Hi guys, Rajat this side, here I am going to discuss my experience of Internal Audit till date, the discussion is made assuming the auditee being a Company under Indian Companies Act, and I hope it will help you a lot:
- What it is?
- Why it is carried out, is it necessary?
- Who can be an Internal Auditor?
- Difference between Statutory & Internal Audit
- How it is carried out?
- What it is?
I hope, most of you were spoon fed at some time if you were or are a CA student with the definition of Audit i.e. “Audit is an Independent examination of an entity or an organization whether profit making or not, in order express an opinion that whether financial statements reflect true and fair view for position of the entity.
As Internal Audit is also a category of Audit, So the above definition also applies to Internal Audit. Internal Audit is more of a management function, as per ICAI it is defined as below:
“Internal audit is an independent management function, which involves a continuous and
Critical appraisal of the functioning of an entity with a view to suggest improvements
Thereto and add value to and strengthen the overall governance mechanism of the entity,
Including the entity’s strategic risk management and internal control system.”
Internal Audit is concerned with the audit of functions, process, control, benchmarks, in the various departments of business. For e.g. there can be various departments of a business organization like:
In the above departments, various process are to be followed for performing their activities. For e.g. Human Resource departments perform the activities like recruitment, termination, appraisal, Salary Disbursement, Appraisal, Management of EPF, ESI, and Bonus etc. For each of these activities certain process is to be followed, like for recruiting a personnel, first of all invitation for application through newspaper and various job-portal is made, afterwards applications are analyzed and candidates are shortlisted, negotiation is made and afterwards appointment and so on. These activities are audited and observations are noted with regard to discrepancies in carrying out these activities. We will discuss this all in detail in “How Internal Audit is Carried Out”?
- Why it is Carried Out, Is it necessary?
The main aim of Internal Audit is to unveil frauds, improve functions, process, reset benchmarks, and implement controls in business at various levels, to save the interest of various stakeholders of business. It can be carried out Voluntary or due to the requirement of law, It acts as a supporting to Statutory audit, as in Company Auditor Report it is to be commented by the Statutory auditor that whether Internal Audit System exist or not with regard to nature & size of the organization. Prior to Companies Act, 2013, it was not mandatory for the companies to establish the Internal Audit System but Companies Act, 2013 made mandatory for certain class of companies for which Internal Audit is mandatory. This clause is as follows:
As per section 138 of Indian Companies Act 2013 read with Rule 13 Of Companies (Accounts) Rules, 2014, certain class of companies are required to appoint Internal Auditors. An extract of Rule 13 of Companies (Accounts) Rules, 2014 is as follows-
Rule 13 of Companies (Accounts) Rules, 2014:
Companies required to appoint internal auditor.-
The following class of companies shall be required to appoint an internal auditor or a firm of internal auditors, namely:-
(a) Every listed company; Always applicable
(b) Every unlisted public company having–
(i) Paid up share capital of fifty crore rupees or more during the preceding financial year; or
(ii) Turnover (income) of two hundred crore rupees or more during the preceding financial year; or
(iii) Outstanding loans or borrowings from banks or public financial institutions exceeding one hundred crore rupees or more at any point of time during the preceding financial year; or
(iv) Outstanding deposits of twenty five crore rupees or more at any point of time during the preceding financial year; and
(c) Every private company having–
(i) turnover of two hundred crore rupees or more during the preceding financial year; or
(ii) outstanding loans or borrowings from banks or public financial institutions exceeding one hundred crore rupees or more at any point of time during the preceding financial year.
Extract of above Rule is:
Note: Difference between Loan and Deposit in above case is Loan can only be from banks or public financial Institution but Deposits can be from anyone e.g. friends of directors, subsidiary companies, associates, etc.
- Who can be an Internal Auditor?
Since Companies Act, 2013 and Companies (Accounts) Rules, 2014 does not specify any qualification of Internal Auditor. So, Internal Auditor can be any person except statutory auditor (as per section 144), he is not necessary to be a CA/CWA/MBA, etc., he can be an employee of the company or a firm of Internal Auditors. It is on Board of the Company, to whom they appoint as Internal Auditor.
- Difference between Internal Audit & Statutory Audit?
|Particulars||Internal Audit||Statutory Audit|
|Meaning||Audit conducted in view to improve and implement functions, process, controls, benchmarks of the business departments||Audit conducted in accordance with the law for expressing opinion on transactions carried out during the year|
|Necessity||Voluntary of Mandatory||Mandatory|
|Auditor||Can be the employees of the company or hired agency||Must be external, also known as external auditors|
|Remuneration||Can be the fixed Salary of the employee or if agency hired then amount negotiated with it||Decided in Board meeting|
|Scope||Wider in Scope as it covers most of the business departments||Narrower in Scope as it generally concerned with the Finance department of the company|
|Period of audit||Can be done monthly, quarterly, half yearly or yearly depending on the size and nature of the company||Yearly for the year ending on 31st March XXXX|
|Filing of Report||Audit Report is not filed with Registrar of the companies (ROC)||Audit report has to be filed with the Registrar of Companies (ROC) within the specified period after the end of financial year|
|Extent||Sometimes, Internal Auditor acts as an Investigator also||Statutory Auditor never acts as an Investigator|
|Rotation||Rotation of Internal Auditor is not mandatory||Rotation is mandatory as per rules specified in this regard|
|Removal of Internal Auditor||Not governed in any Act||Governed by Companies Act, 2013|
Internal Audit is carried out monthly, quarterly, half yearly or yearly depending upon the size or nature of the company, Since there are enormous activities or transactions carried out in business, so it is very difficult to audit each and every event and transaction, so in this function also audit Sample is taken and reasonable assurance is obtained on that basis, in this also management is responsible for performing activities, functions and processes. In Internal Audit System, An Annual Scope is fixed generally in the start of year which states the departments which are to be audited, period and frequency of audit, branches or plants to be audited. On the basis of annual scope, internal audit function is performed.
- How it is Carried Out?
First of all, Initial Audit Requirement (IDR) is sent generally before one week of Audit Start date to the head of various departments which are to be audited. On that basis Initial Audit requirement, Data is collected from the department, which is analyzed as per the policies made by the company, and on the basis of Accounting, Auditing & Internal Audit Standards, and various acts or laws applicable to the entity, Observations are noted and discussed with the Head of Department and timeline is decided for resolving the observation is decided in meeting, and thereafter follow up is done for the timeline decided. For e.g. if one has to audit the Human Resource Department then the following IDR will be sent to Head of HR Department :
- Employee Master having complete details regarding Name, Address, Contract No., Date of Joining, Date of Reliving, Date of Birth, Qualification, Department Name and Qualification etc.
- Attendance register or Bio-metric machine report of attendance having details with time entered and time left, overtime details, etc.
- Invitation documents for various appointment made during the audit period
- Basis of Document on which personnel’s is selected
- Supporting documents for the persons appointed with regard to qualification, past experience
- Clearance report from various departments for the persons left during the audit period
- Gratuity, EPF, ESI, Bonus MIS and supporting challans for the audit period
- Salary Disbursement Report, Appraisal Report, etc.
Above is the Illustrative list, there can be more requirements on the basis of nature of the company and job of employees.
Out of above Audit requirement, some data is system based and some would be available in hard copies, both are analyzed and any deviation from the decided policy or process decided by the company for performing the activities of Human resource Department is noted in Internal Audit Report, discussed, timeline for resolving that observation is taken and follow up is made.
One more example – If one wants to do the audit of Process like “Procurement to Pay” then audit will be carried out in the following manner:
As we all studied the Operating Cycle of business in 12th Class in subject “Business Studies & Management”. Procurement to Pay audit is all about auditing one part of the Operating Cycle of the business i.e. activities carried out from procurement of raw material or Service till payment is made to Vendors:
Procurement to Pay Cycle of business is as follows:
As shown in the process above, there are so many events which are to be verified by auditor, like Whenever any raw material requirement is raised, auditor has to verify the event that whether the requirement was valid, if it was valid then if the material was in stock then reservation for that material to department will be made and if not then the user has to make a purchase requisition of material. Here auditor will verify that whether the purchase requisition is made even though the material was available in stock. It usually happens in business if the Inventory & Stores department is not taking care of the stock and is unaware about the location of stock. If auditor is satisfy with the validity of PR (Purchase Requisition) then he need to verify that whether Request for Quotation is sent to vendors of that raw material, whether it is for same quantity, as rate may vary depending upon the order of quantity, date of RFQ should be same, After RFQ is sent whether adequate quotations (generally 3 to 4) are received for that material and whether the received quotations are through e-mail or through paper, if through paper then they need to be signed, on the letterhead of supplier with date on it and on the basis of comparative statement of prices and terms of quotations received, the vendor with best terms is selected and Note for approval is made stating that out of quotations received, the X vendor has been selected. Here auditor should verify that whether it is approved by the heads of various department through the signature on note for approvals.
Sometimes, Commercial department while dealing vendors for negotiating prices, fixes its commission in cash and sometimes vendor with higher quote is selected on the basis of urgent requirement, Auditor need to verify the above events very carefully, as higher quote will lead to excess outflow and cost to the company and undue benefit to the Negotiator in Commercial department. After the selection of vendor, purchase order is created and order is placed to vendor. Here auditor needs to verify the whether the purchase order is made with same terms as agreed with vendor selected. Whether it contains details like delivery terms, payment terms, quality terms, tax implications of material, etc., after Placing Order to vendor, whether payment is made within the days agreed is to be verified as it impacts creditworthiness of the company with suppliers and in market.
Here Auditor will also review the Vendor Master (which is the part of Information system control & audit (ISCA)), he would extract the instances in which vendor details with company like PAN, TIN, LST, Excise registration no., Service tax registration no., contact no., email address, Full name, address, its vendor code, etc. These details should be updated in the master of the company as without the above company would not be able to deduct TDS, take input credit, contact its vendor, etc. Auditor would verify that whether system or accounting software of the company has a control of not allowing PAN more or less than 10 digits, 4 digit of pan other than what it can be, TIN more or less than 11 digits, Excise and Service tax registration no. more or less than 15 digits
The above events in procurement to pay cycle are illustrative, there can be more events which depends on the policy of the company.
So, as we discussed about the audit of HR department and Procurement to Pay process, auditor would analyze the activities and process of others department and would audit them accordingly.
After Auditing the various process, controls, and departments as per the audit scope, auditor needs to present all its observation under one roof and that roof is called as “Internal Audit Report”. The Internal Audit report should be very simple in language and for every fact and observation stated there, auditor should have audit evidence in support to it. The Internal Audit Report must contain:
- Audit Scope
- Name of Audit Team Members
- Its Root Cause
- Its Implication
- Recommendation for Resolving it as per Auditor
- Management Comments regarding it
- Responsible person for resolving observation
- Timeline by which such observation will get closed.
As discussed above, it can be said that Internal audit department in an organization is a profit center as it save cost of many departments and improve many functions of conducting business. That is why Companies Act, 2013 has made mandatory for certain class of companies to have an Internal Audit System in order to save the interest of various stakeholders of the business unit.
Above was my personal experience in Internal Audit function, I hope you enjoyed the reading. Comments and suggestions are always welcomed, Please feel free to write.