Internal Audit Methodology
Virtual CPE Meeting on Internal Audit - WIRC
09 January 2021
Background
IA Methodology
Internal Audit in times of COVID-19
Emerging Trends in Internal Audit
Internal Audit | Definition
The Institute of Chartered Accountants of India defines Internal Audit as:
“an independent management function, which involves a continuous and critical appraisal of the functioning of an entity with a view to suggest improvements thereto and add value to and strengthen the overall governance mechanism of the entity, including the entity’s risk management and internal control system.”
The Institute of Internal Auditors defines Internal Audit as:
“an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”
Corporate Governance
Four Pillars of Corporate Governance: Board of Directors, Internal Audit, Executive Management, External Auditors
Private and Confidential 4
Internal Audit | Objectives
To strengthen governance
To enhance internal control system
To assist strategic risk management
To assure transparency in reporting – both for internal MIS purposes and statutory purposes
Compliances – external and internal
Optimization of resources, costs and processes
Internal Audit | Applicability
PRIVATE COMPANIES | LISTED PUBLIC COMPANIES | UNLISTED PUBLIC COMPANIES
Turnover >= 200 cr
O/s Loans / Borrowings from Banks / PFI’s >= 100 cr
Paid up Share Capital >= 50 cr
O/s Deposits >= 25 cr
Turnover >= 200 cr
O/s Loans / Borrowings from Banks / PFI’s >= 100 cr
*During PFY
Internal Audit | CARO 2020
Clause 3(xiv)
CARO 2020:
(a) whether the company has an internal audit system commensurate with the size and nature of its business;
(b) whether the reports of the Internal Auditors for the period under audit were considered by the statutory auditor.
CARO 2016: -
Key Change
CARO 2020 requires the statutory auditor to assess the adequacy of the internal audit system.
Further, to ensure cross-leverage of work done by the internal auditor, CARO 2020 requires the statutory auditor to consider the reports of the internal auditor, while performing their own audit work.
Internal Audit | Responsibilities
Core Principles: Responsive, Targeted, Insight Based, Highly Skilled, Technology enabled, Tailored, Innovative, Collaborative
• Process Assurance: To obtain a level of comfort on their processes
• Fraud detection and prevention: To establish that their business is fraud free
• Control Framework: To establish a control environment that facilitates segregation of duties and a clear reporting framework
• Process Driven Organization: Transform the organization from being people-driven to being process-driven
Internal Audit | Standards on IA
As per SIA background - “Internal audit is an independent management function, which involves a continuous and critical appraisal of the functioning of an entity with a view to suggest improvements thereto and add value to and strengthen the overall governance mechanism of the entity, including the entity’s strategic risk management and internal control system”.
• 230 Objective of Internal Audit
• 220 Conducting Overall Internal Audit Planning
• 310 Planning the Internal Audit Assignment
• 210 Managing the Internal Audit Function
• 330 Internal Audit Documentation
• 5 Sampling
• 6 Analytical Procedures
• 320 Internal Audit Evidence
• 7 Quality Assurance in Internal Audit
• 360 Communication with Management
• 11 Consideration of Fraud in Internal Audit
• 12 Internal Control Evaluation
• 13 Enterprise Risk Management
• 14 IA in Information Technology Environment
• 240 Using work of an expert
• 17 Considerations of Laws & Regulations in IA
• 18 Related Parties
• 370 Reporting Results
• 110 Nature of Assurance
IA Methodology | Risk Based Internal Audit
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations.
It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
The challenges of today's changing world introduce great opportunities for management and the Board and point to the necessity for competent internal auditing.
Especially in these times of constant change, internal auditing is critical to efficient operations, effective internal controls and risk management, strong corporate governance, and in some cases, the very survival of the organization.
IA Methodology | Life Cycle
• Understand the business and identify the key business risks
• Identify the critical business processes that mitigate these risks
• Analyse these processes and assess the risks
• Perform internal audit, with the help of standardised checklists / RCMs
and extensive use of data analytics and assess the effectiveness of
operating control
• Report observations to the management on a set frequency
• Present summary of key issues to the Audit committee
• Assess management’s progress against the agreed-upon action plan and whether its actions were performed adequately and timely
Strategic Analysis
Understand the Business
• Industry information
• Company information
• Sources of industry wide information
• PEST / SWOT analysis
Key Aspects
• Industry wide issues and objectives
• Company’s strategic objectives
• Key stakeholders
• Key historical issues
• Business model specific to the company
Strategic Risk Assessment
Discuss the procedure for the following, with client, for Internal Audit roll
out:
• Establishment of and agreement on risk rating criteria
• Agreement on approach to risk assessments and facilitated
discussions
• Identification, assessment and analysis of risks
• Performance of control environment review
• Selection of key processes and interviewers, based on existing risk profile (previous internal audits conducted, identification of high-risk areas)
• Documentation of results and validation with the management
Management Assurance Plan Creation
The Internal Audit Plan sets out the scope of work to be undertaken by
the client’s internal audit function
Based on strategic analysis and enterprise risk assessment
• Determine and prioritize the areas and business processes to be
reviewed
• Identify the number and types of audit projects to be performed,
along with associated resource requirements
• Obtain input and approval of executive management and the Audit
Committee, and
• Establish a process to continually evaluate, update, and maintain the
plan.
Plan should specify the areas to be audited, estimated hours and
priority of audits
Process Analysis (1/4)
Process analysis consists of three broad steps:
1. Interviews with process owner(s)
2. Process walkthroughs
3. Mapping of As – Is process maps and buy – in from process owner
for As – Is understanding of the process
Process Analysis (2/4)
1. Interviews with process owner(s)
• Discuss process with each process owner, obtain an in-depth understanding of the processes / sub-processes
• Understand the process objectives and critical success factors
• Discuss and understand how these objectives relate to the organization’s business objectives
• Perform a ‘break-down’ analysis of processes into activities and sub-activities
• Understand each activity in detail with focus on:
  - Objectives
  - Frequency
  - Roles and responsibilities
  - System interface, if any
  - Interface with other processes (handover / takeover points of responsibility & data to / from other activities or processes)
  - MIS, KPIs etc.
Process Analysis (3/4)
2. Process Walkthrough
Validate process understanding by performing one or two (as necessary) walk-through / reverse walkthrough (negative) tests using transactions representative of the process being audited:
• Observe the process as it is being executed
• See how things work and how paper and information flows
• Find out if there are any “work-arounds” to the process to make sure it works right
• Inspect existing documents and observe inputs and corresponding outputs
• Ask for copies of all documents and information about the flow of those documents
• Examine the documents and determine who gets and who actually uses copies of the documents and why they get the documents
Process Analysis (4/4)
3. Mapping of as-is process maps and process owner buy-in
• Document your process understanding using one or a combination of process diagrams or structured narrative notes
• Map the ‘as-is’ process flowcharts with respect to:
  - Inputs
  - Outputs
  - Key activities
  - Roles & Responsibilities
  - Key System interfaces
  - MIS
  - Performance Metrics
• Submit as-is process documents to process owner / client team / process champion for review and confirm accuracy of the documentation.
• Make changes as required and obtain “buy-in” from process owners
Process Risk Assessment
The ultimate objective of audit execution is to determine the
effectiveness of controls over the significant risks within processes
• To achieve this, we should first identify and assess the significant risks
• A risk is an event that has an adverse consequence on the objective
of the process / sub – process
• Risks are identified by analyzing the characteristics of the processes
with respect to our internal audit focus and identifying what events,
actions, or inactions would adversely affect achievement of the
objectives
• Perform a ‘What can go wrong’ analysis to identify risks
• To remove a degree of subjectivity and to ensure consistency, the risks assessed are agreed upon with the Auditee / Process Owner
Internal Audit Execution (1/6)
Internal audit execution involves the following steps:
• Developing the audit program
• Testing effectiveness of controls and identification of exceptions
• Extensive data analysis (where relevant) using tools such as K-Prism /
MS Access / MS Excel to cover a greater sample and to ascertain
financial impact
• Root Cause Analysis for exceptions identified and identification of
risks originating from operating ineffectiveness / non – existence of
perceived controls
• Developing a road map to manage / mitigate identified risks
• Obtaining process owners buy-in for identified risks and
recommendations
Internal Audit Execution (2/6)
1. Developing the audit program
Our objective now is to determine that the controls deemed to be effective over significant risks are operating effectively
• Develop audit work program
• Determine the process objective
• Determine which controls to test and the test objective
• Determine the nature of the tests
• Determine documents / data required (and their source) to test effectiveness of controls and sample size for testing
• Determine the timelines, frequency and person responsible for the test
• Document and obtain approval of the audit program
Internal Audit Execution (3/6)
2. Testing effectiveness of controls and identification of exceptions
Why perform control testing?
To check if:
• Controls are operating as management understood they would operate
• Controls were applied throughout the period of intended reliance and encompassed all applicable transactions
• Controls resulted in the timely correction of any errors that were identified by the control being relied upon
Nature of tests of controls refers to their type:
• Inquiry
• Observation / Walkthrough
• Inspection
• Re-performance
• Audit assertions (CEAVOP)
Internal Audit Execution (4/6)
3. Root Cause Analysis
• After identifying risks originating from operating ineffectiveness and identified design deficiencies, conduct a root cause analysis as given below:
  - Identify probable factors leading to the risk
  - Identify probable causes for occurrence of these factors
• Based on above analysis, identify the source for all identified risks under various processes i.e., “are such risks driven by people, process or technology?”
• Discuss the identified gaps and root causes with the respective process owners to obtain their buy-in
Internal Audit Execution (5/6)
4. Road map to manage / mitigate identified risks
• Based on impact and identified root causes, bifurcate identified risks based on level of effort required to counter risks through change / establishment of controls:
• Can be countered immediately – minor changes in processes with no / minimal system changes
• Can be countered in short term – reasonable changes in key activities within a process along with change in system configurations
• Can be countered in long term – significant investments involving process redesigning, system upgradation etc.
• Based on discussions with process owners understand the mitigation level that the management wants to achieve for every identified risk
Internal Audit Execution (6/6)
5. Process owner’s buy-in for identified risks and recommendations
• Formulate recommendations to mitigate the identified risks by suggesting improvements in process and internal control designs and obtain management’s buy-in on the same.
• Define timelines and responsibilities for mitigating each of the significant risks and implementation of key recommendations based on discussions with management
Reporting
• The audit report is one of the most visible deliverables, providing
feedback to auditee management on the results of our audit
• The report should include all the significant issues identified as a
result of our audit procedures
• Gather and review issues summaries for reportable items
• Review management’s responses for inclusion in the report
• Prioritize observations (Based on Impact or Level of effort- as agreed
in audit plan)
• Review for any inappropriate language
• Prepare the draft report using the agreed upon format
Issues Resolution Tracking
• Throughout the delivery of our Internal Audit Methodology, issues
are uncovered and reported, and ultimately action plans are agreed to
by management.
• As part of the follow-up process, monitor the progress of the
implementation of agreed-upon management action plans
• Assess management’s progress against the agreed-upon action plan
and whether its actions were performed adequately and timely
Work Paper Documentation
• Business understanding document
• Minutes of meeting
• Approved audit scope
• Risk Assessment Presentation
• Minutes of meeting
• Internal Audit Plan
• Minutes of meeting
• Process Maps
• Narrative Notes
• Walkthrough samples
• Documents / data received from process owner
• Evidence of As-Is buy in from process owner
• Copies of all reviewed documents
• Minutes of meeting
• Analysis of risk and controls in place identified in each core
business process
• Existing controls mapped to risk and identified design
deficiencies for which controls are inadequate / non-existent
• Impact – Likelihood assessment: Risk Register
• Buy in document from process owner for risks identified
• Minutes of meeting
• Approved audit program
• Approved process flow diagrams
• Test summary
• Control test matrix
• Summary of issues and findings
• Process improvement observations with buy in’s
• Copy of all samples and data
• Evidence of samples selected from pre-defined universe
• Minutes of meeting
• Internal audit report cross referenced to working papers and annexure
• Transmittal letter
• Client feedback form
• Minutes of meeting
• Updated project completion checklist
• Issue resolution tracker
• Minutes of meeting
Internal Audit in times of Covid 19
Providing insights in the changed risk and opportunity landscape
“Predicting the unpredictable: dealing with risk and uncertainty” has always been a key mantra, and this holds true today with the emergence of COVID-19. There are many associated risks which are impacted by COVID-19, for example: Cyber and Fraud risks, Reputation risks, Supply Chain risks, Health & Safety, etc.
• Provide new insights to top management regarding the impact on your organization’s risk and opportunity landscape
• Improve structured reflections on the measures taken and anticipated.
Being Agile
• Discuss with the management how we can best add value in these critical times.
• Not an ideal time to stick to your audit plan or other routines if this does not provide value for your organization at this point.
Promote a strong risk culture
Risk professionals can actively take up the role ensuring that the risk management and business continuity measures:
• are clearly defined and understood,
• are made visible in the organization,
• involve the entire organization,
• are executable and are applied by top management,
• can be openly discussed,
• are enforced,
• are continuously improved.
Emerging Trends in Internal Audit (1/2)
1. Agile Internal Audit
• Adopted by Innovative internal audit
• Directs teams to higher risk areas and higher value work, and helps the function to attract, develop, and retain talent.
• Ensures that:
  - internal auditors work with stakeholders in a collaborative, focused, iterative manner.
  - Audit results are more linked to business risks and relevant to stakeholder needs etc.
2. Integrated Assurance
• Integrated assurance aims not only to rationalize assurance activities and achieve efficiencies; it also aims to direct assurance activities to where they will create the most value for the organization.
• Integrated assurance aims to align assurance activities around the drivers of value in the organization and to create visibility into risks and the effectiveness of risk management, while boosting efficiency.
3. Evaluating culture
• Risks to culture occur when there’s misalignment between the organization’s values and leaders' actions, employee's behavior or organizational systems.
• Culture has also become key to success and performance, as well as a source of legal and reputation risks.
• Internal Audit can help management and the board drive the right culture, which is essential amid today’s ongoing digitalization, intense media and regulatory scrutiny, and heightened oversight expectations.
4. GDPR assurance and advice
• General Data Protection Regulation (GDPR) is a risk-based regulation that does not prescribe how to protect customer data; rather, it sets expectations in terms of the data, based on its sensitivity and the potential risks.
• Instead of a uniform response, the regulator seeks customized approaches that protect the types of data the organization processes, geared to the risks posed to the data.
5. Cyber Internal Audit
• This entails a shift from IT & compliance-based approaches to a more risk-based approach to cyber.
• In making this shift, most IA groups find covering all cyber issues challenging, mainly due to lack of resources & depth of skills.
• As the gap between organizational needs & IA resources grows, the function can feel overwhelmed & unsure how to proceed.
• Responsibility for cyber security permeates all business units, which means the related governance must span the organization and all three lines of defense must be involved, and their roles and responsibilities clarified.
Emerging Trends in Internal Audit (2/2)
6. Workforce of the future
• IA functions have been embracing alternative sourcing models for years, such as guest auditors, co-sourcing, rotational programs, & more recently crowdsourcing; indeed, about 3 quarters of IA groups use some form of alternative sourcing model
• As the larger organization changes the ways in which it sources, engages, and compensates talent and as historical uses of talent evolve into automation opportunities, management must establish an appropriate governance model geared to addressing the risks inherent in these talent models & technologies.
7. Continuous risk assessment
• Continuous risk monitoring, assessment, and tracking can help IA to direct its resources to where they’re most needed, a valuable departure from rotational audit plans.
• This approach can change the dynamic with stakeholders, enabling IA to more effectively anticipate risks & advise management.
• Leading functions are moving toward real-time risk monitoring via technology-enabled risk sensing, analytics, and visualization tools.
• Continuous assessment can leverage, but is not limited to, continuous monitoring of controls.
8. Automating Assurance
• Automation leads to higher levels of assurance as larger populations of transactions can be tested and controls can be continuously audited.
• Automated assurance also enables movement of assurance-related activities to the second line, to compliance, cyber security, risk management, & similar functions or to the first line, where the risks should be managed and where people can act on the results.
• There is a secondary benefit of automating assurance activities: reallocation of limited resources & potential cost savings.
9. Robotic process automation
• Many IA groups have started to advance toward robotic process automation (RPA) and cognitive intelligence (CI) tools (collectively RPA&CI) to drive efficiency, expand capacity, boost quality, and extend audit coverage.
• These disruptive technologies are winning acceptance as innovators and early adopters continue to prove their value throughout the internal audit lifecycle.
• This approach enables Internal Audit to plan phases of adoption and to realize improved resource allocation, reduced costs, higher quality, and enhanced value.
10. Auditing the risk & Disruptive Technologies
• Driven by the need to create value and drive efficiencies, organizations continue their rapid adoption of disruptive technologies.
• IA must understand the risks of technologies in the organization, advise management on those risks, and provide assurance that they are being adequately addressed.
• Practical considerations for Internal Audit to add valuable assurance include having access to testing procedures and independently reviewing sampling test cases, results generated, and issues logged.
Questions???
Thank You!
CA Vishal Vakil
9867 98 5990
36

More Related Content

PPTX
Internal audits – A General overview.pptx
PDF
Elevating IA
PDF
Value based internal auditing - Nilai Dasar Internal Audit
PPTX
Proposal to provide Internal Audit services
PDF
Evolving role of internal auditing function
PDF
CIA Part I review course 2017
PPTX
Basics of internal audit
PDF
Auditing activities of microfinance institutions
Internal audits – A General overview.pptx
Elevating IA
Value based internal auditing - Nilai Dasar Internal Audit
Proposal to provide Internal Audit services
Evolving role of internal auditing function
CIA Part I review course 2017
Basics of internal audit
Auditing activities of microfinance institutions

Similar to Internal-Audit-Methodology-VV.pdf (20)

PDF
The Internal Auditing Handbook.pdf
PPTX
Internal Audit effectiveness
PPTX
CIA part 1 essentials of internal auditing
PPT
3a 2 Internal Audit A Bane Or Boon
PDF
Chapter 7
PDF
Chapter 7
PDF
Cia challenge-exam-for-ca-and-cpa
PPTX
The importance of value for money and perfomance based audits
PPTX
Audit-and-Assurance-II.pptxedfefefsferfw
PDF
SFC Plan of engagement
PPT
Internal_audit
PPTX
Internal Audit Methodology
PPTX
Xybion - best practices for audit management - final
PPTX
Chapter 1 auditing and internal control
PPTX
Chapter 1 auditing and internal control
DOCX
Audit Planning - Considerations
PPT
Internal Audit : an independent service to evaluate an organisation's.ppt
PPTX
The role of Operational and Performance-based Auditing on Government and the ...
PPT
A Paradigm Shift in Audit Process
PPT
477 10 (5)
The Internal Auditing Handbook.pdf
Internal Audit effectiveness
CIA part 1 essentials of internal auditing
3a 2 Internal Audit A Bane Or Boon
Chapter 7
Chapter 7
Cia challenge-exam-for-ca-and-cpa
The importance of value for money and perfomance based audits
Audit-and-Assurance-II.pptxedfefefsferfw
SFC Plan of engagement
Internal_audit
Internal Audit Methodology
Xybion - best practices for audit management - final
Chapter 1 auditing and internal control
Chapter 1 auditing and internal control
Audit Planning - Considerations
Internal Audit : an independent service to evaluate an organisation's.ppt
The role of Operational and Performance-based Auditing on Government and the ...
A Paradigm Shift in Audit Process
477 10 (5)
Ad

Recently uploaded (20)

PDF
Laughter Yoga Basic Learning Workshop Manual
PDF
BsN 7th Sem Course GridNNNNNNNN CCN.pdf
PDF
kom-180-proposal-for-a-directive-amending-directive-2014-45-eu-and-directive-...
PDF
IFRS Notes in your pocket for study all the time
PDF
WRN_Investor_Presentation_August 2025.pdf
PPTX
5 Stages of group development guide.pptx
PPTX
HR Introduction Slide (1).pptx on hr intro
PDF
Nidhal Samdaie CV - International Business Consultant
DOCX
unit 2 cost accounting- Tender and Quotation & Reconciliation Statement
PPTX
Lecture (1)-Introduction.pptx business communication
PPT
Data mining for business intelligence ch04 sharda
DOCX
Euro SEO Services 1st 3 General Updates.docx
PDF
How to Get Funding for Your Trucking Business
PDF
A Brief Introduction About Julia Allison
PDF
pdfcoffee.com-opt-b1plus-sb-answers.pdfvi
PPTX
Dragon_Fruit_Cultivation_in Nepal ppt.pptx
PDF
20250805_A. Stotz All Weather Strategy - Performance review July 2025.pdf
PDF
Unit 1 Cost Accounting - Cost sheet
PDF
MSPs in 10 Words - Created by US MSP Network
PDF
Ôn tập tiếng anh trong kinh doanh nâng cao
Laughter Yoga Basic Learning Workshop Manual
BsN 7th Sem Course GridNNNNNNNN CCN.pdf
kom-180-proposal-for-a-directive-amending-directive-2014-45-eu-and-directive-...
IFRS Notes in your pocket for study all the time
WRN_Investor_Presentation_August 2025.pdf
5 Stages of group development guide.pptx
HR Introduction Slide (1).pptx on hr intro
Nidhal Samdaie CV - International Business Consultant
unit 2 cost accounting- Tender and Quotation & Reconciliation Statement
Lecture (1)-Introduction.pptx business communication
Data mining for business intelligence ch04 sharda
Euro SEO Services 1st 3 General Updates.docx
How to Get Funding for Your Trucking Business
A Brief Introduction About Julia Allison
pdfcoffee.com-opt-b1plus-sb-answers.pdfvi
Dragon_Fruit_Cultivation_in Nepal ppt.pptx
20250805_A. Stotz All Weather Strategy - Performance review July 2025.pdf
Unit 1 Cost Accounting - Cost sheet
MSPs in 10 Words - Created by US MSP Network
Ôn tập tiếng anh trong kinh doanh nâng cao
Ad

Internal-Audit-Methodology-VV.pdf

  • 1. Internal Audit Methodology Virtual CPE Meeting on Internal Audit - WIRC 09 January 2021 1
  • 2. Background IA Methodology Internal Audit in times of COVID-19 Emerging Trends in Internal Audit 2
  • 3. Background IA Methodology Internal Audit in times of COVID-19 Emerging Trends in Internal Audit 3
  • 4. Internal Audit | Definition The Institute of Chartered Accountants of India defines Internal Audit as: “an independent management function, which involves a continuous and critical appraisal of the functioning of an entity with a view to suggest improvements thereto and add value to and strengthen the overall governance mechanism of the entity, including the entity‘s risk management and internal control system.” The Institute of Internal Auditors defines Internal Audit as: “an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.” Board of Directors Internal Audit Executive Management External Auditors Corporate Governance Four Pillars of Corporate Governance Private and Confidential 4
  • 5. Internal Audit | Objectives Private and Confidential To strengthen governance To enhance internal control system To assist strategic risk management To assure transparency in reporting – both for internal MIS purposes and statutory purposes Compliances – external and internal Optimization of resources, costs and processes 5
  • 6. Internal Audit | Applicability Private and Confidential PRIVATE COMPANIES LISTED PUBLIC COMPANIES UNLISTED PUBLIC COMPANIES Turnover >= 200 cr O/s Loans / Borrowings from Banks / PFI’s >= 100 cr Paid up Share Capital >= 50 cr O/s Deposits >=25 cr Turnover >= 200 cr O/s Loans / Borrowings from Banks / PFI’s >= 100 cr *During PFY 6
  • 7. Internal Audit | CARO 2020 Private and Confidential CARO 2020 CARO 2016 Clause 3(xiv) (a) whether the company has an internal audit system commensurate with the size and nature of its business; (b) whether the reports of the Internal Auditors for the period under audit were considered by the statutory auditor. - - Key Change CARO 2020 requires the statutory auditor to assess the adequacy of the internal audit system Further, to ensure cross-leverage of work done by the internal auditor, CARO 2020 requires the statutory auditor to consider the reports of the internal auditor, while performing their own audit work. 7
  • 8. Internal Audit | Responsibilities Private and Confidential Responsive Targeted Insight Based Highly Skilled Technology enabled Tailored Innovative Collaborative Core Principles Process Assurance To obtain a level of comfort on their processes Fraud detection and prevention To establish that their business is fraud free Control Framework To establish a control environment that facilitates segregation of duties and a clear reporting framework Process Driven Organization Transform the organization from being people - driven to being process – driven 8
  • 9. Internal Audit | Standards on IA Private and Confidential As per SIA background - “Internal audit is an independent management function, which involves a continuous and critical appraisal of the functioning of an entity with a view to suggest improvements thereto and add value to and strengthen the overall governance mechanism of the entity, including the entity’s strategic risk management and internal control system”. 230 Objective of Internal Audit 320 Internal Audit Evidence 240 Using work of an expert 220 Conducting Overall Internal Audit Planning 7 Quality Assurance in Internal Audit 17 Considerations of Laws & Regulations in IA 310 Planning the Internal Audit Assignment 360 Communication with Management 18 Related Parties 210 Managing the Internal Audit Function 11 Consideration of Fraud in Internal Audit 370 Reporting Results 330 Internal Audit Documentation 12 Internal Control Evaluation 110 Nature of Assurance 5 Sampling 13 Enterprise Risk Management 6 Analytical Procedures 14 IA in Information Technology Environment 9
  • 10. Background IA Methodology Internal Audit in times of COVID-19 Emerging Trends in Internal Audit 10
  • 11. IA Methodology | Risk Based Internal Audit Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. The challenges of today's changing world introduce great opportunities for management and the Board and point to the necessity for competent internal auditing. Especially in these times of constant change, internal auditing is critical to efficient operations, effective internal controls and risk management, strong corporate governance, and in some cases, the very survival of the organization.
  • 12. IA Methodology | Life Cycle • Understand the business and identify the key business risks • Identify the critical business processes that mitigate these risks • Analyse these processes and assess the risks • Perform internal audit, with the help of standardised checklists / RCMs and extensive use of data analytics and assess the effectiveness of operating control • Report observations to the management on a set frequency • Present summary of key issues to the Audit committee • Assess management’s progress against the agreed-upon action plan and whether its actions were performed adequately and timely
  • 13. Strategic Analysis Understand the Business: • Industry information • Company information • Sources of industry wide information • PEST / SWOT analysis Key Aspects: • Industry wide issues and objectives • Company’s strategic objectives • Key stakeholders • Key historical issues • Business model specific to the company
  • 14. Strategic Risk Assessment Discuss the procedure for the following, with client, for Internal Audit roll out: • Establishment of and agreement on risk rating criteria • Agreement on approach to risk assessments and facilitated discussions • Identification, assessment and analysis of risks • Performance of control environment review • Selection of key processes and interviewers, based on existing risk profile (previous internal audits conducted, identification of high-risk areas) • Documentation of results and validation with the management
  • 15. Management Assurance Plan Creation The Internal Audit Plan sets out the scope of work to be undertaken by the client’s internal audit function. Based on strategic analysis and enterprise risk assessment: • Determine and prioritize the areas and business processes to be reviewed • Identify the number and types of audit projects to be performed, along with associated resource requirements • Obtain input and approval of executive management and the Audit Committee, and • Establish a process to continually evaluate, update, and maintain the plan. The plan should specify the areas to be audited, estimated hours and priority of audits.
  • 16. Process Analysis (1/4) Process analysis consists of three broad steps: 1. Interviews with process owner(s) 2. Process walkthroughs 3. Mapping of as-is process maps and buy-in from process owner for as-is understanding of the process
  • 17. Process Analysis (2/4): 1. Interviews with process owner(s) • Discuss process with each process owner, obtain an in-depth understanding of the processes / sub-processes • Understand the process objectives and critical success factors • Discuss and understand how these objectives relate to the organization’s business objectives • Perform a ‘break-down’ analysis of processes into activities and sub-activities • Understand each activity in detail with focus on: ◦ Objectives ◦ Frequency ◦ Roles and responsibilities ◦ System interface, if any ◦ Interface with other processes (handover / takeover points of responsibility & data to / from other activities or processes) ◦ MIS, KPIs etc.
  • 18. Process Analysis (3/4): 2. Process Walkthrough Validate process understanding by performing one or two (as necessary) walk-through / reverse walkthrough (negative) tests using transactions representative of the process being audited: • Observe the process as it is being executed • See how things work and how paper and information flows • Find out if there are any “work-arounds” to the process to make sure it works right • Inspect existing documents and observe inputs and corresponding outputs • Ask for copies of all documents and information about the flow of those documents • Examine the documents and determine who gets and who actually uses copies of the documents and why they get the documents
  • 19. Process Analysis (4/4): 3. Mapping of as-is process maps and process owner buy-in • Document your process understanding using one or a combination of process diagrams or structured narrative notes • Map the ‘as-is’ process flowcharts with respect to: ◦ Inputs ◦ Outputs ◦ Key activities ◦ Roles & Responsibilities ◦ Key System interfaces ◦ MIS ◦ Performance Metrics • Submit as-is process documents to process owner / client team / process champion for review and confirm accuracy of the documentation. • Make changes as required and obtain “buy-in” from process owners
  • 20. Process Risk Assessment The ultimate objective of audit execution is to determine the effectiveness of controls over the significant risks within processes. • To achieve this, we should first identify and assess the significant risks • A risk is an event that has an adverse consequence on the objective of the process / sub-process • Risks are identified by analyzing the characteristics of the processes with respect to our internal audit focus and identifying what events, actions, or inactions would adversely affect achievement of the objectives • Perform a ‘What can go wrong’ analysis to identify risks • To remove a degree of subjectivity and to ensure consistency, the risks assessed are agreed upon with the Auditee / Process Owner
  • 21. Internal Audit Execution (1/6) Internal audit execution involves the following steps: • Developing the audit program • Testing effectiveness of controls and identification of exceptions • Extensive data analysis (where relevant) using tools such as K-Prism / MS Access / MS Excel to cover a greater sample and to ascertain financial impact • Root Cause Analysis for exceptions identified and identification of risks originating from operating ineffectiveness / non-existence of perceived controls • Developing a road map to manage / mitigate identified risks • Obtaining process owners' buy-in for identified risks and recommendations
  • 22. Internal Audit Execution (2/6): 1. Developing the audit program Our objective now is to determine that the controls deemed to be effective over significant risks are operating effectively. • Develop audit work program • Determine the process objective • Determine which controls to test and the test objective • Determine the nature of the tests • Determine documents / data required (and their source) to test effectiveness of controls and sample size for testing • Determine the timelines, frequency and person responsible for the test • Document and obtain approval of the audit program
  • 23. Internal Audit Execution (3/6): 2. Testing effectiveness of controls and identification of exceptions Why perform control testing? To check if: • Controls are operating as management understood they would operate • Controls were applied throughout the period of intended reliance and encompassed all applicable transactions • Controls resulted in the timely correction of any errors that were identified by the control being relied upon Nature of tests of controls refers to their type: • Inquiry • Observation / Walkthrough • Inspection • Re-performance • Audit assertions (CEAVOP)
  • 24. Internal Audit Execution (4/6): 3. Root Cause Analysis • After identifying risks originating from operating ineffectiveness and identified design deficiencies, conduct a root cause analysis as given below: ◦ Identify probable factors leading to the risk ◦ Identify probable causes for occurrence of these factors • Based on above analysis, identify the source for all identified risks under various processes i.e., “are such risks driven by people, process or technology?” • Discuss the identified gaps and root causes with the respective process owners to obtain their buy-in
  • 25. Internal Audit Execution (5/6): 4. Road map to manage / mitigate identified risks • Based on impact and identified root causes, bifurcate identified risks based on level of effort required to counter risks through change / establishment of controls: • Can be countered immediately – minor changes in processes with no / minimal system changes • Can be countered in short term – reasonable changes in key activities within a process along with change in system configurations • Can be countered in long term – significant investments involving process redesigning, system upgradation etc. • Based on discussions with process owners understand the mitigation level that the management wants to achieve for every identified risk
  • 26. Internal Audit Execution (6/6): 5. Process owner’s buy-in for identified risks and recommendations • Formulate recommendations to mitigate the identified risks by suggesting improvements in process and internal control designs and obtain management’s buy-in on the same. • Define timelines and responsibilities for mitigating each significant risk and implementing key recommendations, based on discussions with management
  • 27. Reporting • The audit report is one of the most visible deliverables, providing feedback to auditee management on the results of our audit • The report should include all the significant issues identified as a result of our audit procedures • Gather and review issue summaries for reportable items • Review management’s responses for inclusion in the report • Prioritize observations (based on Impact or Level of effort, as agreed in audit plan) • Review for any inappropriate language • Prepare the draft report using the agreed upon format
  • 28. Issues Resolution Tracking • Throughout the delivery of our Internal Audit Methodology, issues are uncovered and reported, and ultimately action plans are agreed to by management. • As part of the follow-up process, monitor the progress of the implementation of agreed-upon management action plans • Assess management’s progress against the agreed-upon action plan and whether its actions were performed adequately and timely
  • 29. Work Paper Documentation • Business understanding document • Minutes of meeting • Approved audit scope • Risk Assessment Presentation • Minutes of meeting • Internal Audit Plan • Minutes of meeting • Process Maps • Narrative Notes • Walkthrough samples • Documents / data received from process owner • Evidence of as-is buy-in from process owner • Copies of all reviewed documents • Minutes of meeting • Analysis of risk and controls in place identified in each core business process • Existing controls mapped to risk and identified design deficiencies for which controls are inadequate / non-existent • Impact – Likelihood assessment: Risk Register • Buy-in document from process owner for risks identified • Minutes of meeting • Approved audit program • Approved process flow diagrams • Test summary • Control test matrix • Summary of issues and findings • Process improvement observations with buy-ins • Copy of all samples and data • Evidence of samples selected from pre-defined universe • Minutes of meeting • Internal audit report cross referenced to working papers and annexure • Transmittal letter • Client feedback form • Minutes of meeting • Updated project completion checklist • Issue resolution tracker • Minutes of meeting
  • 30. Background IA Methodology Internal Audit in times of COVID-19 Emerging Trends in Internal Audit 30
  • 31. Internal Audit in times of Covid 19 Providing insights in the changed risk and opportunity landscape: “Predicting the unpredictable: dealing with risk and uncertainty” has always been a key mantra, and this holds true today with the emergence of COVID-19. There are many associated risks which are impacted by COVID-19, for example: Cyber and Fraud risks, Reputation risks, Supply Chain risks, Health & Safety, etc. • Provide new insights to top management regarding the impact on your organization’s risk and opportunity landscape • Improve structured reflections on the measures taken and anticipated. Being Agile: • Discuss with the management how we can best add value in these critical times. • Not an ideal time to stick to your audit plan or other routines if this does not provide value for your organization at this point. Promote a strong risk culture: Risk professionals can actively take up the role ensuring that the risk management and business continuity measures: • are clearly defined and understood, • are made visible in the organization, • involve the entire organization, • are executable and are applied by top management, • can be openly discussed, • are enforced, • are continuously improved.
  • 32. Background IA Methodology Internal Audit in times of COVID-19 Emerging Trends in Internal Audit 32
  • 33. Emerging Trends in Internal Audit (1/2) 1. Agile Internal Audit 2. Integrated Assurance 3. Evaluating culture 4. GDPR assurance and advice 5. Cyber Internal Audit • Adopted by innovative internal audit • Directs teams to higher risk areas and higher value work, and helps the function to attract, develop, and retain talent. • Ensures that: • internal auditors work with stakeholders in a collaborative, focused, iterative manner. • Audit results are more linked to business risks and relevant to stakeholder needs etc. • Integrated assurance aims not only to rationalize assurance activities and achieve efficiencies; it also aims to direct assurance activities to where they will create the most value for the organization. • Integrated assurance aims to align assurance activities around the drivers of value in the organization and to create visibility into risks and the effectiveness of risk management, while boosting efficiency. • Risks to culture occur when there’s misalignment between the organization’s values and leaders' actions, employees' behavior or organizational systems. • Culture has also become key to success and performance, as well as a source of legal and reputation risks. • Internal Audit can help management and the board drive the right culture, which is essential amid today’s ongoing digitalization, intense media and regulatory scrutiny, and heightened oversight expectations. • General Data Protection Regulation (GDPR) is a risk-based regulation that does not prescribe how to protect customer data; rather, it sets expectations in terms of the data, based on its sensitivity and the potential risks. • Instead of a uniform response, the regulator seeks customized approaches that protect the types of data the organization processes, geared to the risks posed to the data. • This entails a shift from IT & compliance-based approaches to a more risk-based approach to cyber. • In making this shift, most IA groups find covering all cyber issues challenging, mainly due to lack of resources & depth of skills. • As the gap between organizational needs & IA resources grows, the function can feel overwhelmed & unsure how to proceed. Responsibility for cyber security permeates all business units, which means the related governance must span the organization and all three lines of defense must be involved, and their roles and responsibilities clarified.
  • 34. Emerging Trends in Internal Audit (2/2) 6. Workforce of the future 7. Continuous risk assessment 8. Automating Assurance 9. Robotic process automation 10. Auditing the risk & Disruptive Technologies • IA functions have been embracing alternative sourcing models for years, such as guest auditors, co-sourcing, rotational programs, & more recently crowdsourcing; indeed, about three quarters of IA groups use some form of alternative sourcing model • As the larger organization changes the ways in which it sources, engages, and compensates talent and as historical uses of talent evolve into automation opportunities, management must establish an appropriate governance model geared to addressing the risks inherent in these talent models & technologies. • Continuous risk monitoring, assessment, and tracking can help IA to direct its resources to where they’re most needed, a valuable departure from rotational audit plans. • This approach can change the dynamic with stakeholders, enabling IA to more effectively anticipate risks & advise management. • Leading functions are moving toward real-time risk monitoring via technology-enabled risk sensing, analytics, and visualization tools. • Continuous assessment can leverage, but is not limited to, continuous monitoring of controls. • Automation leads to higher levels of assurance as larger populations of transactions can be tested and controls can be continuously audited. • Automated assurance also enables movement of assurance-related activities to the second line, to compliance, cyber security, risk management, & similar functions or to the first line, where the risks should be managed and where people can act on the results. • There is a secondary benefit of automating assurance activities: reallocation of limited resources & potential cost savings. • Many IA groups have started to advance toward robotic process automation (RPA) and cognitive intelligence (CI) tools (collectively RPA&CI) to drive efficiency, expand capacity, boost quality, and extend audit coverage. • These disruptive technologies are winning acceptance as innovators and early adopters continue to prove their value throughout the internal audit lifecycle. • This approach enables Internal Audit to plan phases of adoption and to realize improved resource allocation, reduced costs, higher quality, and enhanced value. • Driven by the need to create value and drive efficiencies, organizations continue their rapid adoption of disruptive technologies. • IA must understand the risks of technologies in the organization, advise management on those risks, and provide assurance that they are being adequately addressed. • Practical considerations for Internal Audit to add valuable assurance include having access to testing procedures and independently reviewing sampling test cases, results generated, and issues logged.
  • 36. Thank You! CA Vishal Vakil 9867 98 5990 36