STANDARDS ON INTERNAL AUDIT ('SIA')
Internal Audit
Internal audit is an independent management function, which
involves a continuous and critical appraisal of the functioning of an entity
with a view to suggest improvements thereto and add value to and strengthen the
overall governance mechanism of the entity, including the entity’s strategic
risk management and internal control system.
Internal Audit – India
-
Clause 49 of
Listing Agreement - Responsibility of audit committee to review adequacy of
internal audit function and internal audit reports
-
Section 292A of
the Companies Act, 1956 - In addition, Section 292A of the Companies Act,
1956, requires public companies having paid up capital not less than Rs. 5
crores to constitute a committee of the Board, i.e., the Audit Committee. In
terms of sub section 5 of the said Section, the internal auditor is required
to attend and participate at the meetings of such Audit Committees.
-
Companies
(Auditor’s Report) Order, 2003 - The Central Government, in terms of the power
vested under Section 227(4A) of the Companies Act, 1956 had notified the
Companies (Auditor’s Report) Order, 2003. Clause (vii) of the said 2003 order
requires the auditor to report as follows: "whether in case of listed
companies and/or other companies having paid-up capital and reserves exceeding
Rs. 50 lakhs as at the commencement of the financial year concerned, or having
an average annual turnover exceeding five crore rupees for a period of three
consecutive financial years immediately preceding the financial year
concerned, whether the company has an internal audit system commensurate with
its size and nature of its business."
-
Section 581ZF of
the Companies Act, 1956 requires that every Producer Company shall have
internal audit of its accounts carried out by a chartered accountant, at such
interval and in such manner as may be specified in articles.
-
The Securities
and Exchange Board of India has mandated complete internal audit on a
half-yearly basis for stock brokers/trading members/clearing members.
-
IRDA (Investment)
(Fourth Amendment) Regulations, 2008 has introduced requirements of quarterly
internal audit for insurers.
-
Companies going
in for tapping the international capital market, especially, those seeking
listing in US stock exchanges, NASDAQ, NYSE, etc., also need a strong internal
audit function to meet the stringent corporate governance and internal control
requirements of those stock exchanges. In this context, US companies
having the US public as investors also need to comply with the requirements of
Sections 302 and 404 of the Sarbanes-Oxley Act of 2002.
Framework of SIA
The Framework for Standards on Internal Audit comprises four
components viz., the Code of Conduct, the Competence Framework, the Body of
Standards and the Technical Guidance.
Internal audit is conducted in varied economic, legal,
cultural and business environments. The organisations in which internal audit is
performed differ widely in size, structure, nature of business, scale, purpose,
objectives and geographical spread. Further, the internal audit activity may be
performed by an entity’s employees or by some external agency. Thus, the
Framework for Standards on Internal Audit applies to all the persons performing
internal audit activity, irrespective of whether the function is performed
in-house or by an external agency.
Purpose of SIA
• To provide standards for quality of services during an
internal audit
• To codify the best practices in internal audit services
Scope of SIA
The SIA shall apply whenever an internal audit is carried
out. The SIA(s) are mandatory from the respective date(s) mentioned in the SIA(s).
However, any limitation in the applicability of a specific Standard shall be
made clear in the Standard. The mandatory status of a Standard on Internal Audit
implies that while carrying out an internal audit, it shall be the duty of the
members of the Institute to ensure that the SIAs are followed. If, for any
reason, a member has not been able to perform all or any of such activities, as
mentioned in accordance with the SIAs, his report should draw attention to the
material departures therefrom.
While a summary of the Standards on Internal Audit (SIA) is given
below, the detailed ‘Illustrative Check List’ for
compliance with the SIAs is given in the CD.
Summary of Standards on Internal Audit (‘SIA’) issued by ICAI
SIA 1: Planning an Internal Audit
-
Planning involves developing an overall plan for the expected scope and
conduct of audit and developing an audit programme showing the nature, timing
and extent of audit procedures
-
Develop
and document a plan in consultation with those charged with governance,
including the audit committee for each internal audit engagement
-
Objectives of the internal audit engagement, as well as the time and resources
required for conducting the engagement, should be considered. The internal audit
plan should also reflect the risk management strategy of the entity
-
Internal audit plan should cover areas such as obtaining knowledge of legal
and regulatory framework within which the entity operates, obtaining knowledge
of the entity’s accounting and internal control systems and policies,
determining the effectiveness of internal control procedures adopted by the
entity, determining the nature, timing and extent of procedures to be
performed, identifying activities warranting special focus based on
materiality and criticality of such activities, and their overall effect on
operations of the entity, identifying and allocating staff to different
activities to be undertaken
-
Planning process includes obtaining knowledge of business, establishing the
audit universe, establishing the objectives of engagement, establishing scope
of the engagement, deciding resource allocation, preparation of audit
programme
-
Plan to
be finalised in consultation with the appropriate authority before
commencement of the work
SIA 2: Basic Principles Governing Internal Audit
-
Internal auditor
should adhere to the basic principles governing an internal audit
-
These principles
are integrity, objectivity and independence, confidentiality, skills and
competence, work performed by others, documentation, planning, internal audit
evidence, accounting system and internal control, and internal audit
conclusions and reporting
SIA 3: Internal Audit Documentation
-
Internal audit
documentation should be designed and properly organized to meet the
requirements and circumstances of each audit. To formulate policies for
standardization of internal audit documentation
-
It should be
sufficiently complete and detailed for an internal auditor to obtain an
overall understanding of the audit
-
All significant
matters which require exercise of judgment, together with internal auditor’s
conclusion thereon should be included in the internal audit documentation.
Documentation prepared by internal auditor should enable reviewer to
understand:
- the nature,
timing and extent of audit procedures performed to comply with SIAs and
applicable legal and regulatory requirements;
- the results
of audit procedures and audit evidence obtained;
- significant
matters arising during the audit and conclusions reached thereon; and
- terms and
conditions of an internal audit engagement/requirements of internal audit
charter, scope of work, reporting requirements, any other special
conditions, affecting the internal audit
-
It should cover
all the important aspects of an engagement viz., engagement acceptance,
engagement planning, risk assessment and assessment of internal controls,
evidence obtained and examination/evaluation carried out, review of the
findings, communication and reporting and follow up
-
The internal
audit file should be assembled within sixty days after the signing of the
internal audit report.
-
To formulate
policies as to the custody and retention of the internal audit documentation
within the framework of the overall policy of the entity in relation to the
retention of documents
SIA 4: Reporting
-
To review and
assess the analysis drawn from internal audit evidence obtained as the basis
for his conclusion on the efficiency and effectiveness of systems, processes
and controls including items of financial statements
-
Report clearly
expressing significant observations, suggestions/recommendations based on the
policies, processes, risks, controls and transaction processing taken as a
whole and management’s responses
-
Report includes
basic elements such as title, addressee, report distribution list, period of
coverage of the report, opening or introductory paragraph, objectives
paragraph, scope paragraph (describing the nature of an internal audit),
executive summary (highlighting key material issues, observations, control
weaknesses and exceptions), observations, findings and recommendations made by
the internal auditor, comments from the local management, action taken report
– action taken/not taken pursuant to the observations made in the previous
internal audit reports, date of the report, place of signature and Internal
auditor’s signature with membership number
-
To facilitate
communication and ensure that recommendations presented in final report are
practical from the point of view of implementation, the internal auditor
should discuss the draft with the entity’s management prior to issuing the
final report. The different stages of communication and discussion should be
discussion of draft, Exit meeting, formal draft, submission of final report
-
When there is a
limitation on the scope of internal auditor’s work, the internal auditor’s
report should describe the limitation
-
To state in the
report that the same is to be used for the intended purpose only as agreed
upon and the circulation of the report should be limited to the recipients
mentioned in the report distribution list
SIA 5: Sampling
-
Design and select
an audit sample, perform audit procedures thereon, and evaluate sample results
so as to provide sufficient appropriate audit evidence to meet the objectives
of internal audit engagement unless otherwise specified by the client
-
When designing an
audit sample, internal auditor should consider specific audit objectives, the
population from which internal auditor wishes to sample, and the sample size
-
When determining
the sample size, internal auditor should consider sampling risk, tolerable
error and the expected error
-
To select sample
items in such a way that the sample can be expected to be representative of
the population. This requires that all items or sampling units in the
population have an opportunity of being selected
-
Having carried
out, on each sample item, those audit procedures that are appropriate to the
particular audit objective, the internal auditor should:
- analyse the nature and cause of any errors detected in the sample;
- project the errors found in the sample to the population;
- reassess the sampling risk; and
- consider their possible effect on the particular internal audit objective
and on other areas of internal audit engagement
-
To evaluate the
sample results to determine whether the assessment of relevant characteristics
of the population is confirmed or whether it needs to be revised
SIA 6: Analytical Procedure
-
To apply
analytical procedures as the risk assessment procedures at the planning and
overall review stages of internal audit
-
Analytical
procedures are analysis of significant ratios and trends including resulting
investigation of fluctuations and relationships that are inconsistent with
other relevant information or which deviate from predicted amounts
-
Factors to be
considered for analytical procedures are significance of the area being
examined, adequacy of the system of internal control, availability and
reliability of financial and non–financial information, the precision with
which results of analytical procedures can be predicted, availability and
comparability of information regarding the industry in which the organization
operates, the extent to which other auditing procedures provide support for
audit results. After evaluating the aforementioned factors, internal auditor
should consider and use additional auditing procedures, as necessary, to
achieve the audit objective
-
To apply
analytical procedures at or near the end of internal audit when forming an
overall conclusion as to whether the systems, processes and controls as a
whole are robust, operating effectively and are consistent with the internal
auditor’s knowledge of the business
-
When analytical
procedures identify significant fluctuations or relationships that are
inconsistent with other relevant information or that deviate from predicted
amounts, the auditor should investigate and obtain adequate explanations and
appropriate corroborative evidence
SIA 7: Quality Assurance in Internal Audit
-
A system for
assuring quality in internal audit should provide reasonable assurance that
the internal auditors comply with professional Standards, regulatory and legal
requirements, so that the reports issued by them are appropriate in the
circumstance. In order to ensure compliance with the professional standards,
regulatory and legal requirements, and to achieve the desired objective of
internal audit, a person within the organization should be entrusted with the
responsibility for the quality in the internal audit, whether done in–house or
by an external agency
-
In case of
in–house internal audit or a firm carrying out internal audit, the person
entrusted with the responsibility for the quality in internal audit should
ensure that the system of quality assurance includes policies and procedures
addressing leadership responsibilities for quality in internal audit, ethical
requirements, acceptance and continuance of client relationship and specific
engagement, as may be applicable, human resources, engagement performance,
monitoring. The quality assurance framework should cover all the elements of
internal audit activity
-
The internal
quality review framework should be designed with a view to provide reasonable
assurance that the internal audit is able to efficiently and effectively
achieve its objectives of adding value and strengthening the overall
governance mechanism of the entity, including the entity’s strategic risk
management and internal control system
-
The internal
quality reviews should be undertaken on an ongoing basis. The person entrusted
with the responsibility for quality in internal audit should ensure that
recommendations resulting from the quality reviews for improvements in the
internal audit activity are promptly implemented
-
Internal quality
reviews are also communicated to appropriate levels of management and those
charged with governance on a timely basis along with the proposed plan of
action to address issues and concerns raised in the review report
-
External quality
review is a critical factor in ensuring and enhancing the quality of internal
audit
SIA 8: Terms of Internal Audit Engagement
-
Internal auditor
and the auditee should agree on the terms of engagement before commencement.
Terms should be approved by the Board of Directors or a relevant Committee
thereof such as the Audit Committee or such other person(s) as may be
authorised by the Board in this regard
-
It should contain
a statement in respect of the scope of internal audit engagement
-
It should clearly
mention that internal auditor would not be involved in the preparation of
auditee’s financial statements. It should also be made clear that the internal
audit would not result in the expression of an opinion or any other form of
assurance on the auditee’s financial statements or any part thereof
-
The terms of
engagement should clearly mention the responsibility of the auditee
vis-a-vis the internal auditor
-
It should provide
the internal auditor with requisite authority, including unrestricted access
to all departments, records, property and personnel and authority to call for
information from concerned personnel in the organization
-
The internal
auditor should have full authority on his technologies and other properties
like hardware and audit tools he may use in course of performing internal
audit
-
It should be
clear that the ownership of working papers rests with internal auditor and not
the auditee
-
The engagement
letter should contain a condition that the report of internal auditor should
not be distributed or circulated by the auditee or the internal auditor to any
party other than that mutually agreed between the internal auditor and auditee
unless there is a statutory or a regulatory requirement to do so
-
There should be a
clear understanding between the internal auditor and the auditee as to the basis
on which the internal auditor would be compensated, including any out-of-pocket
expenses, taxes, etc., for the services performed by him
-
It should contain
a statement that the internal audit engagement would be carried out in
accordance with the professional Standards applicable to such engagement as on
the date of audit
SIA 9: Communication with Management
-
Internal auditor
while performing audit should communicate clearly the responsibilities of
internal auditor and an overview of the planned scope and timing of audit with
the management
-
Communication
regarding the planned scope and timing of internal audit may assist the
management to understand better the objectives of internal auditor’s work, to
discuss issues of risk and materiality with internal auditor and to identify
any areas in which they may request the internal auditor to undertake
additional procedures, assist the internal auditor to understand the entity
and its environment better
-
Different stages
of communication and discussion should be: discussion of draft; exit meeting;
formal draft; and final report
-
Clear
communication of internal auditor’s responsibilities, planned scope and timing
of internal audit and expected general content of communications helps
establish the basis for effective two–way communication
-
Appropriate
timing for communications will vary with the circumstances of the engagement.
Relevant circumstances include significance and nature of the matter, and the
action expected to be taken by management
-
Where matters
required by this SIA to be communicated are communicated orally, the internal
auditor shall document them and when and to whom they were communicated. Where
matters have been communicated in writing, the auditor shall retain a copy of
the communication as part of internal audit documentation
SIA 10: Internal Audit Evidence
-
To obtain
sufficient appropriate evidence to enable him to draw reasonable conclusions
therefrom on which to base his opinion or findings
-
Scope of an
internal audit is much broader in comparison to that of statutory audit. The
depth of coverage of internal audit, being a management function, would also
be much wider. An internal audit function normally is spread beyond checking
of financial transactions and is expected to cover comments on internal
control
systems, risk management, propriety aspect of transactions
-
To evaluate
sufficiency of appropriate audit evidence before drawing conclusions therefrom. The
internal audit evidence should enable internal auditor to form an opinion on
the scope of the terms of engagement
-
The reliability
of internal audit evidence depends on its source – internal or external and on
its type
-
When internal
audit evidence obtained from one source is inconsistent with that obtained
from another, or the internal auditor has doubts over the reliability of
information to be used as internal audit evidence, the internal auditor shall
determine what modifications to or additional audit procedures are necessary
to resolve the matter
-
Various methods
for obtaining audit evidence include inspection, observation, inquiry and
confirmation, computation and analytical review
SIA 11: Consideration of Fraud in an Internal Audit
-
An internal
auditor is not expected to possess the skills and knowledge of a person expert in
detecting and investigating frauds; he should, however, have reasonable
knowledge of factors that might increase the risk of opportunities for frauds
in an entity and exercise reasonable care and professional skepticism while
carrying out internal audit
-
A system of
internal control comprises the following five elements, namely control
environment, entity’s risk assessment process, information system and
communication, control activities and monitoring of controls. It is essential
for internal auditor to gain an understanding of the components of system of
internal control
-
The primary
responsibility for prevention and detection of frauds is that of the
management of the entity. The internal auditor should, however, help the
management fulfill its responsibilities relating to fraud prevention and
detection
-
To obtain an
understanding of the various aspects of control environment and evaluate the
same as to the operating effectiveness
-
To evaluate the
mechanism in place for supervision and assessment of internal controls to
identify instances of any actual or possible breaches therein and to take
corrective action on a timely basis
-
To carefully
review and assess conclusions drawn from audit evidence obtained. Actual or
suspected fraud or any other misappropriation of assets should be immediately
reported to management
-
To document fraud
risk factors identified as being present during internal auditor’s assessment
process and document internal auditor’s response to any other factors
SIA 12: Internal Control Evaluation
-
The system of
internal control must be under continuous supervision by management to
determine that it is functioning as prescribed and is modified, as
appropriate, for changes in environment. The internal control system extends
beyond those matters which relate directly to the functions of the accounting
system and comprises the control environment and control activities
-
To examine the
continued effectiveness of internal control system through evaluation and make
recommendations, if any, for improving that effectiveness. To focus towards
improving internal control structure and promoting better corporate governance
-
To obtain an
understanding of significant processes and internal control systems sufficient
to plan the internal audit engagement and develop an effective audit approach,
assess and evaluate the maturity of entity’s internal control, assess
management’s attitudes, awareness and actions regarding internal controls and
their importance in the entity
-
To evaluate
internal control system in an entity, based on various criteria
-
To ensure
segregation of duties between various functions
-
Tests of control
are performed to obtain audit evidence about the effectiveness of design of
internal control systems
-
Based on the
results of tests of control, internal auditor should evaluate whether the
internal controls are designed and operating as contemplated in the
preliminary assessment of control risk. To consider whether internal controls
were in use throughout the period
-
To identify
internal control weaknesses that have not been corrected and make
recommendations to correct those weaknesses
-
When internal
controls are found to contain continuing weaknesses, internal auditor should
consider whether management has increased supervision and monitoring,
additional or compensating controls have been instituted and/or management
accepts the risk inherent with control weakness
-
To evaluate
identified control deficiencies and then determine whether those deficiencies,
individually or in combination, are significant deficiencies or material
weaknesses
-
Report to the
management should provide a description of significant deficiency or material
weakness in internal control, together with the internal auditor’s opinion on
the possible effect of such weakness on the entity’s control environment
SIA 13: Enterprise Risk Management
-
Risk is an event
which can prevent, hinder, fail to further or otherwise obstruct the
enterprise in achieving its objectives. Risk may be broadly classified into
Strategic, Operational, Financial and Knowledge
-
ERM is a
structured, consistent and continuous process of measuring or assessing risk
and developing strategies to manage risk within the risk appetite. It involves
identification, assessment, mitigation, planning and implementation of risk
and developing an appropriate risk response policy. Management is responsible
for establishing and operating the risk management framework
-
ERM process
consists of Risk identification, prioritization and reporting, Risk
mitigation, Risk monitoring and assurance. The corporate risk function
establishes the policies and procedures, and the assurance phase is
accomplished by internal audit. The role of internal auditor is to provide
assurance to management on the effectiveness of risk management
-
Nature of
internal auditor’s responsibilities should be adequately documented and
approved by those charged with governance
-
To review the
maturity of an ERM structure by considering whether the framework so
developed, inter alia protects the enterprise against surprises, stabilizes
overall performance with less volatile earnings, operates within established
risk appetite, protects ability of the enterprise to attend to its core
business and creates a system to proactively manage risks
-
To review whether
the ERM coordinators in the entity report on the results of assessment of key
risks at appropriate levels, which are, inter alia, Risk Management Committee,
Enterprise Business and Unit Heads, Audit Committee
-
To submit his
report to the Board or its relevant Committee, delineating the following
information: assurance rating (segregated into High, Medium or Low) as a result
of the review, tests conducted, samples covered, and observations and
recommendations
SIA 14: Internal Audit in an Information Technology Environment
-
The overall
objective and scope of an internal audit does not change in an IT environment.
However, the use of a computer changes the processing, storage, retrieval and
communication of financial information and the interplay of processes, systems
and control procedures. This may affect the internal control systems employed
by the entity. Accordingly, an IT environment may affect the procedures
followed by the internal auditor in obtaining a sufficient understanding of
the processes, systems and internal control system and the auditor’s review of
the entity’s risk management and continuity systems
-
To consider the
effect of an IT environment on internal audit engagement, inter alia the
extent to which IT environment is used to record, compile, process and analyse
information and the system of internal control in existence in the entity with
regard to flow of authorised, correct and complete data to the processing
centre, the processing, analysis and reporting tasks undertaken in the
installation and the impact of computer–based accounting system on the audit
trail that could otherwise be expected to exist in an entirely manual system
-
To have
sufficient knowledge of information technology systems to plan, direct,
supervise, control and review the work performed. The sufficiency of knowledge
would depend on the nature and extent of the IT environment. The internal
auditor should consider whether any specialised IT skills are needed in the
conduct of audit, for example, the operating knowledge of a specialised ERP
system
-
If specialized
skills are needed, the internal auditor should seek the assistance of a
technical expert possessing such skills, who may either be the internal
auditor’s staff or an outside professional. If the use of such a professional
is planned, the internal auditor should obtain sufficient appropriate evidence
that the work performed by the expert is adequate for the purposes of the
internal audit
-
To obtain an
understanding of the systems, processes, control environment, risk–response
activities and internal control systems sufficient to plan the internal audit
and to determine the nature, timing and extent of the audit procedures
-
When the
information technology systems are significant, the internal auditor should
also obtain an understanding of IT environment and whether it influences the
assessment of inherent and control risks. The nature of risks and internal
control characteristics in IT environments include the Lack of transaction
trails, Uniform processing of transactions, Lack of segregation of functions,
Potential for errors and irregularities, Initiation or execution of
transactions, Dependence of other controls over computer processing, Potential
for increased management supervision, Potential for the use of
computer–assisted audit techniques
-
To review whether
the information technology system in the entity considers the confidentiality,
effectiveness, integrity, availability, compliance and validity of data and
information processed. To review the effectiveness and safeguarding of IT
resources, including – people, applications, facilities and data
SIA 15: Knowledge of the Entity and its Environment
-
To obtain
knowledge of the economy, entity’s business and its operating environment,
including its regulatory environment and the industry in which it operates,
sufficient to enable him to review the key risks and entity–wide processes,
systems, procedures and controls. To identify sufficient, appropriate,
reliable and useful information to achieve the objectives of the engagement
-
Prior to
accepting an engagement, the internal auditor should obtain a preliminary
knowledge of the industry and of the nature of ownership, management,
regulatory environment and operations of the entity subjected to internal
audit, and should consider whether a level of knowledge of the entity’s
business adequate to perform the internal audit can be obtained
-
Following the
acceptance of the engagement, further and more detailed information should be
obtained. To the extent practicable, the internal auditor should obtain the
required knowledge at the commencement of the engagement. As the internal
audit progresses, that information should be assessed, enhanced, updated,
refined and validated as the internal auditor and the engagement team obtain
more knowledge about the entity’s business
-
In case of
continuing engagements, internal auditor should update and re–evaluate
information gathered previously, including information in the prior year’s
working papers. The internal auditor should also perform procedures designed
to identify significant changes that have taken place in the operations,
control environment, technology and strategic processes since the last
internal audit
-
To obtain
sufficient, appropriate information about the entity. An understanding of
business risks facing the entity increases the likelihood of identifying risks
of material misstatement in the information subject to internal audit
-
Knowledge of the
entity’s business is a frame of reference within which the internal auditor
exercises professional judgment in reviewing the processes, controls and risk
management procedures of the entity
-
To ensure that
the internal audit engagement team assigned to an internal audit engagement
obtains sufficient knowledge of the business to enable them to carry out
internal audit work delegated to them. The internal auditor should also ensure
that the audit team appreciates and understands the need to be alert for
additional information and the need to share that information with the
internal auditor and other members of internal audit team
-
To make effective
use of knowledge about the business, internal auditor should consider how the
knowledge acquired affects his review of internal controls and systems taken
as a whole and whether his overall entity–wide assessment of systems,
procedures, controls and risk management principles is consistent with his
knowledge of the entity’s business
-
The information
and knowledge obtained by the internal auditor on the entity and its
environment should be adequately documented in the engagement working papers
SIA 16: Using the Work of an Expert
-
To obtain
technical advice and assistance from competent experts if the internal audit
team does not possess necessary knowledge, skills, expertise or experience
needed to perform all or part of the internal audit engagement
-
When the internal
auditor uses the work of an expert, he should satisfy himself about the
competence, objectivity and independence of such expert and consider the
impact of such assistance or advice on the overall result of internal audit
engagement, especially in cases where the outside expert is engaged by senior
management or those charged with governance
-
When determining
whether to use the work of an expert or not, the internal auditor should consider
the materiality of the item being examined, the nature and complexity of the
item including the risk of error therein, and the other internal audit evidence
available with respect to the item
-
When the internal
auditor plans to use the expert’s work, he should satisfy himself as to the
expert’s skills and competence. He should also consider the objectivity of the
expert and satisfy himself that the expert has no personal, financial or
organizational interests that will prevent him from rendering unbiased and
impartial judgments and opinion
-
When the internal
auditor intends to use the work of an expert, he should gain knowledge
regarding the terms of the expert’s engagement. He should seek reasonable
assurance that the expert’s work constitutes appropriate evidence in support of
the overall conclusions formed during the internal audit engagement, and
consider whether the expert has used source data which are appropriate in the
circumstances
-
In exceptional
cases where the work of an expert does not support related representations in
the overall systems, procedures and controls of the entity, the internal
auditor should attempt to resolve the inconsistency by discussions with the
auditee and the expert
-
The internal
auditor should not, normally, refer to the work of an expert in the internal
audit report
SIA 17: Consideration of Laws and Regulations in an Internal Audit
-
It is the primary
responsibility of management, with the oversight of those charged with
governance, to ensure that the entity’s operations are conducted in accordance
with the provisions of laws and regulations, including compliance with the
provisions of laws and regulations that determine the reported amounts and
disclosures in an entity’s financial statements
-
The objectives of
the internal auditor are to obtain sufficient appropriate audit evidence
regarding compliance with the provisions of those laws and regulations
generally recognised to have a direct effect on the determination of material
amounts and disclosures in the financial statements, to perform specified
audit procedures to help identify instances of non–compliance with other laws
and regulations that may have a significant impact on the functioning of the
entity and to respond appropriately to non–compliance or suspected
non–compliance with laws and regulations identified during the internal audit
-
Since the role of
an internal auditor is to carry out a continuous and critical appraisal of the
functioning of an entity and suggest improvements thereto, the identification
of non–compliance with laws and regulations is also an inherent part of his
responsibilities
-
The internal auditor
should obtain an understanding of the legal and regulatory framework. The
internal auditor shall inquire of the management and, where appropriate,
those charged with governance, as to whether the entity is in compliance with
such laws and regulations, and shall inspect correspondence, if any, with the
relevant licensing or regulatory authorities to help identify instances of
non–compliance with other laws and regulations that may have a significant
impact on the entity’s functioning
-
The internal
auditor shall request management and, where appropriate, those charged with
governance to provide written representations that all known instances of
non–compliance or suspected non–compliance with laws and regulations which
impact the functioning of the entity, including the reporting framework, have
been disclosed to the internal auditor
-
If the internal
auditor becomes aware of information concerning an instance of non–compliance
or suspected non–compliance with laws and regulations, the internal auditor
shall obtain an understanding of the nature of the act and circumstances in
which it has occurred and further information to evaluate the possible effect
on the functioning of the entity. The internal auditor may discuss the
findings with those charged with governance where they may be able to provide
additional audit evidence
-
The internal
auditor shall evaluate implications of non–compliance in relation to other
aspects of internal audit, including the internal auditor’s risk assessment
and the reliability of written representations, and take appropriate action
-
If the internal
auditor concludes that non–compliance has a significant impact on the
functioning of an entity and has not been adequately dealt with by the
management, the internal auditor shall report the same in accordance with SIA
4, "Reporting". If the internal auditor is precluded by management or those
charged with governance from obtaining sufficient appropriate audit evidence
to evaluate whether non–compliance that may be significant to the functioning
of the entity has, or is likely to have, occurred, the internal auditor should
report the same.
|