- Join Our Webinars
The Companies Act 2013, (‘the Act’) ushers in a new era of corporate governance and transparency in the Indian corporate sector. The Securities and Exchange Board of India (SEBI) with the objective to align its provisions to the recently notified provisions of the Companies Act, 2013 has specifically reviewed clause 49 of the Listing Agreement, to adopt leading industry practices on corporate governance and to make the corporate governance framework more effective. With requirements of these norms warranting organizations to provide assurance to the Board of Directors and Audit Committees on adequacy of internal financial controls, effective risk management processes, Anti-fraud controls and effective legal compliance framework, the Internal Auditor would need to review and re-define its role and fulfill its role as an important vehicle and an enabler of good corporate governance. Going forward, the role of the Internal Audit Function is expected to become much more onerous as the board, management and independent directors seek increased comfort from an Internal Auditor on newer areas to comply with their oversight responsibility and legal duties. It is set to evolve into a more extensive, outward, forward looking and continuous activity playing an enhanced role in 'Integrated Assurance' - an activity to outline who provides assurance on what aspects of the entire assurance universe. Thus, Internal audit has, over the years, moved a long way forward to being a strong indispensable control tool in the hands of the management for effectively and efficiently running the affairs of the entity..
MEANING OF INTERNAL AUDIT
“Internal audit is an independent management function, which involves a continuous and critical appraisal of the functioning of an entity with a view to suggest improvements thereto and add value to and strengthen the overall governance mechanism of the entity, including the entity's strategic risk management and internal control system.”
Internal auditor should be independent of the activities they audit. The internal audit function is, generally, considered independent when it can carry out its work freely and objectively. Independence permits internal auditors to render impartial and unbiased judgment essential to the proper conduct of audits.The required organizational independence from management enables unrestricted evaluation of management activities and personnel and allows internal auditors to perform their role effectively. Although internal auditors are part of company management and paid by the company, the primary customer of internal audit activity is the entity charged with oversight of management's activities. This is typically the Audit Committee, a sub-committee of the Board of Directors. Organizational independence is effectively achieved when the chief audit executive reports functionally to the board. Examples of functional reporting to the board involve the board: Approving the internal audit charter; Approving the risk based internal audit plan; Approving the internal audit budget and resource plan; Receiving communications from the chief audit executive on the internal audit activity’s performance relative to its plan and other matters; Approving decisions regarding the appointment and removal of the chief audit executive; Approving the remuneration of the chief audit executive; and Making appropriate inquiries of management and the chief audit executive to determine whether there are inappropriate scope or resource limitations.
ROLE IN INTERNAL CONTROL
Internal auditing activity is primarily directed at evaluating internal control. Internal control is broadly defined as a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of the following core objectives for which all businesses strive:
•Effectiveness and efficiency of operations.
•Reliability of financial and management reporting.
•Compliance with laws and regulations.
•Safeguarding of Assets
Management is responsible for internal control, which comprises five critical components: the control environment; risk assessment; risk focused control activities; information and communication; and monitoring activities. Managers establish policies, processes, and practices in these five components of management control to help the organization achieve the four specific objectives listed above. Internal auditors perform audits to evaluate whether the five components of management control are present and operating effectively, and if not, provide recommendations for improvement.
ROLE IN RISK MANAGEMENT
Internal auditing professional standards require the function to evaluate the effectiveness of the organization's Risk management activities. Risk management is the process by which an organization identifies, analyzes, responds, gathers information about, and monitors strategic risks that could actually or potentially impact the organization's ability to achieve its mission and objectives.
Management assesses risk as part of the ordinary course of business activities such as strategic planning, marketing planning, capital planning, budgeting, hedging, incentive payout structure, credit/lending practices, mergers and acquisitions, strategic partnerships, legislative changes, conducting business abroad, etc.
The internal audit function may help the organization address its risk of fraud via fraud risk assessment, using principles of fraud deterrence. Internal auditors may help companies establish and maintain Enterprise Risk Management processes. This process is highly valued by many businesses for establishing and implementing effective management systems and ensuring quality is maintained & professional standards are met.
ROLE IN CORPORATE GOVERNANCE
Corporate governance is the policies, processes and structures used by the organization’s leadership to direct activities, achieve objectives, and protect the interests of diverse stakeholder groups in a manner consistent with ethical standards. The internal auditor is often considered one of the "four pillars" of corporate governance, the other pillars being the Board of Directors, management, and the external auditor.
A primary focus area of internal auditing as it relates to corporate governance is helping the Audit Committee of the Board of Directors (or equivalent) perform its responsibilities effectively. This may include reporting critical management control issues, suggesting questions or topics for the Audit Committee's meeting agendas, and coordinating with the external auditor and management to ensure the Committee receives effective information.
Risk Advisory Services EXECUTION
A typical internal audit assignment involves the following steps:
1. Establish and communicate the scope and objectives for the audit to appropriate management.
2. Develop an understanding of the business area under review. This includes objectives, measurements, and key transaction types. This involves review of documents and interviews. Flowcharts and narratives may be created if necessary.
3.Describe the key risks facing the business activities within the scope of the audit.
4.Identify management practices in the five components of control used to ensure each key risk is properly controlled and monitored. Internal Audit Checklist can be a helpful tool to identify common risks and desired controls in the specific process or industry being audited.
5.Develop and execute a risk-based sampling and testing approach to determine whether the most important management controls are operating as intended.
6.Report issues and challenges identified and negotiate action plans with management to address the problems.
7.Follow-up on reported findings at appropriate intervals. Internal audit departments maintain a follow-up database for this purpose.
Audit assignment length varies based on the complexity of the activity being audited and Internal Audit resources available. Many of the above steps are iterative and may not all occur in the sequence indicated.
Risk Advisory Services REPORT
Internal auditors typically issue reports at the end of each audit that summarize their findings, recommendations, and any responses or action plans from management. An audit report may have an executive summary; a body that includes the specific issues or findings identified and related recommendations or action plans; and appendix information such as detailed graphs and charts or process information. Each audit finding within the body of the report may contain five elements, sometimes called the "5 C's":
1.Condition : What is the particular problem identified?
2.Criteria : What is the standard that was not met? The standard may be a company policy or other benchmark.
3.Cause : Why did the problem occur?
4.Consequence : What is the risk/negative outcome (or opportunity foregone) because of the finding?
5.Corrective action : What should management do about the finding? What have they agreed to do and by when?
The recommendations in an internal audit report are designed to help the organization achieve effective and efficient governance, risk and control processes associated with operations objectives, financial and management reporting objectives; and legal/regulatory compliance objectives.
Audit findings and recommendations may also relate to particular assertions about transactions, such as whether the transactions audited were valid or authorized, completely processed, accurately valued, processed in the correct time period, and properly disclosed in financial or operational reporting, among other elements.
QUALITY OF INTERNAL CONTROL AUDIT
•Objectivity - The comments and opinions expressed in the Report should be objective and unbiased.
•Clarity - The language used should be simple and straightforward.
•Accuracy - The information contained in the report should be accurate.
•Brevity - The report should be concise.
•Timeliness - The report should be released promptly immediately after the audit is concluded, within a month.