audit plan with the Audit Committee was suggested and approved.
For the Audit Engagement or Each Specific Audit Project –
A brainstorming on the issues and difficulties faced by the Audit Team Members in Audit Engagements was undertaken. A few of the difficulties that came up from all members was –
- the general appreciation of raising the right business issues in the audit reports,
- the adequacy of time for performance of the audit – at times, key areas of audit were left out given the demands of completing the report.
- the team members voiced their concern that the response that the CAE gets from officials was not the same as that received by them. They felt that the auditees employees did not give the required seriousness, which resulted in avoidable delays.
The team thought of the options that the Standard provided towards overcoming these difficulties. The following were the guidelines that they felt could overcome the difficulties –
1. Preliminary Review – A visit by the CAE along with the audit team members of the audit area was planned to be conducted 15 days prior to the actual start date. This audit visit was to understand the business process area and operational realities within which the team performs, the expectations of the auditee and the auditor are discussed and firmed up, the data and time requirements from the auditees are discussed and the JOINT objectives of the audit process are laid down. The auditee’s person-in-charge is made aware of the audit objectives, methodology and the ways that risk and control needs to be looked at within the Risk Management Framework implemented. Apprehensions of the Auditee team are laid to rest in these interactions. This meeting is also sought to be used as a means to improve auditee’s person-in-charge responses.
2. Audit Engagement Planning – The Prelimi-nary Review meeting was also to be used to study past reports . The larger participa-tion of all team members in identification of potential risk and control focus in each area was scheduled for at least once a fortnight in such a way that no area is taken up without the inputs received from all team members.
These measures would also ensure that the issues that are relevant to the organisation and the auditee team are addressed. This will also ensure that there is an ongoing value addition out of the audit process.
3. The CAE decided to improve the following areas –
a. Resource allocation in line with the scope
The knowledge and skills required for each audit was sought to be formally identified and matched with the ability of the team members. In case there was a mismatch, the CAE considered the option of training a team member in the area in advance and also involving an outside professional for the specific aspect of audit as part of the on the job training for the team. The option of including a guest auditor from within the organisation also was considered.
b. Detailed Audit Programme with specific priority for audit checks
Normally the Audit Programmes were packed with all possible tests to be con-ducted during an audit for all identified risks and controls. The team decided to identify which controls significantly mitigate the risk (Key Control). Single control mitigating multiple risks were also sought to be specifically identified in a list of controls. The audit priority was focused on key controls. This focus improved audit effectiveness.
Conclusions
These measures were implemented in the quarter and some significant improvements were observed. The gaps identified vis a vis the standard and the measures already taken and thus impact were shared with the Audit Committee. The initia-tives taken were highly appreciated by the Audit Committee members.
All the action of CAE were based on Internal audit standard issued by the Institute of Chartered Accountant of India.
EXHIBIT 1 – Standards of Internal Audit – 1 of The Institute of Chartered Accountants of India The internal auditor should, in consultation with those charged with governance, including the audit commit-tee, develop and document a plan for each internal audit engagement to help him conduct the engagement in an efficient and timely manner.
The internal audit plan should be comprehensive enough to ensure that it helps in achieving of the above overall objectives of an internal audit. The internal audit plan should, generally, also be consistent with the goals and objectives of the internal audit function as listed out in the internal audit charter as well as the goals and objectives of the organisation. An internal audit charter is an important document defining the position of the internal audit vis a vis the organisation. The internal audit charter also outlines the scope of internal audit as well as the duties, responsibilities and powers of the internal auditor(s). In case the entire internal audit or the particular internal audit engagement has been out-sourced, the internal auditor should also ensure that the plan is consistent with the terms of engagement.
A plan once prepared should be continuously reviewed by the internal auditor to identify any modifications required to bring the same in line with the changes, if any, in the audit environment. However, any major modification to the internal audit plan should be done in consultation with those charged with governance. Further, the internal auditor should also document the changes to the internal audit plan.
Internal audit plan should cover areas such as:
- Obtaining the knowledge of the legal and regulatory framework within which the entity operates.
- Obtaining the knowledge of the entity’s accounting and internal control systems and policies.
- Determining the effectiveness of the internal control procedures adopted by the entity.
- Determining the nature, timing and extent of procedures to be performed.
- Identifying the activities warranting special focus based on the materiality and criticality of such activities, and their overall effect on operations of the entity.
- Identifying and allocating staff to the different activities to be undertaken.
- Setting the time budget for each of the activities.
- Identifying the reporting responsibilities.
The internal audit plan should also identify the benchmarks against which the actual results of the activities, the actual time spent, the cost incurred would be measured.
The internal auditor should obtain a level of knowledge of the entity sufficient to enable him to identify events, transactions, policies and practices that may have a significant effect on the financial information.
The audit universe and the related audit plan should also reflect changes in the management’s course of action, corporate objectives, etc. The internal auditor should periodically, say half yearly, review the audit universe to identify any changes therein and make necessary amendments, to make the audit plan responsive to those changes.
The establishment of such objectives should be based on the auditor’s knowledge of the client’s business, especially a preliminary understanding and review of the risks and controls associated with the activities forming the subject matter of the internal audit engagement.
The internal auditor should also document the results of his preliminary review so conducted.
For this purpose, the internal auditor should prepare an audit work schedule, detailing aspects such as:
- activities/ procedures to be performed;
- engagement team responsible for performing these activities/ procedures and
- time allocated to each of these activities/ procedures.
18. While preparing the work schedule, the internal auditor should have regard to aspects such as:
- any significant changes to the entity’s missions and objectives, business processes, and management’s strategies to counter these changes, for example, changes in the entity’s controls structure or changes in the risk assessment and management structures
- any changes or proposed changes to the governance structure of the entity. The engagement work schedule should, however, be flexible enough to accommodate any unanticipated changes as well as professional judgment of the engagement team in the components of the audit universe as discussed above. The work schedule should also reflect the internal auditor’s assessment of risks associated with various areas covered by the particular internal audit engagement and the priority attached thereto.
19. The internal auditor should also prepare a formal internal audit programme listing the procedures essential for meeting the objective of the internal audit plan. Though the form and content of the audit programme and the extent of its details would vary with the circumstances of each case, yet the internal audit programme should be so designed as to achieve the objectives of the engagement and also provide assurance that the internal audit is carried out in accordance with the Standards on Internal Audit.
