Changing

Dynamics of
Internal
Audit
Successful internal auditors must have the
hard edge of technical audit skills and the
commercial acumen to garner the respect of
the leadership team because they have
something important to contribute.

The
rapidly
changing business
environment
continues to require
astute
responsiveness
from
the
audit
profession

A REPORT ON
DYNAMIC CHANGES IN INTERNAL AUDIT

SUBMITTED IN PARTIAL FULFILLMENT FOR THE AWARD OF

MASTERS IN MANAGEMENT STUDIES

UNDER THE GUIDANCE OF

Mrs. Nehal Joshipura
(FACULTY GUIDE)
&
Mr. Trushar Chheda
(INDUSTRY MENTOR)

SUBMITTED BY
Mohit Kumar Baldewa
M.M.S-FINANCE (BATCH: 2015-2017)

DURGADEVI SARAF INSTITUTE OF MANAGEMENT STUDIES,

RAJASTHANI SAMMELAN CAMPUS, S.V. ROAD, MALAD (W), MUMBAI400064.

Certificate from the Faculty Guide

This is to certify that Mr. Mohit Kumar Baldewa has completed the Summer
Internship Project name DYNAMIC CHANGES IN INTERNAL AUDIT with the

Desai Haribhakti Consultancy during the month of May & June 2016
under my guidance.
To the best of my knowledge the Report submitted by him is original: No part
of the report has been submitted for award of any other degree fellowship or
other similar titles or prizes.

Place: Mumbai
Date:

Signature
Mrs. Nehal Joshipura

Students Declaration

I Mohit Kumar Baldewa hereby declare that this Report presented by me

to Durgadevi Saraf Institute of Management Studies, in partial completion of
the MMS under the title DYNAMIC CHANGES IN INTERNAL AUDIT had
been done under the guidance of Prof. Nehal Joshipura as well as Industry
Mentor Mr. Trushar Chheda (Partner) Risk Advisory Services, Desai Haribhakti
Consultancy during May July 2016.

Place:

Mohit Kumar Baldewa

Date:

Acknowledgement

I wish to express my deep sense of gratitude to Desai Haribhakti

Consultancy. and in particular Mr. Trushar Chheda (Partner) Risk Advisory
Services for the timely guidance, inspiration and encouragement in the
conduct for my Summer Internship Project work.
I take this opportunity to thanks Prof. Nehal Joshipura for her able guidance
and valuable suggestions, which helped me in completing the project work,
in time.
I take immense pleasure in thanking Dr. C. Babu, Director, Durgadevi Saraf
Institute of Management Studies, for having permitted me to carry out this
project.

Executive Summary
Mandatory reporting on Internal Financial
Controls (IFC)
The Companies Act 2013 has significantly expanded applicability of internal
financial controls to cover all aspects of operations of the company.

Strengthening enterprise risk assessment

processes
As per the Companies Act 2013, Section 134 and 177 there are specific
requirements that a company needs to comply with in respect to Enterprise
Risk Management.

Comprehensive legal compliance framework

The Companies Act, 2013, Clause 49 of the listing agreement, the
government is seeking to make Directors of companies responsible for
devising proper system to help ensure compliance with Provisions of All
Applicable Laws and that such systems are adequate and operating
effectively.

Assessing fraud risk vulnerabilities

Under the new act, liability and punishment for fraud is extended to every
individual who has been a party to it deliberately, including the auditors of
the company.

Contents
Introduction to Internal Audit....................................................................................10
Industry Profile......................................................................................................... 11
Company Profile....................................................................................................... 13
Theory of Internal Audit............................................................................................ 14
Scope & Objectives of the Project............................................................................. 16
Methodology............................................................................................................. 18
Data Collection & Analysis........................................................................................ 19
Findings of the Study................................................................................................ 21
Conclusion & Recommendation................................................................................22
Appendices............................................................................................................... 24
Bibliography............................................................................................................. 26

Introduction to Internal Audit

Internal

auditing is

an

objective assurance and consulting activity

independent,

designed

to

add

value

and

improve an organization's operations. It helps an organization accomplish its

objectives by bringing a systematic, disciplined approach to evaluate and
improve

the effectiveness of risk

management, control,

and

governance processes.[1] Internal auditing is a catalyst for improving an

organization's governance, risk management and management controls by
providing insight and recommendations based on analyses and assessments
of

data

and

business processes.

With

commitment

to integrity and accountability, internal auditing provides value to governing

bodies and senior management as an objective source of independent
advice. Professionals called internal auditors are employed by organizations
to perform the internal auditing activity.
The scope of internal auditing within an organization is broad and may
involve topics such as an organization's governance, risk management and
management controls over: efficiency/effectiveness of operations (including
safeguarding of assets), the reliability of financial and management
reporting, and compliance with laws and regulations. Internal auditing may
also involve conducting proactive fraud audits to identify potentially
fraudulent acts; participating in fraud investigations under the direction of
fraud investigation professionals, and conducting post investigation fraud
audits to identify control breakdowns and establish financial loss.
Internal auditors are not responsible for the execution of company activities;
they advise management

and

the Board

of

Directors (or

similar oversight body) regarding how to better execute their responsibilities.

As a result of their broad scope of involvement, internal auditors may have a

variety of higher educational and professional backgrounds.

Role in internal control

Internal auditing activity is primarily directed at evaluating internal control.
Under the Committee of Sponsoring Organizations

of the Treadway

Commission [COSO] Framework, internal control is broadly defined as a

process, affected by an entity's board of directors, management, and other
personnel,

designed

to

provide

reasonable

assurance

regarding

the

achievement of the following core objectives for which all businesses strive:

Effectiveness and efficiency of operations.

Reliability of financial and management reporting.

Compliance with laws and regulations.

Safeguarding of Assets

Management is responsible for internal control, which comprises five critical

components: the control environment; risk assessment; risk focused control
activities;

information

Managers

establish

and

communication;

policies,

processes,

and

and

monitoring

practices

in

activities.
these

five

components of management control to help the organization achieve the

four specific objectives listed above. Internal auditors perform audits to
evaluate whether the five components of management control are present
and

operating

effectively,

and

if

not,

provide

recommendations

for

improvement.
Role in risk management
Internal auditing professional standards require the function to evaluate the
effectiveness

of

the

organization's Risk

management activities.

Risk

management is the process by which an organization identifies, analyzes,

responds, gathers information about, and monitors strategic risks that could
actually or potentially impact the organization's ability to achieve its mission
and objectives.
Under

the COSO enterprise

risk

management

(ERM)

Framework,

an

organization's strategy, operations, reporting, and compliance objectives all

have associated strategic business risks - the negative outcomes resulting
from internal and external events that inhibit the organization's ability to
achieve its objectives. Management assesses risk as part of the ordinary
course of business activities such as strategic planning, marketing planning,

capital

planning,

budgeting,

hedging,

incentive

payout

structure,

credit/lending practices, mergers and acquisitions, strategic partnerships,

legislative

changes,

conducting

business

abroad,

etc. Sarbanes-

Oxley regulations require extensive risk assessment of financial reporting

processes.

Corporate

legal

counsel

often

prepares

comprehensive

assessments of the current and potential litigation a company faces. Internal

auditors may evaluate each of these activities, or focus on the overarching
process used to manage risks entity-wide. For example, internal auditors can
advise management regarding the reporting of forward-looking operating
measures to the Board, to help identify emerging risks; or internal auditors
can evaluate and report on whether the board and other stakeholders can
have reasonable assurance the organization's management team has
implemented an effective enterprise risk management program.
In larger organizations, major strategic initiatives are implemented to
achieve objectives and drive changes. As a member of senior management,
the Chief Audit Executive (CAE) may participate in status updates on these
major initiatives. This places the CAE in the position to report on many of the
major risks the organization faces to the Audit Committee, or ensure
management's reporting is effective for that purpose.
The internal audit function may help the organization address its risk
of fraud via a fraud risk assessment, using principles of fraud deterrence.
Internal auditors may help companies establish and maintain Enterprise Risk
Management processes.[6] This process is highly valued by many businesses
for establishing and implementing effective management systems and
ensuring quality is maintained & professional standards are met [7] Internal
auditors also play an important role in helping companies execute a SOX 404
top-down risk assessment. In these latter two areas, internal auditors
typically are part of the risk assessment team in an advisory role.

Role in corporate governance

Internal auditing activity as it relates to corporate governance has in the past
been generally informal, accomplished primarily through participation in
meetings and discussions with members of the Board of Directors. According
to COSO's ERM framework, governance is the policies, processes and
structures used by the organizations leadership to direct activities, achieve
objectives, and protect the interests of diverse stakeholder groups in a
manner consistent with ethical standards. The internal auditor is often
considered one of the "four pillars" of corporate governance, the other pillars
being the Board of Directors, management, and the external auditor.
A primary focus area of internal auditing as it relates to corporate
governance is helping the Audit Committee of the Board of Directors (or
equivalent) perform its responsibilities effectively. This may include reporting
critical management control issues, suggesting questions or topics for the
Audit Committee's meeting agendas, and coordinating with the external
auditor and management to ensure the Committee receives effective
information. In recent years, the IIA has advocated more formal evaluation of
corporate governance, particularly in the areas of board oversight of
enterprise risk, corporate ethics, and fraud.

Industry Profile
The current scenario All organizations are subject to fraud risks and there
have been several instances in the past couple of decades when frauds have
led to the downfall of organizations as a whole. Some notable examples
include, Enron and WorldCom in the USA and Satyam near home. The current
economic slowdown has brought to surface a number of high profile frauds
like the Reebok and Citibank cases thereby increasing the focus on fraud risk
management. Global regulations like the US Foreign Corrupt Practices Act
(FCPA),

UK

Bribery

Act,

Sarbanes

Oxley

Act

have

increasingly

put

responsibility on the management of organizations to implement an effective

fraud risk management framework. In the wake of increasing incidents of
frauds in the financial service sector, the Reserve Bank of India (RBI)
introduced guidelines for comprehensive Fraud Risk Management (FRM)
system for banks. With increased regulatory focus and widespread negative
impact of frauds, the managements and senior executives are increasingly
concerned about the vulnerability and exposure of their businesses/
organizations to frauds and whether or not they are adequately protected. A
recent survey undertaken by Deloitte for fraud in Indian banks indicated that
more than half the frauds were detected by internal audit reviews. This
brings into focus the role of internal audit in fraud risk management.
As the mandate and role of internal audit continue to evolve, managements
are increasingly counting on internal audit functions in their efforts for
managing fraud risks and keeping organizations protected. Increasingly, the
internal audit function is not to monitor and detect but also to investigate
fraud incidences when they arise. The role of internal audit in fraud risk
management by way of preventing, detecting and investigating fraud has
amplified as a result of economic uncertainty and increased focus of certain
organization's management on fraud risks.

Company Profile

As the world is converging into a single global entity, technology is blurring

the lines between geographies, services and solutions. And in this era of a
flat, borderless word, DHC is committed to going beyond service into value
addition in the true sense of the word. To understanding not just what our
customers want, but what their business needs; to meeting not just
immediate requirements, but providing long term solutions; to being not just
reactive to client needs but being proactive to solve their future issues.
Because at DHC, we believe there's a thin line between 'delivering a service'
and 'delivering value'.
The Values that help us Create Value
Our bedrock of values is the compass by which we orient operations on every
platform -from management to dealings with our clients to our brand of
service.
The core values that drive us
Partner Driven Approach
We cater to all our clients with personalized attention and meet their
business challenges with ease and finesse.
Extraordinary Client Service
Our client-centric approach is built around highly customized services
through continuous innovation to deliver value to our clients. We provide
support to our customers that they can rely on and encompasses all the
requirements to the best of our ability. We believe in ' total client

satisfaction'.
Vibrant & Long-lasting Client Relationships
Our client relationships are more than just business partnerships. We
endeavor to understand the person as well as their business and build a
vibrant and long lasting relationship.
Trust, Reliability and Transparency
For a relationship to flourish, it must be based on trust, reliability and
transparency - values that we hold sacred.
We provide a whole range of accounting, assurance, advisory and
consulting services both nationally and internationally through our four
service divisions.
We are a full service organization with complete focus on niche services.
Our services are not static but are completely tailor- made as per the
changing needs of our clients. We continually ensure that our services are
internationally bench marked.
Within all our services divisions we have service specialists and sector
specialists to ensure seamless services to our clients.

DHC services can be broadly classified as follows:

R

Theory of Internal Audit

While planning their annual audit plan, internal auditors should consider the
assessment of fraud risk and review managements fraud management
capabilities periodically. They should regularly and closely communicate with
those responsible for risk assessments in the organization and also others in
key

roles

throughout

the

organization,

to

ensure

timely

fraud

risk

management. Internal auditors, during their assignments, should spend an

adequate time and attention to evaluating the framework and internal
controls related to fraud risk management. It is also imperative to have a
well-defined response plan to handle potential frauds uncovered during an
internal audit assignment.

Scope & Objectives of the Project

Internal

Audit

Department

provides

management

with

information,

appraisals, recommendations, and counsel regarding the activities examined

and other significant issues.
The department executes an approved audit plan and will perform the
following tasks in accordance with its overall strategy:
Verify the existence of assets and recommend proper safeguards for

their protection;

Evaluate the adequacy of the system of internal controls;

Recommend improvements in controls;

Assess compliance with policies and procedures and sound business

practices;
Assess compliance with state and federal laws and contractual

obligations.
Review

operations/programs

to

ascertain

whether

results

are

consistent with established objectives and whether the operations/programs

are being carried out as planned;
Investigate reported occurrences of fraud, embezzlement, theft, waste,

etc.

Independence is essential to the effectiveness of the internal audit function.

In carrying out the duties and responsibilities, the Director of Internal Audit
will issue reports to the Vice President and General Counsel in charge of the
internal audit function, Senior Vice President, and the Vice President
concerned. The Director of Internal Audit will meet with the Finance and

Audit Committee of the Board of Trustees periodically to report the plans for
audit activity, the results of audit activity, and to provide any other
information required. The Director of Internal Audit has direct access to the
President and the Board should matters of immediate significance arise
which demand such attention.

Methodology
Internal audit execution
A typical internal audit assignment involves the following steps:
1. Establish and communicate the scope and objectives for the audit to
appropriate management.
2. Develop an understanding of the business area under review. This
includes objectives, measurements, and key transaction types. This
involves

review

of

documents

and

interviews.

Flowcharts

and

narratives may be created if necessary.

3. Describe the key risks facing the business activities within the scope of
the audit.
4. Identify management practices in the five components of control used
to ensure each key risk is properly controlled and monitored. Internal
Audit Checklist can be a helpful tool to identify common risks and
desired controls in the specific process or industry being audited.
5. Develop and execute a risk-based sampling and testing approach to
determine whether the most important management controls are
operating as intended.

6. Report issues and challenges identified and negotiate action plans with
management to address the problems.
7. Follow-up on reported findings at appropriate intervals. Internal audit
departments maintain a follow-up database for this purpose.
Audit assignment length varies based on the complexity of the activity being
audited and Internal Audit resources available. Many of the above steps are
iterative and may not all occur in the sequence indicated.
In addition to assessing business processes, specialists called Information
Technology (IT) Auditors review Information technology controls.

Data Collection & Analysis

Source: India Banking Fraud Survey 2014

Findings of the Study

The Companies Act 2013, (the Act) ushers in a new era of corporate
governance and transparency in the Indian corporate sector. The Securities
and Exchange Board of India (SEBI) with the objective to align its provisions
to the recently notified provisions of the Companies Act, 2013 has
specifically reviewed clause 49 of the Listing Agreement, to adopt leading
industry practices on corporate governance and to make the corporate
governance framework more effective.
With requirements of these norms warranting organizations to provide
assurance to the Board of Directors and Audit Committees on adequacy of
internal financial controls, effective risk management processes, Anti-fraud
controls and effective legal compliance framework, the Internal Auditor
would need to review and re-define its role and fulfill its role as an important
vehicle and an enabler of good corporate governance.
Going forward, the role of the Internal Audit Function is expected to become
much more onerous as the board, management and independent directors
seek increased comfort from an Internal Auditor on newer areas to comply

with their oversight responsibility and legal duties. It is set to evolve into a
more extensive, outward, forward looking and continuous activity playing an
enhanced role in 'Integrated Assurance' - an activity to outline who provides
assurance on what aspects of the entire assurance universe. This new
purpose, authority, and responsibility of the internal audit activity must be
formally defined in the new internal audit charter and presented to the senior
management and the board for approval. However, while Corporate India is
looking to their internal auditors to help deliver a more sustainable, efficient
and effective audit function. One that fully aligns with the new governance
needs and expectations, there is ambiguity in the minds of the board, audit
committee members, CXOs and Internal Auditors on what changes would be
needed in their roles to fulfill these new requirements.
As companies raise the bar on their own performance to contend with the
greater regulatory and stakeholder expectations, it also raises the bar on
Internal Audit Function. This whitepaper discusses four themes which would
now form part of the new Internal Audit Charter to support the organization
and the stakeholders meet the expectations of the new Companies Act 2013
raising the Bar on Governance. Here, we attempt to redefine the internal
audit charter from the perspective of governance stakeholders and build
what we call the 'New Performance Continuum' for the Chief Audit Executive
(CAE) in the wake of the changed environment. With these new expectations,
it is also necessary for Internal Auditors to review their methodology and
include specific procedures to address these changes. We have also
discussed some of the steps and procedures which should find place in new
audit plans, roles and responsibilities for the Internal Auditor.

Mandatory reporting on
Internal financial controls

The Companies Act 2013 requires the Directors report for listed companies,
including public companies with paid up capital of INR25 crores or more, and
auditors report for all companies to comment on whether the company has
adequate

internal

financial

controls

system

in

place

and

operating

effectiveness for such controls. For this purpose, the term internal financial
controls means the policies and procedures adopted by the company for
ensuring the orderly and efficient conduct of its business, including
adherence to companys policies, the safeguarding of its assets, the
prevention

and

detection

of

frauds

and

errors,

the

accuracy

and

completeness of the accounting records, and the timely preparation of

reliable financial information.
Although the ambit of internal financial control for Public companies with
paid-up capital of over INR25 crores is limited to internal controls over
financial reporting, given the fact that the Statutory Auditors have to
comment on the operating effectiveness of internal financial controls (in its
entirety, and not just internal controls over financial reporting), and the Audit
Committee is entrusted with evaluating internal financial controls (both
operational and financial), it appears that all companies will need to lay
down internal financial controls covering its operations, reporting (financial
and non-financial) and compliance responsibilities; and not just over financial
reporting. The discussion draft issued by The Institute of Chartered
Accountants (ICAI) as guidance to Statutory Auditors has indicated using the
COSO framework, as the basis on which internal financial controls will be
evaluated. Therefore, the Act has significantly expanded applicability of
internal financial controls to cover all aspects of operations of the company.
Having evaluated their business needs and capabilities, business leaders
would now need to embed internal controls monitoring their operations,
reporting and compliance processes, as opposed to financial reporting only.
Organizations would need to shift from point in time testing to ongoing
testing embedded within the business processes.

AD sse v e s l so pa n d

DTe e s vt e t lho ep a
The Act places a stronger emphasis than before on the role of the Audit
Committee on internal financial controls and risk management. Given the
importance of these areas, internal audits assurance role is very important
in helping audit committee directors fulfill their oversight responsibility and
legal duties.The changing role of Internal Audit the ever increasing
regulations and expansion of organizations across the globe into new
markets exposed the organizations to greater regulatory and compliance

risks. Regulators expect thorough due diligence, oversight Fraud Detection

mechanism Anonymous complaint by external party Internal audit/legal/
compliance Whistleblower mechanism By accident Fraud detection/ analytics
solution Others Not disclosed 43% 53% 37% 20% 20% 17% 40% Source:
India

Banking

Fraud

Survey

2014

Assurance

Assessment

and

Recommendations Oversight Advisory Services Objective examination to

provide accurate and current information to the stakeholders about the
efficiency and effectiveness of its policies and operations, and the status of
its compliance with the statutory obligations Assessing and making
recommendations on the effectiveness of the existing controls Demonstrates
informed, accountable decision making with regard to ethics, compliance,
risk, economy and efficiency Assessing and making recommendations on the
effectiveness of the existing controls Demonstrates informed, accountable
decision making with regard to ethics, compliance, risk, economy and
efficiency Assessing and making recommendations on the effectiveness of
the existing controls Demonstrates informed, accountable decision making
with regard to ethics, compliance, risk, economy and efficiency The changing
role of internal audit 3 and background checks to be performed on partners,
vendors, suppliers and others. As fraud has a number of negative impacts on
organizations financial and reputational it is important for the
organizations

to

have

strong

fraud

prevention

programme.

As

organizations work towards reducing the losses due to fraud, their anti-fraud
programmes are increasingly looking towards the internal audit function for
support in light of the fact that over time as internal auditors review systems
in the organization, they develop an overall knowledge of the organizations
processes, risks, control systems and personnel which can contribute to an
effective fraud risk management. The IIA provides mandatory guidance for
internal auditors in its International Professionals Practices Framework (IPPF).
Internal auditors are expected to have sufficient knowledge to evaluate the
risk of fraud in their organizations, and are required to report to the board
any fraud risks found during their investigations. IPPF also expects the

internal audit activity to evaluate the potential for the occurrence of fraud
and how the organization manages its fraud risk. The expectation is that
internal auditing should provide objective assurance to the board and
management that fraud controls are sufficient for identified fraud risks and
ensure that the controls are functioning effectively. Internal auditors may
review the comprehensiveness and adequacy of the risks identified by
management especially with regard to management override risks.

Strengthening enterprise
Risk assessment processes
Risk

management

is

central

part

of

any

organization's

strategic

management. Successful organisations seek to integrate risk management

and internal control into all activities, through a framework of risk
identification, risk assessment and risk response.
As per the Companies Act 2013, there are specific requirements that a
company needs to comply with in respect to Enterprise Risk Management. In
addition, the board and audit committee have been vested with specific
responsibilities in assessing the robustness of risk management policy,
process and systems:
Section 134: The Board of Directors report must include a statement
indicating development and implementation of a risk management policy for
the company including identification of elements of risk, if any, which in the
opinion of the board may threaten the existence of the company.
Section 177: The audit committee shall act in accordance with the terms
of reference specified in writing by the board, which shall, inter alia, include
evaluation of risk management systems.
Schedule IV: Independent directors should satisfy themselves that
systems of risk management are robust and defensible.
Also, the revised Clause 49 of the Listing Agreement from SEBI widens the
requirements for risk management. It requires the board to be responsible

for framing, implementing and monitoring the risk management plan for the
company.
Internal audit is third line of defense, which through its risk based approach
provides reasonable independent assurance to the organisations board of
directors and senior management on the effectiveness of risk management
processes. In organisations where risk management implementation is in its
initial stages, the role of internal audit is often that of a catalystor facilitator
to help foster development of the organization's risk management process.
Further, the more risk mature the organization is, it is better for the internal
audit function to provide a realistic picture to the board on risk management
against its strategic objectives.
Key Considerations for the Chief Risk Officer (CRO)
Provide credible risk governance. Inputs to strategy formulation; integrate
risk management and strategy execution. Aggregate information to identify
operational control weaknesses. Identify risks presenting the most significant
risks to shareholder value. Build a risk management dashboard. Use
behavioural change management techniques to maintain risk awareness
capabilities. Coordinate with assurance providers to provide an opinion on
the control environment. Develop prudent risk management techniques to
address key risks, and establish sufficient monitoring of strategic risk
'signposts' to identify risk occurrences in time. View risk management as a
core competency and try to ensure that auditors receive appropriate training
on risk and risk manage-ment practices.
CAE response
Internal Audit function must align its activities with the organisations key
strategies and critical risks must be driven from the top with input from the
executive management and the Board. It should be coordinated with other
key oversight functions. Regardless of whether risk management and internal
audit operate as distinct and separate units, or are closely aligned, it is
imperative that they leverage off each other, continually developing
knowledge and awareness of the environments in which they operate. They

must work within the same risk management framework and conduct
dialogue to continually question each others perspective of the nature and
severity of the risk profile.

Assessing fraud risk

Vulnerabilities
Globalisation has not only led to obsolete geographical boundaries, but has
also increased the scale and complexity of todays business environment. It
has further been complicated by continual changes in the business
environment, mounting competition and multitude of regulations creating
significant pressures on management to effectively maintain oversight of all
operations. These challenging scenarios create various vulnerabilities in
systems, procedures and frameworks for manipulation and frauds.
Fraud negatively impacts the organisation in many ways including financial,
reputational, psychological and social implications. Depending on the
severity of loss, organisation scan be irreparably harmed due to the financial
impact of the fraudulent activity. The incentives and pressures to commit
frauds have always existed both within and outside the organisation. The
opportunity to commit fraud arises when the fraudsters spot a weak link in
the oversight process, inadequate controls, lack of proper accountability,
unrestrained power to certain individuals, inadequate segregation and
rotation of duties, excessive trust etc. Organisations can most influence the
opportunity element by specifying internal controls and procedures that
avoid putting anyone, internal or external, to commit fraud and detects
fraudulent activity as and when it occurs. The new Act proposes vital
changes in this context for the first time - it defines fraud, lays down severe
penalties

for

delinquency,

fixes

extensive

management,

independent

Directors

and

responsibility
auditors,

for

senior

introduces

the

establishment of vigil mechanism and accords statutory status to Serious

Fraud Investigation Office (SFIO).

 Section 447 of the Act provides a specific definition of fraud and also
makes extensive provisions for penalising fraudulent activities. Fraud
includes any act, omission, concealment of any fact or abuse of the position
committed by any person, with intent to deceive, to gain undue advantage
from, or to injure the interests of, the company or its shareholders or its
creditors or any other person, whether or not there is any wrongful gain or
wrongful loss.
Under the new act, liability and punishment for fraud is extended to every
individual who has been a party to it deliberately, including the auditors of
the company
Companies are also required to establish a vigil mechanism for directors
and employees to report genuine concerns, even directly to the chairperson
of the Audit Committee for appropriate cases.

The

mechanism

should

provide

for

adequate

safeguards

against

victimisation of persons who use such mechanism. Importantly, the details of

such mechanism are required to be disclosed by the company on its website
and in the Boards report.
The directors' responsibility statement is required to include a confirmation
regarding proper and sufficient care for the maintenance of adequate
accounting records for safeguarding the assets of the company and for
preventing and detecting fraud and other irregularities.
In light of the above, the companies will have to make sure they have
adequate processes, controls and oversight mechanisms to ensure that there
are adequate fraud prevention controls. The primary responsibility for
prevention and detection of fraud rests with management and those charged
with governance. Establishing a fraud risk management procedures would be
of importance for preventing fraudulent situations and enabling timely and
due monitoring and oversight by the directors. Internal audit is in a suitable
position to identify potentially fraudulent situations during the course of the
audit and thus plays a strong role in preventing fraud and other illegal acts.
While external auditors focus on misstatements in the financial statements

that are material, internal auditors are often in a better position to detect the
symptoms that accompany fraud. Internal auditors usually have continual
presence in the organisation that provides them with a better understanding
of the organisation and its control systems. Therefore, the CAE will now need
to take responsibility over the adequacy of fraud prevention/ mitigation
controls in business processes. He will have to consider fraud procedures as
part of every audit. He can no longer take shelter that the IA function is not
responsible for preventing and detecting fraud.
Fraud risk and the role of a CAE
Proactive auditing to look for misappropriation and misrepresentation
Examining and evaluating the adequacy and
effectiveness of internal controls that might address
fraud risks include:
Controls over significant, unusual transactions
Controls over adjustments in the period-end financial reporting process
Controls over related party transactions
Controls related to significant management estimates
Controls that mitigate incentives for, and pressures on, management to falsify or inappropriately
manage financial results.
Fraud Detection activities include potential fraud indicators in the Risk Control Matrix/Audit
Program. Gather sufficient knowledge of fraud to identify red flags indicating fraud that may have been
committed, the techniques used to commit fraud, and the various fraud schemes and scenarios
associated with the activities reviewed.
Leverage data mining and data analytics to find unusual
items and perform detailed analyses of high risk
accounts and transactions.
Establish effective fraud prevention measures based
on a companys SWOT analysis.
Define robust control activities i.e., policies and
procedures for business processes, including
appropriate authority limits and segregation of
incompatible duties, employee training etc.
Test operating effectiveness of fraud prevention and
detection controls.
Identify relevant fraud risk factors: understand
organisations external and internal business environment.
Review the documentation of previous and suspected
frauds, frauds at similar organisations, root cause analysis
and control improvement recommendations, monitoring
the reporting/whistleblower hotline, and providing ethics
training sessions.
Map existing controls to potential fraud schemes
and carry out a gap assessment: identify preventive
and detective controls in place to address fraud risks and
likelihood and significance of each potential fraud.
Entity level anti-fraud controls such as whistleblower
hotline, whistleblower protection policy, board oversight,
results of continuous monitoring, code of conduct are
important elements in the exercise.

Conclusion & Recommendation

CAEs Evolving Role: Business Case for 'Integrated Assurance'
Current challenge for the CAE is identifying and understanding the assurance
universe across internal audit, the extent of consideration of other assurance
providers in internal audit planning and execution, duplication of work by
different assurance functions creating a 'nuisance factor' within the business
and contradictory views given to executive management. Internal Audit will
be expected to 'connect the dots' in order to facilitate the development of an
integrated assurance framework. Going forward, executive management will
task the CAE with leading the risk convergence initiative at the organisation
level.
Benefits will include a common risk vocabulary and consistent reporting from
each of the key oversight functions (risk management, compliance, internal
audit, SOX, EH&S, etc) to executive management and the Board. It would
also result in cost savings as redundant activities are eliminated and
common information is shared across the various oversight groups.
Coping up with the new role Though the role and responsibility of internal
audit function may vary in scope and authority in different organizations,
there is a clear trend that internal audit is taking on a more strategic and
central role. With these changes, the increased interaction between the
evolving internal audit function and its major stakeholders is an important
area for organizations to focus on and develop. Organizations can be walking
on a dangerous tightrope where senior management believe that the internal
audit function is providing assurance in respect of fraud risk assessment,
detection and investigation, whereas reality is that internal audit are under
resourced or inadequately trained and constrained in their ability to meet the
expected delivery. Apart from this, gaps can also exist in the levels of
support and training that are provided to internal auditor and could mean
that their ability to be effective could be highly compromised. The way
forward An organizations commitment to effective internal control should be

reflected directly in the importance it attaches to its internal audit function.

The internal audit charter, approved by the board or audit committee, should
clearly identify the roles and responsibilities of internal audit with respect to
fraud risks. This could include roles in relation to fraud risk management,
initial or full investigation of suspected fraud, root cause analysis and control
improvement recommendations, monitoring of a reporting/whistleblower
hotline, and providing ethics training sessions. If the internal audit activity is
responsible for the investigation, it may conduct an investigation using inhouse staff, outsourcing, or a combination of both. This will require fraud
investigation teams to obtain sufficient knowledge of fraudulent schemes,
investigation techniques, and applicable laws. In organizations where
primary responsibility for the investigation function is not assigned to the
internal audit activity, the internal audit activity may still be asked to help
gather

information

and

make

recommendations

for

internal

control

improvements. It is, therefore, of utmost importance that internal audit

functions are adequately funded, staffed, and trained, with appropriate
specialized skills depending upon the nature, size, and complexity of the
operating environment of an organization. Also it is essential for the internal
audit function to have independent authority and reporting lines and have
adequate access to the audit committee.

Appendices

Bibliography
Sources:
1. IPPF Practice Guide on Internal Auditing and Fraud
2. Managing the Business Risk of Fraud: A Practical Guide
Paper sponsored by IIA, AICPA and ACFE

https://www.protiviti.com/en-US/Documents/RegulatoryReports/General-Business/Protiviti-Flash-Report-New-ICReqs-Companies-with-India-Operations.pdf
https://www.pwc.in/assets/pdfs/publications/2015/pwc-reportingperspectivesoctober-2015.pdf
https://www.wirc-icai.org/(S(ao1o00a1y1dnqv55oxdi0ujq)X(1))/material/WIRCIFC.pdf
https://www.kpmg.com/IN/en/IssuesAndInsights/ArticlesPublications/Documents/KPM
G-the-New-Internal-Audit-Charter.pdf