Internal Audit
Internal Audit
Internal Audit
Rajkumar S. Adukia
B.Com (Hons.), LL.B, AICWA, FCA
radukia@vsnl.com/rajkumarfca@gmail.com
093230 61049/ 093221 39642
PREFACE
Internal Auditing has gained so much importance that conducting it has been made mandatory
by regulators for listed and other specified companies.
Internal Audit began in modest manner during the Second World War when organisations found
it difficult to maintain operational efficiency and control. Companies appointed special staff (i.e.
present day internal auditors) to review operations and report to them .The task assigned to
internal auditors varied from routine check on finance and operations to appraisal of financial &
operational activities.
Earlier, internal audit was largely voluntary, management appointed internal auditors when
they felt the need. With increased complexities in business, frauds and scams internal audit has
become essential for most organisations. Be it SEC in United States or SEBI in India, regulators
are prescribing mandatory internal audits. The range of activities undertaken by internal audit
teams has increased. They cover a whole gamut of operations ranging from review of finance &
operations to providing assurance and consulting services.
This book attempts to cover some aspects of this vast body of knowledge. It includes basic
procedural aspects of internal audit, standards of conduct as well as and contemporary issues
like corporate governance.
I have dedicated this book to the profession and industry. I shall appreciate from our readers
and all concerned, any questions on various issues which can be included in our future editions
or responded through
We will also appreciate from our readers friendly criticisms , suggestions and calling attention
to errors which might have inadvertently crept in.
INDEX
Section I: Foundation of Internal auditing
1.1 What is internal auditing?
1.2 History and background
1.3 Purpose of internal auditing
1.4 Scope of internal auditing
1.5 Role of auditors
1.6 Organisational Independence and Objectivity
1.7 Professionalism
Section V: CAATs
5.1 Definition
5.2 Need
5.3 Techniques
5.4 Commonly used Audit Software
Thus, internal audit activity can play an important role and support the board and
management in fulfilling an essential component of their governance mechanisms. The internal
auditor furnishes analysis, appraisals, recommendations, counsel and information concerning
the activities reviewed. The internal auditor can suggest ways for reducing costs, enhancing
revenues, and improving profits.
A Partnership...
It is worth remembering that internal audit works in partnership with management and
provides the board, the audit committee and executive management assurance that risks are
held at bay and the organization’s corporate governance is strong and effective. They work in
the same team and want the organisation to be and remain successful.
.
1.2 History and background
In 1930s, growth and expansion made it increasingly difficult for organizations to maintain
control and operational efficiency. The World War further expanded organizations’
responsibilities for scheduling, managing with limited materials and labourers, complying with
government regulations, and an increased emphasis on cost finding. It was difficult for
management to observe all the operating areas or be in touch with everybody. Then, special
staff was appointed to report on happenings in the company who later came to be known as
‘Internal Auditors’.
The internal auditing function varied greatly between organisations and a number of internal
auditors pushed vigorously for greater understanding and recognition of the internal auditing
function. One such person was John B. Thurston, head of the internal auditing function at the
North American utility company. He is credited with being the person most responsible for the
creation of The Institute. He was joined by Robert B. Milne, general auditor of the Columbia
Engineering Corporation, and Victor Z. Brink, a former auditor and Columbia University
educator who authored the first major book on internal auditing. They gathered friends and
associates from the utilities industries, public accounting firms, and other industries, 25 of
whom agreed to participate in forming a new organization for internal auditors.
On November 17, The IIA’s Certificate of Incorporation was filed which officially established
The Institute of Internal Auditors’ name; recognized The Institute as a membership corporation;
and identified corporation’s specific purposes
This assurance from the management is fundamental. There is a need for additional assurance
from a different source. Internal audit can be the key source providing objective assurance that
all the significant risks have been identified, risk management process is working effectively
and efficiently, risks are being reported and controls are effective. As part of this work, the
internal audit activity will provide advice, coaching and facilitation services to assist executive
management in carrying out their responsibilities.
The external auditors have to express an opinion on accuracy and fairness of financial
information. The scope of internal audit is much wider than statutory/external audit. It should
ideally cover all the organisation’s activities. They include:
Financial audit –accuracy, completeness and fairness of financial statements
Operational audit- effectiveness and efficiency of operations
Safeguarding of assets
Review of projects
Management audit
Fraud detection- developing fraud exposures for every audit and detecting red
flags
Review of effectiveness of internal control
Compliance with laws, regulations, policies and procedures
Preservation of ethical culture – monitor the ethical climate and report on red
flags that may compromise ethics
Providing advise on reducing waste or inefficiency
The auditor’s opinion on the truth, fairness, accuracy etc. of the financial statement imposes a
larger responsibility on the auditor, which transcends the relationship with the client. The
external auditor has to maintain total independence from the client. The auditor is supposed to
be a watchdog. Government, creditors, investors and the business and financial community rely
on the independence, objectivity and integrity of the auditors for maintaining confidence in
operations of a company.
Internal Audit is a service to management. Its functions include examining and evaluating
internal control and providing assurance to the management. It is a part of the organisation's
system of internal control and its scope includes ALL aspects of internal control, not just
financial control. The scope of internal audit is much wider than statutory/external audit as
discussed in detail above. It should ideally cover all the organisation’s activities.
External auditors have to express an opinion on accuracy and fairness of financial information.
An external audit programme encompasses a full-scope financial statement audit, an attestation
of internal controls over financial reporting, or other agreed-upon external audit procedures.
Although internal and external auditors have different and clearly defined roles they do share
the same broad purpose of serving the public by helping to ensure the highest standards of
regularity and propriety for the use resources and in promoting efficient, effective and
economic administration.
The internal audit activity should be independent from the activities it audits. It should
also be free from interference in determining the scope of its work, in performing its duties and
in communicating the results. To maintain its independence, it should have “solid-line”
reporting relationship to the audit committee with a “dotted-line” reporting relationship to a
senior executive in the organization for administrative purposes i.e. it should report
functionally to those responsible for governance (which can be the audit committee, the board
of directors, or another appropriate body) and administratively to an appropriately senior level
within the organisation.
The audit committee should safeguard internal audit independence by regularly
reviewing and approving the internal audit charter and mandate.
Administrative matters relate to the organisation’s management structure; and the
reporting line for them should facilitate the activity’s day-to-day operations. The chief audit
executive should have the appropriate seniority in the organisation so that the person has
sufficient authority. This will reinforce the organisational status of internal auditing and
support its unrestricted access to staff and information.
In the current scenario, the demands for professionalism, knowledge and integrity has
increased manifold. To be effective, auditors must serve as objective assurance providers and
advisors to the other participants in the governance process like Board of Directors and the
audit committee; provide guidance on improving operational efficiency and control; evaluate
risk and advise the management on risk identification, risk tolerance and risk management.
The scope on internal audit has widened and may cover the whole gamut of
organisation’s activities. It is the internal auditor's task to operate within the framework of
professionalism to assist the company in achieving the highest-quality results and long-term
objectives. This calls for clear and concise guidance that can be readily adopted and followed
regardless of the industry, audit specialty, or sector.
Proficiency
Internal auditors need to have the knowledge and skills to perform their individual
responsibilities. If the knowledge, skills, or other competencies needed to perform all or part of
the engagement are not available within the internal audit staff, then the chief audit executive
should obtain competent advice and assistance from outside the activity.
Though the internal auditors are not expected to have the expertise of a person whose primary
responsibility is detecting and investigating fraud, they should have sufficient knowledge to
identify the indicators of fraud.
The internal auditor is expected to apply due professional care which is expected from a
reasonably prudent and competent internal auditor. The internal auditor should exercise due
professional care by considering the:
• Extent of work
Internal auditors should enhance their knowledge, skills, and other competencies through
continuing professional development.
Professional Behaviour
Internal auditors need to act professionally and maintain the good reputation of the
profession. The organisation should benefit from the internal audit activity in its risk
management and internal control process.
An auditor’s responsibility is not limited to satisfy the needs of an individual employer.
The standards of the accountancy profession are heavily determined by the public interest, for
example - Internal auditors provide assurance about a sound internal control system which
enhances the reliability of the external financial information of the employer. Accountancy and
audit bodies like IIA and IFAC have formulated some important principles of behaviour.
Independence
The Institute of Internal Auditors Code of Ethics provides internal auditors with sufficient
mechanism for reporting of audit results, findings, opinion or information. The auditor can
report to the appropriate level of management and there should be no need to report in an
unauthorized manner to anyone outside the organisation.
Only if the matter is not resolved satisfactorily, or the services of auditor are terminated due to
that, he should secure the advice of outside counsel.
Section 2. Types of Internal Audit
2.1Financial Audit
This type of audit involves a thorough review of a department’s records and reports, in order to
check that assets and liabilities are properly recorded on the balance sheet, and, all profits and
losses are properly assessed.
In financial audits, significance or materiality is usually defined as a monetary value
Consequently, planning decisions mainly involve the intended degree of audit assurance and
the extent of audit work required to provide it. The requirements will vary from one
organisation to another and applicable laws and regulations. Some activities common to most
audits:
○ Risk assessment
○ Defining Materiality
○ Financial statement assertions
○ Financial analysis of cash flow statement
○ Compliance and substantiative procedures
○ Analytical procedures
Meeting these objectives involves verification of:
○ Revenue
○ Sales
○ Bank deposits
○ Bank reconciliation
○ Accounts payable
○ Accounts receivable
○ Disbursements
○ Assets
2.2Operational Audit
This type of audit involves a thorough review of a department’s operating procedures and
internal controls. They deal with broad performance issues, focusing on whether funds and
resources have been economically, efficiently and effectively managed to fulfill the mission and
objectives. An operational audit includes elements of a compliance audit, a financial audit, and an
information systems audit. In particular, management audits examine and report on matters
related to any or all of the following:
• the adequacy of management systems, controls and practices, including those intended
to control and safeguard assets, to ensure due regard to economy, efficiency and
effectiveness;
• the extent to which resources have been managed with due regard to economy and
efficiency; and,
• the extent to which programs, operations or activities of an entity have been effective.
clear or well defined. The first step would be to brainstorm along with the client and
define the scope and objectives of audit. It is also necessary to decide the exclusions to
the scope.
2. Set audit objectives -The second step would be to set audit objectives. Appropriate
audit evidence can be gathered only when objectives are clear. Three elements need to
be identified-criteria, cause and effect. They will be concerned with whether the
operating objectives will be met.
Review and update the audit objectives after the preliminary survey.
3. Set scope- To manage expectations on what will be achieved by the audit by setting the
a. Operating standards
b. Organisation chart
c. Nature of operations
d. Operating reports
e. Senior management
f. Prior audit papers, if available
g. Internet
h. Industry, trade journals and publications
i. Files and papers
5. Preliminary survey: preliminary survey is essential to gain a working knowledge of the
internal controls. This step takes place throughout the audit process. Methods to review
would include
a. Responses of interviewing staff to control questions in the Internal Control
Questionnaire would indicate areas of control weakness to concentrate on
b. Prepare flow charts or narrative descriptions
c. Walk-through and limited system testing
gain sufficient evidence on the objective of the audit. The testing is aimed at significant
controls that have previously been assessed as adequate to evaluate their effectiveness,
and those controls assessed as inadequate to verify that the required results are not
being consistently achieved.
9. Report: the report should inform the recipients of the issues or opportunities for
2.3Grant Audit
Grant audits include financial and operational elements, but the focus is on compliance with the
financial terms of grant agreements. Usually, when the grant is given, the receiver is obligated to
review grants to determine whether funds are spent for the purpose for which the funds have
been received.
VERIFICATION OF GRANTS:
1. Obtain copies of the Grant application and award documentation (grant file) which specify
the purpose and scope of work to be done with the funds provided.
2. Review the reporting requirements, if any, included in the grant/sponsorship agreement.
Determine whether the record keeping/reporting process satisfies the requirements. Note
discrepancies.
3. Determine whether there are limitations on the use of these funds and test to see if they
were observed. Note any exceptions.
4. Verify that the amount of the grant noted in the above documentation was actually received
and deposited in the bank account maintained for that purpose. Note any exceptions.
5. Ensure that any unused funds and/or interest earned are returned to the granting agency.
Test to determine compliance with such requirements. Note discrepancies.
2.4Project Audit
Project audits include review of project cost and performance terms. Usually, project is a large
and complex activity and the entity may not have the appropriate internal expertise to negotiate
and manage these contracts.
• Project management reviews to ensure controls are in place to mitigate project risks or to
identify the strengths and improvements required for future projects;
• Organizational or operational reviews to ensure the organizations goals and objectives
will be achieved; and,
• Specific technology reviews to ensure security and controls are in place
2.6Compliance Audit
Various programmes and contracts and grants have specific rules and regulations that must be
followed in order to maintain funding. Audits in these areas are usually restricted to
verification that recipients are in compliance with the established guidelines. Compliance audit
would include compliances with:
Laws and regulations
Policies
Standards
Contracts
Taking the help of an expert: Auditors may seek help of legal counsel in
designing tests of compliance with laws and regulations
evaluating the results of those tests
Auditors also may find it necessary to rely on the work of legal counsel when audit
objectives require testing compliance with provisions of contracts or grant agreements.
The internal audit function may be provided by in-house staff or an outsourced team. Whether
internal audit is a part of the organisation or not its structure would depend on:
○ Geographical locations
○ Control risks
○ Environment
To be effective it needs a strong leader who has the support of both the authorising body (audit
committee, in most cases) and senior management. The Chief Audit Executive must be a person
who understands the overall organisation and has the qualities of a leader:
○ Co-ordinate activities
○ Mediate conflicts
apply to the internal auditing organisation. This understanding should be in writing in the
form of a charter.
Audit is a service oriented job, its biggest assets are its people . The firm needs to have policies
and procedures to provide reasonable assurance that they have the sufficient personnel, with
the capabilities, competence and the principles to perform their assigned responsibilities.
It should have policies to address recruitment, performance evaluation, professional
advancements, compensation and career development.
Hiring
The firm needs to recruit personnel with appropriate characteristics to meet their needs. Given
below are certain illustrative procedures which the department/firm may adopt:
1. Designate an appropriately qualified person to manage the human resource function
2. Establishing criteria to evaluate personal characteristics such as integrity, competence,
and motivation.
3. Having additional procedures for hiring experienced personnel like reference checks.
4. Deciding on methods of recruitment like media ads, professional institutions or
universities or recruitment agencies and coordinating with them.
5. Training the interviewers and others participating in the recruitment process on the
expectations and requirements of the firm.
Engagement Assignment
The responsibility for each engagement should be assigned to a specific partner. The
partner assigned to the work has the capability, competence and time to handle the
engagement and the workload and availability of the partners is monitored so that they
can provide devote adequate time to discharge the responsibility There should be policies
and procedures requiring that:
1. Team members: The members should be assigned based on factors such as:
○ Engagement size and complexity.
○ Specialized experience and expertise required.
○ Personnel availability and involvement of supervisory personnel.
○ Timing of the work to be performed.
○ Continuity and rotation of personnel.
○ Opportunities for on-the-job training.
2. The firm should assign appropriate staff with the necessary capabilities,
competence and time to perform engagements in accordance with
professional standards and regulatory and legal requirements.
3. The capabilities and competence considered when assigning engagement
teams, and in determining the level of supervision required, would include:
1. An understanding of, and practical experience with, engagements of a
similar nature and complexity through appropriate training and
participation.
2. Knowledge of professional standards and regulatory and legal
requirements.
3. Appropriate technical knowledge
4. Knowledge of client industry.
5. Ability to apply professional judgment.
6. An understanding of the firm’s quality control policies and procedures.
Internal Audit needs a mission statement or audit charter outlining the purpose, objectives,
organisation, authorities, and responsibilities of the internal auditor, audit staff, audit
management, and the audit committee. A big part of the management profession is creating and
enforcing policies and procedures. Policies interpret and tailor laws that apply to an organisation;
serving as a written record for good practices the management wants to emphasize and enforce in
the organisation, whether or not there are legal implications. While policies are general,
procedures are specific.
Every audit assignment should be planned carefully prior to its start. Circumstances may occur
which might call for unscheduled reviews or there might be pressures to begin special audit
without delay. However, a properly planned audit will almost always have better audit results. A
long-range audit plan should be developed which should be reviewed at regular intervals.
Pre engagement activity –Matters to be considered before accepting new assignment would be:
i. Gathering information on the integrity, competence of the management
ii. Past experience, if any with the management
iii. Communication with previous auditors
iv. Significant accounting policies of the client
v. Assessment of Management’s ability to have effective and efficient
internal control
vi. Financial viability of the entity
iii. Methods used by entity to process information: The methods used need to be considered
as the methods influence the design of internal control. The extent of computer
processing and the complexity of processing will influence nature, timing and extent of
audit procedures.
iv. Determining audit objectives: Objectives based on management’s needs, nature of prior
work, available resources and time is an important aspect of planning. General
objectives would be part of audit plan and they should be re-examined before each audit
and defined in detail before each audit.
v. Audit Scheduling: on the basis of annual plan and preliminary survey the manpower
requirements and time budgets need to be fixed. The following factors need to be
considered.
– nature of audit
– complexity of work
– staff availability
– special skills required
– audit period
vi. The auditor should consider whether specialized skills are needed for any area such as
the effect of computer processing on the audit, to understand the controls, or to design
and perform audit procedures. If specialized skills are needed, the auditor should seek
the assistance of a professional possessing such skills.
• Find out whether there are areas which management would like to be included in the
audit
• Discuss, finalise and inform auditee
○ Audit period
○ Estimated start date and duration
○ Names of audit staff
○ Facilities required like space, computer systems etc.
A. The objective of preliminary survey is to get familiar with the areas being audited. Some
of the methods would be :
a. Information about structure and activities of areas being audited:
i. Organisational chart
ii.Key Personnel and their major areas of responsibility
b. Financial information
i. Sources of revenue
ii.Nature of expenditure
c. Prior working papers and audit reports and information about past activities
d. Information about any separate audit in the area being audited.
e. Review any departmental policies and procedures manuals, flowcharts, or
control narratives that may exist.
f. Any activity /area which the management requests to be included
Determining an audit’s objectives is the most crucial step in planning an internal audit. Audit
objectives refer to the specific goals of the audit. An audit may have several audit objectives.
Objectives are based on management’s needs, nature of prior work, available resources and time
is an important aspect of planning. General objectives would be part of audit plan and they
should be re-examined before each audit and defined in detail before each audit. Audit objectives
should be reviewed with the management or those who have requested the audit.
Audit objectives often focus on substantiating that internal controls exist to minimise risks These
audit objectives include assurance with regard to:
Internal auditing activity’s role with regard to Risk Management is to provide objective
assurance to the board on the effectiveness of an organisation's ERM activities in managing key
business risks and that the system of internal control is operating effectively. The Chief Audit
Executive (CAE) has to ensure that the internal audit activity maintains its independence and
objectivity when providing assurance and consulting services.
The Institute of Internal Auditor’s (IIA) position paper The Role of Internal Auditing in
Enterprise-wide Risk Management provides guidance to the internal auditor as to what roles
internal auditing should and should not play throughout the ERM process. The internal audit
activity can be involved in providing assurance that risks are identified, reported, evaluated,
mitigated and reviewed regularly.
Prepare an engagement memorandum or auditee that communicates final objectives and any
changes to planned completion of audit.
The internal auditor should send a letter of engagement to the management stating: -
This is very critical step as it allows auditor to determine the scope and extent of audit effort. It
is done in advance of detailed testing and analysis work. The auditors can familiarise
themselves with the system and control structure. Typically the audit team would consider:
• The organisational structure and the responsibilities of key members.
• Manuals of policies and procedures and applicable regulations.
• Management reports and minutes of meeting.
• Walkthrough of activity
• Discussions with key personnel
The field survey is the initial contact point and might take one or two days depending on the
size of the audit.
The completion of field survey helps the auditor to understand key systems and processes. If
the information during preliminary audit planning is imperfect , the audit team can make
adjustments to planned audit scope .
4.2 Audit programme
After the conclusion of preliminary survey, the auditor has a fair idea of the audit objectives and
the control systems. At this stage the audit programme should be made providing the proposed
procedures, budgeting and basis for controlling the audit. The audit programme will prevent the
auditor from going off the scope pursuing irrelevant items and help in completing the audit
project in an efficient manner.
• The audit team holds a meeting with the audit supervisor to decide on the priority / high
risk areas and tests to be conducted.
• Provide a general overview of the auditee's operations. Include in the narrative statistical
and monetary information, locations, authority, staffing and main duties and
responsibilities.
• The programme should consist of detailed directions for carrying out the assignment.
• Have the final programme reviewed by Audit supervisor and Audit manager.
• All major changes must be documented in writing and the reason documented.
• The audit programme should contain a statement of the objectives of the area being
reviewed. These objectives would be achieved through the detailed audit programme
procedure. Objectives should fit within the overall scope of the audit.
• Every audit procedure should help answer one of the objectives and every objective
should be addressed in the procedures or steps.
• The tests have to be designed in such a manner that they achieve their objectives. Use
imagination, ingenuity and intelligence in creating audit steps responsive to objectives.
• The goals should be made amply clear by prefacing major steps with : to test whether . . .;
or, to determine that . .
TIME BUDGET
• At the planning phase an estimated time budget should be prepared to control the audit
and complete it efficiently. The detailed project time budget should be completed at the
conclusion of the preliminary review. The time budget should be approved by the audit
manager and audit administration. This budget will include all time necessary to
complete the audit, from assignment through issuance of the final report.
Planning should continue throughout the audit. Audit objectives, scope, and methodologies
are not determined in isolation. They have to be determined together, as the considerations in
determining each often overlap.
Audit Evidence
Evidential matter obtained during the course of the audit provides the documented basis for the
auditor's opinions, findings, and recommendations as expressed in the audit report.
Types of audit evidence
Evidence may be categorized as physical, documentary, testimonial, and analytical.
Test of Evidence
Internal auditors are obligated by professional standards to collect sufficient, competent, relevant,
and useful information to provide a sound basis for audit findings and recommendations.
They would usually hold true but they might not be valid in all cases.
a. Evidence obtained from a credible third party is more reliable than that secured from the
auditee.
b. Evidence developed under an effective system of management controls is more
competent than that obtained where such controls are weak or nonexistent.
c. Evidence obtained by the auditors themselves through direct physical examination,
observation, computation, and inspection is more competent than evidence obtained
indirectly.
d. Original documents provide more competent evidence than copies.
e. Person providing the evidence: Information obtained from a person having knowledge
of the area would be more reliable
f. Objective evidence would be more reliable than the evidence which require judgment.
The sufficiency, competence and relevance of evidence depends on the source of information.
Programme step procedures should be in enough detail so that an experienced auditor could
carry out the task with normal supervision. An audit causes disruption and interruptions in the
day-to-day operations of an enterprise and it is advisable that the auditors provide a tentative
schedule of the planned audit work (unless it is a surprise audit ). Documentation should be
kept for each step that would generally be in the form of working papers.
Review and Evaluation of Internal Control Environment
The auditor will have to review the internal control structure .The effectiveness and efficiency of
the internal control will determine the extent of tests to be performed. This evaluation will also
provide assurance on whether the systems are functioning properly. The auditor should
provide for tests in the audit programme which could be in the form of interviews, internal
control questionnaires , checklists, audit tests.
Matters to be considered while evaluating internal controls
• Identification of risks
• Internal control structure put in place to prevent, detect, correct undesired events
• Whether the control structure is functioning as desired
The Auditor performs tests to validate processes and controls. This would include performance
of substantive testing which tests the efficiency of internal control to ensure completeness,
accuracy or validity of the accounts or transactions .
Given below are the various tests that the auditor would perform:
Tests involving continuing interaction with client staff and other parties
• Facilitated meetings
• Interviewing
• Questioning
• Surveys
• Confirmation/Representation
Tests carried on by audit team
• Observation and Inspection
• Documentation Review
• Analytical review
• Data Analysis
• Vouching & Verifying
• Reconciliation
• Recalculation & Valuation
Facilitated Meetings
Inquiry involves meeting of concerned officials from different departments and key
stakeholders affected like customers and vendors. This method requires lot of efforts in
organising such a meeting. A facilitator is required so that the group does not diverge from its
objectives Example: meeting of purchasing , accounts payable ,stores and user department to
understand the cycle of purchases
Interview: Direct interaction facilitates greater understanding of the business processes as the
interviewer can seek clarifications and details on the spot. It has all the advantages of face-to-
face communication like establishment of rapport, personal opinions on issues and solutions.
The type of information received depends on the skills of the interviewer. The interviewer has
to make the person feel at ease and glean significant information.
Questioning:This is the most pervasive technique and should be used with care so that the
auditee is not needlessly alienated .The auditor may seek management reaction through
questioning in case of deficiencies or error.
Surveys:Surveys are commonly used to gauge perceptions of a business activity. They are an
efficient method of reaching a large number of people .The administrator does not require any
special training and the responses can be quantified.
It requires lot of time and skills to create the survey document. People may give inappropriate
or inaccurate replies, as there is less sincerity in filling up survey forms.
Confirmation/ Representation: Usually there are standard formats for confirmation which
are sent by the auditor to the relevant party. The responses are mailed directly to the auditor.
Observation and Inspection: These methods are used to understand processes and
activities. Observing involves a careful, knowledgeable look at documents processed,
activities and assets. These tests need to be corroborated with other evidence as it would be
time consuming or even impossible to observe large number of activities. Also random
observation will not provide adequate evaluation.
Documentation Review: This is the most widely used method and a large number of data can
be objectively verified. This involves a review of existing reports and documents to identify
controls, to understand the business or process, and to provide evidence in supporting audit
conclusion.
Analytical review: Analytical auditing procedures provide an efficient and effective method of
comparing relationship among data. As the relationship among data is compared against a pre-
defined expected relationship which is expected to continue in the absence of unusual or non
recurring transactions.
Some Analytical tests are trend analysis, benchmarking and ratio analysis
Data analysis & exception tests: This involves analysis and query of historical data files to
identify trends, exceptions. It can be used to understand volume or magnitude of events to
understand whether they are significant. It is used for identifying duplicates or gaps in
sequences or aging summary of receivables
Vouching & Verifying:It is another very popular method .The transactions or events are verified
against supporting documents for accuracy and validity. Examination of accounting transactions
against bills, attendance register against wage payments are some examples.
Reconciliation :It is an audit test to match two sets of data which provides similar information
and analyse the variances between them. It may help in detecting frauds or errors.
Recalculation & Valuation tests: The auditor may recalculate certain figures like interests or
instalments payable on a loan to verify the accuracy .the auditor may also take the help of an
external expert to revalue certain expensive assets.
• List of all accounts (numbers and account titles) maintained by your unit.
• Statement of Account and annual statements for the three fiscal years for the
department.
• Key departmental productivity and performance measures for the past three
fiscal years i.e., productivity measures used for budgeting purposes, etc.
Mr. <Name>
CEO, <Company Name> Limited
<Address>
Dear Mr. <CEO>
A routine conformance audit of <Company Name> is scheduled for the period <dates>,
200X. This audit will include the main office at <office name>as well as the two sub-branches at
<location1> and <location2>.
We would like to schedule a pre-audit meeting with your management personnel before
June XX at a time and date convenient to you and an exit meeting 20 days from the beginning of
the review process. The pre-audit meeting will help in introducing the audit team to company
management, provide a review of the audit process and inform the management of the audit
process and regulatory responsibilities. The exit meeting will summarize the audit results and
identify specific post-audit responsibilities where applicable.
The review will emphasise on the controls in the recently implemented financial system. We
will need to access your financial accounting system and its reports. We plan to use some
automated testing on your files .Please arrange for the system access and working space for our
audit team.
Should you require any further information or clarification, please contact the audit
manager<name>, at <number>.
Yours truly,
<Name>
<Designation>
Membership No. <Number>
Section 5 . Computer Assisted Audit Techniques
5.1.Meaning
5.2 Need for CAATs
5.3 Determining the need for CAATs
5.4 Types of CAATs
5.5 Commonly used Audit Software
Internal auditors require audit evidence to support their audit conclusions. With
automation, it is a challenge to internal auditors to review, and understand these paperless
documents and procedures to support their audit conclusions. It is not enough to audit around
the computer or select and review items from output reports and display screens. Internal
auditor can have greater reliance and independence if they use their own specialized file
retrieval procedures. This can be achieved by using computer assisted auditing techniques. A
CAAT is auditor controlled and can be run on production data to test, summarise or analyse
data on computer files.
Auditors make use of computer-assisted audit techniques (CAATs) to improve audit coverage
by reducing the cost of testing and sampling procedures that otherwise would be performed
manually. With the widespread use of computerized financial and other record keeping, using
CAATs has now become a necessity for audit of most organisations. CAATs provide reasonable
evidence required to support audit conclusions in paperless environment. They provide a more
efficient and reliable method to review items recorded in computer files.
CAATs may be used in performing various audit procedures like:
Tests of transactions and balances, such as recalculating interest;
Analytical review procedures, such as identifying inconsistencies or significant
fluctuations;
Compliance tests of general controls and application controls;
Sampling programs to extract data for audit testing;
Penetration testing.
With the use of Audit Software, auditors can directly obtain evidence to the quality of records
produced and maintained by client’s systems. Various software whether off the shelf,
specialized or customized are a useful tool in the hands of the auditor to gain access to
manipulate the data maintained in the computer systems to achieve audit objectives.
• Audit objectives are constantly changing. Newer areas may be required to be audited;
different approach may have to be used.
• Auditor may have a broad understanding of systems but they do not have specific
knowledge or experience with particular hardware, software being used.
• File access :The file access functions enable different file structures to be accessed.
• File reorganization: Sorting data, merging data, comparing data can be done
Audit tasks
Audit software can help in the accomplishment of various audit tasks:
• Examining the quality of data
• Examine the system processes
• Do analytical reviews
• CaseWare IDEA
• Microsoft Access
Section 5. Audit Workpapers
5.1 Importance
5.2 Functions
5.3 Organisation
5.3.1 Document organisation
5.3.2 CAAT workpapers
5.4 Review of workpapers
5.5 Retention and Custody
The work performed is documented in workpapers. The workpapers serve as the connecting
link between the audit assignment, the auditor's fieldwork, and the final report. Workpapers
contain the records of planning and preliminary surveys, audit procedures, fieldwork, and
other documents relating to the audit. Most importantly, the workpapers document the
auditor's conclusions and the reasons those conclusions were reached. As each Audit Step in the
Audit Procedures is satisfied, the audit supervisor should request review of the related
workpapers.
5.2 Functions
Workpapers should be economical to prepare and to review. It is important to achieve a proper
balance of completeness and conciseness. Only what is essential should be included.
• Working papers record the information obtained and the analyses made during the
audit process.
• Working Papers serve the following purpose
– Aid in the planning, performance, and review of audits
– Document whether the audit objectives were achieved
– A support for audit reports
– Record information
– Document audit findings and accumulate evidence
– Basis for supervisory review
– Support and evidence for issues like fraud, lawsuits
– Basis /reference for subsequent audit
– Document whether the audit objectives were achieved
– Facilitate third-party reviews
– Aid to peer review
– Provide a basis for evaluating the Internal Audit's quality assurance programme
– Aid in the professional development of the Internal Audit staff
Specimen:
Workpaper Header
ABC Associates
Client ___________________
Period __________________
Prepared by ____________________ Date ____________________
Reviewed by ____________________ Date ____________________
(in-charge)
Reviewed by ____________________ Date ____________________
(Manager)
5.3 Organisation
Auditors today use a wide variety of formats to prepare workpapers. Audit workpapers may be
in the form of paper, tape, disk, diskette, film, or other media. Regardless of the media used
workpapers should provide a standard framework for documenting internal audit activities. If
the audit workpapers are in the form of media other than paper, consideration should be given
to generating backup copies. If the Internal Auditor is reporting on financial information, the
audit workpapers should document whether the accounting records agree or reconcile with
such financial information.
The Internal Auditor should establish standard audit workpaper files, stationary, indexing, and
other related matters. Standardized audit workpapers, such as questionnaires and audit
programmes, may improve the efficiency of an audit and facilitate the delegation of audit work.
Workpapers for computer assisted audit techniques follow a different approach than
conventional audit. An auditor may use different automated procedures to perform audit.
CAAT uses specialised auditor -developed or –controlled routines to perform audit test and
analysis procedures.
The CAAT workpapers should have detailed description of CAAT procedures, timing,
problems encountered. Some requirements would be:
○ Description of application and process being tested
○ Audit objectives, files to be accessed, cut off dates
○ Description of software being used
○ Documentation of CAAT tests performed
○ Schedule of CAAT processes with documentation.
Audit workpapers and audit reports are key tangible outputs of the audit process. As the audit
report is supported by the workpapers, it is essential that adequate workpapers are available to
support the report. The best way to establish a level of confidence is that internal audit
management performs adequate levels reviews of all workpapers
Section 7. Audit Reports and Communication
An audit report is the only output of the Internal Auditor’s work, which people outside the
Internal Audit function get to see. It is a formal document summarizing the work done and
reports the findings and recommendations. It is a means of communicating all of the auditor's
work to management. The report must concisely present the total essence of the audit effort.
Findings must be supported by sufficient evidence and be within the audit's scope and
objectives. Each recommendation must fit the facts of the finding and materially reduce the
potential risk as indicated by the facts of the finding. It is not important what an auditor
believes; the important thing is what the auditor can prove. Auditor beliefs, without proper
documentation will not be carried to the report.
Whether audit report is a formally written document or an informal one it should have the
following information:
○ Findings
○ Description of findings
○ Suggestions and Recommendations
○ Documentation of plans and Views of auditee
With today’s technology and ever changing requirements, audit results can be reported in a
wide spectrum of formats. Certain common approaches to reporting are presented:
• Oral Reports
• Interim reports
• Descriptive (regular) reports
• Summary audit reports
Oral Reports: This mode of communication should be supplementary to written reports. This
mode might be used for reporting any findings, which may need emergency action, or as an
oral presentation as a prelude to the formal written report.
Regular reports: in most audit assignments a detailed descriptive report is given at the
conclusion. A general format of such a report is given under “Form and content of audit
report”.
Summary Audit report: Such reports summarise the audit report and describe the range of
content. Such reports could be a summary of more than one report.
The format of report would be guided by the company procedures and nature of work. A
general format is suggested below:
Cover Page - A cover page showing the department name, audit title, audit number and audit
date should be on each report. Lengthy reports may have an index.
Cover Letter - A letter should be written and signed by the Director /partner and made a part
of the audit report. It will be as brief as possible.
Introduction - Describe the type of engagement (regular scheduled, special request, etc.) and the
authority of the audit (agenda, special request). The name of the organization or activity being
audited and provide any background information necessary. This can include nature and goals,
volume or value, activities, location, staffing, etc.
Statement of Objectives - The audit objectives are stated in the report and are the same ones
that appeared in the detailed audit programme.
Statement of Scope - This section should describe the depth and coverage of audit work
conducted to accomplish the audit's objectives. It would contain the calendar dates for the test
work and a date for the evaluation of internal controls.
Statement of Methodology - The statement on methodology should clearly explain the
evidence gathering and analysis techniques used to accomplish the audit's objectives.
Statement of Auditing Standards - The report should include a statement that the audit was
made in accordance with auditing standards and disclose when applicable standards were not
followed.
Audit Conclusions - The auditor must conclude on the stated audit objectives in the order in
which they appeared in the report. The auditor should conclude in the negative or affirmative
on each objective.
3) Effect - This is also known as risk (either actual or potential). Describe or show the actual
or potential effect on the condition. The risks could be inaccuracy, inefficiency, loss to assets.
Provide a monetary value to the effect. If this is not possible, say so and emphasize the
potential.
4) Cause – The cause needs to be mentioned only when it is not obvious or it is something other
than obvious one.
5) Recommendations - Set out in simple, yet specific language, a remedy that management
can follow to effectively correct the condition. In multiple part actions, a numbered step by-
step solution assists in breaking down the recommendation into an easily understandable
process. Emphasize that solutions other than those presented may be acceptable if it
minimizes the condition stated in the finding.
General Comments - This section is reserved for points of interest that are of lesser magnitude
than findings, but of interest to management.
The audit report must be written in a neutral tone and flawless in its accuracy, logic, clarity,
grammar and spelling. It is the only output of the auditor's professional efforts, which is seen by
outsiders.
ACCURACY - Reports must be completely and scrupulously factual; every condition and
recommendation must be based on evidence that is supportable in the work file. The evidence
must be sufficient to support the findings and recommendations and at the same time, be in
agreement with the stated objectives of the audit.
CLARITY - Means making the reader understand what the auditor is trying to say while writing
the report.
CONCISENESS - This means cutting out what is superfluous. Eliminate what is irrelevant and
immaterial. The content of the report depends on the report reader. The report cannot supply
both sufficient details for the operating manager and a summary for the executive. The report is
written for senior management. The Internal auditor can either provide a separate report to the
operating management or details for the operating manager/supervisor can be provided upon
request.
TONE - The report should be courteous and factual. It should not be petty, but should sound
like the voice of management.
GRAMMAR AND SPELLING - All auditors are expected to use acceptable grammar, sentence
structure and context. Additionally, spelling should be accurate.
It is desirable that during the course of the audit, a framework of the final report is developed
so that the needed information is obtained on time. This will prevent delays in the report
writing process. Important and sensitive findings should be shared with responsible managers
immediately upon verification by the audit staff; memo reports may be used in this process.
As findings are completed, they are inserted in the proper sections of the report. The audit
report is a process in itself, which starts with identification of findings, preparation of draft
report, discussions of findings with the concerned people, management responses to audit
findings and issuance of final report. An internal audit function may alter or skip any of the
steps outlined below to suit its needs and purpose.
G. Dissemination of report
a. The persons to whom the report is to be delivered will vary from organisation to
organisation and from one assignment to another. Some of the recipients could
be the Corporate Vice President, for Administration or the Vice President for
Business and Finance, the Department Head, the CFO, the CEO, the Board of
directors and the Audit Committee.
b. In some organisations the BOD and the Audit committee may be presented with
sAudit Committee with periodic summaries of audit findings, with access to
summaries or full reports if requested.
c. In certain organisations the report is published on the website. In that case, Copy
the report file to the share drive for eventual publication on the web page. Take
the original paper copy of the letter to the management and the signature page
from the report to the webmaster. Those two pages will be scanned and
converted into a PDF format document and inserted into the report posted on the
share drive.
Mr. <Name>
CEO, <Company Name> Limited
<Address>
Dear Mr. <CEO>
The audit team has concluded an operational review of the internal control structure and
the recently implemented financial system SAP. The objective of our review was to evaluate
controls in the financial system, compliance with policy & regulations and the effectiveness and
efficiency of the current organisation authority structure.
The review covered operations of the period <date> to <date>. Please find enclosed two
copies of the Audit Report of <Company Name> Limited completed on June XX, 200X. I am
pleased to inform you that the review found that the financial department is well managed with
generally good controls. However, controls need to be strengthened in few areas and
documentation policies need to be more strictly enforced for travel expenses. A summary of the
most significant audit findings are provided in Part II of the report.
The company must respond in writing to each audit finding. The proposed Corrective
Action Plan should detail both short term corrective action to correct the specific deficiencies
cited and, where applicable, long term corrective action. Long term corrective action should
focus on modifying the system to prevent recurrence of similar deficiencies in the future.
We wish to express our appreciation for the co-operation extended to the audit team by
you and your staff during the audit.
Yours truly,
Yours truly,
<Name>
<Designation>
Membership No. <number>
Specimen Internal audit Report
AUDIT NAME
AUDIT REPORT
TABLE OF CONTENTS
PAGE
INTRODUCTION
Background
Audit Perspective
Scope & Objectives
EXECUTIVE SUMMARY
I.
II.
III.
APPENDIX
AUDIT NAME
DATE
INTRODUCTION
Background
Audit Perspective
(E.g., The scope of the audit was financial and operational in nature . This routine audit
was conducted on AAA Foods Limited during the period of (month) (year). The
audit covered the period from dd-mm-yyyy to dd-mm-yyyy . The audit was
performed to ensure that financial data was properly recorded and adequate operational
procedures exist in all the operationalareas. The audit was conducted in accordance
with the applicable Accounting & Auditing Standards. Included reviews in the
following areas:
a) Royalty payments;
b) Rent received from sub tenants;
c) compliance with Food safety and hygiene regulations ;
d) Cash receipts; and
e) Credit card receivables .
• Verify that credit card receivables were correctly accounted, applied and
payments received from the credit card company.
7652741
Page 68 of 80
• Determine whether food safety inspections have been regularly carried
out at various locations and appropriate hygiene levels are maintained.
• Whether royalty has been calculated correctly and has been paid to the
brand owners timely.
• Whether contract has been drawn up with sub tenants and floor space,
rent and facilities has been has been agreed upon.
.
Note: Audit is used in the report when actual tests are performed to corroborate
the opinion. Review is used in the report when no tests are performed to
corroborate the opinion. Comment should speak directly as to what was done,
i.e., if a test was performed, the word test should be used. If a review was
performed, the word review should be used.
Company - General
AAA Foods Limited
Provide information on background of company and its operations .Provide details
of functions and personnel in departments. Mention whether any major change in
the organisation since the last audit. (E.g. the company has opened new food centres
at 12 more locations. The staff strength has risen to 15,000. The company is now
undertaking a massive exercise to centralize its processing and accounting at the
main office).
Audit Synopsis
Mr. R. Xyz, senior partner of XYZ associates was in charge of the audit. The audit
was conducted in accordance with auditing standards and policy & procedures
detailed in the AAA Food Limited’s manual .These techniques included interviews
with key personnel, review of approved documents, sampling of relevant files, and
random inspections throughout AAA Food Limited’s system.
The audit entry meeting was held in AAA Food Limited’s main office on <date>.
During this meeting, the audit manager briefed the operator’s management on the
audit process and the team's audit plans. The officials of the company were regularly
updated on audit progress and of all audit findings submitted. The audit was
completed and the exit meeting was held in AAA Food Limited’s main office on
<date> with the senior officials namely<name>.
7652741
Page 69 of 80
Audit Findings identify a situation where a company policy, procedure, or activity
does not conform to policies & procedures specified in the company’s internal audit
manual or to the applicable regulatory standard. The company must respond in
writing to each audit finding, detailing short term corrective action to correct the
specific examples listed, and long term systemic corrective action to prevent
recurrence of similar situations.
XYZ Associates will monitor implementation of AAA Food Limited’s Corrective
Action Plan through the audit follow-up process
7652741
Page 70 of 80
EXECUTIVE SUMMARY
The executive summary is intended to provide an overview of the audit process, and
summarise the significant findings (discussed in the detailed audit report) and the
conclusions reached. The reader should not frame an opinion solely on the basis of
this summary. The detailed report should be read to obtain the complete
understanding of the background, ramifications, and recommendations.
General
The audit examined AAA Foods Limited’s operations and finance divisions using
applicable checklists referenced from the Internal Audit Manual. A total of xx
operations and xy finance audit findings are reported. . These findings identified
examples of non-conformance to the standards, regulations AAA Foods Limited’s
policies or procedures. A number of the findings were administrative in nature and
can be easily corrected, whereas others were systemic and will require particular
attention to ensure that corrective actions are effective in addressing the identified
system faults.
Audit Opinion
Relevant Findings
7652741
Page 71 of 80
AUDIT NAME
INTERNAL AUDIT OPINION
AUDITOR-IN-CHARGE DATE
(E.g. In our opinion, we found the financial transactions were properly recorded
and the operational procedures adequate for the period under audit. However,
there is still some scope for improving operating efficiency and effectiveness
which are discussed in this audit report.
The areas requiring immediate attention are: <area>, which currently lack
some essential elements; <area>, which require a detailed system to ensure
that all requirements have been met; and procedures to monitor and report
on <area> activities.
The above deficiencies notwithstanding, the review revealed that AAA Foods
Limited is maintaining strict quality control standards and that a
knowledgeable, competent management team has been assembled to oversee
its staff and employees that have the ability and desire to operate within the
regulatory framework. The company’s response upon learning of any
deficiency was immediate and indicative of their focus on quality control.
7652741
Page 72 of 80
AUDIT NAME
DETAIL REPORT
Overview
Pages X through XX outlines the specific findings resulting from our substantive audit
testing. These issues are discussed in detail in our report and are categorized first on the
basis of departments .Within each division, the major primary findings (significant
internal control deficiencies and items potentially having a significant or adverse effect
on the unit’s operations) are mentioned first and then other matters (items of a lesser
nature requiring attention, but not likely to have a significant or adverse effect on the
unit’s operations).
Primary Findings
I. COMMENT
Finding
Ramifications/Implications
Recommendation(s)
Auditee's Response
Other Matters
II. COMMENT
Finding
Ramifications/Implications
Recommendation(s)
Auditee's Response
7652741
Page 73 of 80
Section 8. Relationship management
To top it all and ensure that internal audit is effective, communication is most
crucial. Sound governance requires effective interaction among the board, management,
the external auditor, and the internal auditor.
The audit committee should be composed of board members who have the
knowledge and experience of the organisation’s business. They should have the skills to
evaluate financial and management controls, and the ability, experience, and willingness
to act for the good of the organisation and its stakeholders. They should have the time to
find out enough about the organisation so that they can effectively challenge the
executive management.
7652741
Page 74 of 80
The audit committee and the internal audit team need to maintain a strong
positive relationship.
The chief audit executive has to report on its findings to the audit committee any
deficiencies that have been detected and the audit committee also has to enquire in
depth from internal audit into complex issues. The internal audit activity is answerable
to the audit committee and not management.
The chief audit executive should attend audit committee meetings and discuss
the charter, review the audit plan, staffing requirements, audit findings and status of
implementation of recommendations.
The audit committee has to assess the performance of the internal audit team to review
whether the activity is effective and capable to be the agent of the of the audit committee
in the organization. It may also act as facilitator between the internal audit, executive
management and the statutory auditors to ensure proper allocation of work and ensure
good corporate governance.
Reports
Within the management, there are different levels. The audit report has to be designed
to suit the interest, needs and requirements of different levels of management. All the
7652741
Page 75 of 80
levels need to know as to what is happening in the areas of their concern and internal
audit report can serve as one of the vehicles of information. However the degree of
detail required by each is different. The local office needs an in- depth report with all the
details and documentation so that follow up actions /rectifications can be taken. The
regional offices would need general information on the operations and performance of
the local office. The top management needs to be informed of serious issues and frauds
and information on problems across offices etc. Thus, as the levels go up the details
required are less.
For easy readability and distribution, the report could have an executive summary, a
main report divided by functional areas and lastly recommendations. Thus, each level
gets focused information according to their needs.
Oral communications
Formal written communications are necessary and but informal communications cannot
be ignored altogether. It can help draw management’s attention towards important
issues. Debriefings minimise the chance of something important passing unnoticed
because of other priorities and pressures.
Overview
An audit report consists of details of the audit assignment of the audited unit. At some
point it also needs to see things from a larger perspective- to focus on the forest rather
than the trees. On the basis of recurring observations and trends, it would be possible to
identify areas which need more attention, policy changes or guidance.
Internal audit and statutory audit have different objectives. The primary
objective of statutory auditors is to express an opinion on accuracy and fairness of
financial statements. The focus of the report is on objectivity, accuracy and brevity. They
focus on historical financial data. The objectives of internal audit are much wider. They
are involved in operational audits, management audits, review of processes, practices &
procedures and other assignments.
However, the statutory auditors need to understand the functioning and
operations of the enterprise and the internal control systems. Not only that, they have to
7652741
Page 76 of 80
include in their report an opinion on the state of internal controls in the organisations.
Thus, if they co-ordinate their efforts there would not be any overlapping nor would
there be any gaps. Every aspect of the organisation could be covered without
duplication of work and improve service to management and the audit committee.
Internal and external auditors both are equally important.
There should be sufficient liaison between the auditors .Both should share information
regarding scope, audit programme and audit findings. However, several factors
determine the type of relationship. Some chief audit executives (CAEs) are of the
opinion that the relationship should be arms-length relationship while others feel that
there should be a close working relationship.
It is finally up to the organisation and the auditors to decide as to what type of
relationship best fits an organization taking into account its resources and time and
issues.
Benefits of co ordination
Varied strengths increase effectiveness
By the nature of their responsibilities, internal auditors spend a lot of time working for
the same company. This gives them a better understanding of the culture and working
of the organisation. The external auditors on the other hand have exposure to wider
variety of financial issues as they have multiple clients.
Increase in efficiency
Coordination increases efficiency. When the audit is not properly coordinated, external
auditors may duplicate work already performed by the internal auditors.
Cost reduction
Coordination reduces the time and efforts which the external auditor would expend on
redundant work thus, reducing the audit fees.
7652741
Page 77 of 80
Better understanding of each others work
Coordination would imply that the auditors communicate and consult with each other
their plans and findings. This will lead to clearer understanding of respective audit roles
and requirements and a better understanding by each group of auditors.
Building co-operation
Approval
External and internal auditors owe allegiance to different set of people .The internal
auditor is accountable to the management. When the external auditor needs assistance
from the internal auditor, he has to first inform the management /governing body and
seek their approval.
Commitment
As discussed earlier, both the auditors work with different objectives and
responsibilities. Given this situation when the need for coordination arises, it requires
commitment. They have to adjust and plan the work to satisfy each others needs.
Communication
Communication is sine qua non for success of any coordination process. . There should
be frequent and open communication between internal and external auditors. They
should decide on timing and nature of communication-it may be written or electronic or
face to face or telephonic or combination of whatever format is suitable.
Trust
There needs to be mutual confidence between both groups of auditors. This confidence
is enhanced when the auditors are members of professional bodies and are bound by
their professional standards and code of conduct. When the external auditor requires
direct assistance or needs to rely on the work in certain area, he may conduct procedures
to get specific assurance. There also needs to be confidence that any information
exchanged is treated professionally and with integrity.
7652741
Page 78 of 80
Areas of co-operation
Internal control
Corporate governance
Reporting and financial statements
Compliance with laws
Anti Fraud measures
Performance indicators
Testing
○ systems
○ programs
Liaison between company and external auditors
○ Ensure that all information, documentation is provided to internal
auditor
○ Audit of dispersed organizations
○ Follow up on audit issues and implementation of recommendations
Internal Audit is gaining more importance with the regulators. The role of Statutory
Auditors is confined to reporting on financial accuracy and application of accounting
principles and standards. Market regulators are interested not only in financial results
but also concerned that business operations are conducted in a manner so that all
foreseeable risks are addressed by appropriate internal control mechanism and three are
no revenue leakages.
Internationally, the relationship with regulators is significant in the financial services
sector due to the Basel Committee on Banking Supervision. In India, increasing number
of regulators are demanding internal audit of entities under their supervision. RBI, NSE,
NSDL, SEBI all insist on internal audit of operations of entities under them. Not only
that The Companies (Auditor’s) Report Order, 2003 states that,
7652741
Page 79 of 80
“Internal Auditing is applicable to: -
1. Listed Company
Only the internal audit activity can provide a objective assurance to the market regulator
that
the operations are in compliance with laws and regulations set up by them,
internal control exists in all the key risk areas,
internal control framework is functioning effectively and
gaps if any are identified reported and prompt action is taken to rectify the same.
7652741
Page 80 of 80