SIP Report

Understanding Internal Audit Methodology with practice in Quality

Assurance processes Audit review

Submitted by:
Sumit Vithalani

----------------------------------------------------------------------------------------------------
Master of Business Administration
School of Petroleum Management
Pandit Deendayal Petroleum University
Gandhinagar.

Page | 1
 PREFACE

It is essential for the management of large firms to carry out internal audit and review their own
processes. Internal audit gives the opportunity to find and correct the gaps in the processes which
helps firms to perform well and minimize the risk.
The project at Reliance industries limited aimed to review the processes of quality control and
quality assurance, which affects the final quality of the company’s products and thus, company’s
overall reputation and market share. The risk based internal audit of quality processes included
the detail understanding of quality process design, review all the laboratory processes of both
DTA and SEZ refinery and finding the gaps in the processes which impacts higher risk on the
objective of the process. The study also included discovering the root cause of the gaps and
recommending suggestions to the management to optimize the same process.

Page | 2
 ACKNOWLEDGEMENT

I hereby take this opportunity to sincerely thank the authority of RELIANCE INDUSTRIES
LTD. for taking me as an intern under the kind mentorship of Mr. Gyana Pattanaik and for
providing a very conducive work environment.

I would like to thank my mentor Mr. Gyana Pattanaik whose valuable inputs and guidance
helped me to go about this project.

I would like to extend my sincere gratitude towards the entire team of internal audit at Jamnagar
office including Mr. Manish Vadagama, Mr. Navin Joshi and Mr. Hiten Bathiya who
directly or indirectly played a significant role in my learning associated with the Sumer
Internship.

Finally, I would like to extend a vote of thanks to my faculty mentor at School of Petroleum
Management, Dr. Sudhir Yadav, for his valuable support and guidance throughout the project.

I would also like to thank the other entire faculty of School of Petroleum Management, whose
lessons helped me a lot during my internship project.

Page | 3
Table of Contents
1. Internal Audit over View _________________________________________________________ 7
a. Introduction __________________________________________________________________ 7
b. History of internal auditing _____________________________________________________ 8
c. Organizational independence____________________________________________________ 8
d. Role in internal control _________________________________________________________ 9
e. Role in risk management _______________________________________________________ 9
f. Role in corporate governance __________________________________________________ 10
g. Audit project selection or "annual planning" _____________________________________ 11
h. Internal audit execution _______________________________________________________ 11
i. Internal audit reports _________________________________________________________ 11
j. Quality of Internal Audit Report ________________________________________________ 12
k. Strategy ____________________________________________________________________ 12
l. Measuring the internal audit function ___________________________________________ 13
m. Reporting of critical findings _________________________________________________ 14
n. Audit philosophy _____________________________________________________________ 14
o. The difference between internal and external audit ________________________________ 15
2. Risk based internal auditing _____________________________________________________ 16
a. Background _________________________________________________________________ 16
b. What is risk based auditing? ___________________________________________________ 16
I. Definition _________________________________________________________________ 16
II. Is the organization ready? _________________________________________________ 16
III. A Dynamic process _______________________________________________________ 16
c. Advantages__________________________________________________________________ 17
d. Implementation of RBIA ______________________________________________________ 17
e. Risk maturity assessment ______________________________________________________ 19
I. Objectives_________________________________________________________________ 19
II. Actions to achieve the objectives ____________________________________________ 20
III. Range of audit strategies __________________________________________________ 21
IV. Assurance strategies ______________________________________________________ 22
V. Framework for audit planning _______________________________________________ 23
VI. Consulting strategies ______________________________________________________ 23
VII. Mixed risk maturities _____________________________________________________ 24

Page | 4
 f. Production of the audit plan ___________________________________________________ 24
I. The objectives of this stage are to _____________________________________________ 25
II. Information requirements _________________________________________________ 25
III. Actions to achieve the objectives ____________________________________________ 26
IV. Risk defined organizations starting to use RBIA _______________________________ 30
g. Doing the audit ______________________________________________________________ 31
I. Objectives of this stage ______________________________________________________ 31
II. Action to achieve these objectives ___________________________________________ 31
III. Repeating the cycle of RBIA _______________________________________________ 34
h. Benefits and drawbacks _______________________________________________________ 34
I. Direct contribution to the organization’s objectives ______________________________ 35
II. Relationship with management _____________________________________________ 35
III. Management responsibility for risk management ______________________________ 35
IV. Achieving targets _________________________________________________________ 35
i. Audit resources ______________________________________________________________ 36
j. Staff expertise _______________________________________________________________ 36
k. An audit trail for audits _______________________________________________________ 36
3. COSO Framework _____________________________________________________________ 38
a. The overview of the 2013 Framework: ___________________________________________ 39
b. Introduction of 17 principles: __________________________________________________ 39
c. Introduction of 81 points of focus:_______________________________________________ 42
d. Transition from 1992 Framework to 2013 Framework: _____________________________ 47
e. Conclusion: _________________________________________________________________ 48
4. Audit of Quality Control/ Quality Assurance processes _______________________________ 50
a. Introduction _________________________________________________________________ 50
b. Quality Control ______________________________________________________________ 50
c. Quality Assurance ____________________________________________________________ 50
d. Audit Procedure followed in QA|QC Audit _______________________________________ 50
e. Process reviewed for the Audit – Laboratory Management __________________________ 51
f. Risks identified for above sub-process are ________________________________________ 51
g. Processes, Documents and Data analyzed for review _______________________________ 51
h. Observations identified are: ____________________________________________________ 52
i. Recommendations provided: ___________________________________________________ 52

Page | 5
APPENDIX-1 ______________________________________________________________________ 53

List of Figures
Figure 1 Over view of the stages _____________________________________________________ 19
Figure 2 Range of Audit Strategies ___________________________________________________ 22
Figure 3 Assurance provided by RBIA ________________________________________________ 25
Figure 4 Production of Audit Plan ___________________________________________________ 28
Figure 5 RBIA - An audit Trail ______________________________________________________ 37
Figure 6 COSO Cube _______________________________________________________________ 39
Figure 7- 17 Principles ______________________________________________________________ 40
Figure 8 Control Environment _______________________________________________________ 40
Figure 9 Risk Assessment ____________________________________________________________ 41
Figure 10 Control Activities _________________________________________________________ 41
Figure 11 Information & Communication ______________________________________________ 42
Figure 12 Monitoring Activities _______________________________________________________ 42

Page | 6
1. Internal Audit over View

a. Introduction
Internal auditing is an independent, objective assurance and consulting activity designed
to add value and improve an organization's operations. It helps an organization
accomplish its objectives by bringing a systematic, disciplined approach to evaluate and
improve the effectiveness of risk management, control, and governance processes.
Internal auditing is a catalyst for improving an organization's governance, risk
management and management controls by providing insight and recommendations based
on analyses and assessments of data and business processes. With commitment
to integrity and accountability, internal auditing provides assurance to governing
bodies and senior management as an objective source of independent advice.
Professionals called internal auditors are employed by organizations to perform the
internal auditing activity.
The scope of internal auditing within an organization is broad and may involve topics
such as an organization's governance, risk management and management controls over:
efficiency/effectiveness of operations (including safeguarding of assets), the reliability of
financial and management reporting, and compliance with laws and regulations. Internal
auditing may also involve conducting proactive fraud audits to identify potentially
fraudulent acts; participating in fraud investigations under the direction of fraud
investigation professionals, and conducting post investigation fraud audits to identify
control breakdowns and establish financial loss.
Internal auditors are not responsible for the execution of company activities; they provide
assurance to the management and the Board of Directors (or similar oversight body)
regarding the achievement of objectives relating to operations, reporting, and compliance.
As a result of their broad scope of involvement, internal auditors may have a variety of
higher educational and professional backgrounds.
The Institute of Internal Auditors (IIA) is the recognized international standard setting
body for the internal audit profession and awards the Certified Internal Auditor
designation internationally through rigorous written examination. Other designations are
available in certain countries. In the United States the professional standards of the
Institute of Internal Auditors have been codified in several states' statutes pertaining to
the practice of internal auditing in government (New York State, Texas, and Florida
being three examples). There are also a number of other international standard setting
bodies.
Internal auditors work for government agencies (federal, state and local); for publicly
traded companies; and for non-profit companies across all industries. Internal auditing
departments are led by a Chief Audit Executive ("CAE") who generally reports to
the Audit Committee of the Board of Directors, with administrative reporting to the Chief
Executive Officer (In the United States this reporting relationship is required by law for
publicly traded companies).

Page | 7
b. History of internal auditing
The Internal Auditing profession evolved steadily with the progress of management
science after World War II. It is conceptually similar in many ways to financial
auditing by public accounting firms, quality assurance and banking compliance activities.
While some of the audit technique underlying internal auditing is derived
from management consulting and public accounting professions, the theory of internal
auditing was conceived primarily by Lawrence Sawyer (1911-2002), often referred to as
"the father of modern internal auditing “and the current philosophy, theory and practice
of modern internal auditing as defined by the International Professional Practices
Framework (IPPF) of the Institute of Internal Auditors owes much to Sawyer's vision.
With the implementation in the United States of the Sarbanes-Oxley Act of 2002, the
profession's exposure and value was enhanced, as many internal auditors possessed the
skills required to help companies meet the requirements of the law. However, the focus
by internal audit departments of publicly traded companies on SOX related financial
policy and procedures derailed progress made by the profession in the late 20th century
toward Larry Sawyer's vision for internal audit. Beginning in about 2010, the IIA once
again began advocating for the broader role internal auditing should play in the corporate
arena, in keeping with the IPPF's philosophy.

c. Organizational independence
While internal auditors are not independent of the companies that employ them,
independence and objectivity are a cornerstone of the IIA professional standards; and are
discussed at length in the standards and the supporting practice guides and practice
advisories. Professional internal auditors are mandated by the IIA standards to be
independent of the business activities they audit. This independence and objectivity are
achieved through the organizational placement and reporting lines of the internal audit
department. Internal auditors of publicly traded companies in the United States are
required to report functionally to the board of directors directly, or a sub-committee of
the board of directors (typically the audit committee), and not to management except for
administrative purposes.
The required organizational independence from management enables
unrestricted evaluation of management activities and personnel and allows
internal auditors to perform their role effectively. Although internal auditors are part of
company management and paid by the company, the primary customer of
internal audit activity is the entity charged with oversight of management's activities.
This is typically the Audit Committee, a sub-committee of the Board of Directors.
Organizational independence is effectively achieved when the chief audit executive

Page | 8
 reports functionally to the board. Examples of functional reporting to the board involve
the board. Approving the internal audit charter; Approving the risk based internal audit
plan; Approving the internal audit budget and resource plan; Receiving communications
from the chief audit executive on the internal audit activity’s performance relative to its
plan and other matters; Approving decisions regarding the appointment and removal of
the chief audit executive; Approving the remuneration of the chief audit executive; and
Making appropriate inquiries of management and the chief audit executive to determine
whether there are inappropriate scope or resource limitations.

d. Role in internal control

Internal auditing activity is primarily directed at evaluating internal control. Under the
[Committee of Sponsoring Organizations of the Treadway Commission |COSO]]
Framework, internal control is broadly defined as a process, effected by an entity's board
of directors, management, and other personnel, designed to provide reasonable assurance
regarding the achievement of the following core objectives for which all businesses
strive:
 Effectiveness and efficiency of operations.
 Reliability of financial and management reporting.
 Compliance with laws and regulations.
Management is responsible for internal control, which comprises five critical
components: the control environment; risk assessment; risk focused control activities;
information and communication; and monitoring activities. Managers establish policies,
processes, and practices in these five components of management control to help the
organization achieve the four specific objectives listed above. Internal auditors perform
audits to evaluate whether the five components of management control are present and
operating effectively, and if not, provide recommendations for improvement.

e. Role in risk management

Internal auditing professional standards require the function to evaluate the effectiveness
of the organization's Risk management activities. Risk management is the process by
which an organization identifies, analyzes, responds, gathers information about, and
monitors strategic risks that could actually or potentially impact the organization's ability
to achieve its mission and objectives.
Under the COSO enterprise risk management (ERM) Framework, an organization's
strategy, operations, reporting, and compliance objectives all have associated strategic
business risks - the negative outcomes resulting from internal and external events that
inhibit the organization's ability to achieve its objectives. Management assesses risk as
part of the ordinary course of business activities such as strategic planning, marketing
planning, capital planning, budgeting, hedging, incentive payout structure, credit/lending

Page | 9
 practices, mergers and acquisitions, strategic partnerships, legislative changes,
conducting business abroad, etc. Sarbanes-Oxley regulations require extensive risk
assessment of financial reporting processes. Corporate legal counsel often prepares
comprehensive assessments of the current and potential litigation a company faces.
Internal auditors may evaluate each of these activities, or focus on the overarching
process used to manage risks entity-wide. For example, internal auditors can advise
management regarding the reporting of forward-looking operating measures to the Board,
to help identify emerging risks; or internal auditors can evaluate and report on whether
the board and other stakeholders can have reasonable assurance the organization's
management team has implemented an effective enterprise risk management program.
In larger organizations, major strategic initiatives are implemented to achieve objectives
and drive changes. As a member of senior management, the Chief Audit Executive
(CAE) may participate in status updates on these major initiatives. This places the CAE
in the position to report on many of the major risks the organization faces to the Audit
Committee, or ensure management's reporting is effective for that purpose.
The internal audit function may help the organization address its risk of fraud via a fraud
risk assessment, using principles of fraud deterrence. Internal auditors may help
companies establish and maintain Enterprise Risk Management processes. This process is
highly valued by many businesses for establishing and implementing effective
management systems and ensuring quality is maintained & professional standards are met
Internal auditors also play an important role in helping companies execute a SOX 404
top-down risk assessment. In these latter two areas, internal auditors typically are part of
the risk assessment team in an advisory role.

f. Role in corporate governance

Internal auditing activity as it relates to corporate governance has in the past been
generally informal, accomplished primarily through participation in meetings and
discussions with members of the Board of Directors. According to COSO's ERM
framework, governance is the policies, processes and structures used by the
organization’s leadership to direct activities, achieve objectives, and protect the interests
of diverse stakeholder groups in a manner consistent with ethical standards. The internal
auditor is often considered one of the "four pillars" of corporate governance, the other
pillars being the Board of Directors, management, and the external auditor.
A primary focus area of internal auditing as it relates to corporate governance is helping
the Audit Committee of the Board of Directors (or equivalent) perform its responsibilities
effectively. This may include reporting critical management control issues, suggesting
questions or topics for the Audit Committee's meeting agendas, and coordinating with the
external auditor and management to ensure the Committee receives effective information.
In recent years, the IIA has advocated more formal evaluation of corporate governance,
particularly in the areas of board oversight of enterprise risk, corporate ethics, and fraud.

Page | 10
g. Audit project selection or "annual planning"
Based on a risk assessment of the organization, internal auditors, management and
oversight Boards determine where to focus internal auditing efforts. This focus or
prioritization is part of the annual/multi-year Audit Planning. The audit plan is typically
proposed by the CAE (sometimes with several options or alternatives) for the review and
approval of the Audit Committee or Board of Directors. Internal auditing activity is
generally conducted as one or more discrete assignments.

h. Internal audit execution

A typical internal audit assignment involves the following steps:
 Establish and communicate the scope and objectives for the audit to appropriate
management.
 Develop an understanding of the business area under review. This includes
objectives, measurements, and key transaction types. This involves review of
documents and interviews. Flowcharts and narratives may be created if
necessary.
 Describe the key risks facing the business activities within the scope of the audit.
 Identify management practices in the five components of control used to ensure
each key risk is properly controlled and monitored. Internal Audit Checklist can
be a helpful tool to identify common risks and desired controls in the specific
process or industry being audited.
 Develop and execute a risk-based sampling and testing approach to determine
whether the most important management controls are operating as intended.
 Report issues and challenges identified and negotiate action plans with
management to address the problems.
 Follow-up on reported findings at appropriate intervals. Internal audit
departments maintain a follow-up database for this purpose.
 Audit assignment length varies based on the complexity of the activity being
audited and Internal Audit resources available. Many of the above steps are
iterative and may not all occur in the sequence indicated.
In addition to assessing business processes, specialists called Information Technology
(IT) Auditors review Information technology controls.

i. Internal audit reports

Page | 11
 Internal auditors typically issue reports at the end of each audit that summarize their
findings, recommendations, and any responses or action plans from management. An
audit report may have an executive summary; a body that includes the specific issues or
findings identified and related recommendations or action plans; and appendix
information such as detailed graphs and charts or process information. Each audit finding
within the body of the report may contain five elements, sometimes called the "5 C's":
 Condition: What is the particular problem identified?
 Criteria: What is the standard that was not met? The standard may be a company
policy or other benchmark.
 Cause (root cause): Why did the problem occur?
 Consequence: What is the risk/negative outcome (or opportunity foregone)
because of the finding?
 Corrective action: What should management do about the finding? What have
they agreed to do and by when?
The recommendations in an internal audit report are designed to help the organization
achieve effective and efficient governance, risk and control processes associated with
operations objectives, financial and management reporting objectives; and
legal/regulatory compliance objectives.
Audit findings and recommendations may also relate to particular assertions about
transactions, such as whether the transactions audited were valid or authorized,
completely processed, accurately valued, processed in the correct time period, and
properly disclosed in financial or operational reporting, among other elements.
Under the IIA standards, a critical component of the audit process is the preparation of a
balanced report that provides executives and the board with the opportunity to evaluate
and weigh the issues being reported in the proper context and perspective. In providing
perspective, analysis and workable recommendations for business improvements in
critical areas, auditors help the organization meet its objectives.

j. Quality of Internal Audit Report

 Objectivity - The comments and opinions expressed in the Report should be
objective and unbiased.
 Clarity - The language used should be simple and straightforward.
 Accuracy - The information contained in the report should be accurate.
 Brevity - The report should be concise.
 Timeliness - The report should be released promptly immediately after the audit is
concluded, within a month.

k. Strategy
Internal audit functions may also develop functional strategies described in multi-year
strategic plans. Professional guidance on building an Internal Audit strategic plan was
Page | 12
 issued by the Institute of Internal Auditors in July 2012 via a Practice Guide
called Developing the Internal Audit Strategic Plan. A key aspect of developing IA
strategy is understanding the expectations of stakeholders, such as the Audit Committee
and top management. This helps guide the IA function in its mission of helping the
organization address the risks it faces. Specific topics considered in IA strategic planning
include:

1. Scope and emphasis: An IA function may be involved in addressing risks related to

financial reporting, operations, legal and regulatory compliance, and the company
strategy. There may also be special topics of interest to stakeholders that change
considerably year-to-year.
2. Portfolio of services: IA functions may provide traditional audit assurance across the
risk spectrum as well as consulting project support in a variety of areas such as
project management, data analysis, and monitoring of major company initiatives.
Larger audit functions may establish specialty areas to handle their service portfolio.
3. Competency development: The stakeholder expectations around scope and service
portfolio determine what competencies the function needs, which drives decisions
regarding hiring of specific skills and training programs.
4. Technology: IA functions use a variety of technology tools/software to support audit
process workflow, statistical analysis, and obtaining data from systems.

Building the IA strategy may involve a variety of strategic management concepts and
frameworks, such as strategic planning, strategic thinking, and SWOT analysis

l. Measuring the internal audit function

The measurement of the internal audit function can involve a balanced
scorecard approach. Internal audit functions are primarily evaluated based on the quality
of counsel and information provided to the Audit Committee and top management.
However, this is primarily qualitative and therefore difficult to measure. "Customer
surveys" sent to key managers after each audit engagement or report can be used to
measure performance, with an annual survey to the Audit Committee. Scoring on
dimensions such as professionalism, quality of counsel, timeliness of work product,
utility of meetings, and quality of status updates are typical with such surveys.
Understanding the expectations of senior management and the audit committee represent
important steps in developing a performance measurement process, as well as how such
measures help align the audit function with organizational priorities. Independent peer
reviews are part of the quality assurance process for many internal audit groups as they
are often required by standards. The resulting peer review report is made available to the
Audit Committee.

Page | 13
m. Reporting of critical findings
The Chief Audit Executive (CAE) typically reports the most critical issues to the Audit
Committee quarterly, along with management's progress towards resolving them. Critical
issues typically have a reasonable likelihood of causing substantial financial or
reputational damage to the company. For particularly complex issues, the responsible
manager may participate in the discussion. Such reporting is critical to ensure the
function is respected, that the proper "tone at the top" exists in the organization, and to
expedite resolution of such issues. It is a matter of considerable judgment to select
appropriate issues for the Audit Committee's attention and to describe them in the proper
context.

n. Audit philosophy
Some of the philosophy and approach of internal auditing is derived from the work of
Lawrence Sawyer. His philosophy and guidance on the role of internal audit was a
forerunner of the current definition of internal auditing. It emphasized assisting
management and the Board in achieving the organization’s objectives through well-
reasoned audits, evaluations, and analyses of operational areas. He encouraged the
modern internal auditor to act as a counselor to management rather than as an adversary.
Sawyer saw auditors as active players influencing events in the business rather than
criticizing all degrees of errors and mistakes. He also foresaw a more desirable auditor
future involving a stronger relationship with members of Audit Committee and the Board
and a divorce from direct reporting to the Chief Financial Officer.
Sawyer often talked about “catching a manager doing something right” and providing
recognition and positive reinforcement. Writing about positive observations in audit
reports was rarely done until Sawyer started talking about the idea. He understood and
forecast the benefits of providing more balanced reporting while simultaneously building
better relationships. Sawyer understood the psychology of interpersonal dynamics and the
need for all people to receive acknowledgment and validation for relationships to prosper.
Sawyer helped make internal auditing more relevant and more interesting through a sharp
focus on operational or performance auditing. He strongly encouraged looking beyond
financial statements and financial-related auditing into areas such as purchasing,
warehousing and distribution, human resources, information technology, facilities
management, customer service, field operations, and program management. This
approach helped catapult the chief audit executive into the role of a respected and
knowledgeable adviser who was thought to be reasonable, objective, and concerned about
helping the organization achieve the stated goals

Page | 14
 o. The difference between internal and external audit
While sharing some characteristics, internal and external audit have very different
objectives. These are explained in the table below:

External audit Internal audit

Shareholders or members who The board and senior

are outside the organizations management who are within the
Reports to
governance structure. organizations governance
structure

Add credibility and reliability to Evaluate and improve the

financial reports from the effectiveness of governance,
Objectives
organization to its stakeholders risk management and control
by giving opinion on the report processes. This provides
members of the boards and
senior management with
assurance that helps them fulfil
their duties to the organization
and its stakeholders.

Coverage Financial reports, financial All categories of risk, their

reporting risks management, including
reporting on them

Responsibility for None, however there is a duty to Improvement is fundamental to

improvement report problems. the purpose of internal auditing.
But it is done by advising,
coaching and facilitating in
order to not undermine the
responsibility of management.

Page | 15
2. Risk based internal auditing

a. Background
Over the last few years, the need to manage risks has become an essential part of good
corporate governance practice. This has put organizations under increasing pressure to
identify all the business risks they face and to explain how they manage them. In fact, the
activities involved in managing risks have been recognized as playing a central and essential
role in maintaining a sound system of internal control. While the responsibility for
identifying and managing risks belongs to management, one of the key roles of internal audit
is to provide assurance that those risks have been properly managed. A professional internal
audit activity can best achieve its mission as a cornerstone of governance by positioning its
work in the context of the organization’s own risk management framework.

b. What is risk based auditing?

I. Definition
Risk based internal auditing (RBIA) is as a methodology that links internal auditing to an
organization’s overall risk management framework. RBIA allows internal audit to
provide assurance to the board that risk management processes are managing risks
effectively, in relation to the risk appetite.

II. Is the organization ready?

Every organization is different, with a different attitude to risk, different structure,
different processes and different language. Experienced internal auditors need to adapt
these ideas to the structures, processes and language of their organization in order to
implement RBIA. RBIA seeks at every stage to reinforce the responsibilities of
management and the board for managing risk. If the risk management framework is not
very strong or does not exist, the organization is not ready for RBIA. More importantly, it
means that the organization’s system of internal control is poor. Internal auditors in such
an organization should promote good risk management practice to improve the system of
internal control. Where RBIA is new to an organization, the head of internal audit will
need to market the concept to management and win their support, particularly since it
may mean a change for them in the way that they think about risk.

III. A Dynamic process

RBIA is at the cutting edge of internal audit practice. As a result, it is an area that is
evolving rapidly and where there is still little consensus about the best way to implement
it. It is more difficult to manage than traditional methodologies. Monitoring progress
against an annual plan that is constantly changing is a challenge. Setting targets and

Page | 16
 appraising staff may become more complex. But the advantages of RBIA are much
greater.

c. Advantages

By following RBIA internal audit should be able to conclude that:

1. Management has identified, assessed and responded to risks above and below the
risk appetite.
2. The responses to risks are effective but not excessive in managing inherent risks
within the risk appetite.
3. Where residual risks are not in line with the risk appetite, action is being taken to
remedy that.
4. 4. Risk management processes, including the effectiveness of responses and the
completion of actions, are being monitored by management to ensure they
continue to operate effectively.
5. Risks, responses and actions are being properly classified and reported.

This enables internal audit to provide the board with assurance that it needs on three
areas:
1. Risk management processes, both their design and how well they are working
2. Management of those risks classified as 'key', including the effectiveness of the
controls and Other responses to them
3. Complete, accurate and appropriate reporting and classification of risks

d. Implementation of RBIA
The implementation and ongoing operation of RBIA has three stages;

Stage 1: Assessing risk maturity

Obtaining an overview of the extent to which the board and management determine,
assess,
Manage and monitor risks. This provides an indication of the reliability of the risk
register for audit planning purposes.

Stage 2: Periodic audit planning

Identifying the assurance and consulting assignments for a specific period, usually
annual, by Identifying and prioritizing all those areas on which the board requires
objective assurance, including the risk management processes, the management of key
risks, and the recording and reporting of risks.

Page | 17
Stage 3: Individual audit assignments

Carrying out individual risk based assignments to provide assurance on part of the risk
management framework, including on the mitigation of individual or groups of risks.

Page | 18
Figure 1 Over view of the stages

e. Risk maturity assessment

I. Objectives
The first stage of RBIA is to review the level of risk maturity. There are three objectives
to this stage, which are to:

Page | 19
 1. Assess the risk maturity of the organisation
2. Report to management and to the audit committee on that assessment
3. Agree an audit strategy

II. Actions to achieve the objectives

i. Discuss the understanding of risk maturity with the board and senior managers.

Determine what has already been done to improve the risk maturity of the
organisation such as training, risk workshops, questionnaires about risks and
interviews with risk managers. Determine whether managers feel that the risk register
is comprehensive. Discuss whether an understanding of risk management is
embedded so that managers feel responsible not only for Identifying, assessing and
mitigating risks but also for monitoring the framework and the responses to risks.

ii. Obtain documents, where they are available, which detail:

• The objectives of the organisation.

• How risks are analyzed, for example by scoring their impact and likelihood.
• A definition, approved by the board, which defines its risk appetite in terms of the
scoring system used for inherent and residual risks.
• The processes followed to identify risks which threaten the organisation's
objectives.
• How management considers risks as part of their decision making. For example,
including risks and the response to them, in project approval documents.
• The processes followed to report risks at different levels of management.
• The sources of information used by management and the board to assure
themselves that the framework is working effectively to manage risks within the
risk appetite.
• The risk register of the organisation, including the types of information described
in the previous section.
• Any existing assessment by management or the board of the risk maturity of the
organisation.
• Any other documents which indicate the commitment to risk management.

iii. Conclude on the risk maturity.

Using the documents and information gathered, assess the organisation's risk maturity
using these stages: risk enabled, risk managed, risk defined, risk aware and risk naïve.

Page | 20
 iv. Report your conclusion on risk maturity to management and to the audit
Committee.

This stage will provide a first, high level, assurance on the risk management
processes, the management of key risks and on the recording and reporting of risks.
In reporting conclusions and their implications, one should note that a risk maturity of
risk Naïve or risk aware implies that the organisation's system of internal control and
the board's ability to assess it may be ineffective. The IIA believes that risk naïve and
risk aware organizations are not complying with either the Turnbull Guidance or the
Code of Corporate Governance.

v. Work with management to identify any actions they propose to take as a result

Of this assessment.

Management may suggest consulting assignments for internal audit such as, for
example, facilitating management's efforts to improve their risk management
processes.

vi. Decide on the audit strategy

This will follow from your assessment and obtaining approval from management and
audit Committee.

III. Range of audit strategies

The audit strategy selected depends upon the organisation's risk maturity. Risk naïve or
risk aware organizations will be unable to implement RBIA straight away. However, such
organizations can benefit from some aspects of the audit strategies described below.
For example, internal audit can help improve risk management and governance processes
by reporting its assessment of the risk maturity of the organisation to management and to
the audit committee, and by championing risk management throughout the internal audit
activity's work.
It may also conduct consulting assignments supporting management in improving the
organization’s risk maturity.
There are three potential elements to an RBIA audit strategy:

1. The type of assurances that you expect to be able to give

2. The framework that will be used for your audit planning
3. The type of consulting services that you expect to provide.

Page | 21
Figure 2 Range of Audit Strategies

IV. Assurance strategies

For risk enabled and risk managed organizations, the conclusion on risk maturity is the
first step in being able to provide assurance on risk management processes, management
of key risks and reporting of risks. The internal audit activity's assurance strategy is
therefore to provide assurance on these areas.
For other organizations, the conclusion on risk maturity means that such assurances are
not available. Those in risk defined organizations may be able to identify risk

Page | 22
 management policies or pockets of risk management excellence and be able to plan to
provide assurance on these elements.
Otherwise, internal audit should plan to provide assurance that control processes are
working according to the objectives or standards that have previously been set.

V. Framework for audit planning

In risk enabled and risk managed organizations, RBIA means that audit planning is
driven from the organisation's risk register and its need for objective assurance. This is
described in greater detail in production of the audit plan.
For other organizations, there is no reliable risk register. Therefore, in these
organizations, the internal audit activity will need to plan its audit work using an
alternative framework, for example, key systems or business units.
In the past, internal auditors have performed their own assessments of the risks facing
their
Organizations. It is tempting to take these assessments and start considering them the
Organisation’s risk registers.
However, this may be detrimental to the ultimate goal of improving the organisation's
risk maturity since it is likely to reinforce the misconception that internal audit are
responsible for risk management.
The RBIA methodology drives internal auditors to facilitate the improvement of the risk
management framework.
Therefore, the use of misleading names, such as audit needs or risk assessments or
analyses,
Should be discontinued in favor of the generic term 'audit planning framework'.

VI. Consulting strategies

In less risk mature organizations, internal audit may wish to set aside time to champion
the introduction and improvement of risk management processes. The aim of this type of
consulting activity is to improve the risk maturity of the organisation.
Internal audit should approach the work in such a way that management retains a sense of
Ownership of the processes that are being developed.
The IIA's International Standards 4 define consulting activities as advisory services, the
nature and scope of which are agreed with the client and which do not involve the
internal auditor assuming any management responsibility. Our position statement on The
Role of Internal Audit in Enterprise-wide Risk Management provides further guidance on
the roles that you may undertake and those that you may not.
In risk enabled and risk managed organizations, the need to improve risk management
processes is less pressing than in less risk mature organizations and may be part of the
framework itself. As a result, less resource may be needed for consulting work.

Page | 23
 VII. Mixed risk maturities
It is possible that one part of an organisation may be risk managed and another risk
aware.
Alternatively, an organisation may be risk managed when it comes to one type of risk, for
example, market risk in a bank, but risk aware for another type of risk.
This case, internal audit should not conclude that the whole organisation is risk managed.
It should report the dangers of having a patchwork of risk maturities and devise audit
strategies separately for the different parts of the organisation.

f. Production of the audit plan

RBIA is not about auditing risks but about auditing the management of risk. Its focus is on
the
Processes applied by the management team:

 The responses to individual risks, and

 The processes used to assess risks, to decide on the responses to them, to monitor the
responses and to report to the board.

Presentation of assurance provided by RBIA:

Page | 24
Figure 3 Assurance provided by RBIA

I. The objectives of this stage are to

• Agree all the risk management responses and risk management processes on which
objective assurance from internal audit is required
• Produce an audit plan which lists all audits to be carried out over a specified period -
usually a year.

II. Information requirements

Page | 25
 Stage 1 should have provided the background needed to understand how management
identifies and evaluates risks and how and where the rest of the information needed is
recorded.

The risk register, or attached documents, show responses, actions and monitoring
controls:
• the responses that management believe exist to manage key risks
• the actions that are being taken to add, delete or modify existing responses
where they do not currently bring risk within the risk appetite
• The monitoring controls used by management to ensure that all these elements
of the framework are working.

Internal audit should also obtain from the audit committee and the management team
guidance about the nature of the objective assurance they want from the internal audit
activity. These are called the assurance requirements. They may be explained in a
separate document or as part of the risk register, or they may be identified as a result of
discussions with the people involved.

In RBIA the role of internal audit is not to create any of this information but to be able to
interpret it and to use it for planning purposes.

III. Actions to achieve the objectives

The steps to complete Stage 2 are shown as follows.

1. Identify the responses and risk management processes on which objective

Assurance is required.

Internal audit should review the audit committee's assurance requirements and the risk
register and list all the responses on which objective assurance is required, together with
information on the risks to which they are related.

Reponses to risk Processes to audit

Terminate activities if the risks Action plans and projects to terminate he

they pose are too high or too activity
costly
Tolerate a risk Monitoring the risk

Transfer a risk Processes for transferring risks

Treat a risk These include the familiar accounting and
operational controls that have been the focus of
internal audit for many years

Page | 26
 Other risk management processes on which assurance may be required include:

• Action plans to increase or reduce the amount of transfer or treat responses;

and
• Monitoring controls to ensure that the processes and action plans are operating
as expected.

Internal audit should provide assurance on parts of the risk management framework itself:

• Processes used to identify and assess risks and to decide on the appropriate
responses,
• Processes for reporting risks throughout the organization; and monitoring
controls over those processes.

The audit committee may not want objective assurance from internal audit on the
management of all the risks. Reasons not to want such assurance may include:

• The quantity of assurance from other sources

• The skills and competence of the internal audit activity in a specialist area
• The availability of objective assurance from other sources.

The audit committee may priorities the risks on the management of which it would like
objective assurance, favoring higher inherent risks. It may not, therefore, require
objective assurance on all risks every year.
Internal audit may wish to review thoroughly the audit committee's assurance
requirements to ensure that they do not leave a gap in assurance. It is important to
recognize that the internal audit activity does not have to provide assurance on every
aspect of the risk management framework in order for it to be effective.

Producing the audit plan:

Page | 27
Figure 4 Production of Audit Plan

2. Categories and prioritize the risks.

If there is a large number of risks, they should be categorized. This should result in
grouping the risks into a logical order, which will help in compiling the audit plan. Useful
categorizations include:

 By business unit. This is useful where the organisation has a number of physically
independent business units, the procedures and systems of which are self-
contained. It may be necessary to duplicate common responses, for example,
those arising from computers, across all units.
 By function or system, such as sales, purchases, or stock control. This is useful in
a large central organization with integrated systems.

Page | 28
  By objectives. This is useful when assessing the audit plan for its relevance to the
organization because it links audits directly to the objectives affected by the risks,
the management of which is being checked by the audit.

Internal audit should also prioritize the responses which are to be audited. An important
Characteristic of RBIA is that prioritization is always by reference to the size of the risks
and to the contribution that the response makes to manage the risks. Useful prioritizations
include:

 The size of the inherent risks managed by the response: the bigger the risk, the
higher the priority.
 The contribution that the response makes in managing risks so that the more
the response reduces the risk, the higher the priority. For example, where a
risk is managed using a single response, say a treatment, the control score -
(the difference between the inherent risk and the residual risk) - is the
contribution of that response. However, the control score for some risks may
be divided among different responses, which needs to be taken into account.
 The number and nature of other available assurances that the response is
operating effectively. Where several groups provide assurance on a single
response, it may have a lower priority.
 Those categories of risks on which the audit committee requires objective
assurance each period.

3. Link risks to audit assignments.

Following methods can be used to link risks to audit assignments:

i. Group the risks, for example by business unit, objective, function or system, and
decide the audits which will provide assurance on the related responses.
This method has the advantage that the management of all risks will be covered,
but it may be difficult to define audit units which satisfy the organisation's
preferences for audit size", such as the number of staff hours on an audit.

ii. Set up an audit universe

This allocates each audit to a business unit or system and assigns the risks, on which
Assurance is to be provided to these audits. This method has the advantage of covering
one
Physical location in one visit and of allowing the definition of suitably sized audit units.
It requires an additional check to ensure that the management of all risks is being audited.

This step will produce a list of potential audit assignments. The priority of each audit is
derived from the size of the risk management process on which it provides assurance.
This information should link to the categorized listing of risks, which in turn links to the
risks in the organization’s risk register. The organization also needs to collect and record

Page | 29
 information that links the risks, the responses to them and the audit assignments which
provide assurance on those responses.

4. Draw up the periodic audit plan.

Estimate the number of days required for each audit and identify which audits can be
completed with the available resources, while providing scope for consulting support.
RBIA generates a defined amount of work and, therefore, highlights whether resources
are sufficient to complete the planned work. Internal audit can propose an increase in
staff, or a reduction in the number of audits if there are insufficient resources.
Management and the audit committee should be informed of any risks on which
assurance will not be provided.
All the audits to be included in the plan should have now been determined. However,
many Organizations add audits based on criteria other than risk. Such criteria might
include areas subject to change, mandatory audits or audits requested by management.
This is a reason to 'sense check' the RBIA work so far because any topic worthy of audit
should have surfaced through the risk management framework.

5. Reporting to management and the audit committee.

The periodic audit plan should be discussed with management and be presented to the
audit
Committee for approval. It should provide:

• Details of those risks where assurance is provided by carrying out the audits of the
risk management processes and responses in the plan.
• Details of those risks where assurance is provided but based on audit work from
previous years, if applicable.
• Details of those risks where consultancy work is carried out to assist management
in reducing the risks to below the risk appetite, or, at least, an indication of the
resources available for consultancy work.
• The impact of any constraints on resources.
• Any risks not covered due to policy constraints.
• Confirmation that the plan is in accordance with the internal audit activity’s terms
of reference.

Internal audit should report to management any information that has come to light about
the quality of the risk register. If extra topics for audit have been identified at the end of
Stage 2 these should be discussed with management so that management can revise the
risk register.

IV. Risk defined organizations starting to use RBIA

Page | 30
 If an organisation is risk defined it does not have a complete risk register. Internal audit
should use completed parts of the risk register to plan, or re-plan, audit work using the
method above.
For those parts of the organisation without a complete risk register, internal audit should
use an alternative framework as discussed under 'Range of audit strategies' in Risk
maturity assessment.

g. Doing the audit

Since RBIA is not about auditing risks but about auditing the management of risk, it focuses
on the actions taken by the management team to respond to risks.
Internal auditors need to spend time with managers, discussing and observing the monitoring
Controls they apply, rather than re-performing controls or other responses, or analyzing data
for themselves.
Internal auditors should behave in a way that reinforces the fundamental principle that
management is responsible for managing risks. Procedures should exist to enable internal
auditors to report issues to management and agree with them the action they will take to
update the risk register.

I. Objectives of this stage

To provide assurance that, in relation to the business, activity, or system under review
and for the processes identified in the audit plan:

 Management has identified, assessed and responded to risks above and below the
risk appetite.
 The responses to risks are effective but not excessive in managing inherent risks
within the risk appetite.
 Where residual risks are not in line with the risk appetite, action is being taken to
remedy that.
 Risk management processes, including the effectiveness of responses and the
completion of actions, are being monitored by management to ensure they
continue to operate effectively.
 Risks, responses and actions are being properly classified and reported.

II. Action to achieve these objectives

The steps to complete this stage are:

1. Establishing the planned scope of the assignment.

This involves the internal auditors understanding the results of Stages 1 and 2 in order to
draw up the draft scope. Relevant information includes the conclusion on the risk
maturity and the resulting audit strategy, the title of the assignment and information that

Page | 31
links the audit to the responses on which it should provide assurance and then to the risks
managed by the responses

2. Assessing the risk maturity of the unit being audited.

This allows internal audit to take its assessment to a more detailed level than was possible
at Stage 1. The criteria used to assess risk maturity should be consistent with those used
in Stage 1 and in other assignments. The assignment may include scrutiny of the risks
identified by management, which may need additional or expert resources

3. Assignment-level conclusions on risk maturity.

Conclusions from individual audits should either confirm or cast doubt on the original
organization level assessment. This initial assessment may need to be changed.
If the actual risk maturity (arm) is better than or the same as the expected risk maturity
(erm), the current assignment will carry on as planned.
If arm is lower than erm, internal audit should report this to management, together with
the
Conclusion that responses included in the audit scope are not working effectively.
This may be the end of the audit assignment or, if the nature of the shortfall in risk
maturity means that some responses may still be effective, the scope of the audit may be
restricted to those responses only.

4. Confirming the scope of the assignment.

Under RBIA, internal auditors need more of management's time than they would in other
Approaches to internal audit. Heads of internal audit may wish to support the audit team
by Marketing the approach and gaining buy-in from the management prior to conducting
audit work.

5. Discussion and observation of monitoring controls.

This is the first stage of the audit testing. The aim is to determine that the controls used
by
Management to ensure that the risk management framework is working are designed to
achieve this objective and to show that they are working as designed.

6. Verification of evidence, walkthroughs, re-performance, etc.

These activities may also be required to provide extra evidence that responses to key risks
are working effectively and to support a conclusion that the monitoring controls are also
working.

7. Documenting the results of the audit work.

Page | 32
This differs in RBIA from standard practices mainly in that the link between risks,
responses to risks, assurances given and work done to support those assurances has to be
made clear.

8. Assessing management's evaluation of residual risks.

This produces a conclusion about specific scores in the risk register and should lead to
findings about how management determine residual risks in general. If there is a systemic
failing, internal audit should ensure that it is reflected in the organisation-level
conclusions on risk maturity.

9. Conclusions on responses and risk management processes covered by the

Assignment.

This covers both their design and how well they are working. The conclusions need to be
linked to the risks that are managed by the responses so that the assignment can deliver
the assurances that are the aims of this stage

10. Reporting and feedback.

This should be in accordance with the organisation's policies, including whatever levels
of review are required by audit management.
This step is critical to your aim of reinforcing management's responsibility for managing
risks. Findings should be discussed with management in such a way that they take
responsibility for deciding on appropriate remedial actions, including all and any changes
to the risk register.
If this is a big change in the style of the internal audit activity, the effort required to
implement it properly should not be underestimated. Internal audit may need to play a
bigger role in drafting and delivering reports for the first months of implementing RBIA.
To complete the RBIA steps and stages the findings from individual assignments are fed
back into the overview of the organisation begun in Stage 1 because:

• The findings may change the conclusions on risk maturity and may need to be
reflected throughout the audit plan the next time it is updated.
• The findings need to be reflected in the reporting of risks so that management and
the audit committee understand where objective assurance has been provided.

11. Summarizing the audit conclusions for the audit committee.

This summary should:

• Support the requirement of any regulations which apply to the organisation.
• Fulfil the requirements of the audit charter.
• If not part of the charter, provide an opinion on whether risks are being managed
sufficiently to ensure the organization’s objectives are being achieved and, within
reasonable limits, will be achieved in the future.

Page | 33
 III. Repeating the cycle of RBIA

The RBIA methodology is cyclical. The interval between revisions in internal audit's
assessment of the risk maturity and its audit planning depends on the nature of the
organization: how often its circumstances change and how frequently it must report on
risk management matters. The interval should be agreed with the audit committee.

Changes to the assessment of risk maturity may change the audit strategy. Changes to the
risk register, arising from changes to the assessment of risks or from changes in the
responses to risks, may change which responses require auditing, the way they are
allocated to audit assignments and the priority of the different audits.

Other sources of change include:

 Audit work
 The risk management framework
 The external environment
 The objectives of the organisation.

Audit work gathers evidence on the risk maturity of the organisation which is fed back
into the assessment.
The risk management framework is a dynamic construction, dependent on people to
operate effectively, and it takes continuous effort to keep it working well.

As the external environment and the objectives of the organisation change, the
circumstances and context of potential risk events also change so that the risk register
needs to evolve as time passes.

h. Benefits and drawbacks

RBIA is inextricably linked to the risk management framework. During Stage 1 it allows a
Conclusion on the risk maturity of the organisation. If this is not high, it provides internal
audit with an opportunity to report that fact promptly to management and the audit committee
so that they can take immediate action.

While this allows the internal audit activity to provide value to its organisation, RBIA is a
challenging prospect. Organizations with a poor level of risk maturity may be that way
because the managers and directors do not accept that a good risk management framework is
an essential element of a sound system of internal control. Internal audit may need to
undertake a longer term programme of activity to champion risk management.

Page | 34
 I. Direct contribution to the organization’s objectives

An effective risk management framework will improve an organization’s governance and

its chances of achieving its objectives over the long term.
The RBIA methodology makes a clear and valuable contribution to the risk management
framework by providing objective assurance and by facilitating management's efforts to
improve the framework.
It ensures that internal audit resources are directed towards assessing the management of
the most significant risks.

II. Relationship with management

The RBIA approach requires increased management involvement.

Since the processes to be covered in audits exist in all parts of the organisation, audits
may involve managers in departments never before visited.
In order to discuss the responses deployed to manage risks and how management knows
these are working properly the internal auditor may need to involve a greater number of
more senior managers than might be involved in traditional audits.
RBIA emphasizes management's responsibility for managing risks. This must be stressed
during all meetings with managers.

The close-down meeting is less about management accepting internal audit's

recommendations and more about management agreeing that an issue exists and
determining what action it is going to take and what reporting it needs to provide to the
next level of management.
As a result, the head of internal audit may be required to market the benefits and the need
for internal audit. A much higher profile may be necessary in non-financial areas in order
to pave the way for audits that managers can understand and support. The implications
for staff expertise are discussed overleaf.

III. Management responsibility for risk management

RBIA can be implemented fully only in risk enabled and risk managed organizations.
One
Characteristic of this level of risk maturity is that managers have to take responsibility for
managing risks. In taking responsibility for risks, managers understand that controls, like
other responses to risks, are not the responsibility of internal audit, imposed by internal
audit, but are their own responsibility.

Implementing RBIA means that the internal audit activity behaves in a way that
reinforces this management responsibility and thus contributes to a stronger risk
management culture.

IV. Achieving targets

Page | 35
 RBIA is an effective way to achieve targets set for the internal audit activity, such as:
• The compilation of an audit plan which ensures the internal audit activity fulfils its
charter
• Gaining acceptance from management that it takes appropriate action to manage risks
within the risk appetite;
• Provision of objective assurance in the three areas of risk management normally
required; and Keeping within the budget set for the activity.

i. Audit resources

RBIA justifies the number of auditors required. The audit plan, including the resources
required, is driven by the proportion of processes and risks on which the audit committee
requires objective assurance.
This differs from alternative approaches, where the resources available determine the audits
which can be carried out.

j. Staff expertise

Internal auditors engaged in RBIA require more people and business skills, such as
interviewing, influencing, facilitating and problem solving.
The expansion of the audit universe to cover all risks threatening the organization’s
objectives
Requires the internal auditor to conclude on the design and operation of responses to risks in
area that may be new.

This may require specialist knowledge that may be acquired as follows:

• Use specialist skills already available within the internal audit activity, e.g. computer
auditors.
• Provide specialist training to auditors with general expertise, e.g. provide training on
the regulations and practices related to stress management to an auditor who already a
holds an Advanced Diploma in Internal Auditing and Management.
• Recruit temporary or permanent specialists from inside the organisation, e.g. a
warehouse manager from one overseas subsidiary could audit warehouse processes in
another.
• Use specialists from outside the organisation, e.g. treasury specialist

k. An audit trail for audits

RBIA ties all aspects of internal auditing together: objectives, risks, processes for responses and
Monitoring controls, tests and reports, as shown on the diagram below.

Page | 36
Figure 5 RBIA - An audit Trail

The relevance of any test can be seen in relation to the opinion on the entire risk management
Framework because of the relationships set up in the risk and audit universe.
RBIA provides an audit trail from an individual audit report back through tests, processes and
risks to objectives, and forward to the audit committee report on whether those objectives are
threatened.

Page | 37
3. COSO Framework

Introduced in 1992, the Committee of Sponsoring Organizations of the Tredway Commission’s

Internal Control – Integrated Framework (COSO IC-IF, or the “Framework”) has become the
most widely adopted control framework worldwide. In response to an increasingly complex,
technologically driven, and global business environment, COSO has developed an updated
Framework designed to reflect key issues for future organizational success.

The 2013 Framework retains the five components of internal control; however it adds 17
principles associated with these five components that are necessary for effective internal control.
Upon adoption of 2013 Framework, an entity will need to evaluate the extent to which each of
the 17 principles are relevant to its organisation and, to the extent a principle is relevant, whether
the entity's controls are operating effectively to achieve the principle. This update also introduces
81 point of focus that typically are important characteristics of the 17 principles.

The 2013 Framework contains more guidance of use of technology in reporting, outsourcing key
portions of business activities or control systems to third parties. The 2013 Framework also
expands the reporting aspect of internal control to consider more than just financial reporting,
including external reporting of non-financial information and internal reporting.

The 2013 Framework includes a following:

 Illustrative Tools for Assessing Effectiveness of a System of Internal Controls, which

includes templates to illustrate a possible summary of internal control assessment results
under the updated Framework.

 Internal Control over External Financial Reporting: A Compendium of Approaches and

Examples, which provides illustrations of how various characteristics of principles may
be present and functioning within a system of internal control relating to external
financial reporting objectives.

Page | 38
 a. The overview of the 2013 Framework:

Figure 6 COSO Cube

b. Introduction of 17 principles:
The 2013 Framework introduces 17 principles that are necessary for effective internal
control, unless they are not relevant to the entity. Although the Framework presumes that all
17 principles are relevant for each entity, management may determine that a principle is not
relevant based on its unique circumstances. If a relevant principle is not present and
functioning, a major deficiency exists in the system of internal control. The 17 principles are
aligned with each of the five components and are discussed in the component sections below.

Page | 39
Figure 7- 17 Principles

Figure 8 Control Environment

Page | 40
Figure 9 Risk Assessment

Figure 10 Control Activities

Page | 41
Figure 11 Information & Communication

Figure 12 Monitoring Activities

c. Introduction of 81 points of focus:

The 2013 Framework introduces 81 points of focus. The points of focus are typically
important characteristics of principles that can be used to facilitate designing, implementing,
and conducting internal control. These are items management can consider to determine if

Page | 42
the principles are present and functioning. The 2013 Framework is explicit that management
is not required to separately evaluate whether each of the points of focus are in place to
determine if the principles are present and functioning.

 Points of focus may not be suitable or relevant, and others may be identified

 Points of focus facilitate designing, implementing, and conducting internal control

 There is no requirement to separately assess whether points of focus are in place

Page | 43
Page | 44
Page | 45
Page | 46
d. Transition from 1992 Framework to 2013 Framework:
COSO's goal in updating the original framework has been to reflect changes in the
business and operating environments, to formalize more explicitly the principles
embedded in the original framework that facilitate development of effective internal
control and assessment of its effectiveness, and to increase ease of use when applied to an
entity objective. Accordingly, COSO believes users should transition to the 2013
Framework in their applications and related documentation as soon as is feasible under
their particular circumstances. However, there are clearly many changes for entities to
consider upon adopting the 2013 Framework.

Companies should begin the transition process by first taking the time to read and
understanding the 2013 Framework and related guidance that will be helpful for
implementation. Entities then will need to evaluate the 17 principles to determine if they
are relevant to their organisation and then also determine how they have been
implemented. In this process some entities any determine that a relevant principle is not
addressed, which could signify a material deficiency in their internal control. They will
need to evaluate whether identified deficiencies have implications for the users of their
financial information or their auditors, if applicable. In addition to the consideration of
the principles, adoption of the 2013 Framework will require both management and the
auditor to update the relevant documentation to reflect how the entity's objectives are
being met through the components and related principles.

COSO will continue to make available the 1992 Framework during the transition period
extending to December 15, 2014, after which time COSO will consider it as having been
superseded. COSO believes the key concepts and principles embedded in the original
framework are fundamentally sound and broadly accepted in the marketplace, and
accordingly, continued use of the original Framework during the transition period (May
13, 2013 to December 15, 2014) is appropriate. During that period, the application of the
COSO Internal Control - Integrated Framework that involves external reporting should
clearly disclose whether the original or 2013 version was utilized.

Because entities are not required to use the Framework by any standard setter or
regulatory body, each entity will need to individually determine its transition path to the
new Framework. It will be important for entities to consider the expectations of the users
of the financial statements for the Framework adoption timeframe. Auditors will need to
work with clients to understand which framework they are using and how the transition
will impact their audit procedures.

Page | 47
 The entity’s internal control structure is relevant to audit engagements as well as
examination or agreed upon procedure engagements related to internal control. The
impacts of updating the 2013 Framework on the engagement include an updated
understanding of the evaluation process and consideration of any deficiencies identified
during the transition. Auditors will need to evaluate the 17 principles, including
management's assessment of any principles it does not deem relevant to the organisation.

Much like the process to update the COSO Framework was a multi-year project, it is
likely that the implementation and transition to the 2013 Framework will take time and
effort - both on the part of an entity's management and its auditor. The updated guidance
and information in the 2013 Framework provide a strong foundation for entities to re-
evaluate their internal control systems and ensure they are timely updated for changes in
their internal external risk factors.

Getting starting now in assessing the relevant differences between the 1992 Framework
the 2013 Framework will provide management with an understanding of the time and
resources that it will take organisation to address these differences. Also, if any
remediation is required to address these difference, starting early will provide
organisation an appropriate amount of time to remediate any deficiencies from design and
operating effectiveness perspective.

Having the appropriate individuals involved in your organisation's assessment of the

impact of transitioning to the 2013 Framework will help ensure that relevant difference
are identified and a plan to address these differences is developed. For example, it is
reasonable to expect that given the increased emphasis on information technology, third
party vendors and fraud in 2013 Framework, there may be enhancements your
organisation needs to make regarding the internal controls and/or related documentation
in these areas of emphasis. Therefore, organisation should involve the individuals who
are familiar with organisation's information technology environment, third party vendor
relationship, and anti-fraud programs and controls in the transition assessment.

e. Conclusion:
The new Framework gives management an opportunity to adopt a principles-based
approach to establishing, maintaining, and evaluating internal control to address the
specific risks of greatest concern to the organization. It also provides them with an
opportunity to apply a consistent, company-wide approach to internal control, embedding
accountability and responsibility throughout the enterprise to reduce the likelihood of
risks interfering with business objectives.

Management and other personnel in key operational roles, such as sales operations,
inventory management, IT security, international expansion and others, are most

Page | 48
important to internal control. They are closest to where risks exist and to the changes in
the business that could impact risks—and therefore, they are best positioned to spot new
or changing risks, or identify when an issue is likely to occur. They can best define the
approach to address risks. Leveraging a common framework, they can more effectively
and efficiently leverage people, process, and technology to gather and share information,
establish controls to address risks, and monitor whether controls are effective. Combined
with strong oversight for senior management and the board, an internal control system
leveraging the IC-IF can enhance confidence and improve the likelihood that objectives
will be achieved.

Chief Audit Executives (CAEs) are well positioned to help management and boards
understand the unlocked potential of an expanded application of the Framework for their
organizations. They should read the new IC-IF thoughtfully to help management assess
whether their current application of the Framework addresses all of the principles. They
should pay particular attention to the concepts clarified in the updated Framework related
to the expectation that the 5 components of internal control and the 17 principles be
"present and functioning" and "operating together." By understanding the principles and
the importance of each of the components supporting the others, management can begin
to envision the benefits of applying these concepts to:

 Enhance internal control across the organization

 Enhance the likelihood that risks to business objectives will be identified and
addressed

 Leverage to the rest of the organization the investments they've made in applying
internal control to external financial reporting

Page | 49
4. Audit of Quality Control/ Quality Assurance processes

a. Introduction
Quality Assurance and Quality Control processes defines the extent to which an
Organization is able to satisfy its customer and facilitates to meet business objectives.
This process is designed as integrating the activities of identifying the initiatives and
developed & implementing the actions to improve customer satisfaction and thereby
improve products acceptability in the market. This process covers inputs received from
customer, development of a product plan, production monitoring, analysis and
subsequent release of desired product for market. This process also covers the
assimilation of market feedback- particularly, with intent to develop corrective actions to
ensure consistent quality throughout the supply chain to enhance customer satisfaction.

b. Quality Control
It is defined as a set of activities intended to ensure that quality requirements are
continuously being met within the given manufacturing process as per design. The
quality control process encompass sample collection by operation team from the product,
Raw material and process stream drawn from various manufacturing process stages and
the analytical work performed by lab teams as per pre-defined schedules and reference
methods. The analytical data / observations are shared with manufacturing stakeholders
for monitoring and deciding corrective actions to ensure desired quality parameters are
consistently met, to have on-spec production.

c. Quality Assurance
It is a set of activities intended to establish confidence that quality requirements will be
met.QA involve a programme for the systematic monitoring and evaluation of the various
aspects of the project, service, or process to ensure that standards of quality are being
met.

d. Audit Procedure followed in QA|QC Audit

In the internal audit of QA|QC processes, the above procedure of risk based internal audit
was followed. It included planning of the audit, interaction with process owners for
understanding the process. Analyzing the documents and results. Based on the Risk
Page | 50
 associated and type of control, findings were found on Risk basis to improve the process
control and minimize the risk and recommendations were given accordingly.

e. Process reviewed for the Audit – Laboratory Management

Reliance has central laboratory for each of two refinery. The refineries are the main part
of QA/QC process. So, for the internal audit of the QA/Qc processes, Laboratory
processes are reviewed. These laboratories have any sub processes from which I
reviewed two following sub processes;

i. Quality assurance for Intermediate Product

ii. Calibration of Equipments

f. Risks identified for above sub-process are

i. Absence of specification / laid down standard for testing and clearance of

intermediate product may lead to incorrect test procedure.
ii. Incorrect / incomplete updation of product master in LIMS may lead to non-
testing / performing of incorrect test procedure.
iii. Unauthorized changes to specifications / non-updation of master data subesequent
to change in specification may lead to performing of incorrect test procedure.
iv. Non-calibration / delay in calibration of Lab instruments may result in inaccurate
test result

g. Processes, Documents and Data analyzed for review

i. Approved product specification data for all the plants in both the refinery
ii. LAB WARE software specification data of all the plants and comparing it with
the master data
iii. Compared laboratory product specification data with the Plants approved
specification data
iv. Unrecieved Sample list
v. Sample cycle time in the laboratory data
vi. Instruments list which contains the list of all the instruments available in the both
laboratory
vii. Equipment Calibration list of all the sub sections of both the Laboratory
viii. Checking the calibration status of the randomly selected Equipments in the
laboratory.
ix. Checking the online sample result with the manually written results on register at
both the laboratories.

Page | 51
h. Observations identified are:

i. Incorrect master data are updated compared with approved product specification.
ii. Absence of periodical review and updation of revised specifications of product.
iii. Incorrect Calibration schedules are followed for instruments and in some cases
no calibrations were carried out

i. Recommendations provided:

i. Immediate correction of master data in line with approved specification.

ii. Laboratory team should put a process of maker and checker control to avoid
future occurrence of above mismatches.
iii. Laboratory team in consultation with Technical operation team should develop a
process stating the time line of revision of product specification.
iv. Laboratory team should follow the approved calibration schedule for calibrating
the instrument correctness and should review the list of equipment which are not
currently calibrated and revise the calibration schedule

Page | 52
APPENDIX-1

ABBREVIATIONS MEANING

Arm actual risk maturity

CAE Chief Audit Executive
COSO Committee of Sponsoring Organizations
Erm expected risk maturity
ERM Enterprise Risk Maturity
IA Internal Audit
IC-IF Internal Control-Integrated Framework
IIA Institute of Internal Auditors
IIPF International Professional Practice Frame Work
QA Quality Assurance
QC Quality Control
RBIA Risk Based Internal Audit
SWOT Strength, Weakness, Opportunities, Threats

Page | 53
 Case study – Audit Tactics

Internal audit is all about finding the process gaps not the human error or person specific. The
more depth understanding and clarity Auditor has about the process, the more he is able to find
ways to strengthen the process controls. Though, Auditee always have in mind that Auditors are
going to find points against them or their process, it is their common mentality to avoid questions
or not to open up more. Auditors have to follow some tactics to get the more idea and get the
relevant data they need.
How people avoid questions and what to do about that
The response of the auditor should vary according to the situation and according to the tactics
used by the auditee to avoid the questions.
Following are the situations that happen during the interaction and tactics to handle that smartly
are mentioned.

Attacking the interviewer.

“I don’t have time for you I have already lots of work and you are in my office since three days”
In this approach, the auditee attacks the auditor for wasting his time and try to dominance. Thus
he tries that auditor forgets the follow up questions and may affect his or her future questions
too.

An attacked interviewer in this situations reacts either very strongly and fight with the auditee or
he may shy away and don’t ask more questions. However, both the response is a mistake. A
smart auditor in this situation reacts calmly and takes the necessary steps boldly.

For example, if the auditor does not need answers quickly he may say that, “I understand and
value your time. I have asked all your staff members about this question and they all have revert
me back to you so i have to take your opinion about this. If there any free time there in your
schedule we can fix the meeting during that time.” Here, Auditor has not reacted angry but he
has done his work very calmly as well as boldly.

Attacking the question.

“Why should we care about recovery process and there is not at all any need of supporting
documents in this matter.” By this approach, they try to avoid the question as it has no relevance.
To respond to this situation Auditor should be very smart and expert of that matter. He should
answer that as this matter reflects very high financially to the company it is very important. He
can show the financial figures and make them tell the matter in detail.

Diverting the question.

Page | 54
“from your question a new thing came in my mind that we have new computer systems that
detects every error” With this approach, the auditee tries to avoid the main question by coming
up with another matter or issue or anything.

In this situation, Auditor needs to make an list of objectives of the meeting and make sure that at
the end of the meeting every objective should be satisfied.

Declining to answer.

“I don’t know the answer or I don’t know the exact process, I will try to find documents for you
in the next meeting.”(Without intending to do so)
To respond Interviewer must hold the person accountable and should constantly take the follow
up on that matter. He should take this conversation in mail or some written format as it gives the
proof of the conversation and makes the auditee gives the right information.

Give Away Points (Most innovative and useful tactic)

Every time at the final discussion of the finding points, Auditee have objections over some points
and try to remove some points. So, Auditors have come up with very innovative idea that they
will prepare two or three give away points every time.
These give away points are such that they are not the actual points. They are just made so that on
the objection over the auditee the points can be given away and auditee feels satisfied. Thus,
auditee doesn’t argue over the actual points.

Page | 55