Miscellaneous Topics

Internal Audit as a Mgt Function

Management
Ø Mgt is a process by which affairs of entity are conducted in a manner that goals and objectives are
attained through optimum utilisation of all available resources, within legal, social, economic and
environmental constraints.
Ø Mgt is a set of 5 general functions: planning, organizing, staffing, directing and controlling.
Ø While 1st 5 functions of planning, organizing, staffing and leading are critical attributes to create &
grow stakeholder’s wealth whist controlling is to preserve stakeholder’s wealth.

Internal Audit
Ø “Internal audit provides independent assurance on effectiveness of internal controls & risk mgt
processes to enhance governance & achieve organisational objectives”.
Ø IA is expected to evaluate mgt activities & advise on areas of improving internal controls and manage
business and operational risks effectively by recommending appropriate mitigating controls.
Ø IA is important element of mgt controlling function
ü Helps mgt to set up appropriate systems & processes in place to mitigate risk while remaining
independent to operations.
ü IA is expected to report on identified gaps and areas of weak internal control
ü Identify root cause of problems & suggest appropriate mitigating steps & strengthen internal
controls environment of org.
Conclusion:
IA is seen as important function that helps mgt to achieve org. goals & work in an orderly manner.

Audit Trail
• Audit Trail (or Edit Log) is a visible trail of evidence enabling one to trace info. contained in
statements or reports back to original input source.
• Audit trails are a chronological record of changes made to data. Any change to data including creating
new data, updating or deleting data that must be recorded.

Records maintained as audit trail may include following info.:

Ø when changes were made i.e., date and time (timestamp)
Ø who made the change i.e., User Id
Ø what data was changed i.e., data/transaction reference; success/failure

In order to demonstrate that the audit trail feature was functional, operated and was not disabled,
a Co. would have to design & implement specific internal controls (predominantly IT controls) which
would be evaluated by auditors, as appropriate. Explain.
 An illustrative list of internal controls reqd to be implemented & operated are given below:
Controls to ensure that:
ü audit trail feature hasn’t been disabled or deactivated
ü access to audit trail (and backups) is disabled or restricted & access logs, whenever audit
trails have been accessed, are maintained.
ü changes to configurations of audit trail are authorized & logs of such changes are maintained.
ü User IDs are assigned to each individual and User IDs are not shared (
ü periodic backups of audit trails taken & archived as per statutory period specified under
provisions of Act.
Learn with Fun J

Internal audit plan

It should be developed in a manner that all business processes covering both financial & operational
activities are reviewed by IA function within a defined time cycle.
Also, ensuring appropriate consideration is made and adequate balance is ensured to the following:
ü Risk underlying business process
ü Value that the internal audit can provide to the organization
ü Effort involved in conducting the internal audit for a particular business process
ü Risk Appetite of organization
ü Coverage of all auditable areas within defined time range
 SA 610: Using the work of Internal Auditor (IA)

• Sole responsibility of audit opinion à External Auditor (EA)

• EA has to obtain SAAE that work of IA Function or Internal auditor providing direct assistance is
adequate for purpose of audit
Internal Audit Function: Fn. of entity that performs assurance & consulting activities to evaluate and
improve effectiveness of entity’s governance, risk mgt and internal control processes (GRC).
Direct Assistance: Use of internal auditors to perform audit procedures under direction, supervision
and review (DSR) of external auditor.
• Scope of SA:
a) Using work of IA Function in obtaining audit evidence &
b) Using IA to provide direct assistance under direction, supervision and review (DSR) of EA
• This SA doesn’t apply if entity doesn’t have IA function/I.A.

Objectives of Auditor where entity has internal audit function:

• To determine if work of IA function or direct assistance of Internal auditor can be used
• If using work of IA Function, determine whether work is adequate for Audit purpose
• If using Internal Auditor to provide Direct Asst, to DSR their work

Evaluating whether work of Internal Audit Function can be used for Audit Purpose
a. Extent to which IA function’s organizational status and relevant policies and procedures support
objectivity of internal auditors
b. Level of competence of internal audit function &
c. Whether IA function applies a systematic and disciplined approach, including quality control.

Determining Nature & Extent of work of Internal Audit Function that can be used
Types of Work of IA function that can be used by external auditor include following:
• Testing of operating effectiveness of controls.
• Substantive procedures involving limited judgment.
• Observations of inventory counts.
• Tracing transactions through the information system relevant to financial reporting.
• Testing of compliance with regulatory requirements.
• In some circumstances, audits or reviews of financial information of subsidiaries that aren’t significant
components to group (where this does not conflict with requirements of SA 600).

Learn with Fun J

 To determine adequacy of specific work performed by internal auditors for external auditor’s
purposes, external auditor shall evaluate whether:
i. Work was performed by internal auditors having adequate technical training and proficiency
ii. Work was properly supervised, reviewed and documented
iii. Adequate audit evidence has been obtained to enable internal auditors to draw reasonable
conclusions
iv. Conclusions reached are appropriate in circumstances and any reports prepared by internal auditors
are consistent with results of work performed and
v. Any exceptions or unusual matters disclosed by internal auditors are properly resolved.

Written Agreements: Prior to using IA to provide direct assistance for purposes of audit
a. From authorized representative of entity that IA will be allowed to follow external auditor’s
instructions, & entity will not intervene in work IA performs for external auditor and
b. From internal auditors that they will keep confidential specific matters instructed by external
auditor and inform about any threat to their objectivity.

Areas where Internal auditor can’t provide Direct Assistance

a. Involve making significant judgments in audit
b. Relate to higher assessed ROMM where judgment required in performing relevant audit procedures
or evaluating audit evidence gathered is more than limited
c. Relate to work with which internal auditors have been involved and which has already been, or will
be, reported to Mgt or TCWG by internal audit function or
d. Relate to decisions external auditor makes as per this SA regarding internal audit function and use
of its work or direct assistance.

Significant judgments include following:

• Assessing RoMM
• Evaluating sufficiency of tests performed
• Evaluating appropriateness of management’s use of going concern assumption
• Evaluating significant accounting estimates and
• Evaluating adequacy of disclosures in F.S, and other matters affecting auditor’s report.

Documentation: External auditor uses IA to provide direct assistance

a. Evaluation of existence and significance of threats to objectivity, and level of competence of
internal auditors used to provide direct assistance
b. Basis for decision regarding nature & extent of work performed by internal auditors
c. Who reviewed work performed and date and extent of that review in accordance with SA 230
d. Written agreements obtained from authorized representative of entity and the internal auditors
e. Working papers prepared by internal auditors who provided direct assistance on the audit
engagement.

Learn with Fun J

Factors to be considered while evaluating existence & significance of

threats to objectivity of Internal Auditor
• Extent to which IA fn’s org. status & relevant policies and procedures support objectivity of IA
• Family & personal relationships with individual responsible for aspect of entity to which work relates.
• Association with division or deptt in entity to which work relates.
• Significant financial interests in entity other than remuneration on terms consistent with those
applicable to other employees.

“If you want to fly, give up everything that Weighs you down”