STANDARD ON INTERNAL AUDIT (SIA) 220
CONDUCTING OVERALL INTERNAL AUDIT
PLANNING
Contents
                                        Paragraph(s)
Introduction ............................ 1
Objectives .............................. 2
Requirements ............................ 3
Explanatory Comments .................... 4
Effective Date .......................... 5
This Standard on Internal Audit (SIA) 220, "Conducting Overall Internal
Audit Planning," issued by the Council of the Institute of Chartered
Accountants of India should be read in conjunction with the "Preface to
the Standards on Internal Audit," "Framework Governing Internal
Audits" and "Basic Principles of Internal Audit" issued by the Institute.
Note: This Standard on Internal Audit (SIA) supersedes some part or all of the following
current SIAs (recommendatory in nature):
1. Standard on Internal Audit (SIA) 1, Planning an Internal Audit, issued in August,
2006.
2. Standard on Internal Audit (SIA) 15, Knowledge of the Entity and its Environment,
issued in March, 2009.
1. Introduction
1.1 Internal audit planning is conducted at two levels:
(a) An overall internal audit plan for the entire entity is prepared for
a given period of time (usually a year) and presented to the
highest governing body responsible for internal audits,
normally, the Board of Directors, or the Audit Committee.
(b) A number of specific internal audit plans are prepared for
individual assignments to be undertaken covering some part of
the entity and presented to the Chief Internal Auditor.
1.2 This Standard on Internal Audit (SIA) covers the first level of planning,
"Conducting Overall Internal Audit Planning" for the entity as a whole.
Standard on Internal Audit (SIA) 310 deals with "Planning of Internal
Audit Assignments" for a particular part of the entity.
1.3 In the case of Companies under Companies Act, 2013, it is a legal
requirement for the Audit Committee or its Board of Directors to
formulate the overall internal audit plan of the company. Companies
(Accounts) Rule 13(2) of Companies Act, 2013 provides as under:
"The Audit Committee of the company or the Board shall, in
consultation with the Internal Auditor, formulate the scope,
functioning, periodicity, and methodology for conducting the
internal audit."
The Audit Committee or the Board takes the active support of the
Chief Internal Auditor, to develop the Overall Internal Audit Plan, in
consultation with the Executive Management.
1.4 Conducting the Overall Internal Audit Planning involves the following
key elements:
(a) It is undertaken prior to the beginning of the plan period
(generally, the financial year).
(b) It is comprehensive in nature covering the entire entity.
(c) It is directional in nature and considers all the Auditable Units
(i.e., locations, functions, business units and legal entities
including third parties, where relevant), along with the
periodicity of the assignments to be undertaken during the plan
period.
(d) It is normally prepared by the Chief Internal Auditor (or the
Engagement Partner, where an external service provider is
appointed to conduct internal audits).
(e) The outcome of this exercise is an "Overall Internal Audit Plan"
(or the "Audit Engagement Plan," if outsourced).
1.5 Scope: This SIA deals with the Internal Auditor's responsibility to
prepare the Overall Internal Audit Plan, also referred to as the Annual
Internal Audit (Engagement) Plan. Where only part of the internal audit
activity is outsourced, this SIA shall apply to the extent the Internal
Auditor needs to plan the activities of the outsourced part of the
engagement only, as defined in their terms of engagement, which
shall also clarify the extent of the planning responsibilities.
2. Objectives
2.1 The objectives of an Overall Internal Audit (Engagement) Plan are to:
(a) ensure that the planned internal audits are in line with the
objectives of the internal audit function, as per the internal
audit charter of the entity (and terms of engagement, where it is
an outsourced engagement) and also in line with the overall
objectives of the organisation.
(b) align the organisation's risk assessment with the effectiveness
of the risk mitigation implemented through internal controls.
(c) confirm and agree with those charged with governance the
broad scope, methodology and depth of coverage of the
internal audit work to be undertaken in the defined time-period.
(d) ensure that overall resources are adequate, skilled and
deployed with focus in areas of importance, complexity and
sensitivity.
(e) ensure that the audits undertaken conform at all times with the
applicable pronouncements of the Institute of Chartered
Accountants of India.
3. Requirements
3.1 The planning exercise shall follow a laid down process (Para. 4.1), the
outcome of which shall be a written document (Para. 4.8) containing
all the essential elements required to help achieve the objectives of
the plan as outlined under Paragraph 2 above. Technology
deployment (Para. 4.6) and resource allocation (Para. 4.7) shall form
essential elements of the overall internal audit plan.
3.2 The overall internal audit plan shall be reviewed and approved by the
highest governing body responsible for internal audits, normally, the
Board of Directors, or the Audit Committee.
3.3 Knowledge of the entity, its business and operating environment shall
be undertaken to determine the types of audit assignment which could
be conducted (Para. 4.2). As part of the planning process, a
discussion with management and other stakeholders shall be
undertaken to understand the intricacies of each auditable unit subject
to audit (Para. 4.3).
3.4 An Audit Universe shall be prepared prior to establishing the scope of
the overall internal audit plan (Para. 4.4). The scope shall be
consistent with the goals and objectives of the internal audit function
(and terms of engagement, where it is an outsourced engagement) as
listed in the internal audit charter. The scope shall also be in line with
the nature and extent of the assurance to be provided.
3.5 A risk based planning exercise shall form the basis of the overall
internal audit plan. The Internal Auditor shall undertake an
independent risk assessment exercise to prioritise and focus the audit
work on high risk areas, with due attention to matters of importance,
complexity and sensitivity (Para. 4.5).
3.6 The Audit Universe and the overall internal audit plan shall be
continuously monitored during the execution phase for achievement of
the objective and to identify any deviations. Certain deviations may
require to be notified to the stakeholders or even require a formal
modification to the plan. However, any significant modification to the
plan shall be done only after consultation with those who approved the
original plan. Such changes shall be formally documented, including
reasons for the change, and communicated to all impacted
stakeholders.
4. Explanatory Comments
4.1 The Planning Process (refer Para. 3.1): The Internal Auditor
conducting the overall internal audit planning shall use professional
judgement for the process to be followed in completing all essential
planning activities. A documented planning process shall be in place
which stipulates the essential inputs, steps to complete the planning
and the nature of output required to conduct a comprehensive
planning exercise.
4.2 Knowledge of the Business and its Environment (refer Para. 3.3):
The Internal Auditor shall gather all the information required to fully
understand the entity's business environment, the risks it faces and its
operational challenges.
The extent of information required shall be sufficient to enable the
Internal Auditor to identify matters which have a significant effect on
the organisation's financials. Hence, there is a need to connect the
financial aspects of the business with other business elements, such
as industry dynamics, company's business model, operational
intricacies, legal and regulatory environment, and the system and
processes in place to run its operations.
4.3 Discussion with Management and Stakeholders (refer Para. 3.3):
A key element of planning involves extensive discussion and
deliberation with all stakeholders, including executive management,
risk owners, process owners, statutory auditors etc. Their inputs are
critical in understanding the intricacies of each assignment under
consideration, in identification of important matters of relevance and to
align stakeholder expectations with audit objectives.
4.4 Audit Universe and Scope of Coverage (refer Para. 3.4): Prior to
defining the scope of internal audit, a complete identification of all the
Auditable Units (locations, functions, business units, legal entities,
including third parties where relevant) of the organisation shall be
made. This list of all the Auditable Units is, generally, referred to as
the "Audit Universe". It covers every conceivable audit assignment
which could be taken up for review during the plan period. The audit
universe helps to ensure that the audit scope does not overlook any
Auditable Unit. It forms the basis from which the overall internal audit
plan is derived by consciously excluding certain units or areas from
the scope, for justifiable reasons, such as low risk.
The internal audit objectives and the nature of assurance to be
provided will also help to establish the scope of internal audit. On
certain occasions, especially in the case of outsourced engagements,
the management may define or mandate the scope and may even
restrict the coverage of certain areas or transactions. When finalising
the scope, it is important to clearly highlight any scope limitations in
the internal audit plan as part of the communication to the approving body,
such as, the Audit Committee.
4.5 Risk Assessment (refer Para. 3.5): The internal auditor shall
undertake an independent risk assessment of all the Auditable Units
identified in the Audit Universe and align this with the risk assessment
conducted by the management and the statutory auditor. This is
required to prioritise and focus audit work on high risk areas, with due
attention to matters of importance, complexity and sensitivity.
The internal auditor may also plan to undertake a dedicated audit of
the company's Risk Management Framework and processes, as a
separate review or assignment.
4.6 Technology Deployment (refer Para. 3.1): A key element of the
overall internal audit planning exercise involves understanding the
extent to which:
(a) the entity has deployed information technology (IT) in its
business, operations and transaction processing, and
(b) the auditor needs to deploy IT tools, data mining and analytic
procedures, and the expertise required for conducting the audit
activities and testing procedures.
This helps to design and plan the audit more efficiently and effectively.
4.7 Resource Allocation (refer Para. 3.1): The Internal Auditor shall
prepare a detailed work schedule to estimate the time required for
each audit assignment depending on the audit attention it deserves
(on the basis of risk assessment) and map this with the
competencies (knowledge, experience, expertise, etc.) of the
resources available. The requirements are then matched with the
limited resources available to:
(a) finalise the scope and depth of coverage of audit assignments;
(b) identify any critical skills/expertise gaps in audit team; and/or
(c) seek other means of acquiring additional resources required
(internal or external sourcing).
4.8 Documentation: To confirm compliance of audit procedures with the
SIA, all key steps undertaken in the planning process shall be
adequately documented to confirm their proper completion.
Essential documentation shall be as follows:
(a) Information gathered about the business and its operations,
systems and processes and past or known issues.
(b) Audit Universe and summary of Auditable Units.
(c) Summary of meetings and communication with key
stakeholders, with a summary of their inputs.
(d) Risk assessment documentation.
(e) Summary of available resources, their competencies and the
proper matching of their skills with the audit requirements.
(f) Final overall internal audit plan, duly approved by the
competent authorities.
5. Effective Date
5.1 This Standard is applicable for internal audits beginning on or after a
date to be notified by the Council of the Institute.