EXPOSURE DRAFT
FRAMEWORK GOVERNING INTERNAL AUDITS*
(Last date for comments January 17, 2018)
The Internal Audit Standards Board of The Institute of Chartered Accountants of
India (ICAI) invites comments on the proposed Framework Governing Internal
Audits.
Comments are most helpful if they indicate a clear rationale and, where applicable,
provide a suggestion for alternative wording. Comments can be e-mailed to
cia@icai.in; iasb.program@icai.in. The last date for sending comments is January 17, 2018.
* The Framework for the Standards on Internal Audit was originally issued in August 2007 and was
recommendatory in nature. It is now being revised and would be mandatory from its effective date.
FRAMEWORK GOVERNING INTERNAL AUDITS
Contents
Paragraph(s)
Introduction and Scope ........ 1
Objective ........ 2
Definition of Internal Audit ........ 3
The Framework ........ 4
Components of the Framework ........ 5
Effective Date ........ 6
1.0 INTRODUCTION AND SCOPE
1.1 Internal audits are conducted within a defined framework that lays down the
boundaries and identifies, in a broad manner, how the internal audit activity is
performed. This framework provides the required clarity on key components
of the audit activity and helps aggregate all aspects of the internal audit
process in a cohesive manner thereby ensuring standardisation of key
requirements governing internal audit assignments.
1.2 Scope: All activities of an internal audit life cycle are included, such as,
scoping and planning, gathering & review of evidence, fieldwork testing,
physical observations, documentation, using the work of other experts,
evaluating controls and systems, communication and reporting of results.
2.0 OBJECTIVE
2.1 The main objective of a framework is:
(i) To provide clarity on key components which govern the overall internal
audit process and how it's conducted;
(ii) To ensure that all internal audits are performed by deploying certain
basic principles, designed to ensure high quality of outcome;
(iii) To provide a high degree of comfort to the auditee on the reliability of
the assurance provided or advice given; and
(iv) To provide high credibility to the internal audit reports and other
communications issued by the internal auditor.
2.2 The overall objective of the Framework is to promote professionalism in the
conduct of an internal audit assignment by the internal auditor and to ensure
basic minimum standards of quality worthy of the qualification of the internal
auditor and to promote the credibility of the internal audit report issued.
3.0 DEFINITION OF INTERNAL AUDIT*
3.1 An Internal Audit is defined as follows:
"Internal audit provides independent assurance on effectiveness of internal controls,
risk management processes and contributes to enhancing governance for achieving
organizational objectives."
3.2 A brief explanation of the key terms used above is as follows:
(i) Independence: Internal audit should be an independent function,
achieved through the position, organization structure and reporting of
the internal auditor.
* This definition is currently in Exposure Draft stage and may get modified prior to finalisation.
(ii) Internal controls and risk management are an integral part of
management function and business operations. An internal auditor is
expected to evaluate the design and operating effectiveness of internal
controls and risk management processes (including reporting processes)
as designed and implemented by the management.
(iii) Governance is a set of relationships between the company and its various
stakeholders and provides the structure through which the company's
objectives are set, and the constant performance monitoring required to
help attain them.
(iv) Organizational objectives incorporate the interests of all stakeholders and
include compliance with internal policies and procedures and laws and
regulations.
(v) Advisory role: At certain times, in addition to providing assurance, the
internal auditor may adopt an advisory role to help an organization
achieve its objectives, provided this does not compromise the
independence of the internal auditor.
3.3 This definition forms the basis of all the Standards on Internal Audit (SIA)
issued by the IASB. Hence, all internal audit activities are conducted applying
the above definition as a basis.
4.0 THE FRAMEWORK
4.1 The Framework governing Internal Audits comprises four key components,
all directed at establishing the credibility of the Internal Auditor and the
manner in which the Internal Audit Process is executed. All the components
are inherent in the whole internal audit process and implicitly form part of the
SIAs, even though they may not be mentioned explicitly in the SIAs.
4.2 The key components of the framework are as follows:
(i) Code of Ethics;
(ii) Basic Principles governing an Internal Audit:
Independence;
Integrity & Objectivity;
Due professional care;
Confidentiality;
Skills and Competence;
Risk based approach;
Systems & process focus;
Participation in decision making;
Concern for multiple stakeholders; and
Quality and continuous improvement.
(iii) Internal Audit Charter; and
(iv) Compliance with IASB Pronouncements.
Each of these components is fully explained in the next Section.
5.0 COMPONENTS OF THE FRAMEWORK
5.1 The Code of Ethics
Every internal auditor is bound by a written code of ethics, issued by an
organisation and/or the institute of his qualification. This commits the internal
auditor to ethical standards applied with utmost integrity and sincerity.
A member of the Institute of Chartered Accountants of India, carrying out an
internal audit activity, is additionally governed by:
(a) the requirements of the Chartered Accountants Act, 1949;
(b) the Code of Ethics issued by the Institute of Chartered Accountants of
India; and
(c) other relevant pronouncements of the Institute of Chartered Accountants
of India.
One of these requirements includes the need to obtain a no objection certificate
from the previous internal auditor at the time of changeover.
5.2 Basic Principles governing an Internal Audit:
There is a set of fundamental principles which govern internal audit to
ensure the achievement of desired objectives in the best possible manner.
The ten basic principles listed below are designed to establish the
credibility of the internal auditor (first five principles) and the manner in
which the internal auditor is expected to perform his duties (last five
principles).
5.2.1 Independence
The Internal Auditor should be free from any undue influences which force
him to deviate from the truth. He should be independent not only in mind but
also in appearance. Hence he should not undertake any assignment which
might appear to be in conflict with his independence or jeopardise his
objectivity. Also, there should be no external pressure or interference on the
internal auditor in establishing the scope of his assignments, the manner in
which he conducts his work or reports his findings.
The independence of the internal audit function as a whole, as placed within
the organisation also plays a large part in establishing the independence of the
internal auditor. The overall organisation structure of key personnel, the
position and reporting of the Chief Internal Auditor within this structure
along with the powers and authority which he derives from his superiors
helps to further establish his independence.
The Internal Audit function should be positioned outside of the functions
which are subject to internal audit and ideally, the Chief Internal Auditor
should report directly to the highest governing authority of the Company
(generally the Chairman of the Board Audit Committee). However, many
times the Chief Internal Auditor has a dual reporting responsibility, wherein
he administratively reports to an executive officer (e.g., MD or CEO), but
functionally to the Chairman of the Audit Committee, which is also
acceptable.
Sometimes the internal auditor is exposed to a different type of risk to his
independence, whereby management seeks active business support from the
internal auditor. Apart from providing basic assurance and advisory inputs,
he is assigned certain operational responsibilities (such as risk management,
compliance, system automation, process re-engineering, etc.). Although some
limited operational role may be acceptable for a short duration of time, the
Internal Auditor should do so only after defining his limitations along the
following lines:
(a) Inability to assume ownership or accountability of the process; and
(b) Inability to take operational decisions which may be subject to an audit
later on.
5.2.2 Integrity & Objectivity
The internal auditor should be honest, truthful and a person of high integrity.
He must operate in a highly professional manner and be seen to be fair in all his
dealings. He should not seek to derive any undue personal benefit from his
position or in the performance of his duty.
He must conduct his work in a highly objective manner, especially in the
gathering and evaluation of facts and evidence. He must not allow
prejudice or bias to override his objectivity, especially in arriving at
conclusions.
5.2.3 Due Professional Care
The internal auditor should exercise due professional care and diligence
expected of him while carrying out the internal audit. Due professional care
signifies that the internal auditor exercises reasonable care in carrying out the
work entrusted to him to ensure the achievement of planned objectives.
The internal auditor has to pay particular attention to certain key aspects, such
as establishing the scope of the engagement so as not to miss out any
important aspects, recognizing the risks and materiality of the areas, having
required skills to review complex matters, establishing the extent of testing
required to achieve the objectives, etc.
Due professional care, however, neither implies nor guarantees infallibility,
nor does it require the internal auditor to go far beyond the established scope
of the engagement.
5.2.4 Confidentiality
The internal auditor should, at all times, maintain the utmost confidentiality of
all information acquired during the course of his audit work. He should not
disclose any such information to a party outside of the Internal Audit function
and that also on a "need to know basis".
The internal auditor should keep confidential information away from other
employees of the entity and under no circumstances should confidential
information be shared with third parties outside of the company, without the
specific authority of the management/client or unless there is a legal or a
professional responsibility to do so (e.g., to share information with Statutory
Auditors). Internal audit reports should be addressed to specified internal
auditees and distributed to only those who appointed/engaged the Internal
Auditor services.
5.2.5 Skills and Competence
The internal auditor should have sound knowledge, strong inter-personal
skills, practical experience, expertise in certain areas and other competence
required to conduct a high-quality audit. He should undertake only those
assignments for which he has the requisite competence.
The internal auditor should either have, or obtain, such skills and competence,
as necessary for the purpose of discharging his responsibilities. Continuing
Professional Education is a key part of this exercise. In addition to the basic
technical skills, the internal auditor should have the softer skills (such as
interpersonal/communication skills) required to engage with a multitude of
stake-holders.
Where the internal auditor believes he is lacking in certain expertise, he is
expected to procure the required skills either through in-house experts or
through the services of an outside expert, provided their independence is not
compromised. The key is to ensure that the audit team as a whole has all the
expertise and knowledge of the area under review.
5.2.6 Risk based approach
Risk based internal audits are designed to link the audit procedures with the
risks which impact the achievement of organisational objectives. The internal
auditor identifies the important audit areas through a risk assessment exercise
(using impact and probability of errors as a basis) and tailors the audit activity
such that detailed audit procedures are conducted over high risk areas/issues
while less time is devoted to low risk areas through curtailed audit
procedures. Additionally, it ensures that risks under consideration are more
aligned to the overall strategic and company objectives rather than narrowly
focused on process objectives.
This risk based approach therefore ensures the following three-fold objectives:
(a) Audit procedures need not cover the whole process and can be limited to
only the important controls in the process;
(b) Provide a linkage to aspects more relevant and connected with broader
company & functional objectives; and
(c) Findings and issues highlighted are significant and important and time is
not wasted on areas with low probability of significant observations.
5.2.7 System and Process Focus
A system and process based internal audit goes beyond transaction and
balance audits (focussed on error detection), to review the design and
inter-linkage of the controls (focussed on error prevention). A root cause analysis
conducted on each exception helps to identify opportunities to improve the
systems or to automate the process with the objective to prevent a repetition of
such errors. This is a more sustainable approach as it helps the internal auditor
to move away from people to process and from detection to prevention.
5.2.8 Participation in decision making
In conducting internal audit assignments, the internal auditor should avoid
passing judgement or rendering an opinion on past management decisions. As
part of his advisory role, the internal auditor should avoid participation in
operational decision making which may be subject to a subsequent audit.
The focus of the internal auditor should remain with the quality and operating
effectiveness of the decision making process and how best to strengthen it,
such that the chance of flawed or erroneous decisions is minimised. However,
the internal auditor is at full liberty to present the lessons that could be learnt from
such past decisions.
5.2.9 Balancing of multiple stakeholder interests
The internal auditor needs to evaluate the implication of his observations and
recommendations on multiple stakeholders, especially where their interests
may be conflicting in nature. In such situations, the internal auditor should
remain objective and present a balanced view to the auditee. This would allow
senior management to take the final call since they are generally privy to the
full information and best placed to balance the strategy/objectives of the
company with expectations/interests of the diverse stakeholders.
5.2.10 Quality and continuous improvement
The quality of the internal audit work should be paramount in the mind of the
internal auditor since the credibility of the audit reports depends on the
reliability of the findings. The Chief Internal Auditor should have in place a
process of quality control to:
(a) ensure factual accuracy of the observations and validate the accuracy of
all findings; and
(b) continuously improve the quality of the internal audit process and the
internal audit reports.
The Internal auditor also has to ensure that a self assessment mechanism is in
place to monitor his own performance and also that of his subordinates and
external experts on whom he is relying to complete some part of the audit
work.
5.3 Internal Audit Charter
The constitution and establishment of the Internal Audit function within the
organisation is generally articulated in a formal document called the Internal
Audit Charter. It defines all important aspects of the functioning of the
Internal Audit department and provides clarity to the Internal Auditor
regarding the manner in which the internal audit work is undertaken and how
his responsibility is to be discharged.
Typical key contents of the Charter are as follows (indicative list):
(a) Vision & Mission of the Internal Audit function
(b) Purpose & Objectives
(c) Scope & Approach
(d) Accountability & Authority
(e) Roles & Responsibility
(f) Reporting structure
(g) Independence
(h) Standards of audit practice
The Internal Audit Charter is generally reviewed and approved by the highest
governing body of the organisation; either the Board of Directors or the Audit
Committee. It's important that the governing body is aware of and in agreement
with its contents in order to support the internal audit agenda.
Where the Internal Audit charter is absent, it's recommended that a formal
document of this nature be put in place and used as the basis on which the
internal audits will be conducted. Where the Internal Audit function is
completely outsourced to an outside agency, a similar document should be
developed as part of the terms of reference of the engagement.
The Internal Audit Charter should be reviewed periodically to ensure that it
stays relevant to the changing needs and expectations of the board members,
its management and the organisation. It is the responsibility of the Chief
Internal Auditor to ensure periodic review and revision.
5.4 Compliance with IASB Pronouncements
The IASB has issued a number of Standards, Guidelines and Clarifications
(collectively referred to as Pronouncements) on Internal Audit and this body
of pronouncements has to be complied with by the internal auditor. These
pronouncements are designed to provide the internal auditor with all the
information required to deliver a high quality service and thus maintain
reliability and credibility of his work.
If, for any reason, a member is unable to comply with any of the mandatory
requirements, in accordance with the SIAs, his internal audit report should
draw attention to the material departures therefrom. Any significant
deviations from the procedures outlined in the pronouncements could also be
viewed as a shortcoming in taking due professional care.
A peer review mechanism for quality control is to be followed to ensure that
members have adhered to all aspects of the pronouncements.
6.0 EFFECTIVE DATE
6.1 This Framework governing Internal Audits is applicable for all internal audits
beginning on or after .......
6.2 In the first year of its implementation, this Framework will be mandatory only
for internal audits conducted on Listed Companies, and thereafter, it will
become mandatory for internal audits conducted on all companies subject to
internal audit as per Companies Act, 2013 (Refer Preface to the Framework
and Standards on Internal Audit, Section 4.1).