By CA Huzeifa I. Unwala,
27 September 2012
SECTION I
• 1st Generation: Controls
• 2nd Generation: Control Framework
• 3rd Generation: Business Risks
• 4th Generation: Enterprise Wide Risk Management
IIA Standards
► On Nov. 17, 1941, The IIA's Certificate of Incorporation was filed that officially established The Institute of Internal Auditors.
► In 1978, The IIA formally approved the Standards for the Professional Practice of Internal Auditing (Standards), which had the following purposes:
  o Assist in communicating the role, scope, performance, and objectives of IA.
  o Unify internal auditing throughout the world.
  o Encourage improved internal auditing.
  o Establish a basis for consistent measurement of internal auditing operations.
  o Provide a vehicle by which internal auditing can be fully recognized as a profession.
► IIA standards are broadly categorized under two heads:
  o Attribute standards
  o Performance standards

ICAI Standards
► The Council of the Institute of Chartered Accountants of India at its 240th meeting held on February 5, 2004 constituted a non-standing committee called “COMMITTEE ON INTERNAL AUDIT”.
► The Council at its 282nd meeting held on November 5-7, 2008 renamed the Committee on Internal Audit as “INTERNAL AUDIT STANDARDS BOARD (IASB)”.
► The main function of the Internal Audit Standards Board (hereinafter referred to as the “Board”) is to review the existing internal audit practices in India and to develop Standards on Internal Audit (SIAs).
► The first standard was issued in the year 2006 and as of 2011 there are 17 standards issued by the Board.
ISO Standards
Extensive use by auditors to intelligently cover the audit universe, as 100% reperformance of business processes is not possible. A “WHAT CAN GO WRONG ANALYSIS” prior to field work gives the auditor focus and judgement on where to deploy his resources.
“Risk is a part of God's game, alike for men and nations.”
- Warren Buffett
Oversimplified version of Risk Management
• Integrated Planning
The Committee of Sponsoring Organizations, known as COSO, defines enterprise risk management (ERM) as:
“…A process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
BOARD COMMITMENT
• The board discusses corporate governance issues and has created a corporate governance committee
• The company has a corporate governance champion
• A corporate governance improvement plan has been created
• Appropriate resources are committed
• Policies and procedures have been formalized and distributed to relevant staff
• A corporate governance code has been developed
• The company is publicly recognized as a corporate governance leader

TRANSPARENT DISCLOSURE
• Financial information disclosed
• Non-financial information disclosed
• Financials prepared according to IFRS
• High-quality annual report published
• Web-based disclosure

WELL DEFINED SHAREOWNER RIGHTS
• Minority shareowner rights are formalized
• Well-organized general assembly conducted
• Policy on related-party transactions
• Policy on extraordinary transactions
• Clearly defined and explicit dividend policy
Internal Controls & Risk Management: are they interconnected?
• Risk is the possibility of an event occurring and adversely affecting the achievement of objectives
• A control activity is the action established through policies and procedures that helps ensure that management’s directives to mitigate risks to the achievement of objectives are carried out
• The Board’s ability to paint a picture and connect the dots from the risk and control exercises determines the success or failure of the business
COSO: The 5 Components of IC
1 Control Environment
2 Risk Assessment
3 Control Activities
4 Information and Communication
5 Monitoring Activities
SECTION II
IIA STANDARDS
ICAI – Standards on Internal Audit

Year 2009: the economic crisis has led to increased attention on improved risk management for regulators, rating agencies, and boards. This presents an opportunity and a challenge for Internal Auditors.

ICAI - SIAs (year of issue in brackets):
Standard on Internal Audit (SIA) 1 - Planning an Internal Audit (2006)
Standard on Internal Audit (SIA) 2 - Basic Principles Governing Internal Audit (2007)
Standard on Internal Audit (SIA) 3 - Documentation (2007)
Standard on Internal Audit (SIA) 4 - Reporting (2008)
Standard on Internal Audit (SIA) 5 - Sampling (2008)
Standard on Internal Audit (SIA) 6 - Analytical Procedures (2008)
Standard on Internal Audit (SIA) 7 - Quality Assurance in Internal Audit (2008)
Standard on Internal Audit (SIA) 8 - Terms of Internal Audit Engagement (2008)
Standard on Internal Audit (SIA) 9 - Communication with Management (2009)
Standard on Internal Audit (SIA) 10 - Internal Audit Evidence (2009)
Standard on Internal Audit (SIA) 11 - Consideration of Fraud in an Internal Audit (2009)
Standard on Internal Audit (SIA) 12 - Internal Control Evaluation (2009)
Standard on Internal Audit (SIA) 13 - Enterprise Risk Management (2009)
Standard on Internal Audit (SIA) 14 - Internal Audit in an Information Technology Environment (2009)
Standard on Internal Audit (SIA) 15 - Knowledge of the Entity and its Environment (2009)
Standard on Internal Audit (SIA) 16 - Using the Work of an Expert (2009)
Standard on Internal Audit (SIA) 17 - Consideration of Laws and Regulations in an Internal Audit (2010)
Benchmarking of IIA standards vs. ICAI SIA

IIA Standard | ICAI SIA
1100 Independence and Objectivity | SIA 2 Basic principles governing internal audit
1110 Organisational independence | Not covered
1111 Direct Interaction with Board | Not covered
1120 Individual Objectivity | SIA 2 Basic principles governing internal audit
1130 Impairment to Independence or Objectivity | SIA 2 Basic principles governing internal audit
1200 Proficiency and Due professional care | SIA 2 Basic principles governing internal audit
1210 Proficiency | SIA 2 & 15 Basic principles governing internal audit & Knowledge of the entity and its environment
1220 Due professional care | SIA 2 & 15 Basic principles governing internal audit & Knowledge of the entity and its environment
1230 Continuing Professional Development | SIA 2 & 15 Basic principles governing internal audit & Knowledge of the entity and its environment
1300 Quality Assurance and Improvement Program | SIA 7 Quality Assurance in Internal Audit
1310 Requirements of the Quality Assurance and Improvement Program | SIA 7 Quality Assurance in Internal Audit
1311 Internal assessments | SIA 7 Quality Assurance in Internal Audit
1320 Reporting on the Quality Assurance and Improvement Program | SIA 7 Quality Assurance in Internal Audit
1321 Use of “Conforms with the International Standards for the Professional Practice of Internal Auditing” | SIA 7 Quality Assurance in Internal Audit
2100 Nature of work | SIA 12 & 13 Internal Control Evaluation & Enterprise Risk Management
2110 Governance | SIA 12 & 13 Internal Control Evaluation & Enterprise Risk Management
2120 Risk Management | SIA 13 Enterprise Risk Management
2130 Control | SIA 12 Internal Control Evaluation
2240 Engagement Work Program | SIA 1 & 2 Planning & Basic Principles
2300 Performing the Engagement | SIA 3, 5 & 6 Documentation, Sampling & Analytical Procedures
2310 Identifying information | Not covered
RISK ASSESSMENT

Understanding Internal Control
• Avoiding wastage
• Avoiding rework
• Reducing cost
• Corporate Laws and Corporate Filings
• Pre-requisite for accessing capital markets
• Adherence to all applicable legal and regulatory framework
• Adherence to code of conduct / ethics
• Public Interest
• Accountability
• Performance
• Budget vs Actuals
• Safeguarding of Assets

Control Environment
• Organization demonstrates a commitment to integrity and ethical values
• Board demonstrates independence
• Management establishes oversight, reporting lines and authority structure
• Organization demonstrates a commitment to attract, develop and retain competent individuals
• Individual accountability for IC responsibilities

Risk Assessment
• Risk specific objectives
• Risk identification and analysis
• Consider the potential for fraud
• Identify and assess changes that could significantly impact the system of internal control

Control Activities
• Organization selects and develops control activities that contribute to the mitigation of risks
• Organization selects and develops general control activities over technology that contribute to the mitigation of risks
• Organization deploys control activities as manifested in policies that establish what is expected and in relevant procedures to effect the policies

Information and Communication (P)
• Information generation and use
• Internal communications
• External communications
Risk assessment is the determination of the quantitative or qualitative value of risk related to a situation and a recognized threat.
Risk assessment measurement is a process used to identify and evaluate risks and their potential effect.
The auditor should perform risk assessment procedures to obtain an understanding of the entity and its environment, including its internal control.
Source: COSO

Risk Events / Identification Triggers (figure; source: COSO)
Risk Management Framework (figure)
• On-going
• Risk
• Scenario Play
• Benchmarking
• History
Alignment with COSO Framework
The ERM framework is aligned to the COSO framework and views the organization’s objectives at the following levels:
Risk Assessment
Risk Scenario 1:
Risk Scenario 2:
Damage to Assets
Practical Case Studies on Internal Control
Risk Scenario 3:
Risk Scenario 4:
Background of Client
The client enters the Indian arena with its international services, dynamic leaders and its mission to be a pioneer in the area of Real Estate Development. The property is situated at the southern corridor of one of the best Tier II cities of India. Laid on a fairly undulating topography spread across three major levels, the site offers breathtaking views of the hills and the valley.

About Assignment
Risk based internal audit. The areas covered under audit were:
• Insurance processes
• Safety & Labour compliances
• Contractor selection processes
• Fixed Assets processes
• Cash & Bank Review
• Finance & Accounts
• Book closure process
• Sales & Marketing processes
• Project execution
Case Study: Risk Based Internal Audit

Summary of findings (Risk Category = No. of Observations)
Scope Areas | High | Medium | Low | Total | Percentage | Area of Concern
Review of Insurance Process | X | - | - | X | X |
Safety Compliances | X | X | - | X | X |
Contractor Selection Process | X | - | - | X | X |
Thank You
The views expressed in this material are personal in nature. Any reliance should be placed only post
consultation with the author.