
A Study of Internal Audit of Finance and Accounts as a function of Risk Consultancy at KPMG

A Project Report submitted in partial fulfillment of the requirement for the
award of Post Graduate Diploma in Management

Undertaken at:
KPMG, Chennai

Submitted by:
Kamala Sundaresan
Roll No: 66 | Section B | Batch 22
XIME | Bangalore

Submitted on:
July 24, 2017

ACKNOWLEDGEMENTS:

I am generally thankful to each and every individual who has, knowingly or unknowingly,
played a part in helping me successfully complete this Summer Internship Project. I extend
my thanks to Mr. Anand Srinivasan for his constant support and guidance throughout my
internship period and also in the preparation of this project.

I am extremely grateful to Mr. Rahul Lunkar, Associate Director, GRCS, KPMG, Chennai
for allowing me to pursue my Summer Internship Project with KPMG.

I extend my warm regards to Mr. Crisberne Joseph, Assistant Manager, KPMG, Chennai for
acting as my Project Guide and for assisting me in selecting my project as well as for guiding
me throughout my time at the organisation.

I am indebted to all the Analysts and Associate Consultants at the GRCS department of
KPMG, Chennai for being patient in explaining the process of Internal Audit and the
procedure followed at KPMG and for helping me in narrowing down specific project
objectives. In the same vein, I thank them all for accommodating me and making me feel
welcome during my time with their team.

Finally, I am thankful to Mr. Anil Kumar, Professor of Finance, XIME, Bangalore for giving
his assistance as the Faculty Guide.

TABLE OF CONTENTS

1. List of abbreviations and figures
2. Executive Summary
   • Objectives
   • Recommendations
   • Conclusion
3. Company Profile
   • Introduction
   • Organisation History
   • KPMG- Indian Operations
   • Services
   • Industry Presence
   • Vision
   • Mission and Value Statement
   • Competitors
4. Background to Internal Audit of Finance and Accounts
   • Introduction to GRCS at KPMG
   • Key practice highlights
   • The GRCS team
   • Process Structure
5. Project I: Risk Consultancy Practices and GRCS
   • Objective
   • Background
   • Governance Risk Compliance- An overview
   • Management of GRC
   • Governance Risk Compliance fit
   • Components of GRC
   • Finance and audit GRC- Relationship with GRC
   • Mitigating Operational Risk
   • Current scenario
   • Recommendations
   • Conclusion
6. Project II: Introduction to Internal Audit
   • Objectives of Internal Audit
   • Internal Audit vs. External Audit
   • Objective of the project
   • Internal Audit process
7. Project 1: Internal Audit of Finance and Accounts of ABC Ltd.
   • Objectives
   • Scope and Coverage
   • Methodology
   • Procedure of audit of Treasury and Cash Management transactions
   • Learnings
   • Procedure of audit of Book Closure and Reporting
   • Learnings
   • Issues Identified and Business Impact
8. Project 2: Internal Audit of Finance and Accounts of XYZ Ltd.
   • Objectives
   • Scope and Coverage
   • Methodology
   • Procedure of Audit
   • Learnings
   • Limitations
   • Recommendations
   • Conclusion
9. Appendix
   • Bibliography

LIST OF ABBREVIATIONS AND FIGURES:

1. GRCS - Governance Risk Compliance Services
2. IA - Internal Audit
3. SOP - Standard Operating Procedure(s)
4. FDs - Fixed Deposits
5. KMG - Klynveld Main Goerdeler
6. SAMA - Saudi Arabian Monetary Authority
7. CMA - Capital Market Authority
8. EMA (region) - Europe Middle East & Africa (region)
9. ERM - Enterprise Risk Management
10. IAD - Internal Audit Director
11. AWP - Audit Work Program
12. FR - Financial Regulations
13. BRS - Bank Reconciliation Statement
14. MIS - Management Information System
15. WIP - Work In Progress
16. CWIP - Capital Work In Progress
17. OCEG - Open Compliance and Ethics Group
18. Figure 1 - GRC capability: model element view
19. Figure 2 - Organisational context of GRC
20. Figure 3 - Operational Risk Classification
21. Figure 4 - Difference between Internal and External Audit
22. Figure 5 - Internal Audit Process

EXECUTIVE SUMMARY:

As part of my summer internship project, I worked at KPMG in the Internal Audit function of
the GRCS (Governance Risk Compliance Services) department.

OBJECTIVES:

• Study Risk Management as a practice and understand the current Operational
Risk environment with specific regard to GRCS.
• Study the role and importance of internal audit as a professional service in improving
the Governance, Risk and Compliance systems of clients.
• Performance of the work assigned to the best of my capabilities.
• Delivering quality work within defined timelines.
• Making recommendations to add value to the client’s operations.

RECOMMENDATIONS:
• View GRC as a process and not as a product
• Integration of technology at the executive level
• Regular checks for risk mitigation and identification
• Since my work, in my second project, largely involved projects (clients) allotted to
me, all data and recommendations made are covered under the Intellectual Property
Rights of KPMG and hence cannot form a part of this report.

CONCLUSION:
These are dynamic times we live in. There are changes in the industry on an everyday basis.
Market conditions fluctuate very often. All this increases the risks that an organisation faces
and thus Governance Risk Compliance Services become all the more important.

My work in the field of internal audit has exposed me to its importance and the role it plays
in helping an organisation achieve its objectives. Internal audits provide a number of
important services to company management including detection and prevention of fraud,
testing of internal control, and monitoring compliance with company policy and government
regulation. It thus increases accountability within the organisation.

COMPANY PROFILE:

INTRODUCTION

KPMG is a professional services company and one of the Big Four auditors, alongside
Deloitte, Ernst & Young (EY) and PricewaterhouseCoopers (PwC). The acronym "KPMG"
stands for "Klynveld Peat Marwick Goerdeler." The name emerged as the name of choice
when KMG (Klynveld Main Goerdeler) merged with Peat Marwick.

KPMG is based in the city of Amsterdam in the Netherlands and currently employs 189,000
people. It has three verticals of services: Financial Audit, Tax, Advisory as well as
Infrastructure Government and Healthcare. KPMG’s tax and advisory services are further
segmented into various service groups such as:

• Management Consulting
• Risk Consulting
• Deal Advisory
• Strategic Alliances

ORGANISATION HISTORY:

KPMG was formed in the year 1987 with the merger of Peat Marwick International (PMI)
and Klynveld Main Goerdeler (KMG), and their individual member firms. Spanning close to
three centuries, the organization's history can be traced through the names of the principal
founding members - whose initials form the organisation’s name "KPMG."

K stands for Klynveld. Piet Klynveld was the founder of the accounting firm Klynveld
Kraayenhof and Co. in Amsterdam in 1917.

P stands for Peat. William Barclay Peat was the founding member of the accounting firm
William Barclay Peat & Co. in London in 1870.

M abbreviates to Marwick. James Marwick was the founder of the accounting firm Marwick,
Mitchell & Co alongside Roger Mitchell in New York City in 1897.

G abbreviates to Goerdeler. Dr. Reinhard Goerdeler, the Chairman of Deutsche
Treuhand-Gesellschaft, later became the chairman of KPMG. He is viewed as having played a
critical role in establishing much of the groundwork for the KMG merger.

In 1911, William Barclay Peat & Co. and Marwick Mitchell & Co. joined forces to form
what we would later come to know as Peat Marwick International (PMI), a worldwide
network of accounting and consulting firms.

In the year 1979, Klynveld joined forces with Deutsche Treuhand-Gesellschaft and the
international professional services firm McLintock Main Lafrentz to form Klynveld Main
Goerdeler (KMG).

In 1987, PMI and KMG and their member firms joined forces and today, all member firms
throughout the world carry the KPMG name exclusively or include it in their national firm
names.

KPMG- INDIAN OPERATIONS:

KPMG was established in the country in September 1993, and the organisation has been able
to build a significant competitive presence here rapidly. The firm currently operates out of its
offices in Ahmedabad, Bengaluru, Chandigarh, Chennai, Gurugram, Hyderabad, Kochi,
Kolkata, Mumbai, Noida, Pune and Vadodara, and offers its clients a comprehensive and
exhaustive range of services, including financial and business advisory, tax and regulatory,
and risk advisory services.

An astounding 2700 companies: this is KPMG’s client base. The firm has been able to
deliver value-added services to clients thanks to its global approach to service delivery. The
firm offers services to leading information technology companies and is a formidable force in
the financial services sector in India while also serving a number of market leaders in other
industry segments.

KPMG’s rapid performance-based, industry-tailored and technology-enabled business
advisory services, delivered by some of the leading talented professionals in the country as
well as globally, have stood the firm in good stead and are also a result of its global approach to
service delivery.

KPMG professionals are grouped by industry focus and hence their clients are able to deal
with industry professionals who speak their language. The internal information technology
and knowledge management systems ensure the delivery of informed and timely business
advice to clients.

SERVICES:

KPMG has three service lines. Their categorisation is as follows:

• Audit (40%)
• Advisory (38%)
• Tax (22%)

INDUSTRY PRESENCE:
In addition to the financial services stated above, KPMG also has a presence by way of
offering consultancy services in the following industries:

• Consumer Markets
• Defence and aerospace
• Education
• Energy and Natural Resources
• Life Sciences
• Media
• Private Equity
• Healthcare
• Government
• Technology
• Telecommunications
• Transport, Leisure and Sports

VISION:

The vision at KPMG in India is to be an Employer of Choice; to incubate a culture and
environment where people have the passion to perform to their highest potential.

KPMG in India’s People Goal is “To attract, develop, engage and retain the best talent in
the market” and “To ensure they are equipped to deliver value”.

MISSION AND VALUE STATEMENT:

Our people recognize their responsibility to uphold the values we have established over our
140-year history. These values outline what we stand for and influence the way we behave,
both with our clients and with one another.

• Lead by example
• Work together
• Respect the individual
• Seek facts and provide insight
• Open and honest in communications
• Committed to our communities
• Act with integrity

COMPETITORS:

The following is a list of major competitors of KPMG, both from the standpoint of an
accounting advisory firm as well as an organisation providing consultancy services:

• McKinsey and Company
• Accenture
• Ernst and Young
• PwC PricewaterhouseCoopers
• Deloitte Consulting
• Boston Consulting Group BCG
• A T Kearney
• Booz and Company
• Bain & Company

BACKGROUND TO INTERNAL AUDIT OF FINANCE AND ACCOUNTS:

For my summer internship project, KPMG accepted me as part of their Governance Risk
Compliance Services (GRCS) department. I worked for 2 months as an intern/trainee in the
function of Internal Audit and was assigned work pertinent to the Internal Audit of Finance
and Accounts of ongoing client(s)/project(s).

INTRODUCTION TO GOVERNANCE RISK COMPLIANCE SERVICES (GRCS) AT KPMG:

The aim of GRCS is to offer highly tailored services that help organisations and firms keep
pace with the fast-moving conditions prevailing in the market that their clients face, with
specific focus in the areas of governance, risk management and internal controls and
reporting and information systems.

The aim that KPMG wishes to achieve for its clients is to help them design and implement:

• Corporate governance structures and processes
• Risk management systems aligned to strategic priorities
• Assurance processes geared to provide independent and objective assurance on key
business risks
• Business processes and internal control systems that are suitable to address emerging
business challenges
• Framework to foster compliance with legal and regulatory requirements.

Through their Governance Risk Compliance Services, KPMG seeks to help their clients
answer several questions of importance such as:

• Does the client organisation have the right oversight and monitoring processes, including
governance structures, to effectively monitor their strategy and performance of business?
• How effectively are the oversight processes structured, and to what extent do they
facilitate the board and senior management of the client to focus on key priorities?
• Do they have the right processes in the way they manage risk, vis-a-vis keeping track of
what is changing in their business and external environment (be it industry, customer or
competitor)?
• Does the client have a single and holistic view of key business risks?
• Is the client effectively addressing compliance requirements across multiple businesses and
geographies?
• Does the client actively monitor emerging changes to the regulatory environment and its
impact on their business?
• Is the client organisation’s implementation of business critical strategic projects effective,
and how do they monitor if these are delivering the benefits as intended?
• How geared are the client’s assurance processes to add value to the business that goes
beyond controls assurance and compliance?
• How well designed and aligned are the business processes and information systems of the
client, with specific focus on how to meet our information requirements with minimum
work around?

Key practice highlights:

• Largest GRCS practice across the Europe, Middle East and Africa (EMA) region of
KPMG
• Largest GRCS telecom team within the KPMG network with extensive experience of
delivering internal audits and revenue assurance engagements in the telecom sector, both in
India and globally
• High quality team which has worked across 50 countries in six continents
• Thought leader in corporate governance, contributing through an array of KPMG Audit
Committee Institute publications and providing valuable inputs to the ICAI on its risk and
internal audit publications
• First in India to successfully pioneer the concepts of 'Offshore Internal Audit' (IA), 'Virtual
SOX' and 'Offshore Support for Finance Function Transformation' for multi-national
clientele
• Assisted CMA (Equivalent to SEBI/SEC) and SAMA (the Central Bank) in Saudi Arabia
in migration to new regulatory frameworks
• Assisted in in-depth and thorough SOX compliance for two Indian SEC-listed companies
(TATA Motors and HDFC bank).

The GRCS team:

• A team of 18 partners and directors
• Leading close to 600 professionals across the country, who have diversified professional
skill sets (Engineers, Architects, MBAs, etc.) and have worked across 50 countries and in
close to six continents
• One of the largest practices in the Europe Middle East & Africa (EMA) region and one of
the largest telecom practices in the world
• KPMG specialists have executed complex engagements encompassing project advisory
and project monitoring, revenue assurance, internal audit services, SOX 404 compliance
and process reviews for both national and global companies
• Thought leaders in governance and risk management.

Process structure:

• A Partner/Director heads and leads each sector aligned according to the industry.
• A Director champions a focused Centre of Excellence (COE) along with the support of
Research Analysts and Professionals with the objective of developing new methods of
thought leadership.
• The firm’s interface with Independent Directors and prominent decision makers is
supported by the Centre of Excellence (COE)
• A delivery centre with a clear focus of working with clients on Internal Audits, risks and
controls, data analytics, etc.
• Sector-specific focus with service offerings excluding internal audit.
• Extensive knowledge pool of industry specific processes, flowcharts and risk registers,
analytical queries, etc.

With respect to Risk Consultancy, KPMG has the following key service offerings:

• Corporate Governance
• Major Projects Advisory
• Enterprise Risk Management (ERM)
• Control Self Assessment
• Model Business Process
• Revenue Assurance
• Internal Audit

PROJECT I: RISK CONSULTANCY PRACTICES AND GRCS

OBJECTIVE:

To study Risk Management as a practice and understand the current Operational Risk
environment with specific regard to GRCS.

BACKGROUND:

During my tenure at KPMG, the idea of GRCS intrigued me and that spurred me to go ahead
and explore what GRCS as a practice has to offer. This project seeks to establish GRC as an
avenue of importance and also the path ahead in this area.

Governance Risk Compliance-An overview:

In the words of Robert Toogood, contributor to The Risk Management Handbook, “GRC in
itself is not a specific variant of risk management but instead is an approach for more tightly
coordinating risk management with governance and compliance-related activities.” What this
means is that an organisation must have in function some form of risk management and
mitigation strategy as without it, any attempt to implement GRC would fail. Thus, GRC
refers to efforts to more comprehensively coordinate these three critical pillars of modern-day
business namely Governance Risk and Compliance. While there is no universal definition of
GRC, research conducted by Racz, Weippl and Seufert in 2010 provided the following
definition: “GRC is an integrated, holistic approach to organisation-wide governance, risk
and compliance ensuring that an organisation acts ethically correct and in accordance with its
risk appetite, internal policies and external regulations through the alignment of strategy,
processes, technology and people, thereby improving efficiency and effectiveness.”

During my research, I found that there has been general confusion between GRC
(Governance Risk Compliance) and ERM (Enterprise Risk Management) with some even
suggesting that GRC is just another term for ERM. The OCEG (Open Compliance and
Ethics Group) had this to say about GRC- “...enables an organisation to reliably achieve
objectives while addressing uncertainty and acting with integrity; including the governance,
assurance and management of performance, risk and compliance”. On the other hand, the
COSO framework defines Enterprise Risk Management as a process, effected by an entity’s
board of directors, management and other personnel, applied in strategy setting and across the
enterprise, designed to identify potential events that may affect the entity, and manage risk to
be within its risk appetite, to provide reasonable assurance regarding the achievement of
entity objectives.

Further, on comparison of the OCEG model of GRC against risk management frameworks
like ISO 31000, it can be concluded that while the focus in the case of the OCEG approach is
to identify and measure risk, the ISO 31000 seeks to assist organisations in achieving their
objectives, improving the identification of opportunities and threats and effectively allocating
and using resources for risk treatment. Thus, ERM can be seen as the means to achieve the
end goal of effective governance and risk compliance.

Management of GRC:

OCEG activities heavily dominate the best practices in the area of management of GRC.
OCEG came out with the 3.0 Capability Model which has proved to be very useful for many
organisations that have adopted components from this framework.

Fig 1: GRC capability: model element view

The four elements of the model can further be explained as follows:

• LEARN- It refers to learning about the organization context, culture and key
stakeholders to inform objectives, strategy and actions.
• ALIGN- This refers to aligning strategy with objectives, and actions with strategy,
through an effective decision-making approach that addresses values, opportunities,
threats and requirements.
• PERFORM- These are the actions that promote and reward things that are desirable,
prevent and remedy things that are undesirable, and detect untoward incidents as
and when they happen.
• REVIEW the design and operating effectiveness of the strategy and actions, as well
as the ongoing appropriateness of objectives to improve the organization.

Governance Risk Compliance fit:

As discussed previously, GRC is a framework into which other types of risk management can
be directed and thus has the potential to interact with other types of risk management like
ERM and the like. The importance of a coordinated and not just integrated approach to risk
management has been stressed upon. Another pivotal point is that GRC is already
implemented in a number of organisations and only the degree of coordination differs. Thus,
the Institute of Risk Management developed a graph to provide a synopsis as to the
organisational context in which Governance, Risk and compliance have to coexist.

Fig 2: Organisational context of GRC

Components of GRC:

The following areas were included by Gartner as components of the Governance Risk
Compliance Services:

• Finance and audit GRC
• IT GRC management
• Enterprise risk management.

Finance and audit GRC-Relationship with Operational Risk:

Internal audit of finance and accounts, which forms the crux of my work at KPMG, is part of
GRCS and deals with Operational Risk which is one of the arms of risk, the other two being
Market Risk and Credit Risk.

Operational Risk is defined as follows, “the risk of loss resulting from inadequate or failed
internal processes, people and systems, or from external events.” This includes the usual
internal business events as well as external events such as fraud, security breaches, regulatory
effects and natural disasters.

As is the case with market risk and credit risk, operational risk too follows a logical sequence
of steps:

• Identification
• Assessment
• Monitoring
• Control or mitigation

Internal audit, through these above mentioned steps seeks to help an organisation manage
operational risks.

Operational Risk can further be divided into the following categories:

• People Risk
• Process Risk
• System Risk
• External Risk

Fig 3: Operational Risk Classification

The Basel Committee on Banking Supervision (a forum for regular cooperation on banking
supervisory matters with the objective to enhance understanding of key supervisory issues
and improve the quality of banking supervision worldwide) has further classified risk events
according to seven event types:

• Internal Fraud (IF)
• External Fraud (EF)
• Employment practices and workplace safety (EPWS)
• Clients, products, and business practices (CPBP)
• Damage to physical assets (DPA)
• Business disruption and system failures (BDSF)
• Execution, delivery, and process management (EDPM)

Mitigating Operational Risk:

Operational risk can be minimised in a number of ways, through internal and external
controls. These are listed below.

Internal Controls:

• Separation of functions: Individuals responsible for committing transactions should
not perform clearance and accounting functions.
• Dual entries: Entries (inputs) should be matched from two different sources, that is,
the trade ticket and the confirmation by the back office.
• Reconciliations: Results (outputs) should be matched from different sources, for
instance, the trader’s profit estimate and the computation by the middle office.

External Controls:

• Internal and external audits: These examinations provide useful information on
potential weakness areas in the organisational structure or business process.
• Confirmations: Trade tickets need to be confirmed with the counterparty, which
provides an independent check on the transaction.
• Authorisation: The counterparty should be provided with a list of personnel
authorised to enter into transactions as well as a list of allowed transactions.

Current scenario:

• Governance Risk Compliance:

While it has been noted that GRC is implemented in a majority of organisations, an
interesting observation was made in a post entitled ‘Rethinking GRC’ wherein the
author noted that it was possible that the time had arrived to rethink the current GRC
practices with added emphasis on people and process aspects.

Although GRC has been in existence for more than a decade now, there still is
ambiguity about what the term really entails. This is probably why GRC, as a practice,
has failed to live up to its potential and there still are many corporate failures.

• Operational Risk:

As in the case of GRC, there still exist problems in the measurement and assessment
of operational risks. This is majorly because operational risk, unlike credit risk and
market risk, is internal to the organisation. Organisations are generally reluctant to
reveal their mistakes or data, making it all the more difficult to identify, assess and
quantify these risks.

RECOMMENDATIONS:

The following steps can be adopted to bring about an improvement in GRC as a practice:

• View GRC as a process and not as a product: Governance Risk Compliance must be
seen not as a product offering to be sold to other stakeholders but instead must be
viewed as an integral part of an organisation’s efforts to be managed at every step.
• Integration of technology at the executive level: The OCEG approach stresses
using technology to mitigate operational risks and this can only be possible if
technology is treated not just as a backend process but is seen as a tool to be used by
management to mitigate risks.
• Regular checks: Organisations must constantly perform checks and test their controls
to identify and mitigate risks in the initial stage.

CONCLUSION:

These are dynamic times we live in. There are changes in the industry on an everyday basis.
Market conditions fluctuate very often. All this increases the risks that an organisation faces
and Governance Risk Compliance Services become all the more important.

GRC is currently in a critical phase. There are arguments that it has peaked and is now on a
decline. Another view is that the term ‘GRC’ is now redundant as these functions are now
performed by other functional initiatives like Conduct Risk and Ethical Leadership. There is
not much evidence to support either of these views. However, what is certain is that in the
current business scenario, an organisation cannot afford inefficiencies in processes and
functions and Governance Risk Compliance Services does offer a way to avoid those
inefficiencies.

PROJECT II: INTRODUCTION TO INTERNAL AUDIT:

Internal auditing is an independent, objective assurance and consulting activity designed to
add value and improve an organization's operations. The role of internal audit is to provide
independent assurance that an organisation's risk management, governance and internal
control processes are operating effectively.

OBJECTIVES OF INTERNAL AUDIT:

The objective of the internal audit services is to assist the client organisation in evaluating
and testing the effectiveness of controls that are in place. The internal audit is conducted with
a view to:

• Review the adequacy and effectiveness of transaction controls.
• Monitor adherence to defined policies and procedures.
• Surface significant observations and recommendations for process improvements.

INTERNAL AUDIT VS EXTERNAL AUDIT:

Fig 4: Difference between Internal and External Audit

OBJECTIVE OF THE PROJECT:

Study the role and importance of internal audit as a professional service in improving the
Governance, Risk and Compliance systems of clients.

I was assigned specific work by the organization for the period of my internship. There was
no scope to pick a particular project and I was assigned as part of the Internal Audit team for
two clients and this report seeks to set out, within the scope of confidentiality, my work and
the analysis performed on both projects.

INTERNAL AUDIT PROCESS:

As part of the Internal Audit team at KPMG, I was engaged on two internal audit projects for
two different clients over my internship period. While my work on both clients will further be
explained in the upcoming portions, I have, through my work, identified the following steps
as being an integral part of carrying out any internal audit.

Step 1: Planning

The first step in the internal audit process, as in any other process, is of planning. During this
phase of the audit, the auditor(s) intimates the client of the audit, conducts discussions about
the scope and objectives of the examination in a formal meeting with the organization’s
management, gathers information on critical processes, evaluates existing controls, and plans
the remaining audit steps.

Step 2: Announcement Letter

In the next step, the client is informed of the audit through an announcement or engagement
letter from the Internal Audit Director. This letter seeks to communicate to all parties
concerned the scope and objectives of the audit, the auditor(s) assigned to the project and
other relevant information.

Step 3: Initial Meeting

The next step is essentially a semi-formal meeting aimed at getting both parties acquainted
with each other. During this meeting, the client describes their unit or system to be reviewed,
the organization, available resources (personnel, facilities, equipment, funds), and any other
information that they consider relevant. The internal auditor(s) then meet(s) with the senior
officer directly responsible for the unit under review and any staff members s/he wishes to
include. It is important that the client identify issues or areas of special concern that should be
addressed.

Step 4: Preliminary Survey

This step is where the actual review begins. In this phase the auditor(s) gather(s) relevant
information about the unit in order to obtain a general overview of operations. S/He talks
with key personnel and reviews reports, files, and other sources of information.

Step 5: ICR (Internal Control Review)

Following the preliminary review, the audit is in full swing. The auditor here reviews the
organisation's internal control structure by using a variety of tools and techniques to gather
and analyze information about the operation. This review of internal controls helps the
auditor identify the areas of highest risk and design tests to be performed in the fieldwork
section.

Step 6: Audit Program

The Audit Work Program outlines the fieldwork necessary to achieve the audit objectives and
essentially serves as a checklist for the auditor.

Step 7: Fieldwork

The fieldwork essentially focuses on testing the samples and dialogue with the client. It is
during this phase that the auditor(s) determine(s) whether the processes that they had
identified during the preliminary review are operating properly and in the manner described
by the client. The fieldwork stage concludes with a list of significant findings from which the
draft audit report is prepared.

Step 8: Transaction Testing

After completing the preliminary review, the auditor(s) perform(s) the procedures as per the
Audit Work Program. These procedures focus on testing the major internal controls and the
accuracy of the transactions. Sample selection and testing of the selected samples forms an
integral part of this step.

Step 9: Advice & Informal Communications

As the fieldwork progresses, significant finding(s), if any, are discussed with the client. This
is done to check whether the client can offer insights and work with the auditor to determine
the best method of resolving the finding(s). Generally, these findings are discussed through
dialogue. However, in more complex situations, e-mails are written in order to ensure that the
client/auditor can fully comprehend the situation. The goal is to ensure that a thorough
audit is performed.

Step 10: Audit Summary

Once the auditor completes the fieldwork, he/she encapsulates the audit findings,
conclusions, and recommendations necessary for the discussion of the audit report draft.

Step 11: Working Papers

Working papers are a vital tool of the audit process. They form the basis of the audit opinion.
The auditor uses them to link the client’s accounting records and financials to the auditor’s
opinion.

Step 12: Working Paper Documentation

It is important for the auditor(s) to document or store all audit process working papers as
evidence for tests performed and also to support any audit finding(s). Further, these need to
be preserved in the manner prescribed in the beginning of the audit.

Step 13: Audit Report

This step is amongst the most difficult as well as vital. It involves encapsulating all that was
found thus far in the audit in written form, i.e., in a report. The auditor(s) express their
opinions, present the audit findings, and discuss recommendations for improvements in the
Audit Report. To facilitate communication and ensure that the recommendations presented in
the final report are feasible to be implemented in the organisation, the internal auditor(s)
discuss(es) the rough draft with the client prior to issuing the final report.

Step 14: Discussion Draft

Once the auditor has completed the fieldwork, he/she drafts the report. The auditor(s)
thoroughly review(s) the work done and tests performed as well as the findings arrived at
before it is presented to the client for comment. This discussion draft is given to the client so
that they can gain an understanding about the work carried out before the exit conference.

Step 15: Exit Conference

Once the auditor(s) and the client’s management have agreed on the draft, the Internal Audit
team meets with the unit's management team to discuss the findings and recommendations of
the draft. At this meeting, the client offers their comments and explanations and the group
works to reach an agreement on the audit findings. This step taught me the importance of
negotiation as well as the importance of doing research. It is a battle as both sides try to
establish their point and I learnt that only proper evidence can stand you in good stead here.

Step 16: Formal Draft

The auditor(s) then issue(s) a draft report, after incorporating any suggestions or changes
from the discussions. Once the auditor(s) and the client review the changes, the final report is
issued.

Step 17: Final Report

The report is then printed and distributed by the Internal Audit team to all concerned
authorities of the client organisation. This report is primarily for internal management use.
The approval of the Internal Audit Director is required for release of the report outside of the
client.

Step 18: Client Response

In this step, the client responds to the audit findings prior to issuance of the final report; this
is generally included or attached to the final report.

The client, in their response, explains how the report findings will be resolved and also
provides an implementation timeline. A decision to not implement the audit recommendation
provided while choosing to accept the risks associated with it can also be a response by the
client.

Step 19: Audit Follow-Up

Within approximately one year of the final report, a follow up review is performed by the
Internal Audit team to verify the resolution of the report findings.

Step 20: Follow-up Review

The client response letter is reviewed and the actions taken to resolve the audit report
findings may be tested to ensure that the desired results were achieved. All unresolved
findings are discussed in the follow-up report.

Step 21: Follow-up Report

A follow-up report which lists the actions taken by the client to resolve the original report
findings is part of the final steps taken in the internal audit process. Any findings that have
not been resolved are also stated in the follow-up report and will contain a summary of the
finding, the original audit recommendation, the client response and the current position. A
discussion draft of each report with unresolved findings is circulated to the client before the
issue of the report.

Step 22: Internal Audit Annual Report to the Board

In addition to the distribution as mentioned earlier, the contents of the audit report, client
response, and follow-up report may also be communicated to the Audit Committee of the Board
as part of the Internal Audit Annual Report.

The Process: A Collaborative Effort

To sum up, during each stage in the audit process, be it preliminary review, fieldwork, audit
reports or follow-up, clients have the opportunity to participate. The internal audit process
works best when client management and Internal Audit have a good working relationship
based on clear and continuing communication and good intention to perform their jobs fairly
and properly.

Many clients take this working relationship beyond just one particular audit. When the audit
department has worked with management on a project, they have a better understanding of
the unique characteristics of the particular unit's operations. As a result, the audit team can
better help evaluate the feasibility of making further changes or modifications in the client’s
operations.

Shown below is a flowchart summarising the steps involved in the internal audit process:

Fig 5: Internal Audit Process

PROJECT 1: INTERNAL AUDIT OF FINANCE AND ACCOUNTS OF ABC LTD.

As per the Non Disclosure policies and Confidentiality Agreements signed by me with
KPMG, this project will not contain client names or data or analysis procedures that are
covered under KPMG’s intellectual property rights. From here on, the client shall be referred
to as ABC Ltd. ABC Ltd. is engaged in the construction sector.

OBJECTIVES:

The objective of the internal audit services extended to the client was to assist the client in
evaluating and testing the effectiveness of controls that are in place in the company. It was
conducted with a view to:

• Review the adequacy and effectiveness of transaction controls.
• Monitor adherence to defined policies and procedures.
• Review adherence to specified statutory requirements agreed with Management.
• Surface significant observations and recommendations for process improvements.

SCOPE AND COVERAGE:

The areas selected for review under the scope of Internal Audit were:

• Procurement and payables
• Book closure and reporting
• Treasury and Cash management
• Follow up review of previous year report on the above areas.

My work was majorly in the area of Treasury and Cash Management with small forays into
the area of Book Closure and Reporting.

• The work focussed on testing whether adequate internal controls were in place and
  whether they are functioning properly.

METHODOLOGY:

An overview of the methodology in which the review was carried out is as follows:

• Fact finding through general understanding of the workflows along with discussions
  with the management and staff of ABC Ltd:
  ◦ We gained an understanding of the current environment in which the client
    operates which could probably impact its functioning. This was done on the
    initial day of audit along with client discussion wherein the scope of the audit
    was agreed upon.
  ◦ This was further followed by an introduction of the key personnel of the client
    who were to facilitate the audit process in terms of providing data and
    clarifications as and when required.

• Evaluation of risks and controls in place and identification of areas of weakness:
  ◦ The first step is to gain an understanding of the existing controls in place to
    mitigate operational and financial risks in the organisation.
  ◦ Next, the internal controls of the activities relating to the audit areas are
    reviewed to identify applicable operational risks that can threaten achievement
    of objectives.
  ◦ The next step is to select sample transactions for testing whether the controls
    are effective and functioning as they should.
  ◦ The findings are then categorised as follows:

Risk Rating   Nature of issue     Action Priority
High          Significant issue   Immediate. Corrective action to begin immediately.
Moderate      Reportable issue    Necessary. Corrective action to begin within three months.
Low           Observation         Recommended. Corrective action to be considered for implementation within six to twelve months.

  ◦ Further, as part of the analysis, the root cause for each finding is also classified
    so as to ensure a better understanding of the reasons for the lapses. The
    classification is as follows:
    ▪ Control gap: These refer to missing controls in the control process.
    ▪ Exceptions, lapses and non compliances: These refer to non adherence
      to defined policies and procedures.
    ▪ Control enhancements: These refer to cases where the design of
      controls can be redefined further for more effective controls in these
      activities.

PROCEDURE OF AUDIT OF TREASURY AND CASH MANAGEMENT
TRANSACTIONS:

• As per the Audit Work Program, I identified the key aspects that are to be tested on
  receipt of client data. The Audit Work Program is a document that serves as a guide to
  the entire internal audit process by clarifying at the outset, the tasks to be performed
  along with the control parameters.
• The next step was to read the Financial Regulations (FR) of the client in order to gain
  an understanding of the existing controls in place so as to ensure that current
  processes are in line with those existing controls.
• On receipt of data, I started work by analysing the Bank Reconciliation Statements in
  order to identify any anomaly transactions. Further, BRS dates and approvals were
  checked as per the approval matrix in the FR.
• Next, I performed checks to identify all bank accounts and the relevant transactions to
  be traced back to the General Ledger.
• An important part of the analysis included calculation of idle funds in the bank
  accounts and the associated opportunity loss of interest.
• Next, the investments made by the client for the audit period were identified and cross
  verified as per AS 13. The interest calculations for the same were checked and traced
  back to the relevant bank account.
• Analysis of Fixed Deposits made by the client was also carried out.
• Cash transactions (deposits, receipts and payments) were analysed to ascertain any
  anomaly transactions.
• Insurance policies along with insurance register were checked to ensure compliance
  with clauses. This is important, especially in the case of an entity in the construction
  sector as untoward eventualities are aplenty and insurance cover is necessary.
• Intercompany loans were identified and reasons for the same were sought.
• Check of sweep facilities in various bank accounts was also carried out along with
  investible surplus analysis.
• We further carried out an analysis of Ledger dump for anomaly transactions.
• We finally carried out a discussion with the client’s management about observations
  and findings to find if there were appropriate clarifications so as to close the
  observations.

LEARNINGS:

• My work at KPMG has taught me many things, not the least of which being how to
  work in a professional environment.
• As far as the academic lessons learnt are concerned, this is a brief summary of the
  understanding gained through my work:
  ◦ I gained an understanding of the functioning of an internal audit system.
  ◦ Through the review of the BRS process, I was able to identify key transactions
    that are usually a part of the client’s business so as to help me differentiate
    anomaly transactions from ordinary transactions in the course of the business.
    We were thus able to identify that the client faces risk due to non
    standardization of the BRS review process which might lead to incorrect
    information being reflected in the MIS report(s).
  ◦ It gave me an insight as to how to look at a MIS report and correlate it to the
    General Ledger as well as the respective Ledger accounts.
  ◦ I understood how to analyse bank accounts and to calculate idle funds and also
    gained an understanding of how the same could affect the client organisation
    in terms of opportunity loss of interest.
  ◦ I also gained an understanding of the analysis to be performed on investments
    made by the client in terms of interest calculations.
  ◦ Through my review of the Insurance policies of the client, I learnt how to look
    at the nuances of contracts entered into and the method to identify even the
    smallest of non compliances as they could ultimately pose a huge risk to the
    client in terms of lack of insurance coverage (due to non compliance) in case
    of any untoward eventuality. We were able to identify that there exists a risk
    of financial loss to the client due to non compliance.
  ◦ This audit also gave me an overview of how to read the Ledger dump and to
    look for anomaly transactions.
  ◦ I was able to relate certain concepts that have been a part of my theoretical
    learning and have an understanding of how those concepts work in practicality
    through my work on this client. For instance, MIS reports of organisations
    were only discussed in theory but to actually get to analyse one was a great
    learning experience; analysis and tracing back of interest calculations for
    investments made by the company was also a concept that formed a part of our
    learning in financial accounting. Furthermore, it gave me an idea of AS 13:
    Accounting for Investments, all of which has broadened my exposure.
  ◦ Lastly, during the analysis of fixed deposits, we noticed that the client did not
    follow the practice of investing their excess funds in fixed or flexi deposits.
    This could lead to possible interest loss due to non investment of excess funds.

PROCEDURE OF AUDIT OF BOOK CLOSURE AND REPORTING:

As part of the book closure and reporting process, I had a limited role. The work I was
engaged in under this scope has been mentioned below:

• The process involved reading through the report prepared by Statutory auditors and
  identifying if there were any issues that needed to be further looked at and/or
  discussed.
• As part of this procedure, I analysed the General Ledger of the client organisation to
  look for any anomaly accounts that would require further clarifications from the client
  about their details. This proved to be very important as the issue of delay in
  capitalisation of assets was identified through this analysis. Due to confidentiality
  reasons, I will not be able to provide in-depth details of the workings and hence will
  be limiting myself to providing an overview of the issue.

LEARNINGS:

• While reading the audit report prepared by the statutory auditors, the biggest lesson I
  learnt was how to segregate the important and useful parts from the unimportant and
  irrelevant portions. Having limited time to skim through the large document made me
  work on intuition and calculated guesswork to identify potential risks, issues and
  disclosures.
• As part of the CWIP analysis, we were able to identify a huge gap which existed in
  the reporting process followed by the company. Through my analysis, I gained an
  understanding of the impact that capitalisation and depreciation accrued has both on
  assets as well as Work In Progress of the company. These were concepts that till then
  had remained only part of theory to me. This gave me a real time view of the multi
  dimensional effect it has on a company’s profit figures.

ISSUES IDENTIFIED AND BUSINESS IMPACT:

Given below is a general outline of the issues identified during the Internal Audit process
carried out for ABC Ltd.

• Lack of standardization in performance of monthly BRS reviews.
• Unreconciled items not being addressed in cash transactions due to non specification
  of SOP for the same.
• Possibility of financial loss in the case of theft / disaster not being compensated by the
  insurer due to terms of the insurance policy not being tailored to suit the client
  organisation’s specifications or requirements.
• Possibility of interest loss due to non investment of excess funds in fixed or flexible
  deposits.
• Absence of a formally documented policy for investment in Fixed Deposits.
• Possibility of interest loss to the client organisation due to not investing idle funds
  within reasonable timelines.
• There was a delay in capitalisation of assets with the delays ranging from 32 days to
  159 days. As a result of the delay in capitalisation, depreciation for that particular
  asset during that period would not be reflected correctly in the books. This would
  ultimately result in a possibility of understatement in the value of asset and
  depreciation in the preceding months as well as overstatement of profits in the
  preceding months’ MIS.

PROJECT 2: INTERNAL AUDIT OF FINANCE AND ACCOUNTS OF XYZ LTD.

The next project I was assigned to for the remaining period was the internal audit of another
client. As per the Non Disclosure policies and Confidentiality Agreements signed by me with
KPMG, this project will not contain client names or data or processes that are covered under
KPMG’s intellectual property rights. From here on, the client shall be referred to as XYZ Ltd.
XYZ Ltd. is engaged in the management of port(s).

OBJECTIVES:

The objective of the internal audit services extended to the client was to assist the client in
evaluating and testing the effectiveness of controls that are in place in the company. It was
conducted with a view to:

• Reviewing the adequacy and effectiveness of transaction controls.
• Monitoring adherence to defined policies and procedures.
• Reviewing adherence to specified statutory requirements agreed with Management.
• Surfacing significant observations and recommendations for process improvements.

SCOPE AND COVERAGE:

The areas selected for review under the scope of Internal Audit were:

• Revenue
• Fixed Assets Review
• Treasury and Cash management
• Follow up review of previous year report on the above areas.

METHODOLOGY:

An overview of the methodology in which the review was carried out is as follows:

• Fact finding through general understanding of the workflows along with discussions
  with the management and staff of ABC Ltd:
  ◦ We gained an understanding of the current environment in which the client
    operates which could probably impact its functioning. This was done on the
    initial day of audit along with client discussion wherein the scope of the audit
    was agreed upon.
  ◦ This was further followed by an introduction of the key personnel of the client
    who were to facilitate the audit process in terms of providing data and
    clarifications as and when required.

• Evaluation of risks and controls in place and identifying areas of weakness:
  ◦ The first step is to gain an understanding of the existing controls in place to
    mitigate operational and financial risks in the organisation.
  ◦ Next, the internal controls of the activities relating to the audit areas are
    reviewed to identify applicable operational risks that can threaten achievement
    of objectives.
  ◦ The next step is to select sample transactions for testing whether the controls
    are effective and functioning as they should.
  ◦ The findings are then categorised as follows:

Risk Rating   Nature of issue     Action Priority
High          Significant issue   Immediate. Corrective action to begin immediately.
Moderate      Reportable issue    Necessary. Corrective action to begin within three months.
Low           Observation         Recommended. Corrective action to be considered for implementation within six to twelve months.

  ◦ Further, as part of the analysis, the root cause for each finding is also classified
    so as to ensure a better understanding of the reasons for the lapses. The
    classification is as follows:
    ▪ Control gap: These refer to missing controls in the control process.
    ▪ Exceptions, lapses and non compliances: These refer to non adherence
      to defined policies and procedures.
    ▪ Control enhancements: These refer to cases where the design of
      controls can be redefined further for more effective controls in these
      activities.

PROCEDURE OF AUDIT:

In this audit, no particular area was assigned to me. Instead, I worked on the analysis of a mix
of areas to facilitate the completion of work. Mentioned below is an overview of my work:

• One of the processes allotted to me was the analysis of the financials (MIS report) of
  XYZ Ltd. This included performing an analysis along with discussions with and
  explanations sought from the client’s management.
• Cross checking the provisions made in order to verify if they are in line with AS 37
  (Provisions, Contingent Liabilities and Contingent Assets).
• Vouching and verification of TDS and PF with respect to due dates, payments and
  calculations.
• Review of process of BRS preparation and verification.

LEARNINGS:

• During the review of the MIS report, it was identified that there existed huge
  variances in the figures of Employee Benefit Expenses and also that there were
  certain multiple entries. Clarifications for the same were sought. Through this
  review, I understood that it is very important to look at the flow of funds through an
  organisation in order to be able to identify potential risks.
• It also gave me an understanding about AS 37 (Provisions, Contingent Liabilities and
  Contingent Assets) and taught me what to look for in a Balance Sheet with huge
  variances in amounts.
• This project also taught me the importance of team work and how a project is both an
  individual and collective responsibility and to efficiently achieve results working
  together is of utmost importance.

LIMITATIONS:

As per the non disclosure principles and confidentiality agreement at KPMG, this report will
not contain or disclose any actual client data or information and shall only present an
overview of the work carried out under various phases. Further, details of a lot of the analysis
performed shall also not be mentioned as it is also covered under the Intellectual Property
Rights of KPMG. This report therefore contains, to the extent possible, a fair view of the
work carried out by me as part of the GRCS team of KPMG, Chennai.

RECOMMENDATIONS:

Since my work largely involved projects (clients) allotted to me, all data and
recommendations made are covered under the Intellectual Property Rights of KPMG and
hence cannot form a part of this report.

CONCLUSION:

My work in the field of internal audit has exposed me to its importance and the role it plays
in helping an organisation achieve its objectives. Internal audits provide a number of
important services to company management including detection and prevention of fraud,
testing of internal control, and monitoring compliance with company policy and government
regulation. Also, a company that is medium or small-sized is probably more in need of a
strong risk mitigation system as it cannot afford to lose resources by way of fraud and theft.

All in all, internal audit serves as an early warning system allowing the organisation to
identify and remedy deficiencies on a timely basis. Thus, it increases accountability within
the organisation.
