1
Internal Audit - Basics Risk Consulting
1 9/17/2018 CA. SANJAY JOSHI
2
Contents
1. Regulations
2. Risk, Controls & IA
3. Internal Audit
4. Approach to Internal Audit
5. Deliverables – Report
6. Expectations vs. Performance
7. Professional Opportunities
3
01 REGULATIONS
4
INTERNAL AUDIT - REGULATIONS
Columns: Sector | Regulation | Requirement | Remarks

Sector: All
Regulation: Sec. 138
Requirement: Companies Act did not mandate internal audit; however, Sec. 138 of CA 2013 now mandates IA.
Remarks: Coverage or

Sector: Listed
Regulation: Sec. 177 CA 2013 & Clause 49 of listing agreement
Requirement: Audit committee to review:
- adequacy of internal audit function
- internal control systems, reports of internal auditors
- appointment, removal and terms of remuneration of chief internal auditor
Remarks: Internal auditor was under an obligation to attend audit committee meetings, however, not under CA 2013.

Sector: Broking
Regulation: BSE/NSE
Requirement: Circulars - all stock brokers/trading members/clearing members are directed to carry out complete internal audit
Remarks: Half yearly basis

Sector: Insurance
Regulation: IRDA
Requirement: Investment Regulations - Scope & detail requirements of internal audit of investment function
Remarks: Quarterly audit

Sector: Banks
Regulation: GOI – Master Circular
Requirement: Guidelines on Internal Audit, Information Systems Audit and Concurrent Audit Systems.
5
NEW REGULATION FOR IA
Columns: Regulation | Requirement | Remarks

Regulation: Sec. 138
Requirement:
- Cent. Government to prescribe class of companies which shall mandatorily appoint an internal auditor.
- Eligibility – Chartered Accountant, Cost Accountant or other professional as prescribed
- Scope – functions and activities of the co.
- Reporting – CG may prescribe by rules – manner & frequency of conducting and reporting for IA
Remarks:
- Scope may further require legal guidance.
- IA are not subject to similar provisions of Auditors like: Eligibility, Remuneration, Duties, Rotation, Fraud

Regulation: Rule 13 – Companies (Accounts) Rule, 2014
Requirement:
- List of companies to have IA - mandatory
- Eligibility – CA whether or not having COP
  - As an employee – Internal
  - As a professional / firm of professionals – External
- Scope, Functioning, Periodicity & Methodology of IA – to be decided by Audit Committee / Board in consultation with IA

Listed Cap i.r.t. preceding financial year
- All Listed: NIL
- All Unlisted Public Co.: Paid up capital ≥ Rs. 50 Cr, OR TO ≥ 200 Cr, OR Outstanding Loans/borrowings ≥ Rs. 100 Cr, OR Outstanding deposits ≥ 25 Cr
- All Pvt Ltd
6
NEW REGULATION FOR IA
Columns: Requirement | Remarks

Rule 13 – Companies (Accounts) Rule, 2014
Requirement: Board’s (Directors’) report shall also contain – Rule 8 (viii) the details in respect of adequacy of internal financial controls with reference to the Financial Statements.
Remarks:
- Risk management framework based approach is adopted by SEBI.
- CA Rules 2014 do not prescribe any reporting guidelines, unlike other issues to be reported by board.

CARO – AUDITOR’S REPORT
Requirement: Sec. 143 (3) – Auditor’s report shall also state whether the company has adequate internal financial control system in place and the operating effectiveness of such controls;
Remarks: Welcome provision but ambiguity.
Requirement: Statutory auditor shall comment on Internal Audit System for:
- Listed co., OR
- A co. having paid up capital > 50 Lacs and Avg. Annual TO > 5 Cr for 3 Consecutive FY.
Remarks: However, IA was not mandatory.
7
03 INTERNAL AUDIT
8
INTERNAL AUDIT - CONCEPT
SIA 2, Para 3.1: “Internal audit is an independent management function, which involves a continuous and critical appraisal of the functioning of an entity with a view to suggest improvements thereto and add value to and strengthen the overall governance mechanism of the entity, including the entity’s risk management and internal control system.”

SATYAM – Head of the internal audit cell and the Internal Auditor were found guilty. Facing CBI trials and ICAI disciplinary actions.
9
INTERNAL AUDIT - OBJECTIVES
SIA 1 – Planning: Objectives of Internal Audit
- to suggest improvements to the functioning of the entity, like:
  - Optimum utilization of tangible and intangible resources
  - Safeguarding tangible and intangible resources
  - Timely, accurate and adequate compliance framework
  - Timeliness, adequacy and accuracy of management information systems
- to strengthen the overall governance mechanism of the entity,
- to strategize risk management as well as internal control system of the entity.
10
ORGANOGRAM – THREE LINES OF DEFENCE
[Organogram; labels: BUSINESS; CORPORATE; STRATEGIC; BOARD / GOVERNING BODY / AUDIT COMMITTEE; EXECUTIVE DIRECTOR / CFO / MD / CEO; INTERNAL CONTROL FRAMEWORK; MANAGERS / SBU HEAD; CHAIRMAN & INDEPENDENT DIRECTOR; INTERNAL AUDIT TEAM]
11
INTERNAL CONTROL SYSTEM
One of the critical success factors for any business is to design and implement an Internal Control Framework (ICF) which is the best fit for management approach and attitude, business needs and regulatory demands.
It is a management responsibility to design, implement and maintain the ICF.
The ICF aims to control all key business functions of the entity effectively, efficiently and in a timely manner.
The Internal Control System comprises the control environment, internal audit and control procedures/systems, also referred to as Standard Operating Procedures (SOP), Manuals, Operating Guidelines etc.
Internal Control Framework controls are:
- Internal Control System: to control internal business operations / activities / functions
- Financial Reporting System: for stakeholder interaction
12
03 RISK, CONTROLS & IA
13
RISK
“Risk is an event which can prevent, hinder, fail to further or otherwise obstruct the enterprise in achieving its objectives.”
Two important parameters:
- Likelihood of its occurrence – probability: remote, unlikely, possible, likely and almost certain
- Impact / Severity: insignificant (not material), minor, moderate, major, catastrophic; simply, we can say high, medium and low
14
TYPES OF RISK
- STRATEGIC / CORPORATE
- BUSINESS
- OPERATIONAL
15
EXAMPLES OF TOP 3 EMERGING RISKS
?
16
RISK & INTERNAL AUDIT: SIA 13
The internal auditor should not manage any of the risks on behalf of the management or take risk management decisions. The internal auditor should not assume any accountability for risk management decisions taken by the management.
17
Internal Control System / Framework
Control Environment: The overall attitude, awareness & actions of directors & management regarding the Internal Control System and its importance in the entity.
Internal Audit: A separate component of internal control with the objective of determining whether Internal Controls are well designed and properly operated.
Control Procedures: Policies & procedures (SOP) (i.e. Internal Controls in addition to the control environment) established by management to achieve entity's specific objectives.
Control check over control functions
18
HOW TO SET UP OTHER CONTROLS?
19
04 APPROACH - IA
20
APPROACH - IA
Audit Plan
- Knowledge of industry’s business, of entity’s business cycles
- Understanding of accounting, governance and internal control system
- Knowledge of compliance framework
Audit Program
- Scope vs. Resource vs. Time Management
- Establish Audit Universe
Process Flow
- Identify business functions under audit
- Perform a process walk through for each function and prepare process flow
- Process flow shall document existing controls, as far as practical along with risks
21
APPROACH - IA
Risk Control Map
- Map Controls & Risk for each critical process
- Identify gaps / flaws in processes – Control weakness / vulnerability, Risk uncontrolled
- Evaluate and classify Risks
Audit Procedures
- TEST OF CONTROLS - Substantive, Compliance procedures & Analytical procedures
- Impact analysis of risks and root cause study
Audit Report
- Evaluate and classify Risks based on impact
- Draft Report followed by management review meetings
- Final Report with Action Taken
22
AUDIT PLANNING – SCOPE -Risk Rating criteria – A CA Firm
The observation rating criteria and risk rating criteria are as per the pre-defined parameters specified by the client’s management, as follows:

Observation rating
- Process deficiency (PD): Observations related to absence of defined process or weakness in existing processes. Example: Absence of inventory holding norms
- Operational inefficiencies (OI): Observations related to non-adherence to defined process or discipline issues. Example: Non adherence to inventory norms
- System limitation (SL): Observations related to sub-optimal utilization of system functionalities. Example: Non updation of inventory levels in ERP

Risk rating
- High (H): Significant / major control gap which may result into severe financial impact or major violation of laws and regulations.
- Medium (M): Deviations from controls, which may impact adversely, or some weakness in existing controls, or non compliance with processes / regulations
- Low (L): All other observations not falling under above categories
23
Illustrative risk factors / guidelines
Risk rating criteria – Risk Map - Reliance Infra
Columns: Criteria | High | Medium | Low

Criteria: Materiality / Financial impact
- High: Annualized financial exposure / impact: Exceeding Rs. 1 crore; External audit qualifications on report and accounts
- Medium: Exceeding Rs. 10 Lacs but not exceeding Rs. 1 crore
- Low: Annualized financial exposure: Not exceeding Rs. 10 Lacs; All other Observation not covered in ‘High’ / ‘Medium’ categories

Criteria: Operations
- High: Errors affecting significant portion of the operations / assets of the company; Policies and procedures not existent or not implemented; Any control gap leading to possibility of fraud
- Medium: Errors affecting a large portion of the operations / assets of the individual business; Policies and procedures exist but are weak and lapses or failures are not ratified

Criteria: Technology
- High: High application downtime, breakdown leading to disruption of service such as invoicing; Cost and time overruns in project due to factors which are controllable; Significant under utilization of existing IT Platform / System
- Medium: Medium application downtime, breakdown leading to disruption of critical services like invoicing, financial accounting etc.; Cost and time overruns in project execution due to factors which are partially controllable; Underutilization of existing IT Platform / system leading to process inefficiencies

Criteria: Regulatory / Compliance
- High: Non compliance / significant delay towards key provisions of applicable acts / statute leading to risk of monetary loss (Single instance more than Rs. 50,000 or total value exceeding Rs. 1 Lac / penalty & prosecution)
- Medium: Delay in compliance with the provisions of applicable laws / statute leading to monetary loss. (Single instance of Rs. 20,000 to Rs. 50,000 or total value of Rs. 50,000 to Rs. 1 lac)
24
PROCESS FLOW – MATERIAL RECEIPTS
Process flow

Outsourced process:
- Supply by vendor (Korba coalfields of SECL)
- Transport by Road for washing at coal washery
- Coal washing (at SCPL Coal washery through RNRL)
- Rail Transport to DTPS (after washing or directly from coalfield)

In-house process:
- Monthly GRN
- Bunkering
- Storage in coal yard (4 coal yards at DTPS)
- Transport to yard via underground conveyer belts
- Weighment of wagons at DTPS wagon tippler

Note: RInfra purchases Lacs MT of coal (F Grade) per annum from M/s. South Eastern Coalfields Limited (SECL), Bilaspur (subsidiary of Coal India Ltd.) as per Fuel Supply Agreement under New coal distribution policy.

Outsourced control:
- RInfra has entered into an agreement with RNRL for liaising (with South Eastern Railways for getting wagons), loading, supervision, weighment and movement of coal to DTPS, i.e. either supply of F Grade coal directly to DTPS from SECL coalfields OR supply of F Grade coal after washing through Spectrum Coal and Power Limited (SCPL) coal washery (RInfra has separately ordered RNRL for coal washing through SCPL).
- Sainik Mining and Allied Services Limited (SMASL) is responsible for transportation of coal from coalfields to coal washery and from coal washery to railway for ultimate transport to DTPS.
- Inspectorate Griffith India Private Limited is responsible for sampling and analysis of coal, i.e. quality control.

In-house control: RInfra is responsible for coal handling once the coal is received at DTPS coal handling plant, i.e. weighed through wagon tippler at DTPS.
25
PROCESS FLOW – MATERIAL RECEIPTS
Process flow

Outsourced process:
- Imported coal supply by vendor to RNRL
- High sea sales (import) by RNRL to RInfra
- Transport by ship
- Anchorage ship at Dahanu Port
- Transport to Jetty by barges

In-house process:
- GRN per Shipment
- Unloading of coal in coal yard
- Transport of coal to DTPS coal yard in dumpers
- Electronic weighment of dumpers
- Security check & record of dumper movement in DTPS premises

Note: RInfra imports 5 to 7 Lacs MT of coal, which is approximately 20 to 25% (in Mt) of total annual coal requirement of DTPS.

Outsourced process:
1. Loading port (Foreign port) to Destination port (Dahanu) – RInfra imports coal from RNRL on CIF basis under High Sea Sales agreement. In transit responsibility of coal (i.e. from Loading to Destination port) belongs to RNRL. Payment is made to RInfra for the quantity received at Dahanu port as per Draft Survey Report from independent expert.
2. Destination port to DTPS Coal yard - RInfra has entered into an agreement with United Shippers Ltd. (Letter of Award – Order) for stevedoring, barging, loading, unloading, custom clearance, liaising & follow up, handling etc. and all the associated onshore services for coal imported from RNRL. USL is responsible for taking delivery of coal from Dahanu port and delivering it to DTPS.

In-house process: RInfra is responsible for coal handling once the coal is received at DTPS coal handling plant, i.e. weighed through electronic weighment at DTPS.
26
AUDIT EXECUTION - RISK CONTROL MATRIX
FUNCTION – PROCUREMENT AND INVENTORY
Mega Process – Inventory Management
Major Process – Material Receipt
Columns: Sub Process | Risk Class | Risk Description | Control | Audit Procedures / Checks | Evaluation | Audit Observation | Impact | Management Action

Sub Process: Material Receipt

Risk Class: Unauthorized material
- Risk Description: Gate entry not done at the time of allowing entry into premises
- Control: Inward Register / Security
- Audit Procedures / Checks: Check company policies and procedure material receipts and recording thereof

Risk Class: Quality concern
- Risk Description: Goods received not as per PO (Purchase Order)
- Control: Inspection Report
- Audit Procedures / Checks: Check if IT system permits creation of GRN without Gate entry in the system

Risk Class: Approval & Price
- Risk Description: Goods received without PO
- Control: Purchase Policy
- Audit Procedures / Checks: Check goods received vs. PO quantity, rate, description, terms etc.

Risk Class: Quantity
- Risk Description: Goods physically received is less than the invoice quantity, or goods received in excess of ordered quantity
- Control: Acceptance Report; Weighment / Counting controls
- Audit Procedures / Checks: Controls over internal weigh bridge OR checks over accuracy of external weighment - Shortage records & analysis

Risk Class: Compliance
- Risk Description: Delay in updating an inventory ledger or creation of GRN
- Control: Material Receipt & Inventory Reconciliation
- Audit Procedures / Checks: -
27
AUDIT OBSERVATION
Root Cause: PD / OI / SL
Rating: H / M / L

Process:
Raw coal is transported to DTPS from SECL mines by railways racks. Railway charges Rs pmt of carrying capacity of racks and not for the actual weight carried. Railway freight is paid by RInfra.

Fuel Supply Agreement with SECL – Clause No Overloading / under loading adjustment.
11.2 “For all other grades of coal, any idle freight for under-loading below the stenciled carrying capacity, as shown on the wagon or carrying capacity based on actual tare weight, as the case may be, plus 2 tonnes shall be borne by the seller.”
11.3 “Idle freight resulting from under loading of wagon, as per clause 11.2, shall be adjusted in the bills. Idle freight shall be reckoned as: (ii) For all other grades of coal, the difference between the freight charges applicable for the stenciled carrying capacity, as shown on the wagon or carrying capacity based on the actual tare weight, as the case may be, plus 2 tonnes less the actual freight payable as per the actual recorded weight of coal loaded in the wagon.”

As per the above referred terms of the FSA, SECL adjusts freight amount for under load quantity in bills.

Observation:
While reviewing idle freight adjustments for Apr. to June 2010, we have observed that the under load quantity adjusted in SECL bills is less than the under load quantity observed; the details thereof are as under. After considering qty and freight for actual under load (observed at DTPS) and adjusted under load (in SECL bills), the table works out that the freight adjustment by SECL for under load was short by Mt i.e. Rs Lacs.

| Raw coal receipts | No. of Racks | Actual under load (DTPS): Qty (Mt) | Actual under load (DTPS): Freight (Rs. Lacs) | Adjusted under load (SECL bills): Qty (Mt) | Adjusted under load (SECL bills): Freight (Rs. Lacs) | Short adjusted under load: Qty (Mt) | Short adjusted under load: Freight (Rs. Lacs) |
| APR' 10 | 15 | 4729 | 62.13 | 421 | 5.29 | 4308 | 56.84 |
| MAY' 10 | 14 | 3777 | 49.62 | 772 | 9.56 | 3005 | 40.06 |
| JUNE' 10 | 11 | 3357 | 44.10 | 576 | 7.06 | 2781 | 37.04 |
| Total | 40 | 11862 | 155.85 | | 21.91 | 10094 | 133.94 |
28
Evaluate recovery of short adjusted under load quantity from Vendor
Root Cause: PD / OI / SL
Rating: H / M / L
Risk / Implications: Increase in cost of raw coal due to short adjusted under load freight
Management response:
Root cause: Under load qty adjustments as per SECL bills is less than actual under load quantity.
Responsibility & timeline:
- Responsibility :
- Timeline :
Recommendation: Evaluate possibilities to claim (recover) from SECL, the freight value of under load qty short adjusted in bills.
29
05 Deliverables - Report
30
CONTENTS – IA REPORT – SIA - 4
REGULAR CONTENTS – TITLE, ADDRESSEE, CC List, SCOPE, COVERAGE, PERIOD, SIGNATURE, MEMBERSHIP NO., DATE etc.
ADDITIONAL AND KEY CONTENTS
- RISK REGISTERS (LESS FREQUENT)
- PROCESS MAPS / PROCESS FLOWS
- RISK RATING CRITERIA - IDENTIFICATION, CLASSIFICATION & CRITICALITY OF RISK
- IMPACT ANALYSIS and ROOT CAUSE ANALYSIS
- AUDITOR’S RECOMMENDATION / ACTION PLAN
- MANAGEMENT RESPONSE
- TOP MANAGEMENT REPORTS – EXECUTIVE SUMMARY, ACTION TAKEN REPORT
REPORT SHOULD BE CLEAR, FACTUAL, SPECIFIC, CONCISE, UNAMBIGUOUS, UNBIASED AND TIMELY
31
CONTENTS – IA REPORT – SIA - 4
The Report should include a description of the engagement background, internal audit methodology used and procedures performed by the internal auditor mentioning further that the internal audit provides a reasonable basis for his comments. The report should include a statement that the internal audit was planned and performed to obtain reasonable assurance whether the systems, processes and controls operate efficiently and effectively and financial information is free of material misstatement. When there is a limitation on the scope of the internal auditor’s work, the internal auditor’s report should describe the limitation.
32
06 Expectations vs. Performance
33
INTERNAL vs. STATUTORY AUDIT
| SIMILARITIES | GAPs |
| Basic principles governing audit | Independence within the organization, while externally independent |
| Audit approach | Results / deliverables differ |
| Audit usefulness | Effectiveness / usefulness varies |
| Auditing skills expected from auditors | Dynamic and versatile, expert knowledge of business processes, risks & controls |
| Dealing with Risk | Avoids risk vs. facilitates risks |
34
EXPECTATION vs. PERFORMANCE
- Revenue leakages
- Cost savings / reductions
- Improvements in Internal Control Environment / Information security / confidentiality
- Fraud prevention / detection
- Value addition by process improvements / business process re-engineering
- Profit improvements through studies of customer preferences / market developments / dynamics / supply chain / product / service features
35
07 Professional Opportunities
36
INTERNAL AUDIT & PROFESSIONAL OPPORTUNITIES
PRACTICE
- STANDARD OPERATING PROCEDURES – MAKING & IMPLEMENTATION
- SYSTEMS / PROCESS REVIEW
- RISK & CONTROL REVIEWS
- INTERNAL AUDIT – Pre & Post Audits
- FRAUD RISK REVIEW
- ENTERPRISE WIDE RISK MANAGEMENT
- FORENSIC AUDIT

INDUSTRY
- INDEPENDENT DIRECTOR
- LEAD INTERNAL AUDITOR
- IA TEAM MEMBER
- LEAD RISK MANAGER
- PROCESS OWNER / MANAGER
- FRAUD RISK CONTROLLER
37
TARGET Listed – BSE Non-listed Autonomous Bodies Central PSU State PSU
3300 215 836 1050 MCA Data Govt./LTD PVT 64830 818780
38
THANK YOU CA SANJAY JOSHI PARTNER GAUTAM JOSHI & CO.
Disclaimer: Information and disclosures in this document are for the proposed purpose only and right to use is given to intended person/persons only. In no way it represents marketing or soliciting of the firm/persons under consideration. Unintended or unauthorized use is firmly prohibited and against the law.