IAA 181021 Full Book

The document introduces the Internal Auditing and Assurance Standards Board (IAASB) of the Institute of Cost Accountants of India. The IAASB was constituted in 2019 to formulate and issue standards and guidelines for the internal audit function. The IAASB has now published the first edition of the Internal Audit & Assurance Standards to provide guidance to internal auditors and help them improve governance and risk management processes through effective internal audits.

Uploaded by

Audit Team

INTERNAL AUDIT & ASSURANCE STANDARDS

THE INSTITUTE OF COST ACCOUNTANTS OF INDIA


(Statutory body under an Act of Parliament)
www.icmai.in
MISSION STATEMENT
“The CMA Professionals would ethically drive enterprises globally by creating value to stakeholders
in the socio-economic context through competencies drawn from the integration of
strategy, management and accounting.”

VISION STATEMENT
“The Institute of Cost Accountants of India would be the preferred source of
resources and professionals for the financial leadership of enterprises globally.”

ABOUT THE INSTITUTE


The Institute of Cost Accountants of India is a Statutory body set up under an Act of Parliament in the year 1959.
The Institute as a part of its obligation, regulates the profession of Cost and Management Accountancy, enrols
students for its courses, provides coaching facilities to the students, organises professional development
programmes for the members and undertakes research programmes in the field of Cost and Management Accountancy.
The Institute pursues the vision of cost competitiveness, cost management, efficient use of resources and structured
approach to cost accounting as the key drivers of the profession. In today's world, the profession of conventional
accounting and auditing has taken a back seat and cost and management accountants are increasingly contributing
towards the management of scarce resources and apply strategic decisions. This has opened up further scope and
tremendous opportunities for cost accountants in India and abroad.

After an amendment passed by the Parliament of India, the Institute is now renamed as ''The Institute of Cost
Accountants of India'' from ''The Institute of Cost and Works Accountants of India''. This step is aimed towards
synergising with the global management accounting bodies, sharing the best practices which will be useful to large
number of trans-national Indian companies operating from India and abroad to remain competitive. With the current
emphasis on management of resources, the specialized knowledge of evaluating operating efficiency and strategic
management the professionals are known as ''Cost and Management Accountants (CMAs)''. The Institute is the 2nd
largest Cost & Management Accounting body in the world and the largest in Asia, having approximately 5,00,000
students and 85,000 members all over the globe. The Institution headquartered at Kolkata operates through four
Regional Councils at Kolkata, Delhi, Mumbai and Chennai and 108 Chapters situated at important cities in the country
as well as 11 Overseas Centres. It is under the administrative control of Ministry of Corporate Affairs, Government of
India, New Delhi.

Internal Auditing and Assurance Standards Board (IAASB)


The Institute & eminent resource persons from our profession have felt the need for the constitution of board for
Internal Audit. The Present Council for the first time has nurtured the Board to formulate and issue standards,
guidelines and advisory for the Internal Audit Function. The Cost Accountants have been recognized by the Companies
Act, 2013 and other regulatory bodies for appointment as Internal Auditors.

First Edition: October, 2021


DISCLAIMER:

The views expressed in this publication are those of author(s) which have been reviewed by the Internal Auditing & Assurance
Standards Board of the Institute of Cost Accountants of India after taking into account the suggestions, opinions and comments of
members and non-members of Institute.

Published by:
Internal Auditing & Assurance Standards Board
The Institute of Cost Accountants of India
12, Sudder Street, Kolkata - 700 016
© The Institute of Cost Accountants of India

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or
transmitted, in any form, or by any means, electronic, mechanical, photocopying, recording, or
otherwise, without prior permission, in writing, from the publisher.

Behind every successful business decision, there is always a CMA


Contact Details
CMA P. Raju Iyer
Vice President & Chairman
The Internal Auditing and Assurance Standards Board
E-mail: vicepresident@icmai.in

CMA Kushal Sengupta
Addl. Director & Secretary
Internal Auditing and Assurance Standards Board
E-mail: iaasb@icmai.in


FOREWORD

Internal audit function plays an important role in supporting the board and management of the
organisation to ensure effective implementation of governance mechanisms. The internal auditor
furnishes analysis of the activities reviewed and recommendations for improvement in those areas
where opportunities or deficiencies are identified. The internal audit can also help organisation in
reducing costs, enhancing performance and improving profits.

With the objective of developing and issuing standards, guidance notes, implementation guides on the
various aspects of Internal Audit, the Council of the Institute constituted the “Internal Auditing and
Assurance Standards Board (IAASB)” in the year 2019 under the Chairmanship of CMA P. Raju Iyer, Vice
President of the Institute. The requirement of IAASB was the need of the hour considering the inclusion
of “Cost Accountants” in the scope of Internal Audit as per provisions of Companies Act, 2013 and other
legislations in force.

I am glad that IAASB has already released Guidance Notes on Internal Audit of Cement Industry,
Education Sector, Pharmaceutical Industry, Risk Based Internal Audit and an exposure draft of Guidance
Note on Internal Audit of Pharmaceutical Industry. I am happy that the IAASB has now come up with the
Internal Audit & Assurance Standards (IAAS) to provide the right guidance to the Internal Auditors to
improve their professional approach to providing an effective internal audit service.

I express my appreciation to CMA P Raju Iyer, Chairman, IAASB for all the initiatives taken under the
Board. I also express my gratitude to all members of IAASB and in particular CMA B B Goyal for their
valuable inputs and contribution in giving a concrete shape to these standards.

I wish the IAASB success in all its future endeavours.

With warm regards,

CMA Biswarup Basu
President

COMMUNIQUE

I am extremely delighted that the Internal Auditing & Assurance Standard Board (IAASB) of the Institute
under the Chairmanship of CMA P. Raju Iyer, Vice President of the Institute has come up with the Internal
Audit & Assurance Standards (IAAS) in such a short span of time.

Internal audit is an independent appraisal and consulting activity designed to add value and improve an
organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic,
disciplined approach to evaluate and improve the effectiveness of risk management, control and
governance processes. The internal auditors are expected to ensure that the organisation is not
deviating from any material compliance instructed by any regulatory or governing body. Section 138 of
the Companies Act 2013 prescribes that a Cost Accountant can be appointed as an Internal Auditor by
the Board of the company to conduct internal audit of its functions and activities.

I congratulate CMA Biswarup Basu, President of the Institute, CMA P. Raju Iyer, Vice President of the
Institute & Chairman, IAASB for bringing out these standards. I also congratulate and thank all our
eminent contributors for their valuable contribution.

I am confident that these principle based IAAS will guide the internal auditors in establishing uniform
evaluation criteria, methods, processes and practices, and enable them to provide the Board of the
organisation, an insight into organisation efficiency and effectiveness with which the activities are being
carried out within the defined regulatory framework.

My best wishes to IAASB for all its future endeavours.

With warm regards,

CMA (Dr.) Balwinder Singh
Immediate Past President,
Chairman, Training & Education Facilities and
Placement Committee and
Cost Accounting Standards Board

PREFACE
Internal audit is critical in protecting and enhancing organizational value as it improves efficiency
of operations, evaluates risks and protects assets, assesses organizational controls and ensures legal
compliance. It also ensures that your business processes run with governance and in accordance with
organisation policies and procedures.

Section 138 of the Companies Act, 2013 prescribes that a Cost Accountant can be appointed as an Internal
Auditor by the Board or Audit Committee of the company to conduct internal audit of its functions and
activities. The changing environment requires the internal audit function to have dynamic planning to
be able to adapt at the same speed as the strategic risks exposure changes from time to time. Hence, the role of
Internal Auditors assumes additional importance in the current dynamic environment. To promote the
role of CMAs in the domain area of Internal Audit, the Council of the Institute constituted the “Internal
Auditing and Assurance Standards Board (IAASB)” in the year 2019, with the active participation of all
stakeholders.

The IAASB in its authority to issue standards, prepare guidance notes and develop adequate guidance
on Internal Audit for specific Industry /Service Sectors, has already released Guidance Note on Risk
Based Internal Audit and three industry specific Guidance Notes on Internal Audit of Cement Industry,
Education Sector and Pharmaceutical Industry. Further, the IAASB has also issued an Exposure Draft of
Guidance Note on Internal Audit on Power Sector inviting the views/comments/ suggestions from the
stakeholders of the Institute.

I am delighted to present the Internal Audit & Assurance Standards (IAAS) prepared by the IAASB and
I am sure that these standards will provide the pathway to the members for carrying out an effective
internal audit activity. These standards are principle based which would help industries as well as
internal auditors in performance of audit activities related to all the audit aspects i.e. performance audit,
operational audit, forensic audit, system audit and transaction audit.

I wish to express my sincere thanks to CMA Biswarup Basu, President and CMA (Dr.) Balwinder Singh,
Immediate Past President of the Institute for their guidance and support as always.

I would like to place on record my gratitude to all the members of IAASB for their valuable input and
contribution in preparing these standards. I also extend sincere gratitude to CMA B.B. Goyal, Co-opted
Member of IAASB for his enormous support and guidance in finalising the Internal Audit & Assurance
Standards (IAAS).

With warm regards,

CMA P Raju Iyer
Vice President, ICAI &
Chairman, Internal Auditing & Assurance Standards Board

CONTENTS

Foreword
Communique
Preface
Introduction to the Internal Audit & Assurance Standards

Category-I: Standards on General Principles of Internal Audit

IAAS-1: Objectives, Authority and Charter
IAAS-2: Internal Audit Engagement
IAAS-3: Independence, Integrity and Objectivity
IAAS-4: Proficiency and Due Professional Care
IAAS-5: Using the work of an Expert
IAAS-6: Quality Assurance and Continuous Improvement
IAAS-7: Communication and Confidentiality
IAAS-8: Risk Based Internal Audit
IAAS-9: Technology Driven Internal Audit
IAAS-10: Enhancing Governance Through Internal Audit
IAAS-11: Internal Audit of Cost Records

Category-II: Standards on Principles related to Internal Audit Process

IAAS-21: Internal Audit Planning
IAAS-22: Internal Audit Sampling
IAAS-23: Analysis and Evaluation
IAAS-24: Internal Audit Evidence
IAAS-25: Internal Audit Documentation
IAAS-26: Disclosure and Reporting
IAAS-27: Monitoring Progress

Glossary to the Internal Audit & Assurance Standards

Appendices

Appendix-I: Model Internal Audit Charter
Appendix-II: Model Internal Audit Engagement Letter
Appendix-III: Illustrative Internal Audit Plan
Appendix-IV: Internal Audit Report Template


INTERNAL AUDIT & ASSURANCE STANDARDS

INTRODUCTION TO THE INTERNAL AUDIT & ASSURANCE STANDARDS

Legal Requirements for Internal Audit


Section 138 (1) of the Companies Act 2013 provides that such class or classes of companies
as may be prescribed shall be required to appoint an internal auditor, who shall either be a
chartered accountant or a cost accountant, or such other professional as may be decided by the
Board to conduct internal audit of the functions and activities of the company. Sub-section (2)
provides that the Central Government may, by rules, prescribe the manner and the intervals in
which the internal audit shall be conducted and reported to the Board.
Rule 13 (1) of the Companies (Accounts) Rules, 2014 provides that the following class of
companies shall be required to appoint an internal auditor, which may be either an individual
or a partnership firm or a body corporate, namely:-
• every listed company;
• every unlisted public company having –
(i) paid up share capital of fifty crore rupees or more during the preceding financial
year; or
(ii) turnover of two hundred crore rupees or more during the preceding financial year;
or
(iii) outstanding loans or borrowings from banks or public financial institutions exceeding
one hundred crore rupees or more at any point of time during the preceding financial
year; or
(iv) outstanding deposits of twenty-five crore rupees or more at any point of time during
the preceding financial year; and
• every private company having –
(i) turnover of two hundred crore rupees or more during the preceding financial year;
or
(ii) outstanding loans or borrowings from banks or public financial institutions exceeding
one hundred crore rupees or more at any point of time during the preceding financial
year:
Securities and Exchange Board of India (SEBI)’s Listing Obligations and Disclosure
Requirements (LODR) Regulations prescribe that the Internal Auditor may report directly to
the Audit Committee [or the Board] and the role of Audit Committee shall include:
− reviewing, with the management, performance of internal auditors;
− reviewing the adequacy of internal audit function, if any, including the structure of the
internal audit department, staffing and seniority of the official heading the department,
reporting structure coverage and frequency of internal audit;
− reviewing the appointment, removal, and terms of remuneration of the chief internal
auditor;
− reviewing internal audit reports relating to internal control weaknesses;
− discussion with internal auditors of any significant findings and follow up there on; and
− reviewing the findings of any internal investigations by the internal auditors into matters
where there is suspected fraud or irregularity or a failure of internal control systems of a
material nature and reporting the matter to the board.
Companies (Auditor’s Report) Order, 2020 requires that the auditor’s report shall include a
statement whether the company has an internal audit system commensurate with the size and
nature of its business; and whether the reports of the Internal Auditors for the period under
audit were considered by the statutory auditor.
In addition, Companies (Cost Records and Audit) Rules, 2014 require the Cost Auditor to
certify whether the company has adequate system of internal audit of cost records which is
commensurate to nature and size of its business.
Besides abovementioned provisions in the Companies Act, Reserve Bank of India has mandated
Risk-based internal audit in all commercial banks, urban cooperative banks, and NBFCs;
Insurance Regulatory and Development Authority has introduced requirements of quarterly
internal Audit of insurance companies; and SEBI has mandated half-yearly internal audit for
stockbrokers, trading members, & clearing members.
Companies seeking listing in overseas stock exchanges (NASDAQ, NYSE, etc.), need a strong
internal audit function to meet with stringent corporate governance and internal control
requirements.
With these developments, the internal audit has attained considerable significance and its
scope has widened in Indian companies.

Objectives of Internal Audit


Internal Audit (IA) is an independent assurance and consulting activity performed to provide
value addition to the entity’s operations to achieve its objectives. It helps to evaluate and
improve the effectiveness of internal control, risk management and governance processes.
IA provides an assurance relating to effectiveness of operations, reliability of financial
management and reporting, efficiency of systems & processes, and compliance with laws and
regulations. IA also provides safeguard against potential fraud, waste, or abuse and value
adding consultancy to the management to improve the entity’s operations and efficiency of
resource utilization.

While attaining these objectives, the three ‘E’s of audit – Efficiency, Effectiveness, & Economy,
must be followed by the internal audit team.

Scope of Internal Audit


With the passage of time, the role & scope of internal audit have widened, reflecting a change in its
focus from financial statements & transactions to operations & management audit.
Hence, the scope of internal audit includes the following activities:
- Financial – to support management and statutory financial auditors by providing assurance
on the reliability of financial statements, & internal financial controls,
- Operational – to ensure efficient and effective conduct of operations of a company,
- Performance – to ensure efficient use of resources to obtain the entity’s objectives,
- Risk management – to ensure adequacy & effectiveness of risk management & control
systems,
- Management or Strategic – to ensure effectiveness of management policies & strategies,
- Compliance – to ensure compliance with the applicable laws, & regulations,
- Costing – to support management and statutory cost auditors by providing assurance on
the effectiveness of cost accounting systems & cost flows,
- Information Systems – to ensure smooth functioning of information technology systems,
and data access, protection, confidentiality, effectiveness, integrity, availability, compliance,
and validity,
- Environmental – to ensure compliance with the environmental laws and regulations, and
- Special Assignment – relating to investigation of fraud and corruption, or any other special
service with the approval of the Audit Committee/ Board.

Standards - Purpose and Compliance Requirements


Internal Audit & Assurance Standards (IAAS) are a set of principle-based minimum requirements
that are issued by and under the authority of the Council of The Institute of Cost Accountants of
India (hereinafter referred to as “Institute”).
Internal auditing is conducted in diverse legal environments for entities that vary in size,
complexity, nature, and structure. It may be performed by the entity’s own employees or by
external firms. But conformance with these Standards is essential in meeting the responsibilities
of internal auditor in performing the internal audit activities. Members of the Institute, whether
in service or in practice, must comply & conform while performing internal audit functions or
services in any entity, individually or as member of the team. These Standards also provide the
basis to evaluate responsibilities of the management in areas relating to internal audit and also
the performance of internal auditors.

All other professionals, who are not members of the Institute, are also advised to follow the
requirements of these Standards while executing or are part of the team executing any internal
audit engagement.

Framework of the Standards


The Internal Audit & Assurance Standards comprise two categories.
Category-I: Standards on General Principles of Internal Audit. It includes the following
Standards:

• IAAS 1 - Objectives, Authority and Charter
• IAAS 2 - Internal Audit Engagement
• IAAS 3 - Independence, Integrity and Objectivity
• IAAS 4 - Proficiency and Due Professional Care
• IAAS 5 - Using the work of an Expert
• IAAS 6 - Quality Assurance and Continuous Improvement
• IAAS 7 - Communication and Confidentiality
• IAAS 8 - Risk Based Internal Audit
• IAAS 9 - Technology Driven Internal Audit
• IAAS 10 - Enhancing Governance Through Internal Audit
• IAAS 11 - Internal Audit of Cost Records

Category-II: Standards on Principles related to Internal Audit Process. It includes the following
Standards:

• IAAS 21 - Internal Audit Planning
• IAAS 22 - Internal Audit Sampling
• IAAS 23 - Analysis and Evaluation
• IAAS 24 - Internal Audit Evidence
• IAAS 25 - Internal Audit Documentation
• IAAS 26 - Disclosure and Reporting
• IAAS 27 - Monitoring Progress

Structure of the Standards


The Internal Audit & Assurance Standards consist of two parts; both have equal authority and
application.
• Part-I covers the statements of main principles and core requirements for the professional
practice of internal auditing. These are set out in bold italic type.
• Part-II includes Application Guidance to the requirements. These paragraphs are set out in
plain type.
All terms used in the Internal Audit & Assurance Standards, including those relevant to the
practice of internal auditing, have been defined and included in the Glossary appended at the
end of Standards.

Standards Setting Process


Issue of Internal Audit & Assurance Standards follows an extensive consultation process.
First, exposure drafts of the Standards, including Introduction and Glossary, are prepared by
a Group of Technical Experts constituted by the Internal Audit and Assurance Standard Board
(IAASB). These Standards are thoroughly discussed, clause-by-clause, in the IAASB. Finally,
the exposure draft of these Standards is hosted on the Institute website and published in
Management Accountant journal for comments of all stakeholders and public at large. Copies of
exposure draft of these standards are also circulated to the concerned Government authorities,
regulatory bodies, professional institutes, past Presidents, members of the Central & Regional
Councils and all Chapters and Centers in India & abroad. Based on the comments received, the
IAASB finalizes these Standards for consideration by the Council of the Institute. After approval
by the Council, the Standards are issued.
While formulating the Standards, the IAASB takes into consideration the applicable laws, rules,
and regulations. However, if a particular Standard or any part thereof is inconsistent with a
law, provisions of the law shall prevail.

Effective Date
The Standards are effective for all internal audit services & engagements effective from the
first day of April, 2022.

CATEGORY-I: STANDARDS ON GENERAL PRINCIPLES OF INTERNAL AUDIT

IAAS 1 – OBJECTIVES, AUTHORITY AND CHARTER


This standard deals with specific nature, purpose, and objective of the internal audit. It also
addresses responsibilities and authorities of the chief internal auditor in performing internal
audit functions and its activities. This standard is to be read in conjunction with the applicable
law, rules, and regulations along with relevant ethical requirements.

Requirements
1.1 The purpose, objectives, authority, and responsibility of the internal audit activity
must be formally defined in a Charter of Internal Audit. It must also include the
nature and scope of audit, assurance and consulting services included in the internal
audit activity.
1.2 The authority to define and approve the internal audit charter lies with the Audit
Committee/ Board unless law prescribes otherwise.
1.3 The mandatory nature of the core principles and requirements of internal auditing,
as set out in the IAA Standards, must be recognized in the internal audit charter.
1.4 The Chief Internal Auditor must periodically review the internal audit charter and
present it to the Audit Committee/ Board for approval.
1.5 The Chief Internal Auditor has the overall responsibility to ensure the achievement
of the objectives of the internal audit function through a well-documented internal
audit plan & process.
1.6 The internal audit assignment plan shall be continuously monitored during the
execution phase for achievement of the objectives and to identify deviations, if any.
1.7 When professional judgment & circumstances justify non-conformance with
these Standards, it must be disclosed to the Audit Committee/Board for approval,
along with the impact and reasons of non-conformance or deviation.

Application Guidance
1.8 The Charter of Internal Audit is the principal document that defines the scope of internal
audit activities within the entity. It lays down all important aspects of internal audit.
An indicative list of areas covered in the internal audit charter is given below. Model
Internal Audit Charter is placed at Appendix-I.

− Purpose, & objectives of internal audit,
− Scope of internal audit activities commensurate with the size and nature of entity’s
business,
− Conformance with the principles of internal auditing laid down in the Internal Audit
& Assurance Standards,
− Independence and access to records and personnel,
− Authority and responsibility of the Chief Internal Auditor,
− Accountability and Reporting structure of the Chief Internal Auditor,
− Quality assurance by the Chief Internal Auditor, and
− Conformance with the applicable laws & regulations.
1.9 The nature of audit, assurance, and consulting services to be provided by the internal
auditor must be defined in the internal audit charter. If these services are outsourced
to parties outside the entity, their nature & scope should also be clearly laid out in the
internal audit charter.
1.10 The internal audit charter establishes the internal audit activity’s position within
the entity, including the nature of functional reporting relationship with the Audit
Committee/ Board; and authorizes access to relevant records, personnel, etc.
1.11 As per the provisions laid down in the Companies Act 2013 and the SEBI’s LODR
Regulations, the authority to define and approve the internal audit charter lies with the
Audit Committee/ Board.
1.12 The Charter of Internal Audit must be periodically reviewed by the Chief Internal Auditor,
discussed with the senior management, and presented to the Audit Committee / Board
for approval.
1.13 When non-conformance with the Standards impacts the overall scope or operation of the
internal audit activity, the chief of internal audit must disclose the non-conformance and
the impact to the Audit Committee and the Board.

IAAS 2 – INTERNAL AUDIT ENGAGEMENT


This standard deals with the framework of internal audit engagement terms; responsibility
of the Chief Internal Auditor in agreeing these terms with the management of the entity;
and creating a duly signed internal audit engagement letter, more so when such services are
outsourced.

Requirements
2.1 The Chief Internal Auditor must agree to the terms of the internal audit engagement
with management.
2.2 The agreed terms of the internal audit engagement must be recorded in the internal
audit engagement letter or other suitable form of written agreement and must
include the objective and scope of internal audit; responsibilities of internal auditor;
responsibilities of management; and applicable form and content of the reporting
framework.
2.3 If law or regulation prescribes in sufficient detail the terms of the internal audit
engagement referred to above, the internal auditor need not record them in a
written agreement, except for the fact that such law or regulation applies and that
the management acknowledges and understands its responsibilities.
2.4 The nature, objectives and scope of internal audit engagement must be reviewed, if
there is change in the circumstances and there is reasonable justification for doing
so. If the terms of the internal audit engagement are changed, the chief internal
auditor and management must agree and record the new terms of engagement in a
supplementary engagement letter or other suitable form of written agreement.
2.5 The scope of the engagement must include availability and access of chief internal
auditor to the relevant systems, records, personnel, etc. and including those records
under the control of third parties.
2.6 Internal auditors must conduct a preliminary assessment of the risks relevant to
the activity under review. Engagement objectives must reflect the results of this
assessment.
2.7 The internal audit engagement must include evaluation of nature, extent, purpose,
pricing and value of all related party transactions and their compliance with the
extant laws and regulations.
2.8 The internal audit engagement document must clearly define the nature and extent
of assurance services and consulting or advisory services. In case of assurance
services, the chief internal auditor must agree to express an opinion in order to
enhance the confidence of the assurance user about the outcome of internal audit.
2.9 In performing consulting engagements, the chief internal auditor must ensure that
the scope of the engagement is sufficient to address the agreed-upon objectives. If
chief internal auditor develops reservations about the scope during the engagement,
these reservations must be discussed with the client to determine whether to continue
with the engagement.
2.10 The chief internal auditor shall not assume any management responsibility either
while performing assurance role or providing consulting services.
2.11 The chief internal auditor must determine appropriate and sufficient resources to
achieve engagement objectives based on an evaluation of the nature and complexity
of each engagement, time constraints, and available resources.

Application Guidance
2.12 Before agreeing to and accepting an internal audit engagement, the Chief Internal Auditor
must completely understand the following:
- Objective of internal audit
- Area, nature, and scope of the internal audit
- Number of internal auditors to be appointed
- Applicable reporting framework
- Entity’s business and its environment
- Reporting periods
- Statutory deadline
- Applicable law, rules, and regulations
2.13 The management of the entity and the Chief Internal Auditor should discuss and agree to
the terms of the internal audit engagement, whether performed by the internal team or
outsourced to a party outside the entity. The role of management in agreeing the terms
of the internal audit engagement for the entity depends on its governance structure and
relevant law or regulation.
2.14 The internal audit engagement objectives, scope and responsibilities must be drawn in
compliance with the Charter of Internal Audit and approved by the Audit Committee/
Board.
2.15 In a recurring internal audit engagement, the Chief Internal Auditor shall review and
assess whether circumstances require the terms of engagement to be revised to ensure
its relevance and scope with the changing circumstances or any other changes with the
nature or timing. If found relevant, agreed changes shall be further placed and approved
by the Audit Committee/ Board.
2.16 When internal audit is performed by a party outside the entity, the agreed terms of the
internal audit engagement must be recorded in the internal audit engagement letter
or other suitable form of written agreement. A sample engagement letter is placed at
Appendix-II.
2.17 The form and content of the internal audit engagement letter may vary for each entity.
Information included in the engagement letter on the internal auditor’s responsibilities
may be based on Internal Audit & Assurance Standards. An internal audit engagement
letter may include the following:
i) Elaboration of the objectives and scope of the internal audit, including reference
to applicable laws, regulations, standards, ethical and other pronouncements of
professional bodies to which the internal auditor adheres;
ii) Responsibilities of the internal auditor and that of the management;
iii) Arrangements regarding the planning and performance of the internal audit,
including the composition of the engagement team;
iv) Applicable form and content of the reporting framework; and
v) The basis on which fees are computed and any billing arrangements.
2.18 When relevant, the following points may also be considered in the internal audit
engagement letter:
i) Arrangements concerning the involvement of experts in some aspects of internal
audit.
ii) Arrangements concerning the involvement of external auditors and other staff of
the entity.
iii) Arrangements to be made with the previous internal auditor, if any.
iv) Any restriction of the internal auditor’s liability when such possibility exists.
v) Any obligations to provide internal audit working papers to other parties.
2.19 Internal auditors should ascertain the extent to which management has established
adequate criteria to evaluate governance, risk management, and controls and to
determine whether objectives and goals have been accomplished. If adequate, internal
auditors may use such criteria in their evaluation. If inadequate, internal auditors may
identify appropriate evaluation criteria through discussion with management and/or
the Board.
2.20 The established scope of internal audit should be sufficient to achieve the objectives of the
engagement. The internal audit team should have appropriate mix of knowledge, skills,
and other competencies needed to perform the engagement. Internal auditor should
have sufficient resources needed to accomplish the engagement with due professional
care.
2.21 Consulting engagement objectives should be consistent with the entity’s values,
strategies, and objectives and should clearly address the governance, risk management,
and control processes to the extent agreed upon with the client.
2.22 When an external service provider serves as the internal audit activity, the provider
must make the entity aware that it has the responsibility for maintaining an effective
internal audit activity.

IAAS 3 – INDEPENDENCE, INTEGRITY AND OBJECTIVITY


This standard explains the rules of conduct to be followed by the chief internal auditor in
performing internal audit activity. This standard also establishes objectivity of the entity and
the chief internal auditor.

Requirements

1.1 The internal audit activity must be independent, and the Internal Auditor must
be free from any undue influences which force him to deviate from the truth. This
independence must be not only in mind, but also in appearance.

1.2 The Internal Auditors must be objective in performing their work. The internal
auditor must resist any undue pressure or interference in establishing the scope
of the assignments or the manner in which these are conducted and reported, in
case these deviate from set objectives i.e. the internal audit activity must be free
from interference in determining the scope of internal auditing, performing work,
and communicating results. The Chief Internal Auditor must disclose any such
interference to the Audit Committee/ Board.

1.3 The Chief Internal Auditor must report to the Audit Committee and the Board i.e. at
a level within the entity that allows the internal auditor to fulfill its responsibilities.
The chief internal auditor may have administrative reporting to a different level
within the entity.

1.4 The Internal Auditor must be honest, truthful and be a person of high integrity.
Internal auditors must have an impartial, unbiased attitude and avoid any conflict
of interest. The integrity of the internal auditor establishes trust and thus provides
the basis for reliance on their judgements.

1.5 If independence or objectivity is impaired in fact or appearance, the Chief Internal
Auditor must disclose such impairment to the Audit Committee/ Board.

1.6 The internal auditors must refrain from performing such assurance engagements
or providing such consulting services or assessing specific operations for which they
were previously responsible.

1.7 Assurance engagements for functions over which the chief internal auditor has
responsibility must be overseen by a party outside the internal audit activity.

1.8 Internal auditors may provide such assurance services where they had previously
performed consulting services, provided the nature of the consulting did not impair
objectivity and the services are performed by a different engagement team.

1.9 Internal auditors may provide consulting services relating to operations for which
they had previous responsibilities. If internal auditors have potential impairments
to independence or objectivity relating to proposed consulting services, they must
disclose to the client prior to accepting the engagement.

1.10 Where the Chief Internal Auditor has or is expected to have roles and/or
responsibilities that fall outside of internal auditing, safeguards must be in place to
limit impairments to independence or objectivity.

Application Guidance
1.11 Independence is the freedom from those conditions that threaten the ability of the internal
auditors to perform their responsibilities in an unbiased manner. The independence of
the internal audit function and the internal audit team plays a large part in establishing
the independence of the internal audit activity. The overall organisation structure of key
personnel, the position and reporting of the Chief Internal Auditor within this structure,
along with the powers and authority which are derived from superiors, establish the
independence of the internal auditor. Therefore, to achieve the degree of independence
necessary to effectively carry out the responsibilities of the internal audit activity,
the Chief Internal Auditor should have direct and unrestricted access to the senior
management, Audit Committee, and the Board.
1.12 Independence of internal audit activity can be achieved through a dual-reporting
relationship. The Chief Internal Auditor should report directly to the Audit Committee/
Board, who are responsible to appoint the Internal Auditors as per Rule 8 of “The
Companies (Meetings of Board and its Powers) Rules, 2014”. The Chief Internal Auditor
may have dual reporting responsibility, wherein the administrative reporting is to an
executive officer (e.g. MD or CEO), but functional reporting to the Chairman of the Audit
Committee/Board. Threats to independence must be managed at the individual auditor,
engagement, functional, and organizational levels.
1.13 Objectivity is an unbiased mental attitude that allows internal auditors to perform
engagements in such a manner that they believe in their work product and that no quality
compromises are made. Objectivity requires that internal auditors do not subordinate
their judgment on audit matters to others. Threats to objectivity must be managed at the
individual auditor, engagement, functional, and organizational levels.
1.14 The internal auditor should operate in a highly professional manner and be seen to be fair
in all his dealings. Any conflict of interest in which he has a competing professional or
personal interest is unethical & improper. It may affect his independence and objectivity.
Such conflict of interest can create an appearance of impropriety that can undermine
confidence in the internal auditor, the internal audit activity, and the profession.
Therefore, he should avoid all conflicts of interest and not seek to derive any undue
personal benefit or advantage from his position. Chief Internal Auditor must periodically
obtain information from internal auditing staff concerning potential conflicts of interest
and bias. Staff assignments of internal auditing must be rotated periodically whenever it
is practicable to do so.
1.15 To ensure independence and objectivity, the internal audit function should be positioned
outside the functions which are subject to internal audit (e.g. Finance and Accounts) and
the Internal Auditor should report directly to the highest governing body of the entity.
1.16 Impairment to organizational independence and individual objectivity may include,
but is not limited to, personal conflict of interest, scope limitations, restrictions on

12 THE INSTITUTE OF COST ACCOUNTANTS OF INDIA


INTERNAL AUDIT & ASSURANCE STANDARDS

access to records, personnel, and properties, and resource limitations, such as funding.
The determination of appropriate parties to which the details of an impairment
to independence or objectivity must be disclosed is dependent upon the nature
of impairment, expectations of the management and the chief internal auditor’s
administrative and functional reporting framework.
1.17 While assigning assurance or consulting engagements, the Chief Internal Auditor may
be exposed to a different type of risk to independence, whereby he is assigned certain
operational responsibilities (such as risk management, compliance, etc.). The Chief Internal
Auditor may accept such operational role for a short duration only after communicating
his limitations to assume ownership or accountability of the process; and his inability to
take operational decisions which may be subject to an internal audit later.

IAAS 4 – PROFICIENCY AND DUE PROFESSIONAL CARE


This standard explains the Internal Auditors’ responsibilities to use proficiency and due
professional care in performing internal audit activities to accomplish the objective of internal
audit engagement.

Requirements
1.1 Internal audit engagements must be performed with proficiency and due professional
care.
1.2 The internal auditors must either have or obtain such skills and competence as are
necessary for the purpose of discharging their responsibilities. The internal auditors
may acquire required skills and competence through general education, or technical
knowledge obtained through study and formal courses.
1.3 The internal audit team collectively must possess or obtain the knowledge, skills,
and other competencies needed to perform its responsibilities.
1.4 The chief internal auditor may obtain technical advice and assistance from competent
experts if the internal audit team does not possess the necessary knowledge,
skills, expertise, or experience needed to perform all or part of the internal audit
engagement.
1.5 Although, normally, an internal auditor is not expected to possess skills and knowledge
of a person expert in detecting and investigating frauds, he must, however, have
reasonable knowledge of factors that might increase the risk of opportunities for
frauds in an entity and exercise reasonable care and professional skepticism while
carrying out internal audit. An internal auditor must, therefore, use his knowledge
and skills to reasonably enable him to identify indicators of frauds.
1.6 Internal auditors must apply the care and skill expected of a reasonably prudent
and competent internal auditor. “Due Professional Care”, however, neither implies
nor guarantees infallibility, nor does it require the internal auditor to go beyond the
established scope of the engagement.
1.7 Internal auditors must exercise due professional care by considering the extent of
work needed to achieve the engagement’s objectives; adequacy and effectiveness of
governance, risk management, and control processes; and the cost of assurance in
relation to its potential benefits.
1.8 In exercising due professional care, internal auditors must consider the use of
technology-based audit and other data analytic techniques.
1.9 The internal audit team must perform all activities to achieve its objectives as
outlined in the internal audit charter or engagement letter. The Chief Internal
Auditor must effectively manage the internal audit activity to ensure it achieves its
objectives and adds value to the entity.
1.10 The internal auditors must decline the consulting engagement if they lack the
knowledge, skills, or other competencies needed to perform all or part of the
engagement.
Application Guidance
1.11 Proficiency means the ability to apply knowledge to situations likely to be encountered
and to deal with them without extensive recourse to technical research and assistance.
Proficiency in applying internal audit standards, procedures, and techniques is required
in performing engagements.
1.12 Due professional care calls for the application of care and skill expected of a reasonably
prudent and competent person in the same or similar circumstances. Professional
care should be appropriate to the complexities of the engagement being performed.
In exercising due professional care, internal auditors shall use extensive alertness
to the possibility of intentional wrongdoing, errors and omissions, inadequate
controls, inefficiency, waste, ineffectiveness, and conflicts of interest and recommend
improvements to promote compliance with acceptable procedures and practices.
1.13 The internal auditors should have sound knowledge, strong inter-personal skills,
practical experience, professional expertise, and other competencies required to conduct
a quality audit. They should undertake only those assignments for which they have the
requisite competence.
1.14 The internal auditors shall obtain such skills and competencies as are necessary for the
purpose of discharging their responsibilities. In addition to the basic auditing & technical
skills, they should have adequate knowledge and expertise in softer skills (such as
information technology and communication skills).
1.15 Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the
manner in which it is managed or controlled by the entity but are not expected to have
the expertise of a person whose primary responsibility is detecting and investigating
fraud.
1.16 Internal auditors must have sufficient knowledge of information technology, control
systems, machine learning, data analytics and other technology-based audit techniques
to perform their assigned work. However, information technology audit should be
conducted only by those internal auditors having requisite knowledge, skill, and
expertise.
1.17 Where the chief internal auditor and the audit team lack certain expertise, he shall
obtain the required assistance and support either from the in-house experts or through
the services of an outside expert.
1.18 Internal auditors must exercise due professional care during a consulting engagement
by considering the needs and expectations of clients, including the nature, timing,
and communication of engagement results; the extent of work needed to achieve the
engagement’s objectives; and the cost of consulting engagement in relation to its potential
benefits.
1.19 The internal audit activity is effectively managed when:
• It is undertaken in a systematic, disciplined, and professional manner by the internal
audit team having required knowledge, skills, and competencies;
• It achieves the purpose, objectives and responsibility included in the internal audit
charter or engagement letter;
• It conforms with the Internal Audit & Assurance Standards; and
• Its outcomes add value to the entity.
1.20 The internal audit activity adds value to the entity and its stakeholders when it considers
strategies, objectives, and risks; strives to offer ways to enhance governance, risk
management, and control processes; and objectively provides relevant assurance.

IAAS 5 – USING THE WORK OF AN EXPERT


This standard applies when the Chief Internal Auditor relies upon the work done by an Expert,
to provide assurance in performing internal audit engagements. This standard explains the
Chief Internal Auditor’s responsibility to do proper evaluation before using the work done by
an Expert.

Requirements
1.1 In conducting internal audit assignments, the Chief Internal Auditor may seek the
assistance and place reliance on the work of an expert.
1.2 The expert may either be an employee of the entity, or the internal auditor’s staff or
an outside professional who possesses specialized domain knowledge and skills.

1.3 The chief internal auditor must take assistance of an expert in highly technical and
complex matters where the required expertise is not available within the internal
audit team. The engagement of expert would depend on the risk assessment,
materiality, and importance of the subject matter of internal audit.
1.4 The chief internal auditor may have the authority to select, appoint and engage
the expert. The chief internal auditor must conduct an independent evaluation of
the qualifications and credentials of the expert and validate his independence and
objectivity if he is selected and engaged by the management.
1.5 The chief internal auditor must participate in defining the scope, approach, and
work to be conducted by the expert. The chief internal auditor must evaluate the
work completed by the expert including the relevance and reasonableness of the
expert’s assumptions, methods, findings or conclusions and their consistency with
other audit findings & evidence.
1.6 The chief internal auditor must be responsible for the conclusions and opinions
incorporated in the internal audit report and may not refer to the work of an expert
in the report, unless specifically mandated otherwise by the assurance user.

Application Guidance
1.7 An Expert is a person or an entity, who possesses certain specialized skills and expertise
in a particular area, field, or discipline.
1.8 The chief internal auditor may seek the assistance and place reliance on the work of
an Expert in specialized areas such as Information Technology, Engineering, Banking,
Actuarial Services, Forensic Audit, Taxation, Risk Modelling, Intellectual Property, etc.
1.9 An expert is generally engaged to help in an internal audit assignment where the required
skills are not available within the internal audit team or function. The Expert can be an
employee of the entity, provided he fulfils all criteria relating to his independence and
objectivity.
1.10 The objectives of using the work of an expert are to ensure that the internal audit
procedures are conducted in complex and specialised areas with the assistance and
support from competent experts who possess the necessary knowledge and expertise, so
as to ensure that the outcome of internal audit is credible, reliable, and meets the expected
quality standards.
1.11 Where the expert has any relationship with the entity management or has any personal,
financial, or organisational interests, the objectivity of the expert may get compromised
and it may prevent the rendering of an unbiased and impartial report.
1.12 It is necessary that relevant confidentiality & ethical requirements that apply to the chief
internal auditor also apply to the auditor’s expert. Additional requirements may be
imposed by the entity or by law or regulation.

1.13 Where the chief internal auditor plans to incorporate the findings of the work of the
expert as part of his internal audit report, he must participate in defining the plan and
procedures of the expert.
1.14 During and after completion of the work by the expert, the chief internal auditor should
evaluate the outcome of the expert’s findings to validate the quality of work performed
and the reliability of his findings.
1.15 In exceptional cases, where the findings of the expert are not consistent with other
audit evidence, the internal auditor should attempt to resolve the inconsistency through
discussions and in extreme situations, may conduct additional procedures or engage
another expert to resolve the inconsistencies.

IAAS 6 – QUALITY ASSURANCE AND CONTINUOUS IMPROVEMENT

Requirements
1.1 The internal auditors must have such skills and competence as are necessary for the
purpose of discharging their responsibilities.
1.2 The internal auditors must, through study or formal courses, obtain such skills and
competence as are necessary for the purpose of discharging their responsibilities.
1.3 Internal auditors must enhance their knowledge, skills, and other competencies
through continuing professional development.
1.4 The chief internal auditor must develop and maintain a quality assurance and
improvement program that covers all aspects of the internal audit activity.
1.5 The chief internal auditor must develop a system to ensure quality in internal
audit and provide reasonable assurance that the internal auditors comply with
professional standards, and regulatory & legal requirements. A person within the
entity should be entrusted with this responsibility, irrespective of whether the internal
audit is done in-house or by an external agency.
1.6 The quality assurance and improvement program must include both internal and
external assessments.
1.7 Internal assessments must include:
o Ongoing monitoring of the performance of the internal audit activity; and
o Periodic self-assessments or assessments by other persons within the entity with
sufficient knowledge of internal audit practices.
1.8 External assessments must be conducted at least once every five years by a qualified,
independent assessor or assessment team from outside the entity. The chief internal
auditor must discuss with the Audit Committee/Board:
o The form and frequency of external assessment; and
o The qualifications and independence of the external assessor or assessment
team, including any potential conflict of interest.
1.9 The chief internal auditor must communicate the results of the quality assurance
and improvement program to senior management, Audit Committee, and the Board.
Disclosure should include:
o The scope and frequency of both the internal and external assessments;
o The qualifications and independence of the assessor(s) or assessment team,
including potential conflicts of interest;
o Conclusions of assessors; and
o Corrective action plans.
1.10 Indicating that the internal audit activity conforms with the professional Standards,
and regulatory and legal requirements is appropriate only if supported by the
results of the quality assurance and improvement program.
1.11 Engagements must be properly supervised to ensure objectives are achieved, quality
is assured, and staff is developed.
Application Guidance
1.12 A quality assurance and improvement program is designed to enable an evaluation
of the internal audit activity’s conformance with the professional Standards and an
evaluation of whether internal auditors apply the ethical requirements. The program
also assesses the efficiency and effectiveness of the internal audit activity and identifies
opportunities for improvement.
1.13 Ongoing monitoring is an integral part of the day-to-day supervision, review, and
measurement of the internal audit activity. Ongoing monitoring is incorporated into
the routine policies and practices used to manage the internal audit activity and uses
processes, tools, and information considered necessary to evaluate conformance with
the professional Standards, and regulatory, legal & ethical requirements.
1.14 A person within the entity is entrusted with the responsibility to establish policies and
procedures designed to provide reasonable assurance on the following:
o Quality in internal audit, whether done in-house or by an external agency;
o Internal auditors’ compliance with the professional Standards, and regulatory and
legal requirements;
o Internal auditors’ compliance with the relevant ethical requirements;
o Assessment of the internal audit team members’ capabilities, competence, and
commitment;
o That the reports issued by the internal auditors are appropriate in the circumstances;
and
o These policies and procedures relating to the system of quality assurance are relevant,
adequate, operating effectively and complied with in practice.
1.15 The internal audit quality assurance framework must address the following:
o Developing an internal audit manual clearly defining the specific role and
responsibilities, policies and procedures, documentation requirements, reporting
lines and protocols, targets and training requirements for the staff, internal audit
performance measures and the indicators.
o Ensuring that the internal audit staff at all levels is appropriately trained and
adequately supervised and directed on all assignments.
o Establishing a formal process of feedback from the users of the internal audit services,
such as the senior management executives, etc. Some of the attributes on which
the feedback may be sought include quality, timeliness, value addition, efficiency,
innovation, effective communication, audit team, time management. The responses
received from the users of the internal audit services should also be shared with the
appropriate levels of management.
o Establishing appropriate performance criteria for measuring the performance of the
internal audit function. In case the internal audit activity is performed by an external
agency, the contract of the engagement should contain a clause for establishment
of performance measurement criteria and periodic performance review. These
performance measurement criteria should be approved by the management.

1.16 External assessments may be accomplished through a full external assessment, or a self-
assessment with independent external validation. The external assessor must conclude
as to conformance with the professional Standards, and regulatory, legal & ethical
requirements.

1.17 An independent assessor or assessment team means not having either an actual or a
perceived conflict of interest and not being a part of, or under the control of, the entity
to which the internal audit activity belongs. The chief internal auditor should encourage
oversight by the Audit Committee/Board in the external assessment to reduce perceived
or potential conflicts of interest.

1.18 The external quality review should be done by a professionally qualified person
having an in-depth knowledge and experience of, inter alia, the professional Standards
applicable to the internal auditors, the processes and procedures involved in the internal
audit generally and those peculiar to the industry in which the entity is operating. The
external quality reviewer should be appointed in consultation with the person entrusted
with the responsibility for the quality in internal audit, senior management, and audit
committee/Board.

1.19 The form, content, and frequency of communicating the results of the quality assurance
and improvement program are established through discussions with senior management,
audit committee and the Board. It should be the responsibility of the chief internal auditor,
as enshrined in the internal audit charter.
1.20 To demonstrate conformance with the professional Standards, and regulatory, legal
& ethical requirements, the results of external and periodic internal assessments are
communicated upon completion of such assessments, and the results of ongoing
monitoring are communicated at least annually. The results include the assessor’s or
assessment team’s evaluation with respect to the degree of conformance.
1.21 The extent of supervision required will depend on the proficiency and experience of
internal auditors and the complexity of the engagement. The chief internal auditor has
overall responsibility for supervising the engagement, whether performed by or for the
internal audit activity, but may designate appropriately experienced members of the
internal audit activity to perform the review. Appropriate evidence of supervision must
be documented and retained.

IAAS 7 – COMMUNICATION AND CONFIDENTIALITY


This standard explains the chief internal auditor’s responsibility to establish regular
communication with the management and Audit Committee/Board on various aspects covering
the internal audit functions, activities, and results.
Requirements
1.1 The chief internal auditor must determine the appropriate person(s) within the
entity’s governance structure with whom to communicate. The chief internal
auditor must communicate and interact directly with the senior management, Audit
Committee, and the Board.
1.2 The chief internal auditor must establish a written communication process and
protocol with management, which is shared and agreed with them. All communication
must be accurate, objective, clear, concise, constructive, complete, and timely.
1.3 The chief internal auditor must be satisfied that communication with person(s)
with management responsibilities adequately informs all of those with whom the
internal auditor would otherwise communicate in their governance capacity.
1.4 The chief internal auditor must communicate with the senior management, Audit
Committee, and the Board an overview of the planned scope and timing of the
internal audit.
1.5 The chief internal auditor must report periodically to senior management, Audit
Committee, and the Board on the
o Internal audit activity’s purpose, authority, responsibility, and performance
relative to its plan and on its conformance with the professional Standards and
ethical requirements; and


o Significant risk and control issues, including fraud risks, governance issues, and
other matters that require the attention of senior management, Audit Committee
and/or the Board.

1.6 The chief internal auditor must communicate with the senior management, Audit
Committee and the Board, the responsibilities of the internal auditor and the fact
that the audit of any matter does not relieve management of their responsibilities.

1.7 The chief internal auditor must communicate with the senior management, Audit
Committee and the Board, a statement that the audit team and others in the firm
as appropriate, have complied with relevant ethical requirements regarding
independence; and related safeguards have been applied to eliminate identified
threats to independence or reduce them to an acceptable level.

1.8 The chief internal auditor is responsible and must communicate the engagement
results to appropriate parties who can ensure that the results are given due
consideration.

1.9 The chief internal auditor must not communicate the engagement results to parties
outside the entity without the written consent of management, unless otherwise
mandated by legal, statutory, or regulatory requirements. When releasing
engagement results to parties outside the entity, the communication must include
limitations on distribution and use of the results.

1.10 If a final communication contains a significant error or omission, the chief internal
auditor must communicate corrected information to all parties who received the
original communication.

Application Guidance

1.11 The frequency and content of reporting should be determined by the chief internal
auditor in consultation with the senior management, Audit Committee, and the Board.

1.12 Matters that may contribute to effective two-way communication include discussion
about the purpose of communications. Where the purpose is clear, the chief internal
auditor, and the senior management, Audit Committee and the Board would have
mutual understanding of relevant issues and the expected actions arising from the
communication process.

1.13 The communication process will vary with the circumstances, including the size and
governance structure of the entity, how the entity operates, and the internal auditor’s
view of the significance of matters to be communicated. Difficulty in establishing effective
two-way communication may indicate that the communication between the internal
auditor and the senior management, Audit Committee and the Board is not adequate for
the purpose of internal audit.


1.14 The appropriate timing for communications will vary with the circumstances of the
engagement. Relevant circumstances include the significance and nature of the matter,
and the action expected to be taken by the senior management, Audit Committee, and the
Board.

1.15 The chief internal auditor’s reporting and communication to the senior management,
Audit Committee and the Board must include information about the internal audit
charter, independence of the internal audit activity, audit plan and progress against the
plan, resource requirements and results of audit activities.

1.16 The internal audit must be conducted in compliance with the applicable professional
Standards and legal, regulatory & ethical requirements. The chief internal auditor
must communicate to the senior management, Audit Committee, and the Board, that
the engagements have been conducted in conformance with the applicable Standards
and Requirements. In case of any nonconformance with the applicable professional
Standards and legal, regulatory & ethical requirements, the chief internal auditor must
communicate to the senior management, Audit Committee and the Board, the reasons
for nonconformance.

1.17 The chief internal auditor is responsible for communicating the final results of all
engagements to clients. Final communication of engagement results must include
applicable conclusions, as well as applicable recommendations and/or action plans.
Where appropriate, the internal auditors’ opinion should be provided. An opinion must
consider the expectations of senior management, Audit Committee, and the Board, and
must be supported by sufficient, reliable, relevant, and useful information.

1.18 During consulting engagements, governance, risk management, and control issues
may be identified. Whenever these issues are significant to the entity, these must be
communicated to senior management, Audit Committee, and the Board. Communication
of the progress and results of consulting engagements will vary in form and content
depending upon the nature of the engagement and the needs of the client.

1.19 The senior management, Audit Committee and the Board may wish to provide information
to third parties. In some cases, disclosure to third parties may be illegal or otherwise
inappropriate. When a written communication prepared for the senior management,
Audit Committee and the Board is provided to third parties, it may be important in
the circumstances that the third parties be informed that the communication was not
prepared with them in mind and any restrictions on disclosure or distribution to third
parties.

1.20 The chief internal auditor is responsible for reviewing and approving the final
engagement communication before issuance and for deciding to whom and how it will
be disseminated. When the chief internal auditor delegates these duties, he or she retains
overall responsibility.


IAAS 8 – RISK BASED INTERNAL AUDIT


This standard explains the internal auditor’s role & responsibility to review the entity’s risk
management & internal control system during an internal audit engagement and provide an
assurance on its effectiveness.

Requirements
1.1 The Chief Internal Auditor must ensure that the entity has designed, implemented,
and maintains effective and efficient risk management & internal control system.
The chief internal auditor should obtain an understanding of the various aspects of
the control environment and evaluate the same as to the operating effectiveness.
1.2 The internal audit must assist the entity to accomplish its objectives by bringing a
systematic, & disciplined approach to evaluate and improve the effectiveness of risk
management, control, and governance processes.
1.3 The internal audit must evaluate and provide an assurance relating to effectiveness
of operations, reliability of financial management systems and reporting,
safeguarding the assets, and compliance with laws and regulations.
1.4 The internal audit activity must evaluate the potential for the occurrence of fraud
and how the entity manages fraud risk.
1.5 By following Risk Based Internal Audit (RBIA), the internal auditor may be able to
conclude that the management has identified, assessed and responded to risks above
and below the risk appetite; the responses to risks are effective but not excessive in
managing inherent risks within the risk appetite; where residual risks are not in
line with the risk appetite, action is being taken to remedy that; risk management
processes, including the effectiveness of responses and the completion of actions, are
being monitored by management to ensure these continue to operate effectively and
risks, responses and actions are being properly classified and reported.
1.6 The internal auditing assurance role in Enterprise Risk Management (ERM) would
include evaluating and giving assurance on risk management processes; reporting
of risks; and reviewing the management of key risks. These assurance activities form
part of the wider objective of giving assurance on risk management.
1.7 The internal auditing consulting role in ERM would include facilitating identification
& evaluation of risks; coaching management in responding to risks; coordinating
ERM activities; consolidated reporting on risks; maintaining & developing the ERM
framework; championing establishment of ERM; and developing risk management
strategy for the entity’s Board approval.
1.8 As a safeguard, the chief internal auditor may not undertake the responsibilities for
setting the risk appetite; imposing risk management processes; management
assurance on risks; taking decisions on risk responses; implementing risk responses
on management’s behalf; and accountability for risk management.


1.9 The chief internal auditor may not manage any of the risks on behalf of the
management or take risk management decisions or assume any accountability for
risk management decisions taken by the management.
1.10 During consulting engagements, internal auditors must address risk consistent
with the engagement’s objectives and be alert to the existence of other significant
risks. Internal auditors must incorporate knowledge of risks gained from consulting
engagements into their evaluation of the entity’s risk management processes.
1.11 When the chief internal auditor concludes that management has accepted a level of
risk that may be unacceptable to the entity, he must rediscuss the matter with senior
management. If the chief internal auditor determines that the matter has not been
resolved, he must communicate the matter to the Audit Committee and the Board.

Application Guidance
1.12 The term “Internal Control” refers to the process designed, implemented, and maintained
by management to provide reasonable assurance about the achievement of an entity’s
objectives with regard to reliability of financial reporting, effectiveness and efficiency of
operations, and compliance with applicable laws and regulations. The term “controls”
refers to any aspect(s) of the components of internal control.
1.13 A control including internal control is always designed to respond (mitigate) to a possible
risk at the entity, activity, and transaction level. A control that does not address a risk is
obviously redundant. So, a risk must exist before it can be mitigated by a management
control. The chief internal auditor shall obtain an understanding of the various aspects
of the control environment and evaluate such controls as to the operating effectiveness.
1.14 Risk is defined as the possibility of an event occurring that will have an impact on the
achievement of objectives. Risk is measured in terms of impact and likelihood. Therefore,
Risk management is the continuing process to identify, analyze, evaluate, and treat loss
exposures and monitor risk control and financial resources to mitigate the adverse
effects of loss. Internal audit is to provide assurance that those risks have been properly
managed. This is achieved through Risk Based Internal Audit (RBIA).
1.15 Risk based internal auditing (RBIA) is a methodology that links internal auditing to
an entity’s overall risk management framework. RBIA allows internal audit to provide
assurance to the Board that risk management processes are managing both inherent
risks & control risks effectively, in relation to the risk appetite.
1.16 Enterprise-wide risk management (ERM) is a structured, consistent, and continuous
process across the whole entity for identifying, assessing, & deciding on responses to
and reporting on opportunities and threats that affect the achievement of its objectives.
1.17 The internal auditor makes an assessment to determine whether risk management
processes are effective to support an entity’s mission & objectives; that significant
risks are identified and assessed; that appropriate risk responses are selected that
align risks with the entity’s risk appetite and relevant risk information is captured and
communicated in a timely manner across the entity’s staff, management, and the Board
to carry out their responsibilities.

1.18 The internal audit activity may gather the information to support this assessment during
multiple engagements. The results of these engagements, when viewed together, provide
an understanding of the entity’s risk management processes and their effectiveness.

1.19 The identification of risk accepted by management may be observed through an assurance
or consulting engagement, monitoring progress on actions taken by management as
a result of prior engagements, or other means. It is not the responsibility of the chief
internal auditor to resolve the risk.

1.20 Internal Audit may add value by reviewing critical control systems and risk management
processes; performing effectiveness review of management’s risk assessments and the
internal controls; providing advice in the design and improvement of control systems
and risk mitigation strategies; implementing a risk-based approach to planning and
executing the internal audit process; ensuring that internal audit’s resources are directed
at those areas most important to the entity; challenging the basis of management’s risk
assessments and evaluating the adequacy and effectiveness of risk treatment strategies;
facilitating ERM workshops; and defining risk tolerances where none have been identified,
based on internal audit experience, judgment, and consultation with management.

1.21 Management is in a unique position to perpetrate fraud because of its ability to
manipulate records and prepare fraudulent financial statements by overriding
controls that otherwise appear to be operating effectively. Although the level of risk of
management override of controls varies from entity to entity, the risk is nevertheless
present in all entities. Due to the unpredictable way in which such override could occur,
it is a significant risk of material misstatement due to fraud.

1.22 If the internal auditor identifies a misstatement and has reason to believe that it is or
may be the result of fraud and that management (in particular, senior management) is
involved, the internal auditor must re-evaluate the assessment of the risks of material
misstatement due to fraud and its resulting impact on the nature, timing, and extent
of audit procedures to respond to the assessed risks. The internal auditor must also
consider whether circumstances or conditions indicate possible collusion involving
employees, management or third parties when reconsidering the reliability of evidence
previously obtained.

IAAS 9 – TECHNOLOGY DRIVEN INTERNAL AUDIT


This standard explains the use of technology in performing the internal audit assignment
and also deals with the chief internal auditor’s understanding of technology in assessment of
internal control and associated risks.


Requirements
1.1 The internal auditor must consider the IT environment in designing audit procedures
to review the systems, processes, controls, and risk management framework of the
entity.
1.2 The internal auditor must review the robustness of the IT environment and
understand any weakness or deficiency in the design and operation of an IT control
within the entity.
1.3 The use of technology does not change the overall objective and scope of internal
audit. However, this may affect the entity’s processes, operations, internal control
systems and risk management. Accordingly, the chief internal auditor must consider
the effect of technology on internal audit engagement, including its use in data
analytics.
1.4 In planning the portions of the internal audit which may be affected by the IT
environment, the internal auditor must obtain an understanding of the significance
and complexity of the IT activities and the availability of the data for use in the
internal audit.
1.5 The chief internal auditor must review whether the information technology system
in the entity considers the confidentiality, effectiveness, integrity, availability,
compliance and validity of data and information processed. The chief internal auditor
must also review the effectiveness and safeguarding of IT resources, including –
people, applications, facilities, and data.
1.6 The chief internal auditor must have sufficient knowledge of the information
technology systems to plan, direct, supervise, control, and review the work performed.
The sufficiency of knowledge would depend on the nature and extent of the IT
environment. The chief internal auditor should consider whether any specialised IT
skills are needed in the conduct of internal audit activities, for example, the operating
knowledge of a specialised ERP system.
1.7 If specialized skills are needed, the chief internal auditor must seek the assistance
of a technical expert possessing such skills, who may either be the internal auditor’s
staff or an outside professional. If the use of such a professional is planned, the
chief internal auditor must obtain sufficient appropriate evidence that the work
performed by the expert is adequate for the purposes of the internal audit.
1.8 The chief internal auditor must understand the significance of data analysis, data
analysis technology, associated risks & challenges and the opportunities, trends,
and advantages of making use of data analysis technology.
1.9 The internal auditors must learn the interplay of major technology led disruptions
caused by Robotic Process Automation (RPA), Artificial Intelligence (AI) and
Machine Learning (ML) and monitor their impact on the business processes and
risk management. These technologies are fast impacting and accelerating the
automation efforts. The internal auditors must re-draw audit procedures suited to
such an environment.
1.10 The internal auditor must assess their data analytical capabilities, strengths, and
weaknesses. The internal auditors must learn to use data more intelligently to
deduce critical business analytical insights, build a framework of data, people, and
technology to administer analytics, groom analytical users and leaders, and set and
monitor SMART targets for analytical pursuits.

Application Guidance

1.11 An IT system uses technology to capture, classify, summarize, and report data in a meaningful
manner to all users. It includes an enterprise resource planning (ERP) system. The use
of IT changes the processing, storage, retrieval and communication of financial & non-
financial information and the interplay of processes, systems, and control procedures.
1.12 The internal auditor shall obtain an understanding of the systems, processes, control
environment, risk-response activities, and internal control systems sufficient to plan the
internal audit and to determine the nature, timing, and extent of the audit procedures.
Such an understanding would help the internal auditor to develop an effective audit
approach.
1.13 Information Technology systems may generate reports that might be useful in performing
substantive tests (particularly analytical procedures). The potential for use of computer-
assisted audit techniques may permit increased efficiency in the performance of internal
audit procedures or may enable the auditor to economically apply certain procedures to
the entire population of transactions.
1.14 When the information technology systems are significant, the chief internal auditor
should also obtain an understanding of the IT environment and whether it influences the
assessment of inherent and control risks.
1.15 The internal auditor must assess inherent and control risks for material assertions related
to significant processes and systems. These assertions apply to significant processes
and systems for example - sales, procurement, inventory management, production,
marketing, human resources, and logistics.
1.16 If the internal auditor is not able to rely on the effectiveness of IT environment as a
result of the review, he may perform such substantive testing or test of IT controls, as
deemed fit in the circumstances. The internal auditor should apply his professional
judgment and skill in reviewing the IT environment and assessing the interfaces of such
IT infrastructure with other business processes.
1.17 The internal auditor must assess and review the reliance which the management of
the entity places on the outsourced agency, in cases where such information processing
has been outsourced to an outside party. The risks associated with such outsourced
services must be considered by the internal auditor considering the review of IT controls
prevalent in such outside entity. The internal auditor must also review the extent to which
the entity’s controls provide reasonable assurance regarding the completeness, validity,
reliability and availability of the data and information processed by such outsourced
agency.
1.18 Computer Assisted Audit Techniques (CAATs) are computer programs that the internal
auditor uses as part of the audit to process data of audit significance to improve the
effectiveness and efficiency of the audit process.
1.19 General Audit Software applications can be used by the internal auditor for transaction
testing, compliance review, fraud investigation, MIS reporting, advanced statistical
forecasting and correlation, large database reconciliation of electronic data from different
industry verticals and for intelligent analysis of electronic data from key business
processes. General Audit Software gives the internal auditor the power to sift through
Windows network security event logs to extract the entries that may have a security
impact or identify deviations from corporate policy, security breaches and inappropriate
usage.
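
An added illustration of the log sifting described in 1.19 (not part of the Standard): the script applies assumed policy rules to a constructed CSV export of Windows Security log entries and returns the entries an auditor would review. The column layout, policy thresholds, and finding labels are assumptions; the event IDs are the standard Windows ones for log clearing (1102), logon success and failure (4624, 4625), account creation (4720), and security group membership additions (4728, 4732).

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, time, timedelta

# Constructed sample of a Security-log export (illustrative, not real data).
SAMPLE_EXPORT = """TimeCreated,EventID,Account,Detail
2024-03-04T09:12:05,4624,jsmith,LogonType=2
2024-03-04T09:40:11,4625,mrao,LogonType=3
2024-03-04T09:40:19,4625,mrao,LogonType=3
2024-03-04T09:40:31,4625,mrao,LogonType=3
2024-03-04T09:41:02,4625,mrao,LogonType=3
2024-03-04T09:41:40,4625,mrao,LogonType=3
2024-03-04T11:05:00,4720,helpdesk1,NewAccount=tmp_vendor
2024-03-04T11:07:30,4732,helpdesk1,Group=Administrators;Member=tmp_vendor
2024-03-04T14:00:00,4732,helpdesk1,Group=Finance-Readers;Member=jsmith
2024-03-05T02:17:44,4624,tmp_vendor,LogonType=10
2024-03-05T02:55:09,1102,tmp_vendor,Log=Security
"""

# Assumed corporate policy parameters; take the real ones from the entity's policy.
POLICY = {
    "business_open": time(8, 0),
    "business_close": time(19, 0),
    "privileged_groups": {"Administrators", "Domain Admins"},
    "failed_logon_threshold": 5,
    "failed_logon_window": timedelta(minutes=10),
}


def load_events(text):
    """Parse the CSV export into time-ordered event dictionaries."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        detail = dict(
            pair.split("=", 1) for pair in row["Detail"].split(";") if "=" in pair
        )
        events.append({
            "time": datetime.fromisoformat(row["TimeCreated"]),
            "event_id": int(row["EventID"]),
            "account": row["Account"],
            "detail": detail,
        })
    return sorted(events, key=lambda e: e["time"])


def sift(events, policy):
    """Return (time, account, finding) tuples for entries that need review."""
    findings = []
    recent_failures = defaultdict(list)  # account -> failure times inside the window
    in_burst = set()                     # accounts already reported for the current burst
    for ev in events:
        eid, acct, when = ev["event_id"], ev["account"], ev["time"]
        if eid == 1102:                  # the audit log was cleared
            findings.append((when, acct, "AUDIT_LOG_CLEARED"))
        elif eid == 4720:                # a user account was created
            findings.append((when, acct, "ACCOUNT_CREATED"))
        elif eid in (4728, 4732):        # member added to a security-enabled group
            if ev["detail"].get("Group") in policy["privileged_groups"]:
                findings.append((when, acct, "PRIVILEGED_GROUP_CHANGE"))
        elif eid == 4624:                # successful logon
            if not policy["business_open"] <= when.time() < policy["business_close"]:
                findings.append((when, acct, "OFF_HOURS_LOGON"))
        elif eid == 4625:                # failed logon
            window = recent_failures[acct]
            window.append(when)
            # Slide the window: drop failures older than the policy window.
            while when - window[0] > policy["failed_logon_window"]:
                window.pop(0)
            if len(window) < policy["failed_logon_threshold"]:
                in_burst.discard(acct)
            elif acct not in in_burst:   # report each burst once, not every failure
                in_burst.add(acct)
                findings.append((when, acct, "FAILED_LOGON_BURST"))
    return findings


if __name__ == "__main__":
    for when, acct, finding in sift(load_events(SAMPLE_EXPORT), POLICY):
        print(when.isoformat(), acct, finding)
```
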
1.20 Data Analysis may help the internal auditors meet their auditing objectives. By analysing
data, internal audit can detect changes or vulnerabilities in organizational processes and
potential weaknesses that could expose the entity to undue or unplanned risk. This helps
identify emerging risk and target internal audit resources to effectively safeguard the
entity from excessive risk and improve overall performance. This also enables internal
audit to identify changes in the organizational processes.
1.21 By analysing data from a variety of sources against control parameters, business rules
and policies, internal audit may provide fact-based assessments of how well automated
controls are operating. Data analysis technology also may be used to determine if semi-
automated or manual controls are being followed by seeking indicators in the data.
By analysing 100 percent of relevant transactions and comparing data from diverse
sources, the internal audit can identify instances of fraud, error, inefficiencies and / or
non-compliance.
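
An added illustration of the full-population testing described in 1.21 (not part of the Standard): every payment in a constructed ledger is tested against control parameters and compared with a second source, the vendor master. The file layouts, approval limits, and exception labels are assumptions chosen for the example.

```python
import csv
import io
from collections import defaultdict
from decimal import Decimal

# Constructed payment ledger extract (illustrative, not real data).
PAYMENTS_CSV = """payment_id,vendor_id,invoice_no,amount,created_by,approved_by
P001,V100,INV-7001,48000.00,asha,ravi
P002,V101,INV-3310,125000.00,asha,ravi
P003,V100,INV-7002,15000.00,kiran,kiran
P004,V999,INV-0001,9000.00,asha,meena
P005,V102,INV-5520,30000.00,kiran,meena
P006,V100,INV-7001,48000.00,kiran,ravi
P007,V101,INV-3311,250000.00,asha,meena
"""

# Constructed vendor master extract: the second, independent data source.
VENDOR_MASTER_CSV = """vendor_id,status
V100,active
V101,active
V102,blocked
"""

# Assumed control parameter: the maximum amount each approver may authorise.
APPROVAL_LIMITS = {
    "kiran": Decimal("50000"),
    "ravi": Decimal("100000"),
    "meena": Decimal("500000"),
}


def read_csv(text):
    """Load a CSV extract into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def run_control_tests(payments, vendors, limits):
    """Test 100 percent of payments; return population size and exceptions."""
    vendor_status = {v["vendor_id"]: v["status"] for v in vendors}
    exceptions = defaultdict(list)
    by_invoice = defaultdict(list)  # (vendor, invoice, amount) -> payment ids

    for p in payments:
        pid = p["payment_id"]
        amount = Decimal(p["amount"])  # Decimal avoids float rounding on money

        # Segregation of duties: the creator must not approve their own payment.
        if p["created_by"] == p["approved_by"]:
            exceptions[pid].append("SOD_VIOLATION")

        # Delegation of authority: an approver with no limit may approve nothing.
        if amount > limits.get(p["approved_by"], Decimal(0)):
            exceptions[pid].append("OVER_APPROVAL_LIMIT")

        # Cross-source comparison: the payee must be an active vendor in the master.
        status = vendor_status.get(p["vendor_id"])
        if status is None:
            exceptions[pid].append("UNKNOWN_VENDOR")
        elif status != "active":
            exceptions[pid].append("INACTIVE_VENDOR")

        by_invoice[(p["vendor_id"], p["invoice_no"], amount)].append(pid)

    # Duplicate payments: same vendor, invoice and amount paid more than once.
    for ids in by_invoice.values():
        if len(ids) > 1:
            for pid in ids:
                exceptions[pid].append("DUPLICATE_PAYMENT")

    return {"population": len(payments), "exceptions": dict(exceptions)}


if __name__ == "__main__":
    result = run_control_tests(
        read_csv(PAYMENTS_CSV), read_csv(VENDOR_MASTER_CSV), APPROVAL_LIMITS
    )
    print("Payments tested:", result["population"])
    for pid, codes in sorted(result["exceptions"].items()):
        print(pid, ", ".join(codes))
```
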
1.22 Embarking on an increased focus on data analysis using technology may have obstacles
and challenges such as underestimating the effort required to implement correctly, lack
of senior management and Audit Committee support, lack of sufficient understanding of
the data and what it means and the need to develop expertise to appropriately evaluate
the exceptions and anomalies observed in the analysis. The chief internal auditor may
address these obstacles by preparing a well-structured audit plan that commits sufficient
resources and time.
1.23 Data Analytics is a science of analysing the raw data in a structured manner and making
decisions based on it. It provides a deeper view & helps in 360° profiling of the business. It
also helps in early detection of risks in the audit process. Data analytics may be effectively
used in three stages i.e. audit planning, execution, and reporting. Therefore, the internal
audit team should have, or take the help of, an IT expert. When conducting an audit remotely, the internal
auditors may undertake analysis of the data using data analytics that would also help to
identify frauds or areas where internal controls are missing.
1.24 The chief internal auditor must document the internal audit plan, nature, timing, and
extent of audit procedures performed and the conclusions drawn from the evidence
obtained. In an internal audit in IT environment, some or all the audit evidence may be in
the electronic form. The chief internal auditor must satisfy himself that such evidence is
adequately and safely stored and is retrievable in its entirety as and when required.
1.25 Under the COSO Guidance on Monitoring Internal Control Systems, 2009 - periodical,
one-time and ad hoc review of controls is not effective as controls can fail, deteriorate,
or become irrelevant during the intermittent period resulting into fraud, abuse, wastage,
and non-compliance. Continuous auditing allows the user to monitor the functioning
of the controls during the intermittent periods, referred to as blind-spots. The internal
auditors are able to meet this challenge by doing continuous auditing i.e. by performing
audit-related activities on a more continuous or continual basis.
1.26 The internal auditor may give effective suggestions in the following areas, more so if
Cloud Computing Services are used by the client:
- Reduction in Capital Expenditure
- Economies of Scale
- Controlling Operation Expenditure
- Administration & Performance of Cloud Service
- Corporate IT Governance Issues
- Customer Support
- Capital Investments
- Vendors’ availability, Effectiveness and Experience
- SLAs (Service Level Agreements) and Monitoring including Contract Terms, Types of
Service, Penalties, Changes in Business conditions, Problems Resolution Processes
- Billing and Accounting for the usage only
- Access Control
- Authorization & Authentication
- External Threats – Removal and Protection
- IT Security – Hardware and Software
- Control of Data
- Costs of Cloud Computing


IAAS 10 – ENHANCING GOVERNANCE THROUGH INTERNAL AUDIT


This standard explains the role of Chief Internal Auditor in enhancing governance through
internal audit activities. This standard also enables the internal auditor to add value to the
governance of the entity.

Requirements
1.1 The internal audit activity must evaluate and contribute to the improvement of the
entity’s governance, risk management, and control processes using a systematic,
disciplined, and risk-based approach.
1.2 The internal audit team must perform proactively and efficiently in improving the
entity’s performance and conformance governance. The internal audit activities
must enhance value for the entity’s operations and internal auditors’ evaluations
must offer new insights with substantial future impact.
1.3 The internal audit activity must assess and make appropriate recommendations to
improve the entity’s governance processes for:
o Making strategic and operational decisions;
o Overseeing risk management and control;
o Promoting appropriate ethics and values within the entity;
o Ensuring effective performance management and accountability;
o Communicating risk and control information to appropriate areas of the entity;
and
o Coordinating the activities of, and communicating information among, the board,
external and internal auditors, other assurance providers, and management.
1.4 The internal audit activity must evaluate the design, implementation, and
effectiveness of the entity’s ethics-related objectives, programs, and activities.
1.5 The internal audit activity must assess whether the information technology
governance of the entity supports the entity’s strategies and objectives.

Application Guidance
1.6 Governance is the set of responsibilities and practices exercised by the Board and
executive management with the goal of providing strategic directions, ensuring that
objectives are achieved, ascertaining that risks are managed appropriately, and verifying
that the entity’s resources are used responsibly.
1.7 Among all audits, ‘Internal Audit’ has become the most valuable tool for the management as
it assists the entity to accomplish its objectives; to evaluate and improve the adequacy
& effectiveness of its operations, internal controls, governance processes, and the risk
management & control systems.


1.8 The internal audit provides assurance to the Board & Audit Committee relating to
reliability of financial management and reporting, efficiency of systems, processes and
governance, and compliance with various laws and regulations.
1.9 The internal audit provides an assurance to the management on the adequacy and
effectiveness of its systems, processes, and controls by undertaking review of the
enterprise risk management (ERM) system and adequacy & effectiveness of internal
controls that should cover the strategic, operational, financial, compliance, reporting and
reputational risks.
1.10 The internal audit performs a very critical role in organizational governance by
understanding and evaluating all components of enterprise governance, and providing
value added support for its improvement. Therefore, the internal auditors must possess
& upgrade the necessary knowledge, skill, competence, and expertise to succeed as a
valuable source for the Audit Committee and the Board.
1.11 Therefore, the Companies Act 2013 provides for a mandatory requirement of internal audit in
all listed companies and a large number of unlisted public and private companies. These
companies are required to appoint an internal auditor, who shall either be a chartered
accountant or a cost accountant, or such other professional as may be decided by the
Board to conduct internal audit of the functions and activities of the company. Further,
the Audit Committee of the company or the Board shall, in consultation with the Internal
Auditor, formulate the scope, functioning, periodicity and methodology for conducting
the internal audit.
1.12 Internal Audit can add value by
− Reviewing critical control systems and risk management processes,
− Performing effectiveness review of management’s risk assessments and the internal
controls,
− Providing advice in the design and improvement of control systems and risk
mitigation strategies,
− Implementing a risk-based approach to planning and executing the internal audit
process,
− Ensuring that internal audit’s resources are directed at those areas most important
to the entity,
− Challenging the basis of management’s risk assessments and evaluating the adequacy
and effectiveness of risk treatment strategies,
− Facilitating ERM workshops, and
− Defining risk tolerances where none have been identified, based on internal audit
experience, judgment, and consultation with management.


1.13 In all entities, the governance framework now focuses on long-term sustainable value
creation. Implementing and maintaining a sustainability management system in an
entity is a continuous process. Internal auditors play an important role in formulating
the required strategy framework and sustainability policy.

IAAS 11 – INTERNAL AUDIT OF COST RECORDS


This standard explains the significance of including internal audit of cost records in the
internal audit charter and the role of Chief Internal Auditor to provide assurance to the Audit
Committee and Board on the effectiveness of cost accounting system, cost flow process, control
mechanism, and reporting framework.

Requirements
1.1 The scope, functions, and activities of internal audit as embedded in the internal
audit charter approved by the Audit Committee/Board must include internal audit of
cost accounting records of the entity, besides audit of financial records, operations,
internal financial controls, legal & regulatory compliance, risk management,
governance process, etc.
1.2 The internal audit must provide assurance to the Audit Committee and Board relating
to reliability of financial management and reporting, efficiency of operations,
internal control systems, processes and governance, effectiveness of cost accounting
system, cost flow process, cost reporting framework, and compliance with various
laws and regulations.
1.3 The internal auditor must use the product & service unit-wise, SKU-wise, business
vertical-wise, and customer group-wise cost data to evaluate efficiency, productivity,
& effectiveness of a plant, department, function, technology, process, product,
activity, machine, material, customer, market, etc. with the objectives to review &
design business strategy for enhanced value creation and sustainability.
1.4 The internal audit of the cost records must assure the management that the cost
information, which is the basis of their evaluation of performance, risk management
and control, is reliable and reported timely.
1.5 The work of internal audit function relating to cost analytics and performance optics
may be used by the external auditors after evaluating the following:
(a) The extent to which organizational status and relevant policies and procedures
of the internal audit function support the objectivity of the internal auditors;
(b) The level of competence of the internal audit function;
(c) Whether the internal audit function applies a systematic and disciplined
approach, including quality control;
(d) Whether the work of the internal audit function had been properly planned,
performed, supervised, reviewed, and documented;
(e) Whether sufficient appropriate evidence had been obtained to enable the
internal audit function to draw reasonable conclusions; and
(f) Whether conclusions reached are appropriate in the circumstances and the
reports prepared by the internal audit function are consistent with the results
of the work performed.

Application Guidance
1.6 The chief internal auditor must have adequate understanding and knowledge of the
entity, its size, nature of activities, business processes, major inputs & outputs, key
personnel, regulatory set-up, applicable cost and financial reporting framework, internal
control systems, risk management policy, IT architecture, etc.
1.7 The purpose of maintaining a robust cost accounting system, cost data analysis & reporting,
and performance analysis is to determine whether the entity is performing well and to
identify areas, activities, processes, products, services, etc. that require improvement.
1.8 The cost performance data aims to discover various drivers of costs and profitability
and their impact on the performance variables with the objective of helping the entity
to improve margins and profitability; to optimize resource allocation and utilization
thereof; to optimize the product and services portfolio; to monitor performance of the
entity in various areas; and to know whether the management is meeting its set goals &
objectives.
1.9 Section 148 of the Companies Act, 2013 provides for a prescribed class of companies to
maintain cost records and for the audit of these records. As part of these provisions, the Central
Government notified the Companies (Cost Records and Audit) Rules, 2014. These Rules
require the cost auditor to certify whether or not, in his opinion, the company has
an adequate system of internal audit of cost records that is commensurate
with the nature and size of its business. Therefore, the internal audit scope must include
audit of cost records of the entity, irrespective of its inclusion in or exclusion from the
requirements under the Companies Act, 2013.
1.10 Cost accounting requires three-dimensional data, viz. quantity, rate & value,
whereas financial accounting largely requires one-dimensional data, viz.
values only. Further, the cost accounting system also requires distinct identification of
products/services, product lines, cost centers, etc. Hence, cost records are different from
the financial records, though some books and records are common to both. Therefore,
internal audit of cost records would require not only the audit of common books of
account and records, but also the specific books and records covering the following
areas:
− Capacity Determination; Production Records; Sales Records; Materials Cost;
Employee Cost; Utilities; Direct Expenses; Repairs and Maintenance; Overheads
– Production Overheads, Administrative Overheads and Selling & Distribution
Overheads; Transportation Cost; Royalty and Technical Know-how; Research and
Development Expenses; Quality Control Expenses; Pollution Control Expenses;
Service Department Expenses; Packing Expenses; Interest and Finance Costs; Fixed
Assets and Depreciation; Work-in-Progress and Finished Stock; Records of Physical
Verification; Captive Consumption; By-Products and Joint Products; Adjustment
of Cost Variances; Reconciliation of Cost and Financial Accounts; Related Party
Transactions; Expenses or Incentives on Exports; and Cost Statements
1.11 Cost Auditing Standard 104 - Knowledge of Business, its Processes and the Business
Environment provides that if an entity has an internal audit function, inquiries of the
appropriate individuals within the function may provide information that is useful to
the cost auditor in obtaining an understanding of the entity and its environment, and
in identifying and assessing risks of material misstatement at the cost statement and
assertion levels. If, based on responses to the cost auditor’s inquiries, it appears that there
are findings that may be relevant to the entity’s audit, the cost auditor may consider it
appropriate to read related reports of the internal audit function.
1.12 In carrying out his duties and discharging his audit responsibilities, the external auditor
may also derive much assistance from the internal auditor’s intimate knowledge of the
accounting system and technical knowledge of the business, particularly in connection
with the various processes of manufacture, key points of controls, stocks-in-process,
physical existence of fixed assets, depreciation charges, inter-connection between
various operational activities, the ascertainment of liabilities, the adequacy and
effectiveness of financial as well as non-financial controls and the risks and chances of
fraud or misappropriation, and also intercompany transactions.

CATEGORY-II : STANDARDS ON PRINCIPLES RELATED TO INTERNAL AUDIT PROCESS

IAAS 21 – INTERNAL AUDIT PLANNING


This Standard explains the responsibility of the Chief Internal Auditor to formulate the internal audit
plan & overall audit strategy, set the objectives & scope of internal audit, and draw up internal audit
procedures & activities.

Requirements
1.1 The Chief Internal Auditor must prepare an overall internal audit plan for the
entity as a whole for a given period of time (usually a year) and present it to the Audit
Committee and Board of Directors who are responsible for internal audits. The
internal audit plan must include the nature, extent and timing of risk assessment,
audit procedures & other activities and determine inter-se priorities consistent with
the entity’s goals.
1.2 Rule 13(2) of the Companies (Accounts) Rules, 2014 provides that the Audit Committee
of the company or the Board shall, in consultation with the Internal Auditor,
formulate the scope, functioning, periodicity, and methodology for conducting the
internal audit. Accordingly, the Audit Committee or the Board must approve the
internal audit plan, in consultation with the Chief Internal Auditor.
1.3 The Chief Internal Auditor must obtain comprehensive knowledge of the entity,
its business and operating environment to determine the comprehensive scope of the audit
assignment and the nature of audit procedures and tests to be conducted. As part of the
planning process, a discussion with management and other stakeholders must be
undertaken to understand the intricacies of each unit subject to audit. Other key
members of the internal audit team must be involved in planning the audit, including
participating in discussion with the management.
1.4 A risk-based planning exercise must form the basis of the overall internal audit plan.
The Chief Internal Auditor must undertake an independent risk assessment exercise
to prioritise and focus the audit work on high-risk areas, with due attention to
matters of importance, complexity, and sensitivity. The input of senior management,
Audit Committee and the Board must be considered in this process. The Chief Internal
Auditor must establish a risk-based plan to determine the priorities of the internal
audit activity, consistent with the entity’s goals.
1.5 The Chief Internal Auditor must identify and consider the expectations of senior
management, the board, and other stakeholders for internal audit opinions and
other conclusions.
1.6 The Chief Internal Auditor must communicate the internal audit activity’s plans
and resource requirements, including significant interim changes, to senior
management, Audit Committee and the Board for review and approval. The Chief
Internal Auditor must ensure that internal audit resources are appropriate,
sufficient, and effectively deployed to achieve the approved plan. The Chief Internal
Auditor must also communicate the impact of resource limitations.
1.7 The Chief Internal Auditor must formulate an overall audit strategy that sets the
scope, timing, and direction of the audit. The Chief Internal Auditor must update the
overall audit strategy and the audit plan as required during the course of audit.
1.8 The Chief Internal Auditor must establish policies and procedures to guide the
internal audit activity. The Chief Internal Auditor must plan the nature, extent and
timing of the direction and supervision of the internal audit team members and the
review of their work.
1.9 The Chief Internal Auditor should share information, coordinate activities, and
consider relying upon the work of other internal and external assurance and
consulting service providers to ensure proper coverage and minimize duplication of
efforts.
1.10 The Chief Internal Auditor may consider accepting consulting engagements based
on the potential to improve management of risks, add value, and improve the entity’s
operations. Accepted consulting engagements must be included in the internal audit
plan.
1.11 The internal audit plan must be continuously monitored during the execution phase
for achievement of the objectives and to identify any deviations. All significant
deviations must be communicated and discussed with the management. Any
modifications in the internal audit plan must be approved by the Audit Committee
and Board of Directors.
1.12 The Chief Internal Auditor must document the internal audit plan and overall
audit strategy. Any significant changes made therein during the course of audit
engagement must also be documented along with the reasons for the changes.

Application Guidance
1.13 Prior to entering the planning phase, the chief internal auditor must ensure that all
formalities related to his appointment have been complied with.
1.14 Planning an audit is not a discrete phase, but rather a continuous and iterative process.
Planning includes scheduling and determining the priorities of audit procedures and
their inter-dependence. The chief internal auditor must use his professional judgement
for the process to be followed in completing all essential planning activities.
1.15 To develop the risk-based plan, the chief internal auditor should consult with senior
management, audit committee and the Board and obtain an understanding of the entity’s
strategies, key business objectives, associated risks, and risk management processes.
The chief internal auditor must review and adjust the plan, as necessary, in response to
changes in the entity’s business, risks, operations, programs, systems, and controls.
1.16 The purpose of an internal audit plan is to align internal audit objectives with the
entity’s goals and stakeholder expectations; to clearly lay down the scope, coverage,
and methodology of audit procedures; to assign appropriate skills to complex issues;
to allocate adequate time and resources to important aspects of the assignment and to
ensure audit procedures are conducted in an efficient and effective manner.
1.17 In planning the engagement, internal auditors must consider:
• The strategies and objectives of the activity being reviewed and the means by which the
activity controls its performance.
• The significant risks to the activity’s objectives, resources, and operations and the means
by which the potential impact of risk is kept to an acceptable level.
• The adequacy and effectiveness of the activity’s governance, risk management, and
control processes compared to a relevant framework or model.
• The opportunities for making significant improvements to the activity’s governance, risk
management, and control processes.
1.18 The nature and extent of planning activities varies according to the size and complexity of
the entity’s activities, number of areas/activities to be covered, the audit team members’
previous experience with the entity and the industry, and any changes in circumstances
that occur during the audit.
1.19 The audit plan is more detailed than the overall audit strategy as it includes the nature,
timing, and extent of audit procedures to be performed by audit team members. Planning
for these audit procedures takes place over the course of the audit as the audit plan
for the engagement develops. For example, planning of the auditor’s risk assessment
procedures occurs early in the audit process. However, planning the nature, timing
and extent of specific further audit procedures depends on the outcome of those risk
assessment procedures.
1.20 A key element of the internal audit assignment planning exercise involves understanding
the extent to which the entity has deployed Information Technology (IT) in its business,
operations, and transaction processing, especially if it is unique and different from the overall
entity, and the extent to which the auditor needs to deploy IT tools, data mining & analytic
procedures, and the expertise required for conducting the audit activities and testing procedures. This
helps to design and plan the audit and testing procedures more efficiently and effectively.
1.21 The Internal Auditor shall prepare a detailed work schedule to estimate the time required
for each audit procedure depending on the audit attention it deserves on the basis of risk
assessment and map this with the competencies i.e. knowledge, experience, expertise
etc. of the resources available to ensure proper resource availability and allocation.
1.22 Internal auditors must develop and document a plan for each engagement, including the
engagement’s objectives, scope, timing, and resource allocations. The plan must consider
the entity’s strategies, objectives, and risks relevant to the engagement. A model internal
audit plan is placed at Appendix-III.
1.23 When planning an engagement for parties outside the entity, internal auditors must
establish a written understanding with them about objectives, scope, respective
responsibilities, and other expectations, including restrictions on distribution of the
results of the engagement and access to engagement records.
1.24 Internal auditors must also establish an understanding with consulting engagement
clients about objectives, scope, respective responsibilities, and other client expectations.
For significant engagements, this understanding must be documented.
1.25 In coordinating activities, the chief internal auditor may rely on the work of other
assurance and consulting service providers, but with a clear understanding that he is
still accountable and responsible for ensuring adequate support for conclusions and
opinions reached by the internal audit activity.
1.26 For the audit procedures to comply with IAAS, all the key steps undertaken in the planning
process shall be appropriately and adequately documented to confirm their completion.
Essential documentation shall comprise information gathered about the entity and its
business processes and environments, the entity’s operations and systems, risk assessment
documentation, resources available, etc.

IAAS 22 – INTERNAL AUDIT SAMPLING


This standard deals with the use of audit sampling in performing audit procedures and the selection
of an audit sample to gather audit evidence in performing audit activities. It also provides
pre-requirements for the use of audit sampling methods; practical aspects of selecting an audit
sample from a large population; and performing tests of controls & tests of details to develop
a reasonable basis to draw conclusions.

Requirements
1.1 When designing the audit sampling, the chief internal auditor must consider the
purpose of the audit procedure, characteristics of the population, its sufficient size
and selection of items in such a way that each sampling unit in the population shall
have the chance for testing in order to reduce sampling risk to an acceptably low
level.
1.2 When using either statistical or non-statistical sampling methods, the internal
auditor must design and select an audit sample, perform audit procedures thereon,
and evaluate sample results so as to provide sufficient appropriate audit evidence to
meet the objectives of the internal audit engagement.
1.3 The internal auditor must perform an audit procedure, appropriate to the purpose, on
each item selected and, if the audit procedure is not applicable to the selected item,
the auditor must perform the audit procedure on a replacement item.
1.4 If the internal auditor is unable to apply the designated audit procedure, or suitable
alternative procedures, to a selected item, the internal auditor must treat that
item as a deviation from the prescribed control, in the case of tests of controls, or a
misstatement, in the case of tests of details.
1.5 The internal auditor must investigate the nature and causes of any deviation or
misstatement identified, and thereby evaluate their possible effect on the purpose
of audit procedure and on other areas of audit. The internal auditor must project
misstatements found in the sample to the population for the purpose of tests of
details.
1.6 Sampling risk can be reduced by increasing sample size for both tests of controls and
tests of details. Non-sampling risk can be reduced by proper engagement planning,
supervision, monitoring and review.
1.7 The internal auditor must ensure that the use of audit sampling has provided a
reasonable basis for conclusions about the population tested and thereby must
evaluate the results derived from sample tested.

Application Guidance
1.8 An internal auditor will not be able to test 100% of the transactions within a set of
financial statements as this will be far too costly and impracticable. Instead, he will use a
technique known as ‘audit sampling’.
1.9 Audit sampling is the application of audit procedures to less than 100% of the items within an
account balance or class of transactions. Its overall objective is to enable the internal auditor
to obtain and evaluate evidence about some of the characteristics of the items selected
in order to form a conclusion about the population sampled.
1.10 The need for audit sampling arises from the increasing complexities in business, internal
auditor’s time involved, and the volume of transactions involved in the business.
1.11 The purpose of audit sampling is to obtain evidence, to fulfil the audit objectives set by
the auditor, which enables the internal auditor to test the validity and accuracy of the
transactions.
1.12 Having carried out, on each sample item, those audit procedures that are appropriate
to the particular audit objective, the internal auditor should analyse the nature and
cause of any errors detected in the sample; project the errors found in the sample to
the population; reassess the sampling risk; and consider their possible effect on the
particular internal audit objective and on other areas of the internal audit engagement.
1.13 The internal auditor shall consider the following steps in planning, selecting, and
performing test thereupon, and evaluating the results derived from audit sampling:
→ Planning the audit sampling - state the objective of audit test; decide whether
audit sampling applies; define attributes and expectation conditions, population &
sampling unit; specify the tolerable expectation rate & acceptable risk of assessing
control risk; estimate population expectation rate; and determine the initial sample
size.
→ Selecting audit sampling and performing the tests - select the audit sampling and
perform the audit procedures.
→ Evaluating the audit sampling results - generalize from the sample to population;
analyze exceptions; and decide the acceptability of the population.
1.14 The internal auditor should evaluate the sample results to determine whether the
assessment of the relevant characteristics of the population is confirmed or whether it
needs to be revised.
1.15 There are many methods of selecting samples; a few are indicated below. The internal
auditor shall apply his professional judgement in selecting the relevant method.
• Random Selection
• Systematic Selection
• Monetary unit sampling
• Value Weighted Selection
• Haphazard selection
• Block selection
1.16 Audit sampling can use either a statistical or a non-statistical approach. The internal
auditor shall decide whether to use a statistical or non-statistical sampling
approach on the basis of professional judgement. However, sample size is not a valid
criterion to distinguish between statistical and non-statistical approaches. The method
of sample selection will affect not only the sample sizes used but also the method by
which errors will be evaluated.
1.17 There is an inverse relationship between sample size and materiality and a direct
relationship between sample size and the desired level of assurance. A lower materiality
requires the internal auditor to use a larger sample. As desired assurance for a given
materiality amount increases, sample size increases.
1.18 In the design of the sample, the internal auditor should consider the audit objectives,
population, stratification, sample size and sampling risk. The internal auditor shall
also include the following considerations when designing an audit sample. These
considerations shall also assist the internal auditor in defining what constitutes a deviation
or misstatement and what population is to be used for sampling.
− Specific purpose to be achieved,
− Combination of audit procedure that is likely to best achieve audit purpose,
− Nature of audit evidence sought,
− Factors of possible deviation or misstatement conditions or other characteristics
relating to audit evidence, and
− Circumstances relevant to the purpose of audit procedures shall also be included for
the purpose of evaluation of deviation or projection of misstatement.

IAAS 23 – ANALYSIS AND EVALUATION


This standard explains the purpose of design and application of specified procedures during
the internal audit activities in evaluation of derived audit findings and forming the overall
audit conclusions.

Requirements
1.1 Internal auditors must design and perform substantive analytical procedures that
assist the internal auditors when forming an overall opinion.
1.2 Internal auditors must identify, analyze, evaluate, and document sufficient
information to achieve the engagement’s objectives.
1.3 Internal auditors must identify sufficient, reliable, relevant, and useful information
to achieve the engagement’s objectives.
1.4 Internal auditors must base conclusions and engagement results on appropriate
analyses and evaluations.
1.5 Internal auditors may apply analytical procedures as the risk assessment procedures
at the planning and overall review stages of the internal audit.
1.6 In determining the extent to which the analytical procedures should be used, the
internal auditor may consider the significance of the area being examined, adequacy
of the system of internal control, and the availability and reliability of financial
and non-financial information. After evaluating these factors, the internal auditor
should consider and use additional auditing procedures, as necessary, to achieve the
audit objective.
1.7 Internal auditors must apply analytical procedures as risk assessment procedures
to obtain an understanding of the business, the entity, and its environment and in
identifying areas of potential risk.
1.8 Internal auditors should apply analytical procedures at or near the end of the internal
audit when forming an overall conclusion as to whether the systems, processes and
controls as a whole are robust, operating effectively and are consistent with the
internal auditor’s knowledge of the business.
1.9 When an overall opinion is issued, it must consider the strategies, objectives, and
risks of the entity, and the expectations of senior management, the Board, and other
stakeholders. The overall opinion must be supported by sufficient, reliable, relevant,
and useful information.

Application Guidance
1.10 “Analytical procedures” means the analysis of significant ratios and trends, including
the resulting investigation of fluctuations and relationships in both financial and non-
financial data that are inconsistent with other relevant information or which deviate
significantly from predicted amounts. Analytical procedures provide the internal auditor
with an efficient and effective means of assessing information collected in an audit. The
assessment results from comparing such information with expectations identified or
developed by the internal auditor.
1.11 Analytical procedures are used to assist the internal auditor as risk assessment
procedures to obtain initial understanding of the entity and its environment and
thereafter in planning the nature, timing, and extent of other internal audit procedures.
1.12 Analytical procedures may identify differences that are not expected (or absence of
differences when they are expected), which may have arisen on account of factors such
as errors, frauds, unusual or non-recurring transaction or events, etc.
1.13 Analytical procedures used as risk assessment procedures help to identify matters that
have audit implications. Some examples are unusual transactions or events, amounts,
ratios, and trends.
1.14 Analytical procedures include the consideration of comparisons of the entity’s information
with the information for previous years or periods or with anticipated results or with
similar industry norms or averages.
1.15 Various methods may be used to perform analytical procedures. These methods range
from performing simple comparisons to performing complex analyses using advanced
statistical techniques. Analytical procedures may be applied to the entity’s overall results
or to each service, operation, or function separately.
1.16 Different types of analytical procedures provide different levels of assurance. Analytical
procedures can provide persuasive evidence or may eliminate the need for further
verification by means of tests of details, provided the ratios are correctly calculated.
1.17 The application of planned analytical procedures is based on the expectation that
relationships among performance data exist and continue in the absence of known
conditions to the contrary. However, the suitability of a particular analytical procedure
will depend upon the internal auditor’s assessment of how effective it will be in detecting
a misstatement that, individually or when aggregated with other misstatements, may
cause the financial statements to be materially misstated.
1.18 In addition to being a risk assessment procedure, analytical procedures can also be used
as further audit procedures in obtaining evidence about a financial statement assertion.
This would be a substantive analytical procedure in performing an overall review of the
financial statements at, or near, the end of the audit.
1.19 Most analytical procedures are not very detailed or complex. They often use data
aggregated at a high level, which means the results can only provide a broad initial
indication about whether a material misstatement may exist.
1.20 Substantive procedures are performed by the chief internal auditor to gather evidence
regarding the underlying assertions that are embedded in account balances and
underlying classes of transactions; and detect material misstatements.

IAAS 24 – INTERNAL AUDIT EVIDENCE


This standard explains what constitutes audit evidence and enables the Chief Internal Auditor
to design and perform audit procedures in such a manner as to obtain sufficient appropriate audit
evidence to be able to draw reasonable conclusions that provide a basis to form his audit opinion.

Requirements
1.1 The chief internal auditor must design and perform internal audit procedures
that are appropriate in the circumstances for the purpose of obtaining sufficient
appropriate audit evidence that can form the basis of audit findings and allow
reliable conclusions to be drawn from those audit findings.
1.2 The chief internal auditor must consider the relevance and reliability of the
information to be used as audit evidence when designing and performing the
internal audit procedures. The reliability of audit evidence depends on its source,
type, thoroughness and may also depend on the timing of audit procedures.
1.3 Evidence collected through various audit procedures must be complementary and
relevant to the objectives of the internal audit procedure conducted. The evidence
must be obtained from reliable sources with consistency between various evidence
collected.
1.4 If information to be used as audit evidence has been prepared using the work of a
management’s expert, the chief internal auditor may, to the extent necessary, having
regard to the significance of that expert’s work for the internal auditor’s purposes,
evaluate the competence, capabilities, and objectivity of that expert; obtain an
understanding of work of that expert; and evaluate the appropriateness of that
expert’s work as audit evidence for the relevant assertion.
1.5 The chief internal auditor must evaluate whether the information is sufficiently
reliable for the audit purpose, including, as necessary in the given circumstances,
obtaining audit evidence about the accuracy and completeness of the information;
and evaluating whether the information is sufficiently precise or detailed for the
cost auditor’s purposes.
1.6 The chief internal auditor must obtain sufficient appropriate audit evidence
regarding compliance with various laws and regulations that may have material
effect on the disclosures in the financial statements.
1.7 The chief internal auditor must obtain sufficient appropriate audit evidence about
management’s assertion that a related party transaction was conducted on terms
equivalent to those prevailing in an arm’s length transaction.
1.8 The chief internal auditor must determine means of selecting items for testing that
are effective in meeting the purpose of internal audit procedures, when designing
tests of controls and tests of details for obtaining audit evidence.
1.9 If the audit evidence obtained from one source is inconsistent with that obtained
from another, or the chief internal auditor has doubts over the reliability of
information to be used as audit evidence, the chief internal auditor must determine
the extent of modification or addition to internal audit procedures that is necessary
to resolve the matter and must also consider the effect of the matter, if any, on the
other aspects of the internal audit.

Application Guidance
1.10 Audit evidence is necessary to support the internal auditor’s opinion and internal
audit report. It is cumulative in nature and is primarily obtained from internal audit
procedures performed during the course of the internal audit. It may, however, also
include information obtained from other sources.
1.11 Audit evidence comprises both information that supports and corroborates management’s
assertions, and any information that contradicts such assertions. In addition, in some
cases the absence of information is used by the internal auditor, and therefore, also
constitutes audit evidence.
1.12 The chief internal auditor shall apply internal audit procedures to obtain and evaluate
audit evidence in forming the audit opinion. Such internal audit procedures can
include inquiry, inspection, observation, recalculation, re-performance, and analytical
procedures, often in some combination.
1.13 The chief internal auditor shall obtain sufficient appropriate audit evidence. Sufficiency
and appropriateness are closely interrelated. Sufficiency is the measure of the quantity of
audit evidence, whereas appropriateness is the measure of the quality of audit evidence, that
is, its relevance and reliability in providing support for the conclusions on which the
internal auditor’s opinion shall be based. Obtaining more audit evidence, however, may not
compensate for its quality.

1.14 The reliability of information to be used as audit evidence, and therefore of the audit
evidence itself, is influenced by its source and its nature, and the circumstances under
which it is obtained, including the controls over its preparation and maintenance where
relevant.

1.15 The internal audit procedures may be used as risk assessment procedures, tests of
controls or substantive procedures, depending on the context in which they are applied
by the chief internal auditor.

1.16 The nature and timing of the audit procedures to be used may be affected by the fact that
some of the internal data and other information may be available only in electronic form
or only at certain points or periods in time that may not be retrievable after a specified
period of time. Accordingly, the chief internal auditor may find it necessary as a result
of the entity’s data retention policy to perform audit procedures at a time when the
information is available.

1.17 Relevance of audit evidence refers to its relationship to the assertion or to the objective
of the control being tested. The relevance of audit evidence depends on the design &
timing of the internal audit procedure used to test the assertion or control.

1.18 An understanding of the relevant field of expertise may be obtained in conjunction with
the internal auditor’s determination of whether the internal auditor has the expertise to
evaluate the work of the management’s expert, or whether the internal auditor needs an
expert for this purpose.

1.19 Considerations when evaluating the appropriateness of the management’s expert’s work
as audit evidence for the relevant assertion may include the relevance and reasonableness
of that expert’s findings or conclusions, their consistency with other audit evidence, and
whether they have been appropriately reflected in the internal statements.

1.20 When using information produced by the entity as audit evidence, the internal auditor
should evaluate whether the information is sufficient and appropriate for purposes of
the internal audit by performing procedures to test the accuracy and completeness of the
information or test the controls over the accuracy and completeness of that information;
and also evaluate whether the information is sufficiently precise or detailed for purposes
of the internal audit.

1.21 If audit evidence obtained from one source is inconsistent with that obtained from
another, or if the internal auditor has doubts about the reliability of information to be
used as audit evidence, the internal auditor should determine the internal audit procedures
necessary to resolve the matter and should determine the effect, if any, on other aspects
of the internal audit.

IAAS 25 – INTERNAL AUDIT DOCUMENTATION


This standard deals with the chief internal auditor’s responsibility to prepare complete and
sufficient audit documentation of the engagement under review. This standard also explains
certain key requirements in the process of collection, preparation, retention, and subsequent
review of internal audit documentation.

Requirements

1.1 As part of the audit documentation, the Chief Internal Auditor must record the
nature, timing, and extent of completion of all internal audit activities and audit/
testing procedures performed, relevant audit evidence obtained, and conclusions
reached.

1.2 The Chief Internal Auditor must document sufficient, reliable, relevant, and useful
information to support the engagement results and conclusions. The Chief Internal
Auditor must also record the significant matters that arise during the audit, and
any material departures from law or regulation, and standards.

1.3 The Audit Documentation must be complete and sufficient to support the analysis
conducted on the audit evidence, the identification of findings, the formulation
of audit observations and the drafting of the internal audit reports based on the
findings.

1.4 If, in exceptional circumstances, the internal auditor performs any new or additional
audit procedures or draws new conclusions, after the date of internal audit report,
then the internal auditor must document such circumstances and details of such
procedures performed including the changes required in internal audit report, if
any.

1.5 The internal audit documentation and assembling of all working paper files must be
completed prior to the issuance of final internal audit report.

1.6 The Chief Internal Auditor must develop and document policies and guidelines
explaining the manner and the medium in which internal audit documentation will
be prepared, reviewed, stored, and finally discarded.

1.7 The internal audit documentation and working paper files must be retained and
preserved for the period prescribed by law or regulation.

1.8 The Chief Internal Auditor must control access to the internal audit documents and
records. The Chief Internal Auditor must obtain the approval of senior management
and/or legal counsel prior to releasing such records to external parties, as
appropriate.

Application Guidance

1.9 Audit Documentation means the records, in physical or electronic form, including
working papers prepared by and for, or obtained and retained by the internal auditor, in
connection with the performance of various audit activities and procedures conducted,
including evidence gathered, information collected, notes taken, audit findings &
conclusions drawn, and meetings & discussions held.

1.10 Internal Audit working papers are the documents which record all audit evidence
obtained during audit. Such documents are used to support the internal audit work
done in order to provide assurance that the audit was performed in accordance with
the relevant Internal Audit & Assurance Standards and in conformance of the legal &
regulatory requirements.

1.11 The extent of working papers is a matter of professional judgement. They may cover
the detailed aspects of the internal audit or may include the daily work sheets or daily
maintained by each member of the internal audit staff engaged on the assignment.

1.12 All significant matters which require exercise of judgment, together with the internal
auditor’s conclusion thereon, must be included in the internal audit documentation.

1.13 Content and form of audit documentation will depend on a number of factors such as
the size and complexity of the operations of the entity, the extent of computerization of
records, the assessed risks, the audit methodology and tools used, and the nature of the
audit procedure performed.

1.14 Internal audit documentation, including audit work papers, must be collated and arranged
logically in files (electronic or otherwise) and retained to support the performance of
internal audit.

1.15 The audit documents should have self-custody, easy but protected accessibility. If the
data / information / audit evidence is in electronic form, it must be retrievable only with
proper authorization. The electronic documents should have proper and safeguarded
password protection and back up mechanism.

1.16 Safeguards should be in place so that the documentation or audit evidence is not altered,
and no additions or deletions are made, without the knowledge of the proper authority. The
documentation should be fully protected from physical loss or damage. The audit
documents should be divided in sections and properly indexed with serial numbers.

1.17 The Chief Internal Auditor must develop policies governing retention of engagement
records, regardless of the medium in which each record is stored, and their release to
the internal and external parties. These policies must be consistent with the entity’s
guidelines and comply with any regulatory or other requirements. The real test will be
the full confidentiality of internal audit documents and records.

IAAS 26 – DISCLOSURE AND REPORTING


This standard explains the chief internal auditor’s responsibility to communicate, and
report matters related with or arising during the audit to Audit Committee/ Board or senior
management of the entity. This standard also explains the reporting requirement of internal
audit report.

Requirements
1.1 The Chief Internal Auditor must communicate and report significant difficulties,
if any, encountered during the audit; significant matters, if any, arising from the
audit; and deficiencies in internal controls, if any, identified during the audit giving
description of the deficiencies and an explanation of their potential effects.
1.2 The Chief Internal Auditor shall communicate and report in writing with audit
committee/Board or senior management regarding significant findings from
the internal audit if in the chief internal auditor’s professional judgment, oral
communication would not be adequate. Written communications need not include
all matters that arose during the course of the audit.
1.3 The Chief Internal Auditor must issue a clear and well-documented internal audit
report which includes an overview of the objectives, scope, and approach of the audit
assignments; an executive summary of key observations covering all important
aspects of the assignment; a summary of the corrective actions required (or agreed
by management) for each observation; and the nature of assurance, if any, which
can be derived from the observations.
1.4 The Chief Internal Auditor, based on his best professional judgement and in
consultation with the client, may decide the content, form, and structure of the
internal audit report.
1.5 Before issue of internal audit report, the Chief Internal Auditor must share and
discuss the draft report with the management.
1.6 The internal audit report must be issued within a reasonable time frame from the
completion of the internal audit work.
Application Guidance
1.7 Regular communication with the Audit Committee/ Board and senior management is
essential at various stages of the internal audit process to bring clarity and consensus
between the Chief Internal Auditor and the Audit Committee/ Board and senior
management with regard to the scope, approach, and timing of an internal audit and to
the achievement of internal audit objectives.
1.8 The Chief Internal Auditor shall communicate significant matters, difficulties, and
deficiencies in writing. This reflects the importance attached to such matters and may
assist management and Audit Committee/ Board in fulfilling their various responsibilities.

1.9 The Chief Internal Auditor must issue an interim internal audit report at the close of a plan
period. Normally, such reporting is done on a quarterly basis.
1.10 The Chief Internal Auditor must issue a final internal audit report at the end of a particular
audit assignment highlighting key observations arising from such assignment.
1.11 The framework of internal audit report is decided by the Chief Internal Auditor based on
his best professional judgement and discussion with the management, or as prescribed
by law or regulation.

IAAS 27 – MONITORING PROGRESS


This standard explains the chief internal auditor’s responsibilities to monitor the action taken
by the entity on the reported observations and recommendations.

Requirements
1.1 The Chief Internal Auditor must establish and maintain a follow-up system to
monitor the management actions on the disposition of results communicated to the
management.
1.2 The Chief Internal Auditor must monitor and ensure that the management actions
have been effectively implemented or the management has not accepted the results
communicated to the management.
1.3 The Chief Internal Auditor must monitor and ensure that the senior management
has accepted the risk of not taking action on the reported observations and
recommendations.
1.4 The Chief Internal Auditor must monitor the disposition of results of consulting
engagements to the extent agreed upon with the client.
Application Guidance
1.5 The responsibility to implement the action plans and internal audit results,
recommendations, and suggestions remains with the management.
1.6 The Chief Internal Auditor is responsible for continuously monitoring the closure of
prior audit issues through a timely implementation of action plans included in the past
audits.
1.7 The Chief Internal Auditor shall periodically report the status of all prior issues to the Audit
Committee/ Board and senior management. Such ‘Action Taken Report’ should include
issues closed and issues pending closure along with reasons for the delays.
1.8 In case of delays or ineffective implementation of the agreed corrective actions, the
Chief Internal Auditor shall escalate such delays and concerns to the senior management
and Audit Committee/ Board. In case of justified reasons for delayed or ineffective
implementation, the Chief Internal Auditor may agree to the revised action plan.

GLOSSARY TO THE INTERNAL AUDIT & ASSURANCE STANDARDS

Add Value: The internal audit activity adds value to the entity (and its stakeholders) when it
provides objective and relevant assurance, and contributes to the effectiveness and efficiency
of governance, risk management, and control processes.
Analytical Procedures: Evaluation of financial information through analysis of
possible relationships among both financial and non-financial data. Analytical procedures
also encompass such investigation as is necessary of identified fluctuations or relationships
that are inconsistent with other relevant information or that differ from expected values by a
significant amount.
Appropriateness (of audit evidence): The measure of the quality of internal audit evidence
i.e. its relevance and reliability in providing support for the conclusions on which the auditor’s
opinion is based.
Arm’s length transaction: A transaction conducted on such terms and conditions as between
a willing buyer and a willing seller who are unrelated and acting independently of each other
and pursuing their own best interest.
Assurance Services: An objective examination of evidence for the purpose of providing an
independent assessment on governance, risk management, and control processes for the
entity. Examples may include financial, performance, compliance, system security, and due
diligence engagements.
Audit documentation: Audit Documentation means the records, in physical or electronic form,
including audit procedures performed & working papers prepared by and for, or obtained and
retained by the auditor, in connection with the performance of internal audit.
Audit evidence: It refers to all the information used by the internal auditor in arriving at the
conclusions on which the internal auditor’s opinion is based. Audit Evidence includes both
information contained in the accounting records underlying the financial statements and other
information.
Audit file: Audit file means one or more folders or other storage media, in physical or electronic
form, containing the records that comprise the audit documentation for a specific engagement.
Audit plan: A record of the planned nature, timing and extent of risk assessment procedures
and further audit procedures at the assertion level in response to the assessed risks.
Audit risk: Audit risk is the risk of expressing an inappropriate audit opinion on financial
statements that are materially misstated. Audit risk is a function of risks of material
misstatement and detection risk.

Audit sampling: The application of audit procedure to less than 100% of items within a
population of audit relevance such that all sampling units have a chance of selection in order to
provide the internal auditor a reasonable basis to draw conclusions about the entire population.
Audit team: All partners and staff performing the engagement, and any individuals engaged by
the firm or a network firm who perform procedures on the engagement. This includes external
experts engaged by the firm or a network firm.
Audit working papers: Audit working papers are the documents which record all audit
evidence obtained during audit. Such documents are used to support the audit work done
in order to provide assurance that the audit was performed in accordance with the relevant
Standards.
Audit: Audit is an independent examination of financial and other related information of
an entity whether profit oriented or not, irrespective of its size or legal form, when such an
examination is conducted with a view to expressing an opinion thereon.
Auditee: Auditee means a company or any other entity for which audit is being carried out.
Auditor: Auditor is used to refer to the person or persons conducting the audit, usually the
audit partner or other member of the audit team, or, as applicable, the firm.
Auditor’s expert: An individual or entity possessing expertise in a field other than accounting
or auditing, whose work in that field is used by the auditor to assist the auditor in obtaining
sufficient appropriate audit evidence. An auditor’s expert may be either an auditor’s internal
expert (who is a partner or staff, including temporary staff, of the auditor’s firm or a network
firm), or an auditor’s external expert.
Board: The highest-level governing body (e.g., a board of directors, a supervisory board, or
board of governors or trustees) charged with governance and responsibility to direct and/or
oversee the entity’s activities and hold senior management accountable. Generally, the board
members are not part of management.
Chief Internal Auditor: Chief internal auditor describes the role of a person in a senior position
responsible for effectively managing the internal audit activity in accordance with the internal
audit charter and the ‘requirements’ of the Internal Audit & Assurance Standards.
Compliance: Adherence to policies, plans, procedures, laws, regulations, contracts, or other
requirements.
Conflict of Interest: Any relationship that is, or appears to be, not in the best interest of the
entity. A conflict of interest would prejudice an individual’s ability to perform his or her duties
and responsibilities objectively.
Consulting Services: Advisory and related client service activities, the nature and scope of
which are agreed with the client, are intended to add value, and improve an entity’s governance,
risk management, and control processes without the internal auditor assuming management
responsibility.

Control: Any action taken by management, the audit committee, the board, and other parties to
manage risk and increase the likelihood that established objectives and goals will be achieved.

Deficiency in Internal Control: This exists when (a) a control is designed, implemented, or
operated in such a way that it is unable to prevent, or detect and correct, misstatements in
the financial statements on a timely basis; or (b) a control necessary to prevent, or detect and
correct, misstatements in the financial statements on a timely basis is missing.

Detection risk: the risk that the procedures followed by the auditor to reduce audit risk to
an acceptable low level will not detect a misstatement that exists and that could be material,
either individually or when aggregated with other misstatements.

Engagement Objectives: Broad statements developed by internal auditors that define intended
engagement accomplishments.

Engagement Opinion: The rating, conclusion, and/or other description of results of an
individual internal audit engagement, relating to those aspects within the objectives and scope
of the engagement.

Engagement: A specific internal audit assignment, task, or review activity, such as an internal
audit, control self-assessment review, fraud examination, or consultancy. An engagement may
include multiple tasks or activities designed to accomplish a specific set of related objectives.

Error: An unintentional misstatement, including the omission of an amount or a disclosure, in
financial statements.

Ethical Requirements: Means relevant provisions of Cost and Works Accountants Act, Rules
and Regulations, Code of Professional Ethics, Internal Audit & Assurance Standards, and other
Statements issued by the Institute of Cost Accountants of India.

Expertise: Skills, knowledge, and experience in a particular field.

Firm: Firm means a sole practitioner, partnership including LLP (Limited Liability Partnership),
or any other entity of professional accountants as may be permitted by law and constituted
under applicable Act & Regulations.

Fraud risk factors: Events or conditions that indicate an incentive or pressure to commit
fraud or provide an opportunity to commit fraud.

Fraud: Any illegal act characterized by deceit, concealment, or violation of trust. It includes an
intentional act involving the use of deception to obtain an unjust or illegal advantage. These
acts are not dependent upon the threat of violence or physical force. Frauds are perpetrated
by parties and entities to obtain money, property, or services; to avoid payment or loss of
services; or to secure personal or business advantage.

Governance: The combination of processes and structures implemented by the board to
inform, direct, manage, and monitor the activities of the entity toward the achievement of its
objectives. It includes the role of persons or entities with responsibility for overseeing the
strategic direction of the entity and obligations related to the accountability of the entity.

Impairment: Impairment to organizational independence and individual objectivity may
include personal conflict of interest, scope limitations, restrictions on access to records,
personnel, and properties, and resource limitations (funding).

Independence: The freedom from conditions that threaten the ability of the internal audit
activity to carry out internal audit responsibilities in an unbiased manner.

Information Technology Controls: Controls that support business management and
governance as well as provide general and technical controls over information technology
infrastructures such as applications, information, infrastructure, and people.

Internal Audit Activity: A department, division, team of consultants, or other practitioner(s)
that provides independent, objective assurance and consulting services designed to add value
and improve an entity’s operations. The internal audit activity helps an entity accomplish
its objectives by bringing a systematic, disciplined approach to evaluate and improve the
effectiveness of governance, risk management and control processes.

Internal Audit Charter: The internal audit charter is a formal document that defines the
internal audit activity’s purpose, authority, and responsibility. The internal audit charter
establishes the internal audit activity’s position within the entity; authorizes access to records,
personnel, and physical properties relevant to the performance of engagements; and defines
the scope of internal audit activities.

Internal audit function: A function of an entity that performs assurance and consulting
activities designed to, amongst other things, examine, evaluate, and monitor the
adequacy and effectiveness of the entity’s governance, risk management, and internal control
processes.

Internal auditors: Those individuals who perform the activities of the internal audit function.
Internal auditors may belong to an internal audit department or equivalent function.

Internal control: The process designed, implemented, and maintained by the management,
and other personnel to provide reasonable assurance about the achievement of an entity’s
objectives with regard to reliability of financial reporting, effectiveness and efficiency of
operations, and compliance with applicable laws and regulations. The term “controls” refers to
any aspects of one or more of the components of internal control.

Management: The person(s) with executive and governance responsibility for the conduct of
the entity’s operations.

Management’s expert: An individual or organisation possessing expertise in a field other
than accounting and auditing, whose work in that field is used by the entity in preparing the
financial/ cost statements.

Misstatement: A difference between the amounts, classification, presentation or disclosure
of a reported financial/ cost statement item and the amount, classification, presentation,
or disclosure that is required for the item to be in accordance with the applicable financial
reporting framework. Misstatements can arise from error or fraud.

Non-compliance: Acts of omission or commission by the entity, either intentional or
unintentional, which are contrary to the prevailing laws or regulations. Such acts include
transactions entered into by, or in the name of, the entity, or on its behalf, by the management,
or employees. Non-compliance does not include personal misconduct (unrelated to the entity’s
business activities) by the entity’s management, or employees.

Non-sampling risk: The risk that the auditor reaches an erroneous conclusion for any reason
not related to sampling risk.

Objectivity: An unbiased mental attitude that allows internal auditors to perform engagements
in such a manner that they believe in their work product and that no quality compromises are
made. Objectivity requires that internal auditors do not subordinate their judgment on audit
matters to others.

Overall audit strategy: Overall Audit Strategy sets the scope, timing, and direction of the
audit, and guides the development of the detailed audit plan.

Overall Opinion: The rating, conclusion, and/or other description of results provided by
the Chief Internal Auditor addressing, at a broad level, governance, risk management, and/
or control processes of the entity. An overall opinion is the professional judgment of the chief
internal auditor based on the results of a number of individual engagements and other activities
for a specific time interval.

Population: The entire set of data from which a sample is selected and about which the internal
auditor wishes to draw conclusions.

Professional judgement: The application of relevant training, knowledge, experience, and
objectivity, within the context provided by auditing, accounting, and ethical standards, in making
informed decisions about the courses of action that are appropriate in the circumstances of the
audit engagement.

Professional skepticism: An attitude that includes a questioning mind, being alert to
conditions which may indicate possible misstatements due to error or fraud, and a critical
assessment of audit evidence.

Related party: A related party as defined in the applicable law and regulations.

Risk assessment procedure: The audit procedures performed to obtain an understanding of
the entity and its environment, including the entity’s internal control, to identify and assess the
risks of material misstatement, whether due to fraud or error, at the financial/ cost statement
and assertion levels.

Risk Management: A process to identify, assess, manage, and control potential events or
situations to provide reasonable assurance regarding achievement of the entity’s objectives.

Risk of material misstatement: The risk that the financial/ cost statements are materially
misstated prior to audit. This consists of two components: (a) Inherent risk: The susceptibility
of an assertion about a class of transaction, account balance, or disclosure to a misstatement
that could be material, either individually or when aggregated with other misstatements,
before consideration of any related controls. (b) Control risk: The risk that a misstatement that
could occur in an assertion about a class of transaction, account balance, or disclosure and that
could be material, either individually or when aggregated with other misstatements, will not
be prevented, or detected and corrected, on a timely basis by the entity’s internal control.

Risk: The possibility of an event occurring that will have an impact on the achievement of
objectives. Risk is measured in terms of impact and likelihood.

Sampling risk: The risk that the internal auditor’s conclusion based on a sample may be
different from the conclusion if the entire population were subjected to the same audit
procedure. Sampling risk can lead to two types of erroneous conclusions: (i) In the case of a
test of controls, that controls are more effective than they actually are, or in the case of a test
of details, that a material misstatement does not exist when in fact it does. (ii) In the case of a
test of controls, that controls are less effective than they actually are, or in the case of a test of
details, that a material misstatement exists when in fact it does not.

Significance: The relative importance of a matter within the context in which it is being
considered, including quantitative and qualitative factors, such as magnitude, nature, effect,
relevance, and impact. Professional judgment assists internal auditors when evaluating the
significance of matters within the context of the relevant objectives.

Significant deficiencies in Internal Control: A deficiency or combination of deficiencies in
internal control that, in the internal auditor’s professional judgment, is of sufficient importance
to merit the attention of management.

Significant risk: An identified and assessed risk of material misstatement that, in the auditor’s
judgment, requires special audit consideration.

Standard: A professional pronouncement promulgated by the Internal Audit & Assurance
Standards Board that delineates the requirements for performing a broad range of internal
audit activities and for evaluating internal audit performance.


Statistical sampling: An approach to sampling by random selection and use of probability
theory to evaluate sample results, including measurement of sampling risk.

Substantive procedure: The procedures performed by an internal auditor to create evidence
and detect whether there are any material misstatements at the assertion level in regard to the
completeness, validity, and accuracy of the accounting records of an entity.

Sufficiency (of audit evidence): The measure of the quantity of audit evidence. The quantity
of the audit evidence needed is affected by the auditor’s assessment of the risks of material
misstatement and also by the quality of such audit evidence.

Technology-based Audit Techniques: Any automated audit tool, such as generalized audit
software, test data generators, computerized audit programs, specialized audit utilities, and
computer-assisted audit techniques (CAATs).

Tests of controls: An audit procedure designed to evaluate the operating effectiveness of
controls in preventing, or detecting and correcting material misstatements at the assertion
level.

Tolerable error: The maximum error in a population that the internal auditor is willing
to accept.

Tolerable misstatement: A monetary amount set by the internal auditor in respect of which
he seeks to obtain an appropriate level of assurance that the said level is not exceeded by the
actual misstatement in the population.

Tolerable rate of deviation: A rate of deviation from prescribed internal control procedures
set by the internal auditor in respect of which he seeks to obtain an appropriate level of
assurance that the rate of deviation set by him is not exceeded by the actual rate of deviation
in the population.

Written representation: A written statement by management provided to the internal
auditor to confirm certain matters or to support other audit evidence. Written representations
in this context do not include financial statements, cost statements, the assertions therein, or
the supporting books and records.


Appendix - I

Model Internal Audit Charter

Introduction – The charter should include:
• A brief about internal auditing, including its role, objectives, scope, and outcomes expected, etc.
• Brief about the internal audit activity’s responsibilities as defined by the Audit Committee/ Board.
• The internal auditors’ strict accountability for confidentiality and safeguarding records and information.

Authority – The charter should include:
• The authority of internal auditor to have full, free, and unrestricted access to any and all records, physical properties, and personnel pertinent to carrying out any engagement.
• The Chief Internal Auditor to have free and unrestricted access to the Audit Committee/ Board.
• The Chief Internal Auditor’s authority to engage experts with the prior approval of Audit Committee/ Board or the senior management.

Organization – The charter should include:
• The Chief Internal Auditor will report functionally to the Audit Committee/ Board and administratively to the Chief Executive Officer.
• Audit Committee/ Board shall review & approve the internal audit charter, internal audit plan, internal audit budget and resource plan.
• Audit Committee/ Board shall approve the appointment and the remuneration of the Chief Internal Auditor.
• Audit Committee/ Board shall monitor the performance of Chief Internal Auditor.

Independence and Objectivity – The charter should include:
• The internal audit activity to remain free from interference by any element in the organization, including matters of audit selection, scope, procedures, frequency, timing, or report content etc.
• Internal auditors shall have no direct operational responsibility or authority over any of the activities audited. Nor will they assume any management responsibility.
• Internal auditors will exhibit the highest level of professional objectivity & integrity.
• Internal auditors will not be unduly influenced by their own interests or by others in forming judgments, conclusions & opinions.
• Chief Internal Auditor will confirm to the Audit Committee/ Board about the organizational independence of internal audit activity.


Responsibility – The charter should include:
The scope of internal auditing encompasses, but is not limited to, the examination and
evaluation of the adequacy and effectiveness of the organization’s:
• Governance structure & process,
• Risk management policy, risk exposure, identification & mitigation plan,
• Internal controls systems,
• Reliability and integrity of information and data flow,
• Compliance with approved policies, plans, & procedures,
• Systems established to ensure compliance with applicable laws, and regulations,
• Means for safeguarding the assets,
• Resource utilization, and
• Internal & External audits.

Internal Audit Plan – The charter should include:
• Chief Internal Auditor shall submit to the Audit Committee/ Board or senior management an internal audit plan for review and approval.
• The internal audit plan shall consist of a work schedule as well as budget and resource requirements for the defined period of internal audit, along with the impact of resource limitations.
• Chief Internal Auditor shall review and modify the plan, as necessary, in response to changes in the entity’s business, risks, operations, programs, systems, and controls.
• Any significant deviations from the approved internal audit plan shall be communicated to the Audit Committee/ Board or senior management.

Reporting and Monitoring – The charter should include:
• Chief Internal Auditor to prepare and issue internal audit report on conclusion of each internal audit engagement.
• Communication of internal audit results/findings to the Audit Committee/ Board.
• The internal audit report to include management’s response and corrective action taken or to be taken [along with timetable for anticipated completion of action] regarding specific findings and recommendations.
• Chief Internal Auditor to be responsible for appropriate follow-up on engagement findings and recommendations.

Quality Assurance and Improvement Program – The charter should include:
• Details of quality assurance and improvement program.
• Evaluation of conformance with the Standards and Code of Ethics.
• Assessment of the efficiency and effectiveness of the internal audit activity.
• Identification of opportunities for improvement.


Appendix - II

Model Internal Audit Engagement Letter

The entity shall prepare the Engagement Letter after discussions with the Chief Internal
Auditor [or the Audit Partner of the firm proposed to be engaged]. It will be signed by its Chief
Executive Officer [or by the authorized representative]. The terms of engagement should
include brief details of the following key elements:
• A brief about the role, objectives, scope, and responsibilities of the internal audit. It should indicate areas where internal auditors are expected to make their recommendations and value-added observations & suggestions. In addition, the engagement terms must clarify the areas of assurance and consulting services to be performed by the internal audit.
• Brief details of responsibilities of the entity for establishing & maintaining the internal control systems; preparation of financial statements & cost statements; formulating key policies, governance framework & risk management system; and timely sharing of requisite data, information, records, etc. with the internal auditor.
• Internal auditors to have no direct operational responsibility or authority over any of the activities audited. Nor will they assume any management responsibility.
• Internal audit to prepare & preserve the audit documents & working papers and possess ownership thereof. Internal audit documents to be shared with the management, on request. The letter must specify the internal audit’s accountability for confidentiality and safeguarding the data, records, and information.
• The authority of internal auditor to have full, free, and unrestricted access to all records, properties, and personnel relevant to the proposed engagement. The chief internal auditor to have free and unrestricted access to the Audit Committee/ Board and his authority to engage experts with the prior approval of management.
• Functional and Administrative reporting framework of the chief internal auditor, including his complete independence, objectivity & integrity.
• Reporting requirements, manner & frequency. Chief internal auditor’s responsibility to prepare the internal audit charter, internal audit plan, internal audit budget and resource plan; to prepare and issue internal audit reports on conclusion of each internal audit engagement; and to communicate & present internal audit results/findings to the Audit Committee/ Board.
• Internal audit to provide quality assurance and improvement program; comply & conform with the Internal Audit & Assurance Standards, Code of Ethics, and applicable laws & regulations.
• The basis upon which the compensation is established, the manner of its review and revision, and the ancillary charges (out of pocket expenses, taxes, etc.). The letter should clearly specify the mode of payment for the services performed by the internal audit.
• The time period of appointment, the timelines for completion of all arrangements related to the engagement, effective date, and the conditions for cessation or termination of appointment.
• Finally, the mode of acceptance of the engagement by the chief internal auditor.

Note: While writing about the role, objectives, scope, responsibility, etc. of the internal audit,
reliance may be placed upon the requirements as per various Internal Audit & Assurance
Standards, model internal audit charter and internal audit plan annexed in this document.


Appendix - III

Illustrative Internal Audit Plan

Name of Chief Internal Auditor / Engagement Partner:

Particulars of the Entity:

Prepared by: Approved by:

Precursor to the preparation of Internal Audit Plan – Internal Auditor to have adequate
understanding and knowledge of the following:
• The nature of the entity, its size, ownership and governance structure, management & organisational structure, marketing set-up, etc.,
• The nature of activities, business processes, major inputs & outputs, outsourcing, joint & by-products, etc.,
• Key personnel in all departments including in Finance, Accounts, Costing, IT, Administration, Production, Purchase, Sales, etc.,
• Relevant industry, regulatory, and other external factors including the applicable financial reporting framework & cost reporting framework,
• The entity’s selection and application of financial accounting policies, cost accounting policies, purchase policy, sales policy, pricing policy, export/import policy, etc.,
• Related parties and nature of transactions with them,
• The entity’s internal control systems, including whether management has created and maintained a culture of honesty and ethical behaviour,
• The entity’s risk identification system, assessment process, and management policy for risk mitigation, and
• IT architecture, systems and programmes in use, IT policy, authorization checks, controls on data access & for changes therein; and security of data.

Key Planning Considerations


- Significant changes in business environment
- Significant changes in IT environment
- Review of movements in internal controls/ risks/ financials
- Overall trends in financials
- Emerging issues that could impact the entity and regulatory changes
- Annual exchange of views with external auditors, IFC team, IT auditors, etc.
- Annual fraud risk assessment
- Team & individual members conform to Code of Ethics and Standards
- Impact of C-19 on audit strategy (on-site/off-site)

Key inputs for planning


• Results of preliminary activities as specified above
• Knowledge from previous audits and other engagements with the company
• Knowledge of business
• Nature and scope of the audit
• Statutory deadlines and reporting format
• Relevant factors determining the direction of the audit efforts
• Nature, timing, and extent of resources required for the audit
• Document the Audit Plan and share it with the company

Basic Features of the Internal Audit Plan


- Define Scope
- Purpose of Audit (Regulatory/Non- Regulatory/ Voluntary/Mandatory)
- Schedule of the Audit
- Timing of Communication
- Engagement Terms
- Management Personnel
- Team Planning/ Allocation of Work
- Result of Inquiries
- Result of Analytical Procedures
- Observations and Inspection
- Information gathered in previous audit for reliance to current period
- SWOT Analysis - Strengths, Weaknesses, Opportunities, & Threats
- PEST Analysis - Political, Economic, Social, & Technological
- Materiality Level
- Evaluation of controls
- Audit Procedures
- Audit Evidence / Audit Findings
- Written Representation
- Audit Documentation
- Conclusions

Steps for Planning the Internal Audit


• Timing [dates] and duration [no. of days] of audit period
• Level and number of audit personnel to be deployed
• Audit partner to be deployed - his expected days & dates
• Draw up an overall audit plan and audit strategy
• Formulate appropriate audit procedures
• Decide the materiality levels
• Decide sampling levels
• Formulate the Test of controls
• Formulate the Test of details
• Draw Substantive procedures to be followed
• Draw Analytical procedures to be followed
• Formulate risk assessment strategies & procedures
• Methodology to measure material misstatements
• Plan discussions with key personnel of the company
• Plan discussion with the previous internal auditor & cost/ financial auditor

Steps for Execution of Audit


• Perform the audit checks and procedures, as planned
• Collect all required audit evidence enabling the auditor to form his opinion
  - validate their relevance and reliability
  - check their accuracy, completeness, and sufficiency
  - check the source and consistency
• Prepare draft observations & discuss with key management personnel
• Prepare final audit report

Steps for Audit Documentation


• Document the audit plan, audit program, and audit strategy
• Document the audit procedures performed
• Document all working papers
• Document all the audit evidence obtained
• Document draft observations and discussions
• Document final report
• Preserve all documents in a bound folder/file for the prescribed period

Internal Audit Plan – Entity’s Key Risk Areas (illustrative)

| Identified Risk | Category | Risk Mitigation Target |
|---|---|---|
| Cyber Security Issues | High | IT |
| Non-performance of Contracts | Medium | Contract Management |
| Failure to adequately manage occupational stress | Medium | Human Resources |
| Fraud, theft, and misuse of assets | Medium | Key Financial System |
| Unsatisfactory procurements | Medium | Procurement System |
| Failure to protect intellectual property | Medium | IP Management |
| Statutory non-compliance | Low | Compliance Procedures |

Internal Audit – Performance Indicators (illustrative)

| Performance Indicator | Target |
|---|---|
| Operational Internal Audit Plan to be submitted | By March for the following year |
| Percentage of audit work executed by the qualified staff | 70-80 percent |
| Issue of draft interim reports | Within ten working days of the work being completed |
| Issue of final interim reports | Within ten working days of the receipt of management response on the draft report |
| Issue of annual Internal Audit Report | By April for the previous year |
| Chief Internal Auditor’s attendance at the Audit Committee meetings | 100 percent |


Internal Audit Planning Schedule (illustrative)

| Work | By Whom | Time (days) / Likely Dates | Remarks |
|---|---|---|---|
| First meeting with the MD/CEO | Chief Internal Auditor | | To explain the internal audit plans & procedures; to discuss and get approval for the overall audit strategy & plan |
| Meetings with the Functional Heads | Chief Internal Auditor along with the team | | Explain the internal audit plans & procedures; to confirm that the relevant records are available |
| Meeting with the operating Staff | Audit Manager along with the team | | Explain the internal audit plans & procedures |
| Plant/Unit visits | Audit Manager along with the team | | To understand the production process & unit operations |
| Discussion on the company’s systems and procedures | Chief Internal Auditor along with the team | | Internal review and this would form the basis of the depth of audit required and also the audit risk assessment procedures to be followed |
| Meetings with the Functional Heads | Chief Internal Auditor along with the team | | To present the initial findings and observations |
| Meeting with the MD/CEO | Chief Internal Auditor along with the team | | To present the initial findings and observations |
| Meeting with the MD/CEO | Chief Internal Auditor along with the team | | To discuss the draft internal audit report |
| Audit Committee | Chief Internal Auditor | | To present the final internal audit report |


Appendix - IV

Internal Audit Report Template

Draft Forwarding Letter


The Chairman
Audit Committee/ Board of Directors
M/s _______________________________

Subject: Internal Audit Report for the period from _______________ to _______________.

Sir,
Enclosed herewith we submit Internal Audit Report of M/s _____________________________________
(Name of the Entity) conducted by _________________________________ (Name of the Internal Audit
Firm) for the period from _______________ to _______________ issued on _______________.

We shall make our presentation before the Audit Committee/ Board of Directors, as per
their convenience, covering details of vital/ significant findings, observations, suggestions,
and recommendations. These have been discussed with the Chief Executive Officer & Chief
Finance Officer, including all Functional Heads, in a meeting held on _____________________.
Accordingly, the management’s response on each of our findings, observations, suggestions,
and recommendations has been included at appropriate place(s) in the report. In addition,
brief details of outstanding statutory and internal audit observations are also given.

Yours faithfully

(Authorized Signatory)

Enclosure

Internal Audit Report of M/s _____________________________________ (Name of the Entity)
conducted by _________________________________ (Name of the Internal Audit Firm) for the
period from _______________ to _______________.


Executive Summary
Prepare Executive Summary of the Internal Audit Report focusing mainly on the audit period;
audit team; objectives & scope; areas covered; audit methodology/strategy employed by the
internal audit team; and key findings, observations, suggestions, & recommendations. The
summary should be as brief as possible. It should also include a summation of outstanding
statutory and internal audit observations.

Detailed Internal Audit Report


1. Introduction – this section should include brief details of the Auditee (entity audited);
period covered under current audit; duration of internal audit (indicate dates); brief
description of duties/functions of the management; structure of the internal audit team;
status of outstanding audit observations, & recommendations, etc.
2. Objectives & Scope – this section should elaborate on the objectives and scope of the
internal audit engagement; special areas (if any) assigned by the management, or any
other special service undertaken with the approval of the Audit Committee/ Board. The
scope should include (i) audit of key risk areas identified by the Internal Audit team/
management, and evaluation of adequacy and effectiveness of controls designed to
mitigate these risks; and (ii) identification of strengths and weaknesses in design and
operation of the internal control systems and provide guidance for removing deficiencies
noted during audit.
3. Methodology – this section should refer to the methodology & audit procedures adopted,
and audit strategy followed for conduct of internal audit engagement viz. sampling,
sample size used for checking records, the number of records checked, type of records
checked, analysis made, record of observations, discussions held, etc. It should also
include checklists (if any) used during the engagement.
4. Findings & Observations – this section will include the strengths & weaknesses in the
functioning of office, units, control systems, functional departments, maintenance
of records etc. observed during the audit engagement. The comments under these
categories should elaborate each significant audit observation in the order of materiality
and highlight its consequence, or impact. Each audit observation may be structured
as audit objective, criteria followed, existing condition/situation, causes of deviation,
consequences or impact, & corrective action suggested. Wherever possible, the audit
findings should be accompanied by graphs and charts to improve the visibility of the
analysis and findings. Photographs could also be used as corroborative evidence.
5. Recommendations – this will include recommendations of the Internal Audit Team on
the observed shortcomings, weaknesses & non-compliances. This could be presented in
a box of highlighted print.
6. Conclusion – this would constitute the chief internal auditor’s overall opinion about the
functioning of the entity audited. The strengths of the entity may be highlighted in this
section along with areas needing attention and corrective action.
7. Action Taken Report – this would set out the actions to be taken and already taken by the
entity in respect of audit observations & recommendations.
8. Acknowledgement – this section could acknowledge in brief the cooperation by the entity
(or otherwise). Any observations should be stated in a factual manner and not in the form
of an opinion (praise or accusation).
9. Glossary – this section would have a Glossary of terms explaining technical and uncommon
terms used in the Internal Audit Report.
10. References – this section should list all published material utilized and referred to in
developing the Internal Audit Report.

Signature ______________________________________

Date & Place __________________________________

Firm Name ___________________________________

(Name & Membership Number of Chief Internal Auditor/ Engagement Partner)

Guidance Notes:

1. The Executive Summary should be restricted to a few (2-3) pages. Considering that brevity
in presentation is desirable, the detailed Internal Audit Report should ideally not be more
than 15-20 pages. However, there may be cases which may necessitate a longer report.
Final decision in this regard may be taken by the Chief Internal Auditor.

2. The audit evidence, data, information, documents etc. obtained in support of audit
observations form part of the working papers for each audit engagement and should not be
annexed to the Internal Audit Report. These, however, should be linked / indexed properly
and kept in safe custody for any future reference and examination.

3. Internal Audit Report should follow proper numbering format for each heading, sub-
heading, para, table, graph, chart, etc. Audit observations & recommendations should be so
numbered as to facilitate simple referencing subsequently.



THE INSTITUTE OF COST ACCOUNTANTS OF INDIA
Statutory Body under an Act of Parliament
www.icmai.in

Behind every successful business decision, there is always a CMA
