STANDARD ON INTERNAL AUDIT (SIA) 11
CONSIDERATION OF FRAUD IN AN INTERNAL AUDIT*
Contents
Section: Paragraph(s)
Introduction: 1-3
Common Fraud Situations: 4
Internal Control System: 5-6
Elements of Internal Control System: 7-12
Responsibilities of the Internal Auditor: 13-18
    Control Environment: 14
    Risk Assessment: 15
    Information System and Communication: 16
    Control Activities: 17
    Monitoring: 18
Communication of Fraud: 19
Documentation: 20
Effective Date: 21
The following is the text of the Standard on Internal Audit
(SIA) 11, Consideration of Fraud in an Internal Audit, issued
by the Council of the Institute of Chartered Accountants of
India. These Standards should be read in conjunction with the
Preface to the Standards on Internal Audit, issued by the
Institute.
In terms of the decision of the Council of the Institute of
Chartered Accountants of India taken at its 260th meeting held
in June 2006, the following Standard on Internal Audit shall be
recommendatory in nature in the initial period. The Standards
shall become mandatory from such date as notified by the
Council.
* Published in the January, 2009 issue of The Chartered Accountant.
Introduction
1. Fraud is defined as an intentional act by one or more individuals among
management, those charged with governance, or third parties, involving
the use of deception to obtain unjust or illegal advantage. A fraud could
take the form of misstatement of information (financial or otherwise) or
misappropriation of the assets of the entity.
2. The primary responsibility for prevention and detection of frauds rests with
management and those charged with governance. They achieve this by
designing, establishing and ensuring continuous operation of an effective
system of internal controls.
3. Paragraph 6 of the Standard on Internal Audit (SIA) 2, Basic Principles
Governing Internal Audit, states as follows:
"The internal auditor should exercise due professional care,
competence and diligence expected of him while carrying out the
internal audit. Due professional care signifies that the internal auditor
exercises due professional care in carrying out the work entrusted to him in
terms of deciding on aspects such as the extent of work required to
achieve the objectives of the engagement, relative complexity and
materiality of the matters subjected to internal audit, assessment of risk
management, control and governance processes and cost benefit analysis.
Due professional care, however, neither implies nor guarantees infallibility,
nor does it require the internal auditor to travel beyond the scope of his
engagement."
An internal auditor should, therefore, use his knowledge and skills to
reasonably enable him to identify indicators of frauds. However, the
internal auditor cannot be expected to possess the expertise of a person
with specialized knowledge and skills in detecting and investigating frauds.
Common Fraud Situations
4. A fraud normally occurs in situations where there is an incentive or a
pressure to commit fraud, an opportunity to commit fraud or a
rationalisation for committing fraud. Although, normally, an internal
auditor is not expected to possess skills and knowledge of a person
expert in detecting and investigating frauds, he should, however,
have reasonable knowledge of factors that might increase the risk of
opportunities for frauds in an entity and exercise reasonable care
and professional skepticism while carrying out internal audit. In
addition, the understanding of the design and implementation of the
internal controls in an entity would also help the internal auditor to assess
the risk of frauds.
Internal Control System
5. Internal control refers to the process designed, implemented and
maintained by the management of the entity to ensure accomplishment of
its following objectives:
• Reliability of financial reporting;
• Efficiency and effectiveness in operations;
• Compliance with applicable laws and regulations; and
• Safeguarding of assets.
The design and the manner of implementation and maintenance of internal
controls vary with the size and complexity of the entity.
6. Internal controls can, however, provide only reasonable assurance to the
entity with regard to accomplishment of its objectives stated in paragraph
5 above since any system of internal control is subject to inherent
limitations such as faulty human judgment, ineffective use of the
information generated for the purpose of internal controls, collusion among
two or more persons, management override of controls, faulty design of
controls, management judgments as to nature and extent of risks it wants
to assume, etc.
Elements of Internal Control System
7. A system of internal control comprises the following five elements:
• the control environment;
• entity's risk assessment process;
• information system and communication;
• control activities; and
• monitoring of controls.
It is essential for the internal auditor to gain an understanding of the
components of the system of internal control. These components have
been discussed in the following paragraphs.
8. The control environment sets the tone at the top in an entity and greatly
impacts the effectiveness of internal controls. It includes the following:
• the policies and procedures established by the management to
  communicate and enforce the culture of integrity and ethical values
  in the entity.
• management's commitment to competence.
• management's philosophy and operating style.
• organizational structure.
• assignment of authority and responsibility.
• human resources policies and practices.
9. The entity's risk assessment process includes the policies and procedures
adopted by the management to identify risks that can affect the
achievement of the objectives of the entity and to distinguish risks from
opportunities. In the context of prevention of frauds, the entity's risk
assessment process would include the policies and procedures of the
management to identify and assess the risk of frauds, including the
possibility of fraudulent financial reporting and misappropriation of assets.
10. The information system and communication refers to the policies and
procedures established by the management to identify, capture and
communicate relevant information to the concerned persons in the entity
to enable them to make timely and effective decisions and discharge their
responsibilities efficiently. In the context of frauds, such policies and
procedures could take the form of whistleblower policies and mechanisms,
ethics helplines and counseling, training of employees, etc.
11. The control activities refer to the policies and procedures established by
the management to ensure that the risks identified are responded to as
per the policy or the specific decision of the management, as the case
may be. In the context of frauds, the control activities include actions
taken by management to prevent or detect and correct the frauds or
breach of internal controls.
12. Monitoring refers to continuous supervision and assessment of the internal
controls to identify instances of any actual or possible breaches therein
and to take corrective action on a timely basis.
Responsibilities of the Internal Auditor
13. As discussed in paragraph 2, the primary responsibility for prevention and
detection of frauds is that of the management of the entity. The internal
auditor should, however, help the management fulfill its
responsibilities relating to fraud prevention and detection. The
following paragraphs discuss the approach of the internal auditor
regarding this.
Control Environment
14. The internal auditor should obtain an understanding of the various
aspects of the control environment and evaluate the same as to the
operating effectiveness.
Risk Assessment
15. The internal auditor should obtain an understanding of the policies
and procedures adopted by the management to identify risks that
can affect the achievement of the objectives of the entity and to
distinguish risks from opportunities and evaluate the effectiveness
of these policies and procedures. In the context of prevention of
frauds, the internal auditor should specifically evaluate the policies
and procedures established by the management to identify and
assess the risk of frauds, including the possibility of fraudulent
financial reporting and misappropriation of assets.
Information System and Communication
16. The internal auditor should assess the operating effectiveness of the
policies and procedures established by the management to identify,
capture and communicate relevant information to the concerned
persons in the entity to enable them to make timely and effective
decisions and discharge their responsibilities efficiently.
Control Activities
17. The internal auditor should assess whether the controls
implemented by the management to ensure that the risks identified
are responded to as per the policy or the specific decision of the
management, as the case may be, are in fact working effectively and
whether they are effective in prevention or timely detection and
correction of the frauds or breach of internal controls.
Monitoring
18. The internal auditor should evaluate the mechanism in place for
supervision and assessment of the internal controls to identify
instances of any actual or possible breaches therein and to take
corrective action on a timely basis.
Communication of Fraud
19. The internal auditor should carefully review and assess the
conclusions drawn from the audit evidence obtained, as the basis for
his findings contained in his report and suggest remedial action.
However, in case the internal auditor comes across any actual or
suspected fraud or any other misappropriation of assets, he should
immediately bring the same to the attention of the management.
Documentation
20. The internal auditor should document fraud risk factors identified as
being present during the internal auditor's assessment process and
document the internal auditor's response to any other factors. If
during the performance of the internal audit fraud risk factors are
identified that cause the internal auditor to believe that additional
internal audit procedures are necessary, the internal auditor should
document the same.
Effective Date
21. This Standard on Internal Audit is effective for all internal audits beginning
on or after __________________. Earlier application of the Standard is
encouraged.