EXPOSURE DRAFT
PROPOSED REVISION TO
STANDARD ON INTERNAL AUDIT (SIA) 000
PLANNING THE INTERNAL AUDIT ASSIGNMENT *
The Internal Audit Standards Board (IASB) of The Institute of Chartered
Accountants of India (ICAI) invites comments on proposed revision of the Standard
on Internal Audit (SIA) 000 Planning the Internal Audit Assignment.
Comments are most helpful if they indicate a clear rationale and, where applicable,
provide a suggestion for alternative wording.
Comments can be emailed either at cia@icai.in; or at iasb.program@icai.in
Last date for sending comments is June 15, 2018.
NOTE (*): This Standard on Internal Audit (SIA 000) seeks to revise and supersede some part or all
of the following current SIAs (issued in recommendatory form):
1) SIA 1: Planning an Internal Audit, issued in August 2006.
2) SIA 15: Knowledge of the Entity and its Environment, issued in March 2009.
This SIA will finally be issued as a mandatory standard from its effective date.
1
STANDARD ON INTERNAL AUDIT (SIA) 000
PLANNING THE INTERNAL AUDIT ASSIGNMENT
Contents
Paragraph(s)
Introduction ........................................................................................... 1
Objectives ......................... .............................................................. 2
Requirements ......................................................................................... 3
Explanatory Comments ........................................................................ 4
........................................................................................
Effective Date 5
2
This Standard on Internal Audit (SIA) 000, "Planning the Internal Audit
Assignment", issued by the Council of the Institute of Chartered Accountants of
India should be read in conjunction with the "Preface to the Standards on Internal
Audit", "Framework governing Internal Audits" and "Basic Principles of Internal
Audit" issued by the Institute.
1. INTRODUCTION
1.1 Internal Audit Planning is conducted at two levels:
(a) An overall internal audit plan for the whole entity is prepared for a
given period of time (usually a year) and presented to the highest
governing body responsible for internal audits, normally, the Board
of Directors, or the Audit Committee.
(b) A number of specific internal audit plans are prepared for individual
assignments to be undertaken covering parts of the entity or certain
specific areas and functions of the entity and presented to the Head
of Internal Audit.
1.2 This Standard on Internal Audit (SIA) covers the second level, the
Planning the Internal Audit Assignment for a particular part of the entity.
A separate SIA covers the first level, Conducting Overall Internal Audit
Planning of the entity as a whole.
1.3 Planning the Internal Audit Assignment involves the following key
elements:
(a) It is a subset of the Overall Internal Audit Plan;
(b) It is undertaken prior to the beginning of a particular assignment
during the course of the plan period;
(c) Assignments are specific to a part or unit of the entity, covering a
particular area, function, business unit or a subsidiary of the entity;
(d) It is specific in nature, covers the manner in which a particular audit
assignment will be conducted with details of the Unit under review,
along with subareas or processes to be audited;
(e) Assignments are generally completed during a short period of time;
(f) It is prepared by the internal auditor responsible for the assignment
(or the Engagement Staff where an external service provider is
appointed to conduct internal audits).
(g) The outcome of this exercise is generally in the form of an "Internal
Audit Assignment Plan".
3
2. OBJECTIVES
2.1 The objectives of an Internal Audit Assignment Plan are to:
(a) ensure its alignment with the objectives of the Overall Internal Audit
(Engagement) Plan and also in line with stakeholder expectations;
(b) ensure that the scope, coverage and methodology of the audit
procedures will form a sound basis for providing reasonable
assurance;
(c) allocate adequate time and resources to important aspects of the
assignment and assign appropriate skills to complex areas and
issues;
(d) ensure audit procedures are conducted in an efficient and effective
manner; and
(e) ensure the audit assignment will conform with the applicable
pronouncements of the Institute of Chartered Accountants of India
(ICAI).
3. REQUIREMENTS
3.1 The assignment planning exercise shall follow a laid down process (Para
4.1), the outcome of which shall be a comprehensive written document
(Para 4.8) containing all the essential elements required to help achieve
the objectives of assignment planning as outlined under Section 2 above.
Technology deployment (Para 4.6) and resource allocation (Para 4.7) shall
form essential elements of the Internal Audit Assignment Plan.
3.2 The Internal Audit Assignment Plan shall be reviewed and approved by
the Chief Internal Auditor (or Engagement Partner, in case of external
service provider).
3.3 A comprehensive knowledge of the Unit under review, its business and
operating environment shall be undertaken to make a determination of
the nature of audit procedures and tests to be conducted (Para 4.2). As
part of the planning process, a discussion with management and process
owners shall be undertaken to understand intricacies of each process
subject to review (Para 4.3).
3.4 A risk based planning exercise shall form the basis of the Internal Audit
Assignment Plan. The Internal Auditor shall undertake an independent
risk assessment exercise to prioritise and focus audit work on high risk
areas and processes, with due attention given to matters of importance,
complexity and sensitivity (Para 4.4).
4
3.5 An audit methodology shall be established (Para 4.5) together with the
depth and nature of audit procedures to be conducted both of which shall
be documented in an Internal Audit Programme (IAP). All audit
procedures completed shall be evidenced in the IAP with at least one level
of review and approval.
3.6 The Internal Audit Assignment Plan shall be continuously monitored
during the execution phase for achievement and to identify any
deviations. Certain deviations may require to be notified to the
stakeholders or even require a formal modification to the plan. However,
any major modification to the plan shall be done only after consultation
with those who approved the original plan. Such changes shall be
formally documented and communicated to all impacted stakeholders.
4. EXPLANATORY COMMENTS
4.1 The Planning process (Para 3.1): The internal auditor conducting the
Internal Audit Assignment Planning shall use professional judgement for
the process to be followed in completing all essential planning activities.
A documented assignment planning process shall be in place which
stipulates the essential inputs, steps to complete the planning and the
nature of output required to conduct a comprehensive planning exercise.
4.2 Knowledge of the Business and its Environment (Para 3.3): The internal
auditor shall gather all the information required to fully understand the
Unit's business environment, the risks it faces, the legal and regulatory
requirements and its day to day operational challenges.
The extent of information required shall be sufficient to enable the
internal auditor to identify matters which have a significant effect on the
Unit's financials and operations. Hence, there is a need to connect the
financial aspects of the Unit's business with the entity's business
elements, as well as external elements such as industry dynamics,
business model, operational intricacies, legal and regulatory framework
and the system and processes in place to run its operations.
4.3 Discussion with management (Para 3.3): A key element of planning
involves extensive discussion and deliberation with all stakeholders,
including Unit's executive management, risk owners, process owners,
department heads etc. Their inputs are critical in understanding
intricacies of the assignment, in identification of matters of relevance and
to align stakeholder expectations with audit objectives.
5
4.4 Risk Assessment (Para 3.4): An internal auditor shall undertake an
independent risk assessment of all aspects of the Unit under review and
align this with the risk assessment conducted by management. This is
required to prioritise and focus audit work on high risk parts of the Unit,
with due attention given to matters of importance, complexity and
sensitivity. Basis this exercise, key risk mitigations (or internal controls)
are identified for testing the effectiveness of operation. Absence of any
risk mitigations (or missing controls) could point towards process design
gaps which shall be validated and reported.
4.5 Audit methodology and depth of coverage (Para 3.5): The basic internal
audit methodology generally undertaken involves the performance of
Compliance procedures over transactions and balances so as to identify
deviations from the laid down policies and procedures.
However, the Framework governing Internal Audits, issued by the ICAI,
requires the conduct of risk based audits with a system and process focus.
Therefore, the depth of coverage shall go beyond basic compliance and
could be expanded (for example) as follows:
(a) Application of a basic process review methodology which tests the
design and operating efficiency of internal controls, questions the
process design and explores better and more efficient ways of
transaction processing;
(b) Deploying a risk based process review methodology which helps to
link the internal controls to particular vulnerabilities, evaluate the
effectiveness of internal controls, even question the process in place
and help identify alternative mitigations;
(c) Entity level control review methodology can be deployed to provide
a more holistic evaluation of governance processes such as culture,
organisation structure, oversight mechanisms and performance
measurement.
The Internal Audit Assignment Plan shall align the audit methodology
and depth of coverage (as indicated above) with the assurance to be
provided. A detailed Internal Audit Programme (IAP) is required to
document all the audit procedures to be conducted for each audit
objective, in line with the audit methodology adopted
4.6 Technology deployment (Para 3.1): A key element of the internal audit
assignment planning exercise involves understanding the extent to which:
(a) The Unit has deployed Information Technology (IT) in its business,
operations and transaction processing, especially if it is unique and
different to the overall entity; and
6
(b) The auditor needs to deploy IT tools, data mining & analytic
procedures, and the expertise required for its audit activities and
testing procedures.
This helps to design and plan the audit and testing procedures more
efficiently and effectively.
4.7 Resource allocation (Para 3.1): The internal auditor shall prepare a
detailed work schedule to estimate the time required for each audit
procedure depending on the audit attention it deserves (on the basis of
risk assessment) and map this with the competencies (knowledge,
experience, expertise etc.) of the resources available to ensure proper
resource availability and allocation.
4.8 Documentation: To confirm compliance of audit procedures with the SIA,
all key steps undertaken in the planning process shall be adequately
documented to confirm their proper completion.
Essential documentation to maintain is as follows:
(a) Planning Process documentation (or Checklists) and any tools used
in the planning process;
(b) Documentation supporting the information gathered about the
Unit's business and operations, systems and processes and past or
known issues;
(c) Summary of meetings and communication with key stakeholders,
with a summary of their inputs;
(d) Risk Assessment documentation and a review of risk mitigating
controls deployed;
(e) Summary of available resources, their competencies and the proper
matching of their skills with the audit requirements;
(f) Detailed Internal Audit Programme (IAP) which lists the specific
testing procedures to be conducted for each audit objective; and
(g) The final Internal Audit Assignment Plan, duly approved by the
Head of Internal Audit.
5. EFFECTIVE DATE
5.1 This Standard is applicable for internal audits beginning on or after.........
7
|