STANDARD ON INTERNAL AUDIT (SIA) 8
TERMS OF INTERNAL AUDIT ENGAGEMENT*
Contents
Paragraph(s)
Introduction ............................................................................... 1-2
Terms of Engagement.................................................................. 3
Elements of Terms of Engagement ......................................... 4-22
Scope ............................................................................... 5-9
Responsibility ............................................................... 10-13
Authority ....................................................................... 14-15
Confidentiality............................................................... 16-18
Limitations ..........................................................................19
Reporting............................................................................20
Compensation ....................................................................21
Compliance with Standards ................................................22
Withdrawal from the Engagement ..............................................23
Effective Date .............................................................................24
The following is the text of the Standard on Internal Audit (SIA) 8,
Terms of Internal Audit Engagement , issued by the Council of the
Institute of Chartered Accountants of India. These Standards
should be read in conjunction with the Preface to the Standards
on Internal Audit, issued by the Institute.
In terms of the decision of the Council of the Institute of
Chartered Accountants of India taken at its 260th meeting held in
June 2006, the following Standard on Internal Audit shall be
recommendatory in nature in the initial period. The Standards
shall become mandatory from such date as notified by the
Council.
* Published in the December, 2008 issue of The Chartered Accountant.
Standard on Internal Audit (SIA) 8
Introduction
1. The purpose of this Standard on Internal Audit is to establish standards and
provide guidance in respect of terms of engagement of the internal audit
activity whether carried out in house or by an external agency. A clarity
on the terms of the internal audit engagement between the internal
auditors and the users of their services (hitherto known as "auditee") is
essential for inculcating professionalism and avoiding misunderstanding
as to any aspect of the engagement.
2. The internal auditor and the auditee should agree on the terms of the
engagement before commencement. The agreed terms would need to be
recorded in an engagement letter. Normally, it is the responsibility of the
internal auditor to prepare the engagement letter and it is to be signed both
by the internal auditors as well as the auditee.
Terms of Engagement
3. The terms of engagement of the internal audit, inter alia, define the scope,
authority, responsibilities, confidentiality, limitation and compensation of the
internal auditors. The terms of engagement should be approved by the
Board of Directors1 or a relevant Committee thereof such as the Audit
Committee or such other person(s) as may be authorised by the
Board in this regard. The terms should be reviewed by the internal
auditor and the audit committee periodically and modified suitably, if
required, to meet the changed circumstances.
Elements of Terms of Engagement
4. The following are the key elements of the terms of the internal audit
engagement:
i. Scope
ii. Responsibility
Or an equivalent authority where the entity is not in a corporate form. For example, the Board
1
of Trustees in a cooperative society.
2
Terms of Internal Audit Engagement
iii. Authority
iv. Confidentiality
v. Limitations
vi. Reporting
vii. Compensation
viii. Compliance with Standards
Each of these elements has been discussed in the following paragraphs.
Scope
5. Paragraph 3.1 of the Preface to the Standards on Internal Audit describes
internal audit as "an independent function, which involves a continuous and
critical appraisal of the functioning of an entity with a view to suggest
improvements thereto and add value to and strengthen the overall
governance mechanism of the entity, including the entity's strategic risk
management and internal control system."
6. The terms of the engagement should contain a statement in respect of
the scope of the internal audit engagement. It should clearly delineate
the broad areas of function of internal audit like evaluating internal
controls, review of business process cycle controls, risk management
and governance.
7. It should indicate areas where internal auditors are expected to make
their recommendations and value added comments.
8. The terms of engagement should clearly mention that the internal
auditor would not, ordinarily, be involved in the preparation of the
financial statements of the auditee. It should also be made clear that
the internal audit would not result in the expression, by the internal
auditor, of an opinion, or any other form of assurance on the financial
statements or any part thereof of the auditee.
3
Standard on Internal Audit (SIA) 8
9. The scope of the terms of the engagement, after delineating the broad
areas of function of internal audit, should clarify that any additional
services that are not encompassed by the engagement letter shall be
performed only on mutual agreement and with separate engagement
letter.
Responsibility
10. The terms of the engagement should clearly mention the
responsibility of the auditee vis a vis the internal auditor. The auditee
is responsible for establishing, maintaining and ensuring operating
effectiveness of a system of internal control. The auditee would also be
responsible for timely communication of material weaknesses or other
significant issues relating to internal controls, misstatements in the financial
information or similar matters to its external auditors, the Audit Committee,
the Board of Directors, regulators and to those to whom the auditee is
required to so communicate.
11. The management of the auditee is responsible for providing timely and
accurate data, information, records, personnel etc., and for extending
cooperation to the audit team.
12. Similarly, where the internal auditor has a specific responsibility, say
that arising out of a law or a regulation or a professional standard
applicable to the internal auditor, to communicate directly, the above
mentioned issues to an appropriate authority or someone within the
entity or a regulator, the terms of the engagement should contain a
clear mention of such responsibility.
13. The internal auditor has the responsibility to inform the management before
commencement of the assignment about the engagement team and the
audit plan.
Authority
14. The terms of engagement should provide the internal auditor with
requisite authority, including unrestricted access to all departments,
4
Terms of Internal Audit Engagement
records, property and personnel and authority to call for information
from concerned personnel in the organisation.
15. The internal auditor should have full authority on his technologies and
other properties like hardware and audit tools he may use in course of
performing internal audit.
Confidentiality
Confidentiality of Working Papers
16. The terms of engagement should be clear that the ownership of the
working papers rests with the internal auditor and not the auditee. It
should also be made clear that the internal auditor may, upon a
request received in this regard from the auditee, provide copies of
non proprietary working papers to the auditee. The terms should lay
down the policy and the procedures to be followed regarding requests
received for internal auditor's working papers from third parties
including external auditors.
17. The internal audit engagement may also be subject to a peer review by a
regulator, requiring the internal auditor to disclose his working papers to the
peer reviewer without the permission of the auditee. The engagement
letter should bring out this fact clearly.
Confidentiality of the Report
18. The engagement letter should contain a condition that the report of
the internal auditor should not be distributed or circulated by the
auditee or the internal auditor to any party other than that mutually
agreed between the internal auditor and the auditee unless there is a
statutory or a regulatory requirement to do so.
Limitations
19. The terms of engagement should specify clearly the limitations on
scope, coverage and reporting requirement, if any. It may also mention
that the internal auditor or any of his employees shall not be liable to the
5
Standard on Internal Audit (SIA) 8
auditee for any claims, damages, liabilities or expenses relating to the
engagement exceeding the aggregate amount of compensation agreed
upon by both the parties.
Reporting
20. The terms of the engagement should clearly lay down the
requirements as to the manner frequency of reporting and the list of
intended recipients of the internal audit report.
Compensation
21. There should be a clear understanding among the internal auditor and
the client as to the basis on which the internal auditor would be
compensated, including any out of pocket expense, taxes etc., for the
services performed by him.
Compliance with Standards
22. The terms of the internal audit engagement should contain a
statement that the internal audit engagement would be carried out in
accordance with the professional Standards applicable to such
engagement as on the date of audit.
Withdrawal from the Engagement
23. In case the internal auditor is unable to agree to any change in the
terms of the engagement and/ or is not permitted to continue as per
the original terms, he should withdraw from the engagement and
should consider whether there is an obligation, contractual or
otherwise, to report the circumstances necessitating the withdrawal to
other parties.
Effective Date
24. This Standard on Internal Audit is effective for all internal audits beginning
on or after...................................... Earlier application of the Standard is
encouraged.
6
|