SIA 220 Conducting overall Internal Audit Planning:
The Standards on Internal Audit (SIA) 220 deals with the conduction of the overall Internal Audit Planning for the whole organization. As per the Rule 13(2) of the Companies Act 2013, it is mandatory for the Audit Committee and the company Board to formulate an overall plan for the Internal Audit. The Rule 13(2) of the Companies Act 2013 states that
“The Audit Committee of the company or the Board shall, in consultation with the Internal Auditor, formulate the scope, functioning, periodicity, and methodology for conducting the internal audit.”
There are two levels or phases involved in the overall Internal audit planning. These are-
- An overall plan is made for the whole organization or entity. This is prepared for a particular provided time period which is usually a year. The plan is presented before the Audit Committee or/and board of directors that are the highest governing body for conducting the internal audit services in the company.
- Period wise audit plans are prepared specifically for the individual assignments that are to be held for covering particular parts or departments or units of entity. The plan is presented to the Chief Internal Auditor of the company.
Key elements of Conducting the Overall Internal Audit Planning:
Conducting the Overall Internal Audit Planning involves certain key elements. These inseparable key elements are-
- This activity is generally undertaken prior to the beginning or commencement of the plan period (usually financial year).
- It is normally to be prepared by the Chief Internal Auditor.
- It considers all the units of the organization that are auditable, as the Internal Audit planning is directional in nature. It also, takes into consideration the assignment’s periodicity.
- Its nature is comprehensive as it covers the entire organization.
Scope of Conducting the Overall Internal Audit Planning:
SIA 220 deals with the responsibility of the Internal Auditor for performing the overall Internal Audit Planning function. In companies where some part of the internal function has been outsourced, this standard applies to the extent where the Internal Auditor is required to plan the activities of the outsourced part of the function.
Requirements in Conducting the overall Internal Audit Planning:
Following are the mandated requirements that are must in conducting the overall Internal Audit Planning in an organization-
- The Planning Process: The Internal Auditor who is conducting the overall internal audit planning must use his best professional judgement for the processes as these will be followed for completing all the essential activities in the planning. The planning process must be documented, as it keeps in place the stipulated necessary inputs, steps for completing the planning process and nature of the output required to conduct the planning exercise.
- Knowledge of the Business and its Environment: The Auditor must collect and gather all the required information. This will help him to fully understand the business environment and culture of the entity. It will also give him a sneak peek about the operational risks and challenges faced by the company. The information required must be to an extent that is sufficient for identifying the issues having a significant effect on the financials of the entity.
- Discussion with Management and Stakeholders: Internal Audit Planning involves thorough and extensive discussion with all shareholders and members in the company. Their inputs provide a critical understanding about all the intricacies of each and every assignment being under consideration.
- Audit Universe and Scope of Coverage: A complete identification of all the units that must be audited must be done before actually defining the scope of the internal audit planning.
The list of all the Auditable Units is referred as “Audit Universe” in general terms. The audit universe helps in assuring that no auditable unit is overlooked by the scope of the audit.
- Risk Assessment: An independent risk assessment is to be undertaken by the internal auditor of all the units and department that are auditable as identified in the Audit Universe. It has to be aligned with the risk assessment that was conducted by the statutory auditor along with the management. The Risk Management framework and processes of the company require a dedicated review or assignment under a separate audit.
- Technology Deployment: A key element of the overall internal audit planning function involves a basic understanding about the:
- Deployment of Information Technology (IT) by the organization in its business operations and transactions.
- Deployment of IT tools analytic procedures, technical expertise and data mining by the auditor while conducting the testing processes and the activities of the audit. It helps to more effective and efficient Internal Audit Planning and designing.
- Resource Allocation: A detailed schedule of the work is to be prepared by the auditor for estimating the time that every audit assignment requires. The time requirement depends on the attention the audit deserves based on the involved risk assessment. The requirements have to be matched with the limited resources that are available for:
- Identifying the critical gaps in the auditing team.
- Seeking additional means and resources for the audit.
- Finalising the scope and depth of the covered areas of the audit assignments.
- Documentation: To confirm compliance of audit procedures with the SIA 220, all key steps are necessary to be undertaken in the Internal Audit Planning process. It must be documented adequately for confirming their proper and on time completion. As per the Standards on Internal Audit (SIA) Internal Audit Documentation the required documents are-
- Gathered information regarding the business, operations, procedures and systems and all the matters in the past.
- Audit Universe papers and summary of the units and departments that are auditable.
- Summary of the held meetings and communications done with the key stakeholders.
- Summary of the inputs provided by the shareholders.
- Documentation of the risk assessment.
- Summary of all the resources available, their core competencies and proper verification of their skills with the requirements of the audit.
- Final papers of the overall internal audit planning duly approved by the concerned authorities.