SIA 1: Planning an Internal Audit

1

Whether an overall plan for the expected scope and conduct of audit and an audit programme showing the nature, timing and extent of audit procedures have been developed

2

Whether a plan in consultation with those charged with governance, including the audit committee for each internal audit engagement has been developed and documented

3

Whether objectives of internal audit engagement as well as time and resources required for conducting the engagement has been considered in planning

4

Whether Internal audit plan covers following areas:

• Obtaining knowledge of legal and regulatory framework within which the entity operates

• Obtaining knowledge of the entity’s accounting and internal control systems and policies

• Determination of the effectiveness of internal control procedures adopted by the entity

• Determination of the nature, timing and extent of procedures to be performed

• Identification of activities warranting special focus based on materiality and criticality of such activities and their overall effect on operations of the entity

• Identification and allocating staff to different activities to be undertaken

5

Whether planning process includes:

• Obtain knowledge of business

• Establishment of the audit universe

• Establishment of the objectives of engagement

• Establishment of scope of the engagement

• Deciding of resource allocation

• Preparation of audit programme

6

Whether plan has been finalised in consultation with the appropriate authority before commencement of the work

SIA 2: Basic Principles Governing Internal Audit

1

Whether Internal auditor has adhered to the basic principles governing an internal audit.

These principles are:

• Integrity

• Objectivity and Independence

• Confidentiality

• Skills and Competence

• Work Performed by Others

• Documentation

• Planning

• Internal Audit Evidence

• Accounting System and Internal Control

• Internal Audit Conclusions and Reporting

SIA 3: Internal Audit Documentation

1

Whether Internal audit documentation has been designed and properly organized to meet the requirements and circumstances of each audit. Whether policies for standardization of internal audit documentation have been formulated

2

Whether it is sufficiently complete and detailed for an internal auditor to obtain an overall understanding of the audit

3

Whether all significant matters which require exercise of judgment, together with internal auditor’s conclusion thereon has been included in the internal audit documentation.

4

Whether Documentation prepared by internal auditor has enabled reviewer to understand:

• the nature, timing and extent of audit procedures performed to comply with SIAs and applicable legal and regulatory requirements;

• the results of audit procedures and audit evidence obtained;

• significant matters arising during the audit and conclusions reached thereon; and

• terms and conditions of an internal audit engagement/ requirements of internal audit charter, scope of work, reporting requirements, any other special conditions, affecting the internal audit

5

Whether it has covered all the important aspects of an engagement viz.,

• engagement acceptance,

• engagement planning,

• risk assessment and assessment of internal controls,

• evidence obtained and examination/ evaluation carried out,

• review of the findings,

• communication and reporting and follow up

6

Whether the internal audit file has been assembled within sixty days after the signing of the internal audit report.

7

Whether policies as to the custody and retention of the internal audit documentation within the framework of the overall policy of the entity in relation to the retention of documents have been formulated

SIA 4: Reporting

1

Whether the analysis drawn from internal audit evidence obtained as the basis for internal auditors conclusion on the efficiency and effectiveness of systems, processes and controls including items of financial statements have been review and assess

2

Whether report clearly express significant observations, suggestions/ recommendations based on the policies, processes, risks, controls and transaction processing taken as a whole and managements’ responses

3

Whether report includes basic elements such as:

• title,

• addressee,

• report distribution list,

• period of coverage of the report,

• opening or introductory paragraph,

• objectives paragraph,

• scope paragraph (describing the nature of an internal audit),

• executive summary (highlighting key material issues, observations, control weaknesses and exceptions),

• observations, findings and recommendations made by the internal auditor,

• comments from the local management,

• action taken report – action taken/ not taken pursuant to the observations made in the previous internal audit reports,

• date of the report,

• place of signature and

• Internal auditor’s signature with membership number

4

Whether the internal auditor has discussed the draft report with the entity’s management prior to issuing the final report To facilitate communication and ensure that recommendations presented in final report are practical from the point of view of implementation.

5

Whether the following different stages of communication and discussion has been followed:

• Discussion of draft,

• Exit meeting,

• Formal draft,

• Submission of final report

6

Whether there has been a limitation on the scope of internal auditor’s work. If yes, whether the internal auditor’s report has described the limitation

7

Whether disclaimer para as to o state in the report that the same is to be used for the intended purpose only as agreed upon and the circulation of the report should be limited to the recipients mentioned in the report distribution list

SIA 5: Sampling

1

Whether the internal auditors has:

• Designed and selected an audit sample,

• Performed an audit procedures thereon, and

• Evaluated sample results so as to provide sufficient appropriate audit evidence to meet the objectives of internal audit engagement unless otherwise specified by the client

2

Whether while designing an audit sample, internal auditor has considered specific audit objectives, the population from which internal auditor wishes to sample, and the sample size

3

Whether while determining the sample size, internal auditor has considered sampling risk, tolerable error and the expected error

4

Whether the sample items has been selected in such a way that the sample can be expected to be representative of the population. This requires that all items or sampling units in the population have an opportunity of being selected

5

Having carried out, on each sample item, those audit procedures that are appropriate to the particular audit objective, whether the internal auditor has:

• Analyzed the nature and cause of any errors detected in the sample;

• Projected the errors found in the sample to the population;

• Reassessed the sampling risk; and

• Considered their possible effect on the particular internal audit objective and on other areas of internal audit engagement

6

Whether the sample results has been evaluated to determine whether the assessment of relevant characteristics of the population is confirmed or whether it needs to be revised

SIA 6: Analytical Procedure

1

Whether analytical procedures has been applied as the risk assessment procedures at the planning and overall review stages of internal audit

2

Whether the Analytical procedures includes analysis of significant ratios and trends including resulting investigation of fluctuations and relationships that are inconsistent with other relevant information or which deviate from predicted amounts

3

Whether the following factors has been considered for analytical procedures:

• Significance of the area being examined,

• Adequacy of the system of internal control,

• Availability and reliability of financial and non–financial information,

• Precision with which results of analytical procedures can be predicted,

• Availability and comparability of information regarding the industry in which the organization operates,

• Extent to which other auditing procedures provide support for audit results.

Whether after evaluating the aforementioned factors, internal auditor has considered and use of additional auditing procedures, as necessary, to achieve the audit objective

4

Whether analytical procedures has been applied at or near the end of internal audit when forming an overall conclusion as to whether the systems, processes and controls as a whole are robust, operating effectively and are consistent with the internal auditor's knowledge of the business

5

When analytical procedures identify significant fluctuations or relationships that are inconsistent with other relevant information or that deviate from predicted amounts, whether the auditor has investigated and obtained adequate explanations and appropriate corroborative evidence

SIA 7: Quality Assurance in Internal Audit

Whether system for assuring quality in internal audit has provided reasonable assurance that the internal auditors comply with professional Standards, regulatory and legal requirements, so that the reports issued by them are appropriate in the circumstance.

Whether a person within the organization has been entrusted with the responsibility for the quality in the internal audit in order to ensure compliance with the professional standards, regulatory and legal requirements, and to achieve the desired objective of internal audit

In case of in–house internal audit or a firm carrying out internal audit, whether the person entrusted with the responsibility for the quality in internal audit has ensured that the system of quality assurance includes:

• Policies and procedures addressing leadership responsibilities for quality in internal audit,

• Ethical requirements,

• Acceptance and continuance of client relationship and specific engagement, as may be applicable,

• Human resources,

• Engagement performance,

• Monitoring.

The quality assurance framework should cover all the elements of internal audit activity

Whether the internal quality review framework has been designed with a view to provide reasonable assurance that the internal audit is able to efficiently and effectively achieve its objectives of adding value and strengthening the overall governance mechanism of the entity, including the entity’s strategic risk management and internal control system

Whether the internal quality reviews has been undertaken on an ongoing basis.

Whether the person entrusted with the responsibility for quality in internal audit has ensured that recommendations resulting from the quality reviews for improvements in the internal audit activity are promptly implemented

Whether the Internal quality reviews has also been communicated to appropriate levels of management and those charged with governance on a timely basis along with the proposed plan of action to address issues and concerns raised in the review report

Whether the external quality review is a critical factor in ensuring and enhancing the quality of internal audit

SIA 8: Terms of Internal Audit Engagement

Whether the Internal auditor and the auditee has agreed on the terms of engagement before commencement. Whether the terms have been approved by the Board of Directors or a relevant Committee thereof such as the Audit Committee or such other person(s) as may be authorised by the Board in this regard

Whether it contains a statement in respect of the scope of internal audit engagement

Whether it has clearly mentioned that internal auditor would not be involved in the preparation of auditee’s financial statements.

Whether it has also made clear that the internal audit would not result in the expression of an opinion or any other form of assurance on the auditee’s financial statements or any part thereof

Whether the terms of engagement has clearly mentioned the responsibility of the auditee vis-a-vis the internal auditor

Whether it has provided the internal auditor with requisite authority, including unrestricted access to all departments, records, property and personnel and authority to call for information from concerned personnel in the organization

Whether the internal auditor have full authority on his technologies and other properties like hardware and audit tools he may use in course of performing internal audit

Whether it is clear that the ownership of working papers rests with internal auditor and not the auditee

Whether the engagement letter has contained a condition that the report of internal auditor has been not be distributed or circulated by the auditee or the internal auditor to any party other than that mutually agreed between the internal auditor and auditee unless there is a statutory or a regulatory requirement to do so

Whether there is a clear understanding among internal auditor and auditee as to the basis on which the internal auditor would be compensated, including any out of pocket expense, taxes etc, for the services performed by him

Whether it contains a statement that the internal audit engagement would be carried out in accordance with the professional Standards applicable to such engagement as on the date of audit

SIA 9: Communication with Management

Whether the Internal auditor while performing audit has communicated clearly the responsibilities of internal auditor and an overview of the planned scope and timing of audit with the management

Whether communication regarding the planned scope and timing of internal audit has been made to management to assist them to understand better the objectives of internal auditor’s work, to discuss issues of risk and materiality with internal auditor and to identify any areas in which they may request the internal auditor to undertake additional procedures, assist the internal auditor to understand the entity and its environment better

Whether different stages of communication and discussion are:

• Discussion of draft;

• Exit meeting;

• Formal draft; and

• Final report

Whether there is a clear communication of internal auditor’s responsibilities, planned scope and timing of internal audit and expected general content of communications which helps in establishing the basis for effective two–way communication

Where matters required by this SIA to be communicated, are orally communicated, whether the internal auditor has documented them and when and to whom they were communicated. Where matters have been communicated in writing, whether the auditor has retained a copy of the communication as part of internal audit documentation

SIA 10: Internal Audit Evidence

Whether the internal auditor has obtained sufficient appropriate evidence to enable him to draw reasonable conclusions there from on which to base his opinion or findings

Whether internal auditor has evaluated sufficiency of appropriate audit evidence before conclusions there from. Whether the internal audit evidence has enabled internal auditor to form an opinion on the scope of the terms of engagement

When internal audit evidence obtained from one source is inconsistent with that obtained from another, or the internal auditor has doubts over the reliability of information to be used as internal audit evidence, whether the internal auditor has determined what modifications to or additional audit procedures are necessary to resolve the matter

Whether the following methods has been used for obtaining audit evidence:

• Inspection,

• Observation,

• Inquiry and Confirmation,

• Computation and Analytical Review

SIA 11: Consideration of Fraud in an Internal Audit

A system of internal control comprise of following five elements namely:

• Control environment,

• Entity’s risk assessment process,

• Information system and communication,

• Control activities and

• Monitoring of controls.

Whether internal auditor has gained an understanding of the components of system of internal control

Whether internal auditor has obtained an understanding of the various aspects of control environment and evaluated the same as to the operating effectiveness

Whether conclusions drawn from audit evidence obtained has been reviewed and assessed. Whether the actual or suspected fraud or any other misappropriation of assets has been immediately reported to management

Whether the fraud risk factors identified as being present during internal auditor’s assessment process and document internal auditor’s response to any other factors has been documented

SIA 12: Internal Control Evaluation

Whether the system of internal control is under continuous supervision by management to determine that it is functioning as prescribed and is modified, as appropriate, for changes in environment.

Whether the continued effectiveness of internal control system through evaluation and make recommendations, if any, for improving that effectiveness has been examined.

Whether internal auditor has obtained an understanding of significant processes and internal control systems sufficient to plan the internal audit engagement and develop an effective audit approach, assess and evaluate the maturity of entity’s internal control, assess management's attitudes, awareness and actions regarding internal controls and their importance in the entity

Whether internal control system in an entity has been evaluated based on various criteria

Whether internal auditor has ensured segregation of duties between various functions

Whether internal auditor has performed tests of control to obtain audit evidence about the effectiveness of design of internal control systems

Based on the results of tests of control, whether internal auditor has evaluated that the internal controls are designed and operating as contemplated in the preliminary assessment of control risk.

Whether internal auditor has identified internal control weaknesses that have not been corrected and make recommendations to correct those weaknesses

When internal controls are found to contain continuing weaknesses, whether internal auditor has considered that management has increased supervision and monitoring, additional or compensating controls have been instituted and/ or management accepts the risk inherent with control weakness

Whether internal auditor has evaluated identified control deficiencies and then determine whether those deficiencies, individually or in combination, are significant deficiencies or material weaknesses

Whether internal auditor has reported to the management that provides a description of significant deficiency or material weakness in internal control.

SIA 13: Enterprise Risk Management

ERM process consists of:

• Risk identification,

• prioritization and reporting,

• Risk mitigation,

• Risk monitoring and assurance.

The corporate risk function establishes the policies and procedures, and the assurance phase is accomplished by internal audit.

Whether the internal auditor has been provided assurance to management on the effectiveness of risk management

Whether nature of internal auditor’s responsibilities has been adequately documented and approved by those charged with governance

Whether the internal auditor has reviewed the maturity of an ERM structure by considering whether the framework so developed, inter alia protects the enterprise against surprises, stabilizes overall performance with less volatile earnings, operates within established risk appetite, protects ability of the enterprise to attend to its core business and creates a system to proactively manage risks

Whether the internal auditor has reviewed the ERM coordinators in the entity report on the results of assessment of key risks at appropriate levels, which are, inter alia risk Management Committee, Enterprise Business and Unit Heads, Audit Committee

Whether the internal auditor has submitted his report to the Board or its relevant Committee, delineating the following information Assurance rating (segregated into High, Medium or Low) as a result of the review, Tests conducted, Samples covered and Observations and recommendations

SIA 14: Internal Audit in an Information Technology Environment

Whether the internal auditor has considered the effect of an IT environment on internal audit engagement, inter alia the extent to which IT environment is used to record, compile, process and analyse information

Whether the internal auditor has sufficient knowledge of information technology systems to plan, direct, supervise, control and review the work performed.

If specialised skills are needed, whether the internal auditor has sought the assistance of a technical expert possessing such skills, who may either be the internal auditor's staff or an outside professional. If the use of such a professional is planned, whether the internal auditor has obtained sufficient appropriate evidence that the work performed by the expert is adequate for the purposes of the internal audit

Whether the internal auditor has obtained an understanding of the systems, processes, control environment, risk–response activities and internal control systems sufficient to plan the internal audit and to determine the nature, timing and extent of the audit procedures

When the information technology systems are significant, whether the internal auditor has obtained an understanding of IT environment and whether it influences the assessment of inherent and control risks.

The nature of risks and internal control characteristics in IT environments include:

• Lack of transaction trails,

• Uniform processing of transactions,

• Lack of segregation of functions,

• Potential for errors and irregularities,

• Initiation or execution of transactions,

• Dependence of other controls over computer processing,

• Potential for increased management supervision,

• Potential for the use of computer–assisted audit techniques

Whether the internal auditor has reviewed the information technology system in the entity considers the confidentiality, effectiveness, integrity, availability, compliance and validity of data and information processed. Whether the internal auditor has reviewed the effectiveness and safeguarding of IT resources, including – people, applications, facilities and data

SIA 15: Knowledge of the Entity and its Environment

Whether the internal auditor has obtained knowledge of the economy, entity’s business and its operating environment, including its regulatory environment and the industry in which it operates, sufficient to enable him to review the key risks and entity–wide processes, systems, procedures and controls. To identify sufficient, appropriate, reliable and useful information to achieve the objectives of the engagement

Prior to accepting an engagement, Whether the internal auditor has obtained a preliminary knowledge of the industry and of the nature of ownership, management, regulatory environment and operations of the entity subjected to internal audit, and whether considered a level of knowledge of the entity’s business adequate to perform the internal audit can be obtained

Whether following the acceptance of the engagement, further and more detailed information has been obtained. To the extent practicable, whether the internal auditor has obtained the required knowledge at the commencement of the engagement. As the internal audit progresses, whether that information has been assessed, enhanced, updated, refined and validated as the internal auditor and the engagement team obtain more knowledge about the entity’s business

In case of continuing engagements, whether internal auditor has updated and re–evaluated information gathered previously, including information in the prior year's working papers. Whether the internal auditor has also performed procedures designed to identify significant changes that have taken place in the operations, control environment, technology and strategic processes since the last internal audit

Whether the internal auditor has obtained sufficient, appropriate information about the entity. An understanding of business risks facing the entity increases the likelihood of identifying risks of material misstatement in the information subject to internal audit

Whether the internal auditor has ensured that the internal audit engagement team assigned to an internal audit engagement obtains sufficient knowledge of the business to enable them to carry out internal audit work delegated to them.

Whether the internal auditor has ensured that the audit team appreciates and understands the need to be alert for additional information and the need to share that information with the internal auditor and other members of internal audit team

Whether the internal auditor has made effective use of knowledge about the business, whether the internal auditor has considered how this knowledge acquired, affects his review of internal controls and systems taken as a whole and whether his overall entity–wide assessment of systems, procedures, controls and risk management principles are consistent with his knowledge of the entity’s business

Whether the information and knowledge obtained by the internal auditor on the entity and its environment has been adequately documented in the engagement working papers

SIA 16: Using the Work of an Expert

Whether the internal auditor has obtained technical advice and assistance from competent experts if the internal audit team does not possess necessary knowledge, skills, expertise or experience needed to perform all or part of the internal audit engagement

When the internal auditor uses the work of an expert, whether he has satisfied himself about the competence, objectivity and independence of such expert and considered the impact of such assistance or advice on the overall result of internal audit engagement, specially in cases where the outside expert is engaged by senior management or those charged with governance

When determining whether to use the work of an expert or not, whether internal auditor has considered the materiality of the item being examined, the nature and complexity of the item including the risk of error therein, the other internal audit evidence available with respect to the item

When the internal auditor plans to use the expert's work, whether he has satisfied himself as to the expert's skills and competence. Whether he has considered the objectivity of the expert.

Whether he has satisfied himself that the expert has no personal, financial or organizational interests that will prevent him from rendering unbiased and impartial judgments and opinion

When the internal auditor intends to use the work of an expert, whether he has gained knowledge regarding the terms of the expert's engagement. Whether he has sought reasonable assurance that the expert's work constitutes appropriate evidence in support of the overall conclusions formed during the internal audit engagement.

Whether he has considered that the expert has used source data which are appropriate in the circumstances

In exceptional cases where the work of an expert does not support related representations in the overall systems, procedures and controls of the entity, whether the internal auditor has attempted to resolve the inconsistency by discussions with the auditee and the expert

Whether the internal auditor has not refer to the work of an expert in the internal audit report

SIA 17: Consideration of Laws and Regulations in an Internal Audit

Whether the internal auditor has obtained sufficient appropriate audit evidence regarding compliance with the provisions of those laws and regulations generally recognised to have a direct effect on the determination of material amounts and disclosures in the financial statements

Whether the internal auditor has obtained an Understanding of the Legal and Regulatory Framework.

Whether the internal auditor has inquired the management and, where appropriate, those charged with governance, as to whether the entity is in compliance with such laws and regulations; and Inspecting correspondence, if any, with the relevant licensing or regulatory authorities to help identify instances of non–compliance with other laws and regulations that may have a significant impact on the entity’s functioning.

Whether the internal auditor has been requested management and, where appropriate, those charged with governance to provide written representations that all known instances of non–compliance or suspected non–compliance with laws and regulations which impact the functioning of the entity, including the reporting framework, have been disclosed to the internal auditor

If the internal auditor becomes aware of information concerning an instance of non–compliance or suspected non–compliance with laws and regulations, whether the internal auditor has obtained an understanding of the nature of the act and circumstances in which it has occurred and further information to evaluate the possible effect on the functioning of the entity.

Whether the internal auditor has discussed the findings with those charged with governance where they may be able to provide additional audit evidence

Whether the internal auditor has evaluated implications of non–compliance in relation to other aspects of internal audit, including the internal auditor’s risk assessment and the reliability of written representations, and take appropriate action

If the internal auditor concludes that non–compliance has a significant impact on the functioning of an entity and has not been adequately dealt with by the management, whether the internal auditor has reported the same in accordance with SIA 4, “Reporting”. If the internal auditor is precluded by management or those charged with governance from obtaining sufficient appropriate audit evidence to evaluate whether non–compliance that may be significant to the functioning of the entity has, or is likely to have, occurred, whether the internal auditor has reported the same