BASIC PRINCIPLES OF
INTERNAL AUDIT
Contents
Paragraph(s)
Introduction and Scope ............................................................................. 1
Objectives ................................................................................................ 2
Basic Principles ........................................................................................ 3
Effective Date ........................................................................................... 4
Standard on Internal Audit (SIA) 2, Basic Principles Governing Internal
Audit was, originally, issued by the Board in August, 2007 which was
recommendatory in nature. The revised Basic Principles of Internal
Audit is being issued as overarching document for all the Standards on
Internal Audit, and shall become mandatory from such date as notified
by the Council.
Issued in November, 2018.
1.0 Introduction and Scope
1.1 There are a set of core principles fundamental to the internal audit
function and activities. These basic principles of internal audit are
critical to achieve the desired objectives as set out in the Definition
of Internal Audit.
1.2 Scope: All internal audits shall be performed based on these basic
principles, and departures from these principles shall be
appropriately disclosed in internal audit report or other similar
communication.
2.0 Objectives
2.1 The main objective of the basic principles is to ensure that:
(i) All internal audits are conducted with certain fundamental
features designed to:
establish the credibility of the Internal Auditor (principles
mentioned under para. 3.1 to 3.5), and
outline the elements essential for performance of internal
audit activities (principles mentioned under para. 3.6 to
3.10).
(ii) Outcome of internal audits is of quality and is in line with the
set objectives.
3.0 Basic Principles
3.1 Independence
The Internal Auditor shall be free from any undue influences which
force him to deviate from the truth. This independence shall be not
only in mind, but also in appearance. Also, the internal auditor shall
resist any undue pressure or interference in establishing the scope
of the assignments or the manner in which these are conducted and
reported, in case these deviate from set objectives.
The independence of the internal audit function as a whole, and the
Internal Auditor within the organisation, plays a large part in
establishing the independence of the Internal Auditor. The overall
organisation structure of key personnel, the position and reporting of
the Chief Internal Auditor within this structure, along with the powers
Basic Principles of Internal Audit
and authority which is derived from superiors further establishes the
independence of the Internal Auditor.
The reporting of the Internal Auditor shall be to the Board of
Directors, or the Audit Committee, who are responsible to appoint
the Internal Auditors as per Rule 8 of "The Companies (Meetings of
Board and its Powers) Rules, 2014" . Many times the Internal Auditor
has a dual reporting responsibility, wherein the administrative
reporting is to an executive officer (e.g., MD or CEO), but functional
reporting to the Chairman of the Audit Committee, which is the
acceptable norm. Therefore, the internal audit function shall be
positioned outside the functions which are subject to internal audit
(e.g., Finance and Accounts) and the Internal Auditor shall report
directly to the highest governing body of the Company as stated
above.
At times, the Internal Auditor is exposed to a different type of risk to
independence, whereby management seeks active business support
from the Internal Auditor. Apart from providing basic assurance and
advisory inputs, the Internal Auditor is assigned certain operational
responsibilities (such as risk management, compliance, system
automation, process re-engineering, etc.). Although some limited
operational role may be acceptable with due approvals, and for a
short duration, the Internal Auditor shall do so only after
communicating his limitations along the following lines:
(a) Unable to assume ownership or accountability of the process;
and
(b) Inability to take operational decisions which may be subject to
an internal audit later on.
3.2 Integrity and Objectivity
The Internal Auditor shall be honest, truthful and be a person of high
integrity. He shall operate in a highly professional manner and seen
to be fair in all his dealings. He shall avoid all conflicts of interest
and not seek to derive any undue personal benefit or advantage
from his position.
The Internal Auditor shall conduct his work in a highly objective
manner, especially in gathering and evaluation of facts and
evidence. He shall not allow prejudice or bias to override his
objectivity, especially in arriving at conclusions or reporting his
opinion.
2
Basic Principles
3.3 Due Professional Care
The Internal Auditor shall exercise due professional care and
diligence while carrying out the internal audit. "Due professional
care" signifies that the Internal Auditor exercises reasonable care in
carrying out the work to ensure the achievement of planned
objectives.
The Internal Auditor shall pay particular attention to certain key audit
activities, such as establishing the scope of the engagement to
prevent the omission of important aspects, recognizing the risks and
materiality of the areas, having required skills to review complex
matters, establishing the extent of testing required to achieve the
objectives within specified deadlines, etc.
"Due Professional Care", however, neither implies nor guarantees
infallibility, nor does it require the Internal Auditor to go beyond the
established scope of the engagement.
3.4 Confidentiality
The Internal Auditor shall at all times, maintain utmost confidentiality
of all information acquired during the course of the audit work. He
shall not disclose any such information to a party outside the internal
audit function and any disclosure shall be on a "need to know basis".
The Internal Auditor shall keep confidential information secure from
others. Under no circumstance any confidential information shall be
shared with third parties outside the company, without the specific
approval of the Management or Client or unless there is a legal or a
professional responsibility to do so (e.g., to share information with
Statutory Auditors). Internal audit reports shall be addressed to
specified internal auditees and distributed to only those who
appointed or engaged the Internal Auditor and as per their
directions.
3.5 Skills and Competence
The Internal Auditor shall have sound knowledge, strong inter-
personal skills, practical experience and professional expertise in
certain areas and other competence required to conduct a quality
audit. He shall undertake only those assignments for which he has
the requisite competence.
The Internal Auditor shall either have, or shall obtain, such skills and
3
Basic Principles of Internal Audit
competencies, as necessary for the purpose of discharging his
responsibilities. Continuing Professional Education is a key part of
this exercise. In addition to the basic technical skills, the Internal
Auditor shall have the softer skills (such as interpersonal and
communication skills) required to engage with a multitude of stake-
holders.
Where the Internal Auditor lacks certain expertise, he shall procure
the required skills either though in-house experts or through the
services of an outside expert, provided independence is not
compromised. The objective is to ensure that the audit team as a
whole has all the expertise and knowledge required for the area
under review.
3.6 Risk Based Audit
The Internal Auditor shall identify the important audit areas through a
risk assessment exercise and tailor the audit activities such that the
detailed audit procedures are prioritised and conducted over high
risk areas and issues, while less time is devoted to low risk areas
through curtailed audit procedures. Additionally, this approach shall
ensure that risks under consideration are more aligned to the overall
strategic and company objectives rather than narrowly focused on
process objectives.
A risk based audit shall ensure the following three fold objectives:
(a) Audit procedures need not cover the whole process and can
be limited only to the important controls in the process;
(b) Establish linkage to the aspects relevant and connected with
company and functional objectives; and
(c) Findings and issues highlighted are significant and important
and time is not devoted to areas with low probability of
significant observations.
3.7 System and Process Focus
An Internal Auditor shall adopt a system and process focused
methodology in conducting audit procedures. This methodology is
more sustainable than the one adopted to test transactions and
balances as it goes beyond "error detection" to include "error
prevention". It requires a root cause analysis to be conducted on
deviations to identify opportunities for system improvement or
4
Basic Principles
automation, to strengthen the process and prevent a repetition of
such errors.
Deployment of Information Technology by companies is widely
prevalent and should be understood for effective internal audits. This
is a more sustainable approach as this helps the Internal Auditor to
move away from "people to process " and from "detection to
prevention".
3.8 Participation in Decision Making
In conducting internal audit assignments, the Internal Auditor shall
avoid passing any judgement or render an opinion on past
management decisions. As part of his advisory role, the Internal
Auditor shall avoid participation in operational decision making which
may be subject of a subsequent audit.
The focus of the Internal Auditor shall remain with the quality and
operating effectiveness of the decision making process and how
best to strengthen it, such that the chance of flawed or erroneous
decisions is minimised. However, the Internal Auditor is at full liberty
to present the lessons which can be learnt from such past decisions.
3.9 Sensitive to Multiple Stakeholder Interests
The Internal Auditor shall evaluate the implications of his
observations and recommendations on multiple stakeholders,
especially where diverse interests may be conflicting in nature. In
such situations, the Internal Auditor shall remain objective and
present a balanced view. This would permit senior management to
make a decision using all the information and balance the strategy
and objectives of the company with the expectations and interests of
its multiple stakeholders.
3.10 Quality and Continuous Improvement
The quality of the internal audit work shall be paramount for the
Internal Auditor since the credibility of the audit reports depends on
the reliability of reported findings. The Internal Auditor shall have in
place a process of quality control to:
(a) ensure factual accuracy of the observations;
(b) to validate the accuracy of all findings; and
5
Basic Principles of Internal Audit
(c) continuously improve the quality of the internal audit process
and the internal audit reports.
The Internal Auditor shall ensure that a self-assessment mechanism
is in place to monitor his own performance and also that of his
subordinates and external experts on whom he is relying to complete
some part of the audit work. A peer review mechanism for quality
control shall be followed to adhere to all aspects of the
pronouncements issued by the ICAI.
4.0 Effective Date
The Basic Principles of Internal Audit are applicable for all internal
audits beginning on or after a date to be notified by the Council of
the Institute.
6
|