STANDARD ON INTERNAL AUDIT (SIA) 310
PLANNING THE INTERNAL AUDIT
ASSIGNMENT
Contents
Paragraph(s)
Introduction ...................................................................................... 1
Objectives ......................... .............................................................. 2
Requirements .................................................................................... 3
Explanatory Comments ...................................................................... 4
Effective Date ................................................................................... 5
This Standard on Internal Audit (SIA) 310, "Planning the Internal Audit
Assignment", issued by the Council of the Institute of Chartered
Accountants of India should be read in conjunction with the "Preface to
the Standards on Internal Audit", "Framework Go verning Internal
Audits" and "Basic Principles of Internal Audit" issued by the Institute.
Note: This Standard on Internal Audit (SIA) supersedes some part or all of the following
current SIAs (recommendatory in nature):
1. Standard on Internal Audit (SIA) 1, Planning an Internal Audit , issued in August,
2006.
2. Standard on Internal Audit (SIA) 15, Knowledge of the Entity and its Environment ,
issued in March, 2009
1. Introduction
1.1 Internal Audit Planning is conducted at two levels:
(a) An overall internal audit plan for the entire entity is prepared for
a given period of time (usually a year) and presented to the
highest governing body responsible for internal audits,
normally, the Board of Directors, or the Audit Committee.
(b) A number of specific internal audit plans are prepared for
individual assignments to be undertaken covering some part of
the entity and presented to the Chief Internal Auditor.
1.2 This Standard on Internal Audit (SIA) covers the second level, the
"Planning the Internal Audit Assignment " for a particular part of the
entity. Standard on Internal Audit (SIA) 220, covers the first level,
"Conducting Overall Internal Audit Planning" of the entity as a whole.
Planning the Internal Audit Assignment involves the following key
elements:
(a) It is a sub-set of the Overall Internal Audit Plan.
(b) It is undertaken prior to the beginning of a particular
assignment during the plan period.
(c) Assignments are specific to a part of the entity, covering a
particular Auditable Unit1 (location, function, business unit or a
legal entity, including third parties, where relevant).
(d) It is specific in nature, covers the manner in which a particular
audit assignment will be conducted with details of the Auditable
Unit, such as, the business activities or processes to be
audited.
(e) Assignments are, generally, completed during a short period of
time;
(f) It is prepared by the Internal Auditor responsible for the
assignment (or the Engagement Staff where an external service
provider is appointed to conduct internal audits).
1 The subject matter of an audit assignment is referred to as an Auditable Unit.
Standard on Internal Audit (SIA) 310
(g) The outcome of this exercise is, generally, in the form of an
"Internal Audit Assignment Plan".
2. Objectives
2.1 The objectives of an Internal Audit Assignment Plan are as follows:
(a) Ensure its alignment with the objectives of the Overall Internal
Audit (Engagement) Plan and also in line with stakeholder
expectations.
(b) Ensure that the scope, coverage and methodology of the audit
procedures will form a sound basis for providing reasonable
assurance.
(c) Allocate adequate time and resources to important aspects of
the assignment and assign appropriate skills to complex areas
and issues.
(d) Ensure audit procedures are conducted in an efficient and
effective manner.
(e) Ensure the audit assignment will conform with the applicable
pronouncements of the Institute of Chartered Accountants of
India (ICAI).
3. Requirements
3.1 The assignment planning exercise shall follow a laid down process
(refer Para. 4.1), the outcome of which shall be a comprehensive
written document (refer Para. 4.8) containing all the essential
elements required to help achieve the objectives of assignment
planning as outlined under Section 2 above. Technology deployment
(refer Para. 4.6) and resource allocation (refer Para. 4.7) shall form
essential features of the Internal Audit Assignment Plan.
3.2 The Internal Audit Assignment Plan shall be reviewed and approved
by the Chief Internal Auditor (or Engagement Partner, in case of
external service provider).
3.3 A comprehensive knowledge of the Auditable Unit under review, its
business and operating environment, shall be undertaken to determine
the nature of audit procedures and tests to be conducted (refer Para.
4.2). As part of the planning process, a discussion with management
2
Planning the Internal Audit Assignment
and process owners shall be undertaken to understand the intricacies
of each process considered for review (refer Para. 4.3). In addition,
the Internal Auditor shall exchange relevant information (such as
outcome of risk assessment) with the Statutory Auditor to coordinate
the audit work and procedures, as per Standard on Auditing (SA) 610,
"Using the Work of Internal Auditors".
3.4 A risk based planning exercise shall form the basis of the Internal
Audit Assignment Plan. The Internal Auditor shall undertake an
independent risk assessment exercise to prioritise and focus audit
work on high risk areas and processes, with due attention given to
matters of importance, complexity and sensitivity (refer Para. 4.4).
3.5 An audit methodology shall be established (refer Para. 4.5), together
with the depth and nature of audit procedures to be conducted, both of
which shall be documented in an Internal Audit Programme (IAP).
3.6 Certain elements of the Internal Audit Assignment Plan (especially,
those relevant to its effective execution) shall be communicated to the
Auditee and other stakeholders prior to the commencement of the
audit procedures to ensure smooth conduct of the audit.
3.7 The Internal Audit Assignment Plan shall be continuously monitored
during the execution phase for achievement of the objectives and to
identify deviations, if any. Certain deviations may require to be notified
to the stakeholders or even require a formal modification to the plan.
However, any major modification to the plan shall be done only after
consultation with those who approved the original plan. Such changes
shall be formally documented and communicated to all impacted
stakeholders.
4. Explanatory Comments
4.1 The Planning Process (refer Para. 3.1): The Internal Auditor
conducting the Internal Audit Assignment Planning shall use
professional judgement for the process to be followed in completing all
essential planning activities. A documented assignment planning
process shall be in place which stipulates the essential inputs, steps
to complete the planning and the nature of output required to conduct
a comprehensive planning exercise.
3
Standard on Internal Audit (SIA) 310
4.2 Knowledge of the Business and its Environment (refer Para. 3.3):
The Internal Auditor shall gather all the information required to fully
understand the Auditable Unit's business environment, the risks it
faces, the legal and regulatory requirements, the activities conducted
and its day to day operational challenges.
The extent of information required should be sufficient to enable the
internal auditor to identify matters which have a significant effect on
the Auditable Unit's financials and operations. Hence, there is a need
to connect the financial aspects of the Auditable Unit's business with
the entity's business elements, as well as external elements such as
industry dynamics, business model, operational intricacies, legal and
regulatory framework and the system and processes in place to run its
operations.
4.3 Discussion with Management (refer Para. 3.3): A key element of
planning involves extensive discussion and deliberation with all
stakeholders, including Auditable Unit's executive management, risk
owners, process owners, department heads etc. Their inputs are
critical in understanding the intricacies of the assignment, in
identification of matters of relevance and to align stakeholder
expectations with audit objectives.
4.4 Risk Assessment (refer Para. 3.4): An Internal Auditor shall
undertake an independent risk assessment of all aspects of the
Auditable Unit under review and align this with the risk assessment
conducted by management. This is required to prioritise and focus
audit work on high risk parts of the Auditable Unit, with due attention
given to matters of importance, complexity and sensitivity. This
exercise may involve site visits and preliminary surveys of the
Auditable Unit. Based on this exercise, key risk mitigations (or internal
controls) are identified for testing the effectiveness of operation.
Absence of any risk mitigations (or missing controls) could point
towards process design gaps which shall also be validated and
reported.
4.5 Audit Methodology and Depth of Coverage (refer Para. 3.5): The
basic internal audit methodology, generally, undertaken involves the
performance of compliance procedures over transactions and
4
Planning the Internal Audit Assignment
balances so as to identify deviations from the laid down policies and
procedures.
However, the Framework governing Internal Audits, issued by the
ICAI, requires the conduct of risk based audits with a system and
process focus. Therefore, the depth of coverage shall go beyond basic
compliance and could be expanded (for example) as follows:
(a) Application of a basic process review methodology which tests
the design and operating efficiency of internal controls,
questions the process design and explores better and more
efficient ways of transaction processing.
(b) Deploying a risk based process review methodology which
helps to link the internal controls to particular vulnerabilities,
evaluate the effectiveness of internal controls, even question
the process in place and help identify alternative mitigations.
(c) Entity level control review methodology can be deployed to
provide a more holistic evaluation of governance processes
such as organisation culture, organisation structure, oversight
mechanisms and performance measurement.
The Internal Audit Assignment Plan shall align the audit methodology
and depth of coverage (as indicated above) with the assurance to be
provided. A detailed Internal Audit Programme (IAP) is required to
document all the audit procedures to be conducted for each audit
objective in line with the audit methodology adopted.
4.6 Technology Deployment (refer Para. 3.1): A key element of the
internal audit assignment planning exercise involves understanding
the extent to which:
(a) the Auditable Unit has deployed Information Technology (IT) in
its business, operations and transaction processing, especially
if it is unique and different to the overall entity; and
(b) the auditor needs to deploy IT tools, data mining & analytic
procedures, and the expertise required for conducting the audit
activities and testing procedures.
This helps to design and plan the audit and testing procedures more
efficiently and effectively.
5
Standard on Internal Audit (SIA) 310
4.7 Resource Allocation (refer Para. 3.1): The Internal Auditor shall
prepare a detailed work schedule to estimate the time required for
each audit procedure depending on the audit attention it deserves (on
the basis of risk assessment) and map this with the competencies
(knowledge, experience, expertise etc.) of the resources available to
ensure proper resource availability and allocation.
4.8 Documentation: To confirm compliance of audit procedures with the
SIA, all key steps undertaken in the planning process shall be
adequately documented to confirm their proper completion.
Essential documentation shall be as follows:
(a) Planning Process documentation (or Checklists) and any tools
used in the planning process.
(b) Documentation supporting the information gathered about the
Auditable Unit's business and operations, systems and
processes and past or known issues.
(c) Summary of meetings and communication with key
stakeholders, with a summary of their inputs.
(d) Risk Assessment documentation and a Summary of risk
mitigating controls deployed.
(e) Summary of available resources, their competencies and the
proper matching of their skills with the audit requirements.
(f) Detailed Internal Audit Programme (IAP) which lists the specific
testing procedures to be conducted for each audit objective.
(g) The final Internal Audit Assignment Plan, duly approved by the
Chief Internal Auditor.
5. Effective Date
5.1 This Standard is applicable for internal audits beginning on or after a
date to be notified by the Council of the Institute.
6
|