STANDARD ON INTERNAL AUDIT (SIA) 1


Planning an Internal Audit

Objectives of Planning

Use of Internal Audit

Factors affecting Planning Process

Scope of Planning

Factors affecting scope of Internal Audit

Planning process

Objective of Planning

Internal audit plan is a document defining the scope, coverage and resources, including time, required for an internal audit over a defined period.

Objectives include:

Suggest improvements to the functioning of the entity.

Strengthen the overall governance mechanism of the entity.

Use of Internal Audit

Understand, assess and evaluate the risks and adequacies of the prevalent internal controls.

Identifying areas for systems improvement

Ensuring optimum utilization of the resources

Ensuring proper and timely identification of liabilities

Ensuring compliance with internal/ external guidelines

Safeguarding the assets of the entity

Reviewing and ensuring adequacy of information systems security and control.

Reviewing and ensuring adequacy, relevance, reliability and timeliness of management information system.

Factors affecting Planning Process

Objectives of the activity and significant risks associated with the same.

The risk management and internal control system instituted in the organization.

Selection of engagement team.

Business/Industry developments.

Changes in the financial reporting framework

Scope of Planning

Knowledge of the legal and regulatory framework

Knowledge of the entity’s accounting, internal control systems and policies

Determining the effectiveness of the internal control procedures

Determining the nature, timing and extent of procedures to be performed

Identifying the activities warranting special focus

Allocation of staff to different activities.

Setting the time budget for each of the activities

Identifying the reporting responsibilities

Factors affecting scope of Internal Audit

Terms of the engagement

Nature of accounting system and Accounting policies adopted.

Nature of information technology system used by the client

Authorization and delegation of authority in the systems environment

The nature of management information system in vogue and Expected audit coverage

Materiality thresholds established in respect of various areas of audit

Nature and extent of audit evidence to be obtained

Experience and skills of the staff

Requirements of the applicable pronouncements of the ICAI.

Statutory or regulatory framework in which the entity operates

Planning Process

Obtaining Knowledge of the Business

Establishing the Audit Universe

Establishing the Objectives of the Engagement

Establishing the Scope of the Engagement

Deciding the Resource Allocation

Preparation of Audit Programme

STANDARD ON INTERNAL AUDIT (SIA) 2

Basic Principles Governing Internal Audit

Integrity, Objectivity and Independence

Confidentiality

Due Professional Care, Skills and Competence

Work performed by Others and Documentation

Planning

Evidence

Internal Control and Risk Management System

Reporting

Integrity, Objectivity and Independence

Straightforward, honest and sincere in his approach to his professional work

Maintain an impartial attitude

Immediately bring any actual or apparent conflict of interest to the attention of the appropriate level of management

Confidentiality

Maintain the confidentiality of the information acquired in the course of his work

Due Professional Care, Skills and Competence

Due professional care to be applied:

In deciding the extent of work required to achieve the objectives of the engagement.

In assessment of risk management, control and governance processes and cost benefit analysis.

Obtain skills and competence through general education, technical knowledge through study and formal courses.

Work Performed by Others

Direct, supervise and review the work delegated to assistants.

No reasons to believe that he should not have relied on the work of the expert

Responsible for forming his opinion on the areas/ processes being subject to internal audit or his findings.

Documentation

Document matters, providing evidence that the audit was carried out in accordance with the Standards on Internal Audit

Planning

Obtain knowledge of the legal and regulatory framework

Obtain knowledge of the entity’s accounting and internal control systems.

Determining the effectiveness of the internal control procedures.

Identifying the activities warranting special focus

Setting the time budget for each of the activities

Identifying the reporting responsibilities

Benchmark the actual results of the activities.

Internal Control and Risk Management Systems

Obtain an understanding of the risk management and internal control framework.

Perform steps for assessing the adequacy.

Review the adequacy.

Perform risk-based audits on the basis of risk assessment process.

Evidence: obtain appropriate evidence to draw reasonable conclusions.

Reporting: Review and assess the conclusions drawn from the evidence obtained and suggest remedial action

Standard on Internal Audit (SIA) 3

Documentation

Reviewer

Use of documentation

Factors affecting Documentation

Matters to be Documented

Identification of Preparer and Reviewer

Exceptional Circumstances

Document Retention and Access

REVIEWER

Reviewer means an Individual who has:

reasonable knowledge and experience of internal audit processes

reasonable knowledge of SIAs, other relevant pronouncements of the Institute.

reasonable understanding of the business environment in which the entity operates

reasonable understanding of internal audit issues relevant to the entity’s industry

Use of Documentation

Enables an experienced internal auditor, having no previous connection with the internal audit to understand:

The nature, timing and extent of the audit procedures performed.

The results of the audit procedures and the audit evidence obtained.

Significant matters arising during the audit and the conclusions reached thereon.

Terms and conditions of an internal audit engagement, scope of work, reporting requirements, any other special conditions, affecting the internal audit.

Factors affecting Documentation

The nature and extent of the audit procedures to be performed

The identified risks of material misstatement

The extent of judgment required in performing the work.

The significance of the audit evidence obtained.

The nature and extent of exceptions identified.

The need to document a conclusion or the basis for a conclusion.

The audit methodology and tools used.

Matters to be Documented

Engagement letter or the internal audit charter

Internal audit plan and programme, Chart of the organizational structure and Progress report, MIS report.

Analytical procedures performed and results thereof

Copies of significant contracts and agreements

Internal review reports

Evaluation questionnaires, checklists, flowcharts

Certification and representations obtained from management

Results of risk and internal control assessments

Identification of Preparer and Reviewer

Who performed that task and the date such work was completed.

Who reviewed the task performed and the date and extent of such review.

Reasons for creating particular internal audit documentation.

Source of the information contained in the internal audit documentation and

Any cross referencing to any other internal audit documentation

The preparers and reviewers of the internal audit documentation should also sign the workings.

The internal audit file should be assembled within sixty days after the signing of the internal audit report.

Exceptional Circumstances

The details of circumstances encountered along with the documentary evidence.

The new or additional audit procedures performed, audit evidence obtained, and conclusions reached and

When and by whom the resulting changes to the audit documentation were made, and reviewed.

Document Retention and Access

Formulate policies for custody and retention.

Ownership of audit documents.

Access to Third party.

Retention of Documents.

Standard on Internal Audit (SIA) 4

Reporting

Contents of the SIA

Introduction

Basic Elements of Internal Audit Report

Communication to Management

Limitation on Scope

Restriction on Usage and Report Circulation Otherwise Than to the List of Intended Recipients

Introduction and Basic Elements of an Internal Audit Report

Introduction

› To establish standards on the form and content of the internal auditor’s report.

Basic Elements of an Audit Report

Title

Addressee

Report Distribution List

Period of coverage of the Report

Opening or introductory paragraph, Objectives & scope Paragraph

Executive Summary

Observations, findings and recommendations

Comments from the local management and Action Taken Report

Date, Place, Signature with membership number of the Internal Auditor.

Communication to Management

Communication with the management to ensure that the recommendations in the final report are practical.

The stages of communication and discussion should be as under:

› Discussion Draft

› Exit Meeting

› Formal Draft

› Final Report

Limitation on scope and Restriction on Usage and Report Circulation

Limitation on Scope

› When there is a limitation on the scope of the work, the report should describe the limitation.

Restriction on Usage and Report Circulation Otherwise Than to the List of Intended Recipients

› The Report should contain:

It should be used for intended purpose only as agreed upon.

The circulation of the Report should be limited to the recipients mentioned in the Report Distribution List.

Standard on Internal Audit (SIA) 5

Sampling

Contents of the SIA

Introduction

Definitions

Use of Sampling in Risk Assessment Procedures and Tests of Controls

Design of the Sample

Sample Size

Statistical and Non-Statistical Approaches

Selection of the Sample

Evaluation of Sample Results

Documentation

Introduction, Definition and Use of Sampling

Introduction

To establish standards on the design and selection of an audit sample and provide guidance on the use of audit sampling.

The SIA defines the following

› Audit Sampling

› Error

› Population

› Sampling Risk

› Sampling Unit

› Statistical Sampling

› Tolerable Error

Use of sampling in Risk Assessment and tests of control

To obtain an understanding of the entity, business and its environment, and its internal control.

Sampling of tests of controls is appropriate when application of the control leaves audit evidence of performance

Risk can be reduced by increasing sample size for both tests of controls and tests of details.

Design and size of the sample and Statistical and non Statistical Approaches

Design of the sample

› The sample should be designed considering the specific audit objectives, the population from which the auditor wishes to sample, and the sample size

Sample Size

Should be determined considering sampling risk, the tolerable error, and the expected error.

Lower the risk, greater the sample size.

Statistical and Non-Statistical Approaches

Decision of using either statistical or non-statistical sampling is a matter of the internal auditor’s professional judgment.

When applying statistical sampling, sample size may be ascertained using either probability theory or professional judgment.

Selection & Evaluation of Sample

Selection of Sample

› It should be selected in such a way that the sample can be expected to be representative of the population.

› Commonly used sampling methods are:

Random selection and use of CAATs

Systematic Selection

Haphazard Selection

Evaluation of Sample Results

The auditor should:

Analyse the nature and cause of any errors detected in the sample.

Project the errors found in the sample to the population.

Reassess the sampling risk.

Consider their possible effect on the particular internal audit objective.

Evaluate the sample results to determine if the assessment of the relevant characteristics of the population is confirmed or not.

Documentation

The documentation includes:

› Relationship between the design of the sample and specific audit objectives.

› Assessment of the expected rate of error in the population to be tested.

› Assessment of the sampling risk and the tolerable error

› Assessment of the nature and cause of errors.

› Rationale for using a particular sampling technique and results thereof.

› Analysis of the nature and cause of any errors detected in the sample.

› Projection of the errors found in the sample to the population

› Reassessment of sampling risk, where appropriate

› Effect of the sample results on the internal audit’s objective.

Standard on Internal Audit (SIA) 6

Analytical Procedures

Contents of the SIA

Introduction.

Nature and Purpose.

Analytical Procedures as Risk Assessment Procedures and in Planning the Internal Audit.

Analytical Procedures as Substantive Procedures.

Analytical Procedures in the Overall Review at the End of the Internal Audit.

Extent of Reliance on Analytical Procedures

Investigating Unusual Items or Trends.

Introduction, Nature and Purpose

Introduction

To apply analytical procedures as the risk assessment procedures at the planning and overall review stages of the internal audit.

Nature and Purpose

Analytical procedures include the consideration of comparisons of the entity's financial and non-financial information.

In determining the extent to which the analytical procedures should be used, the following factors have to be considered

› Significance of the area being examined.

› Adequacy of the system of internal control.

› Availability and reliability of financial and non-financial information.

› Precision with which the results of analytical procedures can be predicted.

› Availability and comparability of information regarding the industry in which the organization operates.

› Extent to which other auditing procedures provide support for audit results.

Analytical Procedures as Risk Assessment Procedures and as Substantive Procedures

Analytical Procedures as Risk Assessment Procedures and in Planning the Internal Audit.

› To obtain an understanding of the business, the entity and its environment and in identifying areas of potential risk.

› Planning the internal audit for use both financial and non-financial information

Analytical Procedures as Substantive Procedures

› To reduce detection risk relating to specific financial statement assertions and assertions relating to process.

› Inquire with the management as to the availability and reliability of information needed to apply analytical procedures.

Analytical Procedures in the Overall Review at the End of audit, Extent of reliance and Investigating Unusual Items or Trends

Analytical procedure should be applied at or near the end of the internal audit when forming an overall conclusion.

Extent of Reliance on Analytical Procedures is based on the following factors

› Materiality of the items involved.

› Internal audit procedures directed toward the same internal audit objectives.

› Accuracy with which the expected results of analytical procedures can be predicted.

› Assessments of inherent and control risks.

Investigating Unusual Items or Trends

When analytical procedures identify significant fluctuations or

When relationships that are inconsistent with other relevant information or

Data that deviate from predicted amounts.

The internal auditor should investigate and obtain adequate explanations and appropriate corroborative evidence.

Standard on Internal Audit (SIA) 7

Quality Assurance in Internal Audit

Introduction

Scope and Objective

In House Internal Audit

Quality Review

Internal Audit

Independent management function.

Continuous and critical appraisal of the entity

Suggest improvements and strengthen the overall governance mechanism of the entity.

Provides assurance that there is transparency in reporting, as a part of good governance.

Scope and Objective

Scope:

Applicable whenever an internal audit is carried out.

Whether by internal audit department or external firm of Professional accountants.

Objective:

To Establish standards and provide guidance

To Ensure Compliance with professional standards, regulatory and legal requirements.

To Improve functionalities of the organization, Transparency in reporting and good governance.

In House Internal Audit

Leadership responsibilities for quality in internal audit

Ethical requirements

Acceptance and continuance of client relationship and specific engagement

Human resources

Engagement performance

Monitoring

Quality Review

Internal Quality Reviews

Internal Quality Reviewer

Communicating the results of Internal Quality Reviews

External Quality Reviews

External Quality Reviewer

Communicating the results of External Quality Reviews

Standard on Internal Audit (SIA) 8

Terms of Internal Audit Engagement

Introduction

Elements of Terms of Engagement

Withdrawal from Engagement

Introduction

Agree on the terms of the engagement before commencement of Audit.

The agreed terms would need to be recorded in an engagement letter.

The responsibility of the internal auditor to prepare the engagement letter.

To be signed both by the internal auditors as well as the auditee.

Approval by Board of Directors/ Audit Committee.

Periodic review and modification of Terms of Engagement.

Elements of Terms of Engagement

Scope

Responsibility

Authority

Confidentiality

Limitations

Reporting

Compensation

Compliance with Standards

Withdrawal from Engagement

If unable to agree to any change in the terms or is not permitted to continue as per the original terms, then auditor should withdraw from the engagement.

Consider whether there is an obligation, contractual or otherwise, to report the withdrawal to other parties.

Standard on Internal Audit (SIA) 9

Communication with Management

Introduction

Matters to be communicated.

Communication Process

Documentation

Introduction

Provides a framework for matters to be communicated with the management.

Internal auditor should consider the following:

Communicate clearly the responsibilities, scope and timing of Audit.

Obtain relevant Information

Provide timely observations

Promote effective two way communication.

Matters to be Communicated

1. Planned scope and Timing of Internal Audit

2. Significant findings from the Internal Audit

Stages of Communication:

a) Discussion Draft

b) Exit Meeting

c) Formal Draft

d) Final Report

Communication Process

Establishing the communication Process

Forms of Communication

Timing of Communication

Adequacy of the Communication Process

Documentation

In case of Oral communication the internal auditor shall document, when and to whom they were communicated.

In case of Written communication the auditor shall retain a copy of the communication as part of the internal audit documentation.

STANDARD ON INTERNAL AUDIT (SIA) 10

INTERNAL AUDIT EVIDENCE

Introduction and Objective

Audit Evidence

Categories of Documentary Evidence

Modes of obtaining Audit Evidence

Introduction and Objective

Scope and coverage are much broader than Statutory Audit.

Covers comments on internal control systems, risk management, propriety aspect of transactions.

This Standard deals with the qualitative and quantitative aspects of evidence in internal audit.

Audit Evidence

Internal audit evidence is persuasive rather than conclusive in nature

The internal auditor may obtain evidence on a selective basis by way of judgmental or statistical sampling procedures

The internal auditor’s judgement is usually influenced by:

› The materiality of the item.

› The type of information available.

› Degree of risk of misstatement.

Categories of Documentary Evidence:

Documentary evidence originating from and held by third parties.

Documentary evidence originating from third parties and held by the entity.

Documentary evidence originating from the entity and held by third parties and

Documentary evidence originating from and held by entity.

Modes of obtaining Audit Evidence

Inspection

Observation

Inquiry and confirmation

Computation

Analytical review

STANDARD ON INTERNAL AUDIT (SIA) 11

CONSIDERATION OF FRAUD IN AN INTERNAL AUDIT

Introduction

Objectives of Internal Control System

Elements of Internal Control System

Responsibilities of Internal Auditor

Introduction

Fraud is defined as an intentional act by one or more individuals among management, those charged with governance, or third parties, involving the use of deception to obtain unjust or illegal advantage.

The primary responsibility for prevention and detection of frauds rests with management and those charged with governance

Objectives of Internal Control System

Internal control refers to the process designed, implemented and maintained by the management of the entity to ensure accomplishment of its following objectives:

Reliability of financial reporting.

Efficiency and effectiveness in operations.

Compliance with applicable laws and regulations.

Safeguarding of assets.

Elements of Internal Control System

The control environment.

Entity’s risk assessment process.

Information system and communication.

Control activities.

Monitoring of controls.

Responsibilities of Internal Auditor

Control Environment

Risk Assessment

Information system and communication

Control Activities

Monitoring

Communication of Fraud

Documentation

STANDARD ON INTERNAL AUDIT (SIA) 12

INTERNAL CONTROL EVALUATION

Introduction

Factors reflected in the Control Environment

Inherent Limitations of Internal Controls

Role of Internal Auditor

Areas to be Reviewed by Internal Auditor.

Areas of Evaluation

Controls present in a System Driven Environment

Tests of Control

Communication of Internal Control Weakness

Disclosure

Introduction

Establish Standards and provide guidance on procedures to be followed by Internal Auditor

Communication of weakness in Internal control.

Internal control system consists of interrelated components such as Risk assessment, Control (or Operating) environment, Monitoring, etc.

Control Environment

Factors reflected in the control Environment:

Entity organization Structure

Functioning of BOD/ Governing Body.

Management's philosophy and operating style

Management's control system.

Integrity and ethical values

Commitment to competence

Human resource policies and practices

Inherent Limitations of Internal Controls

Cost benefit Analysis

Potentiality for Human Error

Circumvention of Internal controls by parties within/ outside the entity.

Misuse of Power

Manipulations by Management.

Role of Internal Auditor

Evaluation of the efficiency and effectiveness of controls

Recommending new controls where needed – or discontinuing unnecessary controls

Using control frameworks

Developing control self-assessment

Areas of Review for Internal Auditor

Mission, vision, ethical and organizational value-system of the entity

Personnel allocation, appraisal system, and development policies

Accounting and financial reporting policies and compliance with applicable legal and regulatory standards

Objective of measurement and key performance indicators

Documentation standards

Risk management structure

Operational framework

Processes and procedures followed

Degree of management supervision

Information systems, communication channels

Business Continuity and Disaster Recovery Procedures

Evaluation of Internal Control

Verify mission statement and written goals and objectives.

Assessing risks at the entity level.

Assessing risks at the activity (or process) level.

Prepare Business Control Worksheet.

Ensure all risks to the entity are identified.

Ascertain those risks for which no controls exist or existing controls are inadequate.

System Driven Environment

Determine whether the entity uses:

Encryption tools, protocols to protect confidential or sensitive information.

Back-up and restore features to reduce the risk of permanent loss of data.

Virus protection software and

Passwords that restrict user access to networks, data and applications.

Tests of Control

Performed to obtain effectiveness of the:

Design of the internal control systems.

Operation of the internal controls throughout the period.

Cost Benefit analysis.

Includes Inspection of Documents, Inquiries and Observation, Re-performance, Reconciliations and Testing of Internal Controls.

Communication of Internal Control Weakness

In case of continuing internal control weaknesses, consider whether:

Management has increased supervision and monitoring;

Additional or compensating controls have been instituted; and/or

Management accepts the risk inherent with the control weakness.

Disclosure

The internal auditor in his report to the management, should provide:

A description of the significant deficiency or material weakness in internal control.

His opinion on the possible effect of such weakness on the entity’s control environment.

STANDARD ON INTERNAL AUDIT (SIA) 13

ENTERPRISE RISK MANAGEMENT

Introduction

Process of ERM and Internal Audit

Scope

Maturity of ERM structure

Disclosure

Introduction

ERM enables management:

To effectively deal with risk

Associated uncertainty and enhancing the capacity to build value to the entity

Types of Risks: Strategic, Operational, Financial and Knowledge

Process of ERM

Enterprise Risk Management is a structured, consistent and continuous process of measuring or assessing risk and developing strategies to manage risk within the risk appetite.

Process consists of Risk identification, prioritization and reporting, Risk mitigation, Risk monitoring and assurance.

Scope of Internal Auditor’s Work

Risk maturity level

Compliance with the risk management policy

In case of the risks covered by the internal audit plan:

Assess the efficiency and effectiveness of the risk response.

Assess whether the score of the residual risk is within the risk appetite

Maturity of ERM Structure

Protects the enterprise against surprises

Stabilizes overall performance with less volatile earnings

Operates within established risk appetite

Protects ability of the enterprise to attend to its core business and

Creates a system to proactively manage risks.

Disclosure

Assurance rating (segregated into High, Medium or Low) as a result of the review

Tests conducted

Samples covered and

Observations and recommendations.

STANDARD ON INTERNAL AUDIT (SIA) 14

INTERNAL AUDIT IN AN INFORMATION TECHNOLOGY ENVIRONMENT

Matters to Consider

Planning

Nature of Risks

Reliability of ICS

Review of IT Environment

Matters to Consider

The extent to which the IT environment is used

The flow of authorised, correct and complete data to the processing centre.

The processing, analysis and reporting tasks undertaken in the installation and

The impact of computer-based accounting system on the audit trail.

Planning

Information Technology Infrastructure

Significance and complexity of computerised processing

Determination of the organisational structure.

Determination of the availability of data

Nature of Risks

Lack of transaction trails

Uniform processing of transactions

Lack of segregation of functions

Potential for errors and irregularities

Initiation or execution of transactions

Dependence of other controls over computer processing

Potential for increased management supervision

Potential for the use of CAAT.

Reliability of ICS

Authorised, correct and complete data is made available for processing.

Timely detection and correction of errors

Interruption in the working of the IT environment.

Accuracy and completeness of output.

Adequate data security

Unauthorised amendments to the programs

Safe custody of source code of application software and data files.

Review of IT Environment

System Audit reports

Reports of system breaches

Reports of network failures/ virus attacks and threats to perimeter security.

General controls

Application controls

Business Continuity Planning, Crisis Management, Disaster Recovery Procedures.

STANDARD ON INTERNAL AUDIT (SIA) 15

KNOWLEDGE OF THE ENTITY AND ITS ENVIRONMENT

Introduction

Acquiring Knowledge of the Entity

Source of Information

Using the Knowledge

Introduction

What constitutes the knowledge of an entity’s business.

Importance to the various phases of an internal audit engagement.

Techniques to be adopted in acquiring such knowledge.

Identify appropriate, reliable and useful information

Acquiring Knowledge of the Entity

Relevant industry, regulatory, and other external factors.

Nature of the entity and its Business operations.

Investment, Financing activities and Financial reporting.

Accounting policies, Business risk, objectives and strategies of the entity.

Source of Information

Previous engagement experience

Business plan/organisational structure and Internal documentation produced by the entity.

Incorporation documents and Visits to the entity premises.

Discussion with key management persons, statutory auditors, Suppliers, customers and third party agencies.

Publications related to the industry.

Using the Knowledge

Assessing risks and identifying key focus areas.

Planning and performing the internal audit effectively and efficiently.

Evaluating audit evidence.

Providing better quality of service to the client

The information obtained should be adequately documented.

STANDARD ON INTERNAL AUDIT (SIA) 16

USING THE WORK OF AN EXPERT

Introduction

Need to use work of Expert

Skills and Competence of Expert

Evaluating the work of an Expert

Disclosure

Introduction

An expert is a person, firm or other association of persons possessing special skill, expertise, knowledge and experience in a particular field.

Use expert if internal Audit Team does not possess the required knowledge.

If Expert is engaged by the senior management or those charged with governance.

Need to use work of Expert

Factors to be Considered:

Materiality of the item being examined.

Nature and complexity of the transaction.

Risk of error.

Extent of Internal audit evidence available.

Skills and Competence of Expert

The expert’s professional qualifications or membership in an appropriate professional body.

 The reputation of the expert in the relevant discipline.

The knowledge and specific experience of the expert in the industry in which the auditee entity operates.

Evaluating the work of an Expert

The objectives and scope of the work

Access to records, personnel and physical properties.

The ownership and custody of engagement documentation and working papers.

Confidentiality of the expert's work

Expert’s relationship with the auditee

Confidentiality of the auditee’s information used by the expert.

Verify the source data used, assumptions made and methods used in obtaining the result.

Disclosure

Normally work of an expert is not required to be disclosed.

Disclose the work if it is beneficial to the reader after obtaining Prior consent of Expert.

Outline the assumptions, broad methodology and conclusions of the expert.

Standard on Internal Audit (SIA) 17

Consideration of Laws and Regulations in an Internal Audit

Scope and Objective.

Responsibility of Management

Responsibility of Internal Auditor

Types of Laws and Regulations

Compliance with Laws and Regulations.

Audit procedures in case of Non Compliance identified.

Reporting of non compliance

Scope

To consider laws and regulations when performing an internal audit.

To test and report on compliance with specific laws or regulations.

Non compliance- Acts of omission or commission by the entity, either intentional or unintentional, which are contrary to the prevailing laws or regulations.

Non-compliance does not include personal misconduct by those charged with governance, management or employees of the entity.

Objective

To obtain sufficient appropriate audit evidence

To perform specified audit procedures

To respond appropriately to non-compliance or suspected non-compliance

Responsibility of Management

To ensure compliance with the provisions of laws and regulations

This can be achieved by assigning appropriate responsibilities to the following:

A compliance committee

An audit committee.

Responsibility of Internal Auditor

Should not assume any accountability for risk management decisions taken by the management.

Inherent limitations on the internal auditor’s ability to detect non-compliance:

Too many laws and regulations

Non-compliance may involve conduct designed to conceal it

Legal determination by a court of law.

Types of Laws and Regulations

Laws and regulations having direct effect on Financial Statements:

Obtain sufficient appropriate audit evidence to ensure compliance.

Laws and regulations having no direct effect on Financial Statements:

Undertake specified audit procedures to identify non-compliance.

May have a significant impact on the functioning of the entity.

Compliance with Laws and Regulations.

Obtaining an Understanding of the Legal and Regulatory Framework

Laws and Regulations having Direct Effect on Financials.

Procedures to Identify Instances of Non-Compliance.

Non-Compliance brought to the Internal Auditor’s Attention through Other Audit Procedures

Written Representations

Internal Audit Procedures When Non-Compliance is Not Identified or Suspected

Internal Audit Procedures When Non Compliance is Identified

Indications of Non-Compliance with Laws and Regulations

Matters Relevant to the Internal Auditor’s Evaluation

Evaluating the Implications of Non-Compliance

Reporting of non compliance

Reporting Non-Compliance to those Charged with Governance

Reporting Non-Compliance in the Internal Auditor’s Report

If precluded from obtaining sufficient appropriate audit evidence then Report the same.

If unable to determine whether non-compliance is due to limitations imposed by the circumstances / management then evaluate the observations and findings in accordance with SIA 4.