STANDARD ON INTERNAL AUDIT (SIA) 11
    CONSIDERATION OF FRAUD IN AN INTERNAL AUDIT*

Contents
                                                                        Paragraph(s)
Introduction .........................................................................1-3
Common Fraud Situations ...................................................... 4
Internal Control System ....................................................... 5-6
Elements of Internal Control System .................................. 7-12
Responsibilities of the Internal Auditor.............................. 13-18
        Control Environment ...................................................... 14
        Risk Assessment ........................................................... 15
        Information System and Communication ......................... 16
        Control Activities ............................................................ 17
        Monitoring...................................................................... 18
Communication of Fraud....................................................... 19
Documentation ..................................................................... 20
Effective Date....................................................................... 21

     The following is the text of the Standard on Internal Audit
     (SIA) 11, Consideration of Fraud in an Internal Audit, issued
     by the Council of the Institute of Chartered Accountants of
     India. These Standards should be read in conjunction with the
     Preface to the Standards on Internal Audit, issued by the
     Institute.
     In terms of the decision of the Council of the Institute of
     Chartered Accountants of India taken at its 260 th meeting held
     in June 2006, the following Standard on Internal Audit shall be
     recommendatory in nature in the initial period. The Standards
     shall become mandatory from such date as notified by the
     Council.

    Published in the January, 2009 issue of The Chartered Accountant.
*
Standard on Internal Audit (SIA) 11

Introduction
1.   Fraud is defined as an intentional act by one or more individuals among
     management, those charged with governance, or third parties, involving
     the use of deception to obtain unjust or illegal advantage. A fraud could
     take form of misstatement of an information (financial or otherwise) or
     misappropriation of the assets of the entity.

2.   The primary responsibility for prevention and detection of frauds rests with
     management and those charged with governance. They achieve this by
     designing, establishing and ensuring continuous operation of an effective
     system of internal controls.

3.   Paragraph 6 of the Standard on Internal Audit (SIA) 2, Basic Principles
     Governing Internal Audit, states as follows:

     "The internal auditor should exercise due professional care,
     competence and diligence expected of him while carrying out the
     internal audit. Due professional care signifies that the internal auditor
     exercises due professional care in carrying out the work entrusted to him in
     terms of deciding on aspects such as the extent of work required to
     achieve the objectives of the engagement, relative complexity and
     materiality of the matters subjected to internal audit, assessment of risk
     management, control and governance processes and cost benefit analysis.
     Due professional care, however, neither implies nor guarantees infallibility,
     nor does it require the internal auditor to travel beyond the scope of his
     engagement."

     An internal auditor should, therefore, use his knowledge and skills to
     reasonably enable him to identify indicators of frauds. However, the
     internal auditor cannot be expected to possess the expertise of a person
     with specialized knowledge and skills in detecting and investigating frauds.

Common Fraud Situations
4.   A fraud normally occurs in situations where there is an incentive or a
     pressure to commit fraud, an opportunity to commit fraud or a

                                       2
                               Consideration of Fraud in an Internal Audit

     rationalisation for committing fraud. Although, normally, an internal
     auditor is not expected to possess skills and knowledge of a person
     expert in detecting and investigating frauds, he should, however,
     have reasonable knowledge of factors that might increase the risk of
     opportunities for frauds in an entity and exercise reasonable care
     and professional skepticism while carrying out internal audit. In
     addition, the understanding of the design and implementation of the
     internal controls in an entity would also help the internal auditor to assess
     the risk of frauds.






Internal Control System
5.   Internal control refers to the process designed, implemented and
     maintained by the management of the entity to ensure accomplishment of
     its following objectives:

          Reliability of financial reporting;
          Efficiency and effectiveness in operations;
          Compliance with applicable laws and regulations; and
          Safeguarding of assets.

     The design and the manner of implementation and maintenance of internal
     controls varies with the size and complexity of the entity.

6.   Internal controls can, however, provide only reasonable assurance to the
     entity with regard to accomplishments of its objectives stated in paragraph
     5 above since any system of internal control is subject to inherent
     limitations such as faulty human judgment, ineffective use of the
     information generated for the purpose of internal controls, collusion among
     two or more persons, management override of controls, faulty design of
     controls, management judgments as to nature and extent of risks it wants
     to assume, etc.




                                         3
Standard on Internal Audit (SIA) 11

Elements of Internal Control System
7.   A system of internal control comprise of following five elements:

            the control environment;
            entity's risk assessment process;
            information system and communication;
            control activities; and
            monitoring of controls.

     It is essential for the internal auditor to gain an understanding of the
     components of the system of internal control. These components have
     been discussed in the following paragraphs.

8.   The control environment sets the tone at the top in an entity and greatly
     impacts the effectiveness of internal controls. It includes the following:
            the policies and procedures established by the management to
            communicate and enforce the culture of integrity and ethical values
            in the entity.
            management's commitment to competence.
            management's philosophy and operating style.
            organizational structure.
            assignment of authority and responsibility.
            human resources policies and practices.

9.   The entity's risk assessment process includes the policies and procedures
     adopted by the management to identify risks that can affect the
     achievement of the objectives of the entity and to distinguish risks from
     opportunities. In the context of prevention of frauds, the entity's risk
     assessment process would include the policies and procedures of the
     management to identify and assess the risk of frauds, including the
     possibility of fraudulent financial reporting and misappropriation of assets.

                                        4
                              Consideration of Fraud in an Internal Audit

10.   The information system and communication refers to the policies and
      procedures established by the management to identify, capture and
      communicate relevant information to the concerned persons in the entity
      to enable them to make timely and effective decisions and discharge their
      responsibilities efficiently. In the context of frauds, such policies and
      procedures could take form of whistleblower policies and mechanisms,
      ethics helplines and counseling, training of employees, etc.

11.   The control activities refer to the policies and procedures established by
      the management to ensure that the risks identified are responded to as
      per the policy or the specific decision of the management, as the case
      may be. In the context of frauds, the control activities include actions
      taken by management to prevent or detect and correct the frauds or
      breach of internal controls.

12.   Monitoring refers to continuous supervision and assessment of the internal
      controls to identify instances of any actual or possible breaches therein
      and to take corrective action on a timely basis.

Responsibilities of the Internal Auditor
13.   As discussed in paragraph 2, the primary responsibility for prevention and
      detection of frauds is that of the management of the entity. The internal
      auditor should, however, help the management fulfill its
      responsibilities relating to fraud prevention and detection. The
      following paragraphs discuss the approach of the internal auditor
      regarding this.

Control Environment

14.   The internal auditor should obtain an understanding of the various
      aspects of the control environment and evaluate the same as to the
      operating effectiveness.

Risk Assessment

15.   The internal auditor should obtain an understanding of the policies
      and procedures adopted by the management to identify risks that

                                      5
Standard on Internal Audit (SIA) 11

      can affect the achievement of the objectives of the entity and to
      distinguish risks from opportunities and evaluate the effectiveness
      of these policies and procedures. In the context of prevention of
      frauds, the internal auditor should specifically evaluate the policies
      and procedures established by the management to identify and
      assess the risk of frauds, including the possibility of fraudulent
      financial reporting and misappropriation of assets.

Information System and Communication

16.   The internal auditor should assess the operating effectiveness of the
      policies and procedures established by the management to identify,
      capture and communicate relevant information to the concerned
      persons in the entity to enable them to make timely and effective
      decisions and discharge their responsibilities efficiently.

Control Activities






17.   The internal auditor should assess whether the controls
      implemented by the management to ensure that the risks identified
      are responded to as per the policy or the specific decision of the
      management, as the case may be, are in fact working effectively and
      whether they are effective in prevention or timely detection and
      correction of the frauds or breach of internal controls.

Monitoring

18.   The internal auditor should evaluate the mechanism in place for
      supervision and assessment of the internal controls to identify
      instances of any actual or possible breaches therein and to take
      corrective action on a timely basis.

Communication of Fraud
19.   The internal auditor should carefully review and assess the
      conclusions drawn from the audit evidence obtained, as the basis for
      his findings contained in his report and suggest remedial action.
      However, in case the internal auditor comes across any actual or
                                     6
                               Consideration of Fraud in an Internal Audit

      suspected fraud or any other misappropriation of assets, he should
      immediately bring the same to the attention of the management.

Documentation
20.   The internal auditor should document fraud risk factors identified as
      being present during the internal auditor's assessment process and
      document the internal auditor's response to any other factors. If
      during the performance of the internal audit fraud risk factors are
      identified that cause the internal auditor to believe that additional
      internal audit procedures are necessary, the internal auditor should
      document the same.
Effective Date
21.   This Standard on Internal Audit is effective for all internal audits beginning
      on or after __________________. Earlier application of the Standard is
      encouraged.




                                        7