Exposure Draft of Standard on Internal Audit (SIA) 370,Reporting Results to Management (Comments to be received by March 28, 2019)
February, 28th 2019
EXPOSURE DRAFT
STANDARD ON INTERNAL AUDIT (SIA) 370
REPORTING RESULTS TO MANAGEMENT *
The Internal Audit Standards Board of The Institute of Chartered Accountants of
India (ICAI) invites comments on Standard on Internal Audit (SIA) 370, Reporting
Results to Management.
Comments are most helpful if they indicate a clear rationale and, where applicable,
provide a suggestion for alternative wording.
Comments can be e-mailed either at cia@icai.in; or at concurrentaudit@icai.in
Last date for sending comments is March 28, 2019.
* This Standard on Internal Audit seeks to revise and supersede Standard on Internal Audit (SIA) 4, Reporting, issued in
October 2008 (as recommendatory in nature). This SIA is being issued in its place as a mandatory standard from its effective
date.
STANDARD ON INTERNAL AUDIT (SIA) 370
REPORTING RESULTS TO MANAGEMENT
Contents
Paragraph(s)
Introduction ........................................................................................... 1
Objectives ......................... .............................................................. 2
Requirements ......................................................................................... 3
Explanatory Comments ........................................................................ 4
Effective Date ........................................................................................ 5
This Standard on Internal Audit (SIA) 370, Reporting Results to Management, issued by
the Council of the Institute of Chartered Accountants of India should be read in
conjunction with the "Preface to the Standards on Internal Audit," "Framework
governing Internal Audits" and "Basic Principles of Internal Audit" issued by the
Institute.
1.0 INTRODUCTION
1.1 Dissemination the results of internal audit and reporting the findings to
management, and those charged with governance, is the most critical part of
any internal audit. Reporting of results needs to be done with a certain level of
uniformity and, both the Internal Auditor and the recipient of the reports,
should have clarity with regard to the nature of assurance being provided
through these reports.
1.2 Reporting of internal audit results is generally undertaken in two stages:
a. At the end of a particular audit assignment, an "Internal Audit Report"
covering a specific area, function or part of the entity is prepared by the
Internal Auditor highlighting key observations arising from those
assignments. This report is generally issued with details of the manner in
which the assignment was conducted and the key findings from the audit
procedures undertaken. This report is issued to the auditee, with copies
shared with local and executive management, as agreed during the
planning phase.
b. On a periodic basis, at the close of a plan period, a comprehensive report
of all the internal audit activities covering the whole entity and the plan
period is prepared by the Chief Internal Auditor (or the Engagement
Partner, in case of external service provider). Such reporting is normally
done on a quarterly basis and submitted to the highest governing
authority responsible for internal audits, generally the Audit Committee.
Some part of the aforementioned Internal Audit Reports may form part of
the periodic (Quarterly) report shared with the Audit Committee.
1.3 Scope: This Standard on Internal Audit (SIA) deals with the internal auditor's
responsibility to issue only the first type of reports, the Internal Audit Report
pertaining to individual audit assignments and not to the periodic (Quarterly)
reporting for the whole entity as per the Annual/Quarterly audit plan. Also,
this SIA does not cover the form or content of the Internal Audit Report where
an assurance is being provided, for which a separate Standard on Internal
Audit (SIA) 380, Issuing Assurance Reports should be referred to.
2.0 OBJECTIVES
2.1 The objectives of issuing Internal Audit Reports on individual internal audit
assignments is to:
(a) Share with the auditee, details of all significant findings based on audit
procedures undertaken;
(b) Permit management to understand the issues and take corrective actions
in a methodical and comprehensive manner; and
(c) Provide a sound basis for any assurance being provided by the Internal
Auditor.
2.2 The overall objective of Reporting Results to Management is to provide the
receiver with a written outcome on the effectiveness of internal controls and
risk management processes to enhance governance in line with the Internal
Audit Charter (or Terms of Reference, in case of external service provider).
3.0 REQUIREMENTS
3.1 Basis the internal audit work completed, (Para 4.1) the Internal Auditor shall
issue a clear, well documented Internal Audit Report which includes the
following key elements:
(a) The fact that an internal audit has been conducted in accordance the
Standards of Internal Audit (Para 4.2);
(b) A reference to the summary of key observations covering all important
aspects, and specific to the scope of the assignment;
(c) A reference to the summary of corrective actions required (or agreed) by
management; and
(d) Nature of assurance, if any, which can be derived from the observations.
3.2 The nature of assurance, if any, to be provided shall be in line with Standard on
Internal Audit (SIA) 110, Nature of Assurance which should be pre-agreed with
the auditee at the planning stage.
3.3 The content and form of the Internal Audit Report is to be established by the
Internal Auditor based on his best professional judgement, in consultation with
the auditee and, if necessary with inputs from other key stakeholders. No
internal audit report shall be issued in final form unless a written draft of the
report has previously been shared with the auditee. (Para 4.3).
3.4 The internal audit report shall be issued within a short time frame from the
completion of the internal audit work, with the time period between
completion of assignment to final report issuance not exceeding sixty days,
unless mutually agreed with the auditee or those charged with governance.
4.0 EXPLANATORY COMMENTS
4.1 Basis of Internal Audit Report (Para 3.1): Each internal audit report is prepared
on the basis of the audit procedures conducted and the analysis of the audit
evidence gathered. Conclusions reached shall be based on all the findings and
not only on a few deviations or issues noted. Controls operating effectively
have their own importance while the risk and significance of observations
noted have a role to play on the matters to report.
4.2 Conducted in accordance with SIAs (Para 3.1): Where the internal audit is
conducted in compliance with the Standards of Internal Audit, (within the
Framework governing Internal Audits), and the internal auditor can
substantiate the same with supporting evidence and documentation, the
internal audit report shall include a statement confirming that "the internal
audit was conducted in accordance with the Standards of Internal Audit issued
by the Institute of Chartered Accountants of India".
4.3 Content and format of Internal Audit Reports (Para 3.3): The manner in which
the internal audit report is drafted and presented is a matter of professional
judgment and choice and could be influenced with preferences of the
recipients. The SIA does not mandate any particular format or list of contents
since the Internal Auditor is expected to exercise his best professional
judgement on matters regarding how and what to report. Never the less,
where some level of assurance is being provided, the form and content of the
report shall be guided by SIA 380 "Issuing Assurance Reports".
4.4 Documentation: To confirm compliance of audit procedures with this SIA, the
list of documents required is as follows:
(a) Copies of draft and final internal audit reports to be maintained, appropriately
cross referenced to individual observations.
(b) If appropriate, management action plans should be counter signed by
respective management personnel.
5.0 EFFECTIVE DATE
5.1 This Standard is applicable for internal audits beginning on or after date
to be notified by the Council of the Institute.
