BASIC PRINCIPLES OF
                        INTERNAL AUDIT
                                           Contents

                                                                                         Paragraph(s)
Introduction and Scope ............................................................................. 1
Objectives ................................................................................................ 2
Basic Principles ........................................................................................ 3
Effective Date ........................................................................................... 4




Standard on Internal Audit (SIA) 2, Basic Principles Governing Internal
Audit was, originally, issued by the Board in August, 2007 which was
recommendatory in nature. The revised Basic Principles of Internal
Audit is being issued as overarching document for all the Standards on
Internal Audit, and shall become mandatory from such date as notified
by the Council.





   Issued in November, 2018.
1.0   Introduction and Scope
1.1   There are a set of core principles fundamental to the internal audit
      function and activities. These basic principles of internal audit are
      critical to achieve the desired objectives as set out in the Definition
      of Internal Audit.
1.2   Scope: All internal audits shall be performed based on these basic
      principles, and departures from these principles shall be
      appropriately disclosed in internal audit report or other similar
      communication.

2.0   Objectives
2.1   The main objective of the basic principles is to ensure that:
      (i)    All internal audits are conducted with certain fundamental
             features designed to:
                 establish the credibility of the Internal Auditor (principles
                 mentioned under para. 3.1 to 3.5), and
                 outline the elements essential for performance of internal
                 audit activities (principles mentioned under para. 3.6 to
                 3.10).
      (ii)   Outcome of internal audits is of quality and is in line with the
             set objectives.

3.0   Basic Principles
3.1   Independence
      The Internal Auditor shall be free from any undue influences which
      force him to deviate from the truth. This independence shall be not
      only in mind, but also in appearance. Also, the internal auditor shall
      resist any undue pressure or interference in establishing the scope
      of the assignments or the manner in which these are conducted and
      reported, in case these deviate from set objectives.
      The independence of the internal audit function as a whole, and the
      Internal Auditor within the organisation, plays a large part in
      establishing the independence of the Internal Auditor. The overall
      organisation structure of key personnel, the position and reporting of
      the Chief Internal Auditor within this structure, along with the powers
Basic Principles of Internal Audit






        and authority which is derived from superiors further establishes the
        independence of the Internal Auditor.
        The reporting of the Internal Auditor shall be to the Board of
        Directors, or the Audit Committee, who are responsible to appoint
        the Internal Auditors as per Rule 8 of "The Companies (Meetings of
        Board and its Powers) Rules, 2014" . Many times the Internal Auditor
        has a dual reporting responsibility, wherein the administrative
        reporting is to an executive officer (e.g., MD or CEO), but functional
        reporting to the Chairman of the Audit Committee, which is the
        acceptable norm. Therefore, the internal audit function shall be
        positioned outside the functions which are subject to internal audit
        (e.g., Finance and Accounts) and the Internal Auditor shall report
        directly to the highest governing body of the Company as stated
        above.
        At times, the Internal Auditor is exposed to a different type of risk to
        independence, whereby management seeks active business support
        from the Internal Auditor. Apart from providing basic assurance and
        advisory inputs, the Internal Auditor is assigned certain operational
        responsibilities (such as risk management, compliance, system
        automation, process re-engineering, etc.). Although some limited
        operational role may be acceptable with due approvals, and for a
        short duration, the Internal Auditor shall do so only after
        communicating his limitations along the following lines:
        (a)    Unable to assume ownership or accountability of the process;
               and
        (b)    Inability to take operational decisions which may be subject to
               an internal audit later on.
3.2     Integrity and Objectivity
        The Internal Auditor shall be honest, truthful and be a person of high
        integrity. He shall operate in a highly professional manner and seen
        to be fair in all his dealings. He shall avoid all conflicts of interest
        and not seek to derive any undue personal benefit or advantage
        from his position.
        The Internal Auditor shall conduct his work in a highly objective
        manner, especially in gathering and evaluation of facts and
        evidence. He shall not allow prejudice or bias to override his
        objectivity, especially in arriving at conclusions or reporting his
        opinion.


                                      2
                                                            Basic Principles

3.3   Due Professional Care
      The Internal Auditor shall exercise due professional care and
      diligence while carrying out the internal audit. "Due professional
      care" signifies that the Internal Auditor exercises reasonable care in
      carrying out the work to ensure the achievement of planned
      objectives.
      The Internal Auditor shall pay particular attention to certain key audit
      activities, such as establishing the scope of the engagement to
      prevent the omission of important aspects, recognizing the risks and
      materiality of the areas, having required skills to review complex
      matters, establishing the extent of testing required to achieve the
      objectives within specified deadlines, etc.
      "Due Professional Care", however, neither implies nor guarantees
      infallibility, nor does it require the Internal Auditor to go beyond the
      established scope of the engagement.
3.4   Confidentiality
      The Internal Auditor shall at all times, maintain utmost confidentiality
      of all information acquired during the course of the audit work. He
      shall not disclose any such information to a party outside the internal
      audit function and any disclosure shall be on a "need to know basis".
      The Internal Auditor shall keep confidential information secure from
      others. Under no circumstance any confidential information shall be
      shared with third parties outside the company, without the specific
      approval of the Management or Client or unless there is a legal or a
      professional responsibility to do so (e.g., to share information with
      Statutory Auditors). Internal audit reports shall be addressed to
      specified internal auditees and distributed to only those who
      appointed or engaged the Internal Auditor and as per their
      directions.
3.5   Skills and Competence
      The Internal Auditor shall have sound knowledge, strong inter-
      personal skills, practical experience and professional expertise in
      certain areas and other competence required to conduct a quality
      audit. He shall undertake only those assignments for which he has
      the requisite competence.
      The Internal Auditor shall either have, or shall obtain, such skills and


                                    3
Basic Principles of Internal Audit

        competencies, as necessary for the purpose of discharging his
        responsibilities. Continuing Professional Education is a key part of
        this exercise. In addition to the basic technical skills, the Internal
        Auditor shall have the softer skills (such as interpersonal and
        communication skills) required to engage with a multitude of stake-
        holders.
        Where the Internal Auditor lacks certain expertise, he shall procure
        the required skills either though in-house experts or through the
        services of an outside expert, provided independence is not
        compromised. The objective is to ensure that the audit team as a
        whole has all the expertise and knowledge required for the area
        under review.
3.6     Risk Based Audit
        The Internal Auditor shall identify the important audit areas through a
        risk assessment exercise and tailor the audit activities such that the
        detailed audit procedures are prioritised and conducted over high
        risk areas and issues, while less time is devoted to low risk areas
        through curtailed audit procedures. Additionally, this approach shall
        ensure that risks under consideration are more aligned to the overall
        strategic and company objectives rather than narrowly focused on
        process objectives.
        A risk based audit shall ensure the following three fold objectives:
        (a)    Audit procedures need not cover the whole process and can
               be limited only to the important controls in the process;
        (b)    Establish linkage to the aspects relevant and connected with
               company and functional objectives; and
        (c)    Findings and issues highlighted are significant and important
               and time is not devoted to areas with low probability of
               significant observations.
3.7     System and Process Focus
        An Internal Auditor shall adopt a system and process focused
        methodology in conducting audit procedures. This methodology is
        more sustainable than the one adopted to test transactions and
        balances as it goes beyond "error detection" to include "error
        prevention". It requires a root cause analysis to be conducted on
        deviations to identify opportunities for system improvement or







                                      4
                                                              Basic Principles

       automation, to strengthen the process and prevent a repetition of
       such errors.
       Deployment of Information Technology by companies is widely
       prevalent and should be understood for effective internal audits. This
       is a more sustainable approach as this helps the Internal Auditor to
       move away from "people to process " and from "detection to
       prevention".
3.8    Participation in Decision Making
       In conducting internal audit assignments, the Internal Auditor shall
       avoid passing any judgement or render an opinion on past
       management decisions. As part of his advisory role, the Internal
       Auditor shall avoid participation in operational decision making which
       may be subject of a subsequent audit.
       The focus of the Internal Auditor shall remain with the quality and
       operating effectiveness of the decision making process and how
       best to strengthen it, such that the chance of flawed or erroneous
       decisions is minimised. However, the Internal Auditor is at full liberty
       to present the lessons which can be learnt from such past decisions.
3.9    Sensitive to Multiple Stakeholder Interests
       The Internal Auditor shall evaluate the implications of his
       observations and recommendations on multiple stakeholders,
       especially where diverse interests may be conflicting in nature. In
       such situations, the Internal Auditor shall remain objective and
       present a balanced view. This would permit senior management to
       make a decision using all the information and balance the strategy
       and objectives of the company with the expectations and interests of
       its multiple stakeholders.
3.10   Quality and Continuous Improvement
       The quality of the internal audit work shall be paramount for the
       Internal Auditor since the credibility of the audit reports depends on
       the reliability of reported findings. The Internal Auditor shall have in
       place a process of quality control to:
       (a)    ensure factual accuracy of the observations;
       (b)    to validate the accuracy of all findings; and


                                      5
Basic Principles of Internal Audit

        (c)    continuously improve the quality of the internal audit process
               and the internal audit reports.
        The Internal Auditor shall ensure that a self-assessment mechanism
        is in place to monitor his own performance and also that of his
        subordinates and external experts on whom he is relying to complete
        some part of the audit work. A peer review mechanism for quality
        control shall be followed to adhere to all aspects of the
        pronouncements issued by the ICAI.

4.0     Effective Date
        The Basic Principles of Internal Audit are applicable for all internal
        audits beginning on or after a date to be notified by the Council of
        the Institute.




                                      6