Self-Assessment Checklist: Measuring Your Compliance with ICAI Standards on Internal Audit
This self-assessment checklist is designed to provide internal audit firms/IA Departments with a structured tool to evaluate their adherence to the ICAI Standards on Internal Audit. By methodically addressing each question and assigning a score, firms/IA Departments can gain a quantifiable understanding of their current compliance posture and identify specific areas requiring attention.
Instructions for Scoring and Interpretation
For each question, rate your firm’s/IA Department’s current practice on a scale of 1 to 5, based on the following criteria:
- 1 – Not Implemented/Poor: No formal process exists, or existing practices demonstrate significant deficiencies and non-compliance.
- 2 – Partially Implemented/Needs Significant Improvement: Some elements of the required practice are present, but they are inconsistent, ineffective, or lack formalization.
- 3 – Moderately Implemented/Good Progress: A formal process exists, but it requires refinement, more consistent application, or is not fully optimized.
- 4 – Substantially Implemented/Strong: A robust process is in place, consistently applied, with only minor areas identified for further enhancement.
- 5 – Fully Implemented/Excellent: The practice represents best practice, is fully integrated into the firm’s/IA Department’s operations, is highly effective, and could serve as a benchmark for others.
After rating all 20 questions, submit the assessment to review your total score out of a maximum of 100. This total score will then be used in the Assessment Matrix to interpret your firm’s/IA Department’s overall performance.
I. Introduction: Elevating Internal Audit Quality
The Imperative of ICAI Standards on Internal Audit
Internal audit, as defined by the Institute of Chartered Accountants of India (ICAI), provides independent assurance on the effectiveness of internal controls and risk management processes to enhance governance and achieve organisational objectives. For an internal audit firm/IA Department, adherence to these standards is not merely a compliance burden but a strategic differentiator that ensures the quality, credibility, and value of services delivered to clients. The ICAI Standards on Internal Audit (SIAs) represent a codification of best practices, providing a framework for activities, establishing performance benchmarks, and fostering improved organizational processes.
The landscape of internal auditing is continuously evolving, driven by increasing regulatory scrutiny, complex business environments, and a heightened demand for robust governance. In this dynamic context, a firm’s/IA Department’s commitment to established professional standards becomes a cornerstone of its reputation and a testament to its reliability. Compliance with ICAI SIAs signifies a dedication to excellence, offering clients assurance that their internal audit functions are managed with the utmost professionalism, rigor, and ethical integrity. This commitment translates directly into enhanced trust and a stronger market position for the internal audit firm.
Purpose of this Guide: Self-Assessment for Continuous Improvement
This guide is designed to assist internal audit firms/IA Departments in systematically evaluating their current practices against the robust framework and specific requirements set forth by ICAI. It aims to provide a practical self-assessment tool to identify strengths, pinpoint areas for development, and drive continuous improvement in audit quality and compliance. By undertaking a structured self-assessment, firms can proactively identify gaps, implement corrective measures, and strengthen their adherence to the comprehensive guidelines issued by the ICAI. This proactive stance not only mitigates compliance risks but also cultivates a culture of continuous learning and professional development within the firm, ultimately enhancing the value delivered to clients.
II. The Foundational Pillars: ICAI’s Framework and Basic Principles
Understanding the Framework Governing Internal Audits
The “Framework Governing Internal Audits” is an overarching document that outlines fundamental components essential for consistent application of principles, best practices, and standards, ensuring a high level of quality in internal audit engagements. This comprehensive framework is composed of several critical elements: the “Definition of Internal Audit,” four core components (Basic Principles of Internal Audit, Key Concepts, Standards on Internal Audit, and Guidance), and the foundational “Code of Ethics”. The framework’s primary objectives are to provide clarity on the key components governing internal audits, outline their inter-relationships, and specify how they are essential to conducting high-quality internal audits.
A critical aspect of this framework is its mandatory nature. All components, with the sole exception of Guidance, are mandatory. This stipulation highlights that the framework is not merely a collection of isolated rules but rather a systemic approach to ensuring quality and consistency across all internal audit activities. This mandates a holistic adherence to both the spirit and the letter of the standards, emphasizing that compliance is an integrated responsibility rather than a piecemeal effort.
The phased mandatory nature of the SIAs, initially for listed companies and subsequently for all other companies, indicates a deliberate strategy by the ICAI to foster a progressive maturation of internal audit practices across the profession. This phased implementation allows firms/IA Departments to gradually enhance their internal processes and capabilities. However, it also implies a universal expectation for adherence, meaning that firms serving a diverse client base must prepare to meet the highest standards of compliance, as the mandatory application will eventually extend broadly. This approach positions firms that proactively adopt all SIAs as leaders in the profession, demonstrating foresight and a commitment to future-ready practices.
Furthermore, the framework imposes a significant professional obligation regarding departures from standards. It explicitly mandates that if, for any reason, a member is unable to comply with SIA requirements or if a conflict arises with other mandates (e.g., regulatory requirements), the internal audit report “should draw attention to the material departures therefrom along with appropriate explanation”. This requirement extends beyond mere compliance; it is a clear directive for transparency and professional accountability. This places a high ethical burden on the internal auditor, requiring open acknowledgment of deviations even when full compliance is not feasible. For an internal audit firm/IA Department, this translates into a critical need for robust internal policies for identifying, documenting, and transparently reporting such departures, thereby preserving credibility and trust with stakeholders.
Adhering to Core Principles: Independence, Integrity, Due Care, and Competence
The “Basic Principles of Internal Audit” are fundamental to the function and activities of internal audit, establishing credibility and outlining essential elements for performance. Any departure from these principles must be appropriately disclosed in the internal audit report or similar communication.
Independence: The Internal Auditor must be free from any undue influences that could compel a deviation from the truth, maintaining independence not only in mind but also in appearance. This is reinforced by the internal audit function’s position within the organizational structure and its reporting lines, ideally to the Board of Directors or the Audit Committee, even if administrative reporting is to an executive officer. The internal audit function must be positioned outside the functions it audits (e.g., Finance and Accounts). While a limited advisory or operational role may be acceptable for a short duration with due approvals, the internal auditor must clearly communicate limitations, such as being unable to assume ownership or accountability of the process, or taking operational decisions that might later be subject to audit.
Integrity and Objectivity: Internal Auditors must embody honesty, truthfulness, and high integrity, operating in a professional and fair manner in all dealings. They must actively avoid all conflicts of interest and refrain from seeking any undue personal benefit or advantage from their position. The work must be conducted with utmost objectivity, particularly in the gathering and evaluation of facts and evidence, ensuring that prejudice or bias does not override conclusions or reporting opinions.
Due Professional Care: The Internal Auditor is required to exercise reasonable care and diligence to achieve planned objectives. This includes meticulous attention to establishing the engagement scope to prevent omissions, recognizing the risks and materiality of areas under review, possessing the necessary skills for complex matters, and determining the appropriate extent of testing within specified deadlines. It is important to note that “Due Professional Care” signifies a standard of diligence, not a guarantee of perfection. The principle explicitly states that it “neither implies nor guarantees infallibility, nor does it require the Internal Auditor to go beyond the established scope of the engagement”. This distinction is crucial, as it defines the boundaries of professional responsibility, emphasizing the need for meticulous scope definition and robust documentation of professional judgments.
Confidentiality: All information acquired during the course of the audit work must be maintained with utmost confidentiality. Disclosure is strictly on a “need to know basis” within the internal audit function, and confidential information must be kept secure. Any disclosure to third parties outside the company requires specific management or client approval, or must be mandated by a legal or professional responsibility (e.g., to Statutory Auditors). Internal audit reports must be addressed to specified internal auditees and distributed only as directed by those who appointed or engaged the Internal Auditor.
Skills and Competence: The Internal Auditor must possess sound knowledge, strong interpersonal skills, practical experience, professional expertise in relevant areas, and other competencies required to conduct a quality audit. They should only undertake assignments for which they have the requisite competence. If specific expertise is lacking, it must be acquired either through continuing professional education, leveraging in-house experts, or engaging outside experts, ensuring that independence is not compromised. The objective is to ensure that the audit team as a whole possesses all the necessary expertise and knowledge for the area under review.
Strategic Imperatives: Risk-Based Audit, System & Process Focus, and Stakeholder Sensitivity
Beyond the core ethical principles, the ICAI Standards introduce strategic imperatives that define the modern internal audit function, shifting its focus from mere compliance to value creation.
Risk-Based Audit: The Internal Auditor must identify important audit areas through a comprehensive risk assessment exercise. Audit activities should be tailored to prioritize and conduct detailed procedures on high-risk areas and issues, while dedicating less time to low-risk areas through curtailed procedures. This approach ensures that risks under consideration are aligned with the overall strategic and company objectives, moving beyond a narrow focus on process objectives. It aims to limit audit procedures to important controls, establish a clear link to company and functional objectives, and highlight only significant findings. This emphasis signifies a strategic evolution of internal audit, moving beyond a purely reactive, compliance-driven service model to one that actively contributes to risk mitigation and organizational efficiency.
Systems and Process Focus: An internal auditor is mandated to adopt a system and process-focused methodology, which is considered more sustainable than simply testing transactions and balances. This approach extends beyond “error detection” to include “error prevention” by requiring root cause analysis on deviations to identify opportunities for system improvement or automation. This strengthens the process and helps prevent the repetition of errors. Understanding the deployment of Information Technology (IT) by companies is crucial for effective internal audits, as this methodology helps the Internal Auditor shift focus from “people to process” and from “detection to prevention”. For an internal audit firm/IA Department, this means cultivating expertise in risk management frameworks, process re-engineering, and IT systems to truly add value. This also necessitates a shift in how audit findings are framed – from mere deficiencies to opportunities for strategic improvement.
Participation in Decision Making (Advisory Role): In conducting internal audit assignments, the Internal Auditor must avoid passing any judgment or rendering an opinion on past management decisions. As part of an advisory role, the Internal Auditor should also avoid participation in operational decision-making that may be subject to a subsequent audit. The focus remains on strengthening the decision-making process itself to minimize the chance of flawed or erroneous decisions, while still being at liberty to present lessons learned from past decisions.
Sensitive to Multiple Stakeholder Interests: The Internal Auditor is required to evaluate the implications of observations and recommendations on multiple stakeholders, especially where diverse interests may be conflicting in nature. In such situations, the Internal Auditor must remain objective and present a balanced view. This approach enables senior management to make decisions using comprehensive information and to balance the strategy and objectives of the company with the expectations and interests of its multiple stakeholders.
The Mandate for Quality and Continuous Improvement
The ICAI Standards place a significant emphasis on the quality of internal audit work, recognizing its paramount importance for the credibility of audit reports and the reliability of reported findings.
Quality and Continuous Improvement: A robust quality control process must be in place to ensure the factual accuracy of observations, to validate the accuracy of all findings, and to continuously improve the internal audit process and the internal audit reports. This commitment to excellence is fundamental to maintaining the integrity and trustworthiness of the internal audit function.
Self-Assessment and Peer Review: To uphold this mandate, the Internal Auditor must ensure that a self-assessment mechanism is in place to monitor their own performance and that of their subordinates and any external experts on whom they rely to complete parts of the audit work. Furthermore, a peer review mechanism for quality control should be consistently followed to adhere to all pronouncements issued by the ICAI. The explicit inclusion of “Quality and Continuous Improvement,” “Self-Assessment,” and “Peer Review” within the foundational principles, further reinforced by SIA 7, demonstrates ICAI’s clear intent for internal audit to operate as a self-regulating profession. This emphasis is not merely about external oversight but fundamentally about an internal commitment to excellence. For an internal audit firm/IA Department, this translates into a non-negotiable requirement to embed a robust internal quality assurance (QA) program. Such a program should encompass regular internal reviews, a structured feedback mechanism from clients, and a commitment to periodic external peer reviews. This dedication to self-regulation significantly enhances the firm’s reputation and market standing, serving as a powerful differentiator in the professional services landscape.
III. Operationalizing Compliance: Key Standards for Your Firm/IA Department
The ICAI Standards on Internal Audit (SIAs) provide detailed requirements across various facets of internal audit work, from managing the function to executing specific engagements and addressing specialized areas. Adherence to these specific SIAs is crucial for operationalizing the foundational principles discussed earlier.
A. Managing the Internal Audit Function (200 Series SIAs)
The 200 series of SIAs focuses on the effective management and oversight of the internal audit function itself, ensuring it is structured and operates in a manner conducive to high-quality audits.
SIA 210: Managing the Internal Audit Function
This standard outlines the responsibilities of the Chief Internal Auditor (or the designated person) in overseeing and managing the overall internal audit activities to achieve its objectives. The Chief Internal Auditor bears the overall responsibility for ensuring the achievement of the internal audit function’s objectives through a well-documented internal audit process. This process should be articulated in a comprehensive internal audit manual, serving as a reference for staff on how each audit assignment is to be undertaken, including inputs, steps, milestones, and desired outputs.
A resourcing plan must be prepared to ensure that the internal audit function possesses the necessary professional skills, either internally or acquired externally, and that these resources are effectively deployed across all internal audit assignments. This plan should map skill requirements to available capabilities and address any gaps through proper talent deployment, performance evaluation, and continuous professional development. Furthermore, internal audit assignments must be executed according to the documented process, with adequate review, monitoring, and supervision to achieve planned objectives. A formal quality evaluation and improvement program, designed in line with ICAI pronouncements and SIAs, must be in place to ensure that all internal audit activities conform to established standards. This emphasis on documented processes and formal quality programs is critical for institutionalizing quality within the audit practice, reducing reliance on individual expertise and ensuring consistent quality across all engagements and personnel.
SIA 220: Conducting Overall Internal Audit Planning
This standard covers the preparation of an overall internal audit plan for the entire entity for a given period (usually a year), which is then presented to the highest governing body responsible for internal audits, typically the Board of Directors or the Audit Committee. This planning exercise is undertaken prior to the start of the plan period, is comprehensive in nature covering the entire entity, and is directional, considering all Auditable Units (locations, functions, business units, legal entities, and relevant third parties) along with their periodicity.
The objectives of this overall plan include ensuring alignment with the internal audit function’s objectives (as per the internal audit charter or engagement terms) and the organization’s overall objectives. It also aims to align the organization’s risk assessment with the effectiveness of implemented internal controls, confirm the broad scope, methodology, and depth of coverage with those charged with governance, and ensure adequate, skilled resources are deployed effectively in areas of importance, complexity, and sensitivity. A key requirement is the preparation of an “Audit Universe” – a complete identification of all conceivable Auditable Units – prior to establishing the scope. This Audit Universe serves as a foundational tool to ensure that no significant area of the client’s operations or risks is overlooked during planning. By consciously excluding units for justifiable reasons, such as low risk, the firm/IA Department demonstrates a deliberate, risk-informed approach, which is crucial for comprehensive planning, resource allocation, and defending against claims of inadequate coverage. The plan must be continuously monitored during execution, with significant modifications formally documented and communicated to approving authorities.
SIA 230: Objectives of Internal Audit
This standard defines the objectives of internal audit, which vary based on entity size, structure, complexity, laws, regulations, and management requirements, but are generally consistent with the overall definition of “Internal Audit”. The objectives are formally documented in either an Internal Audit Charter (primarily for in-house teams) or an Engagement Letter (for outsourced services). These documents define the mission, purpose, objectives, reporting structure, independence, scope, approach, accountability, authority, roles, responsibilities, and quality assurance mechanisms.
The Chief of Internal Audit (or Engagement Partner for fully outsourced functions) is responsible for ensuring these documents are in place, reviewed, and approved by those charged with governance. The IA Charter or Engagement Letter is more than a mere formality; it serves as an explicit “contract of value,” clarifying what the firm/IA Department is expected to deliver and how it will operate. Meticulously drafting and agreeing upon these documents with clients, especially with those charged with governance, is paramount. It sets clear expectations, helps manage potential scope creep, and protects the firm’s independence and professional standing, transforming the service from a generic offering to a tailored, agreed-upon value proposition.
SIA 240: Using the Work of an Expert
This standard addresses situations where the Chief of Internal Audit seeks assistance and places reliance on the work of an Expert for specific audit procedures covering complex or specialized areas where internal skills are lacking. An Expert is defined as a person or entity possessing special skills or unique knowledge and experience in a particular area.
The Internal Auditor must make an independent determination of the need for an expert based on the technicality, complexity, risk assessment, and materiality of the subject matter, and a comparison of internal expertise with required expertise. The Internal Auditor must have the authority to select and engage the expert; if management appoints the expert, the Internal Auditor must validate the expert’s independence and objectivity. A thorough evaluation of the expert’s qualifications and credentials is required. Crucially, if the expert’s findings are to be incorporated into the assurance report, the Internal Auditor must participate in defining the scope, approach, and work to be conducted by the expert, and subsequently evaluate the work performed to ensure it constitutes appropriate and reliable evidence. The Internal Auditor retains ultimate responsibility for internal audit conclusions and opinions and should generally not refer to the expert’s work in the Internal Audit Report, unless specifically mandated by the Assurance User. This requirement to retain ultimate responsibility, even when leveraging specialized expertise, underscores the internal audit firm’s/IA Department’s core accountability and the need for robust oversight of all outsourced work.
SIA 250: Communication with Those Charged with Governance
This standard mandates effective two-way communication between the Internal Auditor and “those charged with governance” (TCWG) on a periodic basis to ensure the achievement of objectives. TCWG refers to the individual or body responsible for overseeing the strategic direction and accountability of the organization.
The communication must be independent, objective, effective, and timely, established through a formal, pre-agreed communication process with TCWG. This process should outline the form, content, manner, protocol, timelines, and periodicity of communication. Essential matters for communication include the annual internal audit plan, outcomes of risk assessments, significant observations with corrective action plans, status updates on the internal audit department’s functioning, monitoring of prior audit issues, and any other matters mandated by SIAs or regulations. The standard emphasizes the internal auditor’s role as a strategic information conduit for governance. By mandating communication of the overall audit plan, risk assessment outcomes, and the IA department’s operational status, SIA 250 positions internal audit as a key contributor to strategic oversight and decision-making at the highest levels. This requires internal audit firms/IA Departments to develop sophisticated communication strategies and reporting formats that go beyond mere compliance, enhancing their perceived value and influence within the client organization.
B. Executing Audit Engagements (300-400 Series SIAs)
This series of SIAs provides detailed guidance on the practical execution of individual internal audit assignments, from planning to reporting and follow-up.
SIA 310: Planning the Internal Audit Assignment
This standard covers the second level of internal audit planning, focusing on specific internal audit assignments for a particular part of the entity, known as an “Auditable Unit”. This assignment-level planning is a sub-set of the overall internal audit plan (covered by SIA 220) and is undertaken before commencing a specific audit.
The planning exercise must follow a laid-down process, resulting in a comprehensive written document that includes essential elements like technology deployment and resource allocation. The plan must be reviewed and approved by the Chief Internal Auditor or Engagement Partner. A comprehensive understanding of the Auditable Unit’s business and operating environment is crucial to determine audit procedures, supplemented by discussions with management and process owners. The Internal Auditor must also exchange relevant information with the Statutory Auditor to coordinate work. A risk-based planning exercise is fundamental, prioritizing high-risk areas and processes, with due attention to importance, complexity, and sensitivity. An audit methodology, detailing the depth and nature of procedures, must be established and documented in an Internal Audit Programme (IAP). The standard highlights that audit methodology can be expanded beyond basic compliance to include process reviews, risk-based process reviews, and entity-level control reviews, indicating a tailored approach based on risk and desired value. This allows firms/IA Departments to offer differentiated services and provide deeper insights into process efficiency and control design. Key elements of the plan must be communicated to the auditee and other stakeholders before the audit begins to ensure smooth conduct. The plan must be continuously monitored during execution, and any major modifications formally documented and communicated to approving authorities.
SIA 320: Internal Audit Evidence
This standard defines “Internal Audit Evidence” as all the information used by the Internal Auditor to form conclusions and base opinions. Gathering appropriate and reliable audit evidence is a critical part of the internal audit process.
The Internal Auditor must obtain sufficient and appropriate audit evidence that forms a reliable basis for audit findings and conclusions. Evidence collected must be complementary and relevant to the objectives of the audit procedure. The standard explicitly distinguishes between “sufficiency” (quantity of evidence) and “appropriateness” (quality, relevance, and reliability). This dual emphasis is critical, as an abundance of irrelevant or unreliable evidence is as problematic as insufficient evidence, necessitating a balance. Evidence must be obtained from reliable sources, and consistency between various pieces of evidence is crucial. All audit evidence collected must be recorded, and the internal audit function must maintain a written process explaining how evidence is to be gathered, reviewed, documented, and stored in conformance with quality standards and SIAs. This requirement for a written process institutionalizes consistency and defensibility of audit findings, serving as a cornerstone for audit quality.
SIA 330: Internal Audit Documentation
“Internal Audit Documentation” refers to the written record (electronic or otherwise) of internal audit procedures performed, relevant audit evidence obtained, and conclusions reached. The Internal Auditor is expected to record and collate all evidence in the form of complete and sufficient audit documentation.
The objectives of preparing such documentation are to validate audit findings, support observations, aid in supervision and review, and establish conformance with ICAI pronouncements. The overall objective is to enable the internal auditor to form an opinion on the assignment’s outcome, with documentation standing independently without requiring further clarification. The internal auditor must record the nature, timing, and extent of all activities and procedures in reproducible documents. Documentation must be complete and sufficient to support analysis, findings, observations, and reports, clearly stating the purpose, source of evidence, outcome, and identifying the performer and reviewer. A written process for documentation preparation, review, storage, and discarding is required to ensure quality and conformance to SIAs. Work paper files must be completed before the final internal audit report is issued, with any pending administrative matters closed within sixty days of the report’s release. This 60-day rule promotes efficiency and ensures that audit files are finalized while the engagement is still fresh, reducing the risk of incomplete or inaccurate records. The ownership and custody of internal audit work papers remain with the Internal Auditor; for outsourced work where reliance is placed, ownership should be assumed, or adequate access provisions must be in place. This ownership is critical for professional independence and accountability, as documentation serves as the auditor’s primary defense.
SIA 350: Review and Supervision of Audit Assignments
This standard addresses the Internal Auditor’s responsibility to conduct due review and supervision of internal audit assignments to ensure their effective performance and completion. “Review” refers to the post-completion examination of audit plans, procedures, evidence, and conclusions, while “Supervision” refers to the ongoing oversight and guidance of audit activities.
The Chief Internal Auditor (or Engagement Partner) holds overall responsibility for the review and supervision of all internal audit activities, ensuring that collected evidence is sufficient and reliable. All documentation must undergo at least one level of review. The periodicity and extent of review should be planned and documented at the audit planning stage, considering audit objectives, staff proficiency, time, and budget constraints. A review of workpapers must ensure their sufficiency and appropriateness, allowing the reviewer to arrive at the same conclusions as the audit staff. This emphasis on the reviewer reaching the “same conclusions” ensures consistency and robustness of audit findings, forming a multi-layered assurance system within the firm/IA Department. The documentation must record evidence of supervision and review. The internal audit function must maintain a written process explaining how review and supervision will be performed to ensure conformance to quality standards.
SIA 360: Communication with Management
This standard emphasizes the necessity of effective two-way communication between the Internal Auditor and management throughout the internal audit process. “Communication” refers to any information exchange, whether written or verbal, and “Management” refers to persons with executive responsibility for the company’s operations.
The objectives of this communication are to establish clarity and consensus regarding the audit’s scope, approach, objectives, and timing, and to facilitate continuous dialogue and free information flow to inform, persuade, and prompt action on important matters. It also aims to resolve conflicts in a timely manner. The Internal Auditor must establish a written communication process and protocol with management, which is shared and agreed upon. This process documentation should outline the modes, channels, periodicity, and timelines for communication, and cover essential information. Crucially, any verbal communication concerning essential matters should subsequently be confirmed in writing and maintained as audit documentation. The Chief Internal Auditor (or Engagement Partner), or their designate, must actively resolve conflicts through timely communication. Effective communication is a direct driver of audit efficiency and the acceptance of recommendations, professionalizing stakeholder engagement.
SIA 370: Reporting Results
This standard deals with the Internal Auditor’s responsibility to issue Internal Audit Reports pertaining to specific audit assignments, highlighting key observations. Reporting is generally undertaken in two stages: specific assignment reports (covered by this SIA) and periodic comprehensive reports for the entire entity (not covered). This SIA does not cover formal assurance opinions (refer to SIA 110 and SIA 380).
The objectives of issuing these reports are to share significant findings with the auditee, enable management to take methodical corrective actions, and provide a sound basis for any assurance provided. The overall objective is to highlight the effectiveness of internal controls and risk management processes to enhance governance. Based on completed audit work, the Internal Auditor must issue a clear, well-documented Internal Audit Report. Key elements include an overview of objectives, scope, and approach; a statement that the audit was conducted in accordance with ICAI Standards; an executive summary of key observations; a summary of required or agreed corrective actions; and the nature of assurance, if any. The nature of assurance must align with SIA 110 and be pre-agreed with the auditee. The content and form are determined by professional judgment in consultation with the auditee and stakeholders, but a written draft must be shared with the auditee before the final report is issued. The report must be issued within a reasonable timeframe from the completion of audit work. The requirement for “agreed corrective actions” transforms the audit report from a mere list of problems into a roadmap for improvement, directly linking findings to tangible organizational enhancements.
SIA 390: Monitoring and Reporting of Prior Audit Issues
This standard addresses the Internal Auditor’s responsibility in monitoring and reporting on prior audit issues, typically through an “Action Taken Report (ATR)”. “Monitoring and Reporting” refers to the periodic tracking of issues raised during prior audits, evaluating corrective actions undertaken by the auditee, and reporting open/pending matters to management and those charged with governance.
The specific objectives are to ensure proper monitoring and closure of open issues, independent validation of corrective actions, escalation of concerns for delays, and timely reporting of status to those charged with governance. The overall objective is to ensure that the auditee mitigates identified risks through timely corrective actions or consciously accepts them. The Chief Internal Auditor is responsible for continuously monitoring the closure of prior audit issues via a formal, pre-agreed monitoring process, while the responsibility for implementation remains with management. After receiving confirmation from the auditee, additional audit procedures must be performed to confirm adequate addressing of issues, with sufficient evidence and documentation maintained. In cases of delays or ineffective implementation, the Internal Auditor must escalate concerns to appropriate management levels. If new facts justify delays, a new time-bound action plan may be agreed, or the issue deferred. The internal auditor must periodically report the status of prior issues (ATR) to management and the Audit Committee, including confirmation of closure, ageing of pending issues, and reasons for delays. This standard establishes a crucial accountability loop, ensuring that audit findings translate into tangible risk mitigation and organizational improvement, thereby demonstrating the direct value of internal audit.
C. Specialized Audit Considerations (500 Series SIAs)
As businesses become more complex and technologically driven, internal audit must also adapt. The 500 series addresses specialized areas requiring distinct considerations.
SIA 520: Internal Auditing in an Information Technology Environment
This standard deals with the Internal Auditor’s responsibility to conduct internal audits in an Information Technology (IT) environment (ITE), where information is captured, stored, and processed through automated means. While overall audit objectives remain consistent, the unique nature of IT risks and controls impacts the audit approach.
The Internal Auditor must gain a thorough understanding of business operations and the corresponding ITE to perform an independent IT risk assessment and identify necessary controls before commencing IT audit activities. A crucial requirement is that the Internal Auditor must possess or acquire the requisite qualifications, skillsets, and experience to perform IT audits, including specialized skills in IT governance, Application Controls, Infrastructure reviews, IT Cyber Security, and Data Privacy regulation. This is a strong signal that traditional audit skills alone are insufficient in today’s digital landscape, necessitating a strategic imperative for firms/IA Departments to invest heavily in developing IT audit capabilities. Planning involves assessing the ITE to define the IT audit scope, identify relevant internal controls, and base the nature, extent, and timing of procedures on an appropriate risk assessment. During execution, the Internal Auditor must test the design, implementation, and operating effectiveness of relevant IT controls to identify gaps, deficiencies, or violations. All activities, from understanding the ITE to planning, testing, and reporting, must be documented in accordance with SIA 330. The outcome of audit procedures and action plans to address deficiencies must be shared with process owners, and the final conclusion documented.
SIA 530: Third Party Service Provider
This standard deals with the responsibility of the Internal Auditor and management regarding risks arising from situations where parts of the entity’s business operations, processes, and information reside with Third-Party Service Providers (TPSPs). These TPSPs are external outsourced service providers to whom business functions, operations, or information processing are outsourced.
The Internal Auditor must study and evaluate the scope of TPSP services, and the client’s governance and oversight processes for managing TPSP risks, particularly those related to direct access and control over critical information. This signifies that the internal audit firm’s/IA Department’s responsibility extends beyond the client’s direct operations to the risks inherent in their supply chain and outsourced functions. A review of both pre-engagement and post-engagement due diligence undertaken by the client is required, including an assessment of the TPSP’s control environment. A periodic independent risk assessment of each third-party arrangement must be conducted by management and reviewed by the Internal Auditor to ensure adequate mitigation steps and effective control activities. The Internal Auditor must conduct an independent audit of the TPSP where permissible, covering entity-level controls, IT controls, and process controls, in compliance with SIAs (especially SIA 520). If the Internal Auditor does not perform an independent audit but obtains Third-Party Audit and Assurance (TPAA) reports, the review of these reports must be undertaken in compliance with SIA 240, “Using the Work of an Expert”. This reliance on SIA 240 for TPAA reports highlights the interconnectedness of ICAI standards and the need for a comprehensive understanding of how different SIAs apply in complex scenarios.
D. Cross-Cutting Quality and Risk Management (Older/Recommendatory SIAs)
While some SIAs are newer and mandatory, older ones, though currently recommendatory, provide crucial guidance on cross-cutting themes like quality assurance and specific risk areas. Their eventual mandatory status underscores their importance.
SIA 7: Quality Assurance in Internal Audit
This standard is paramount for assessing the quality of internal audit work, directly addressing the question of how to assess whether your internal audit work is as per the Standards. It establishes standards and provides guidance regarding quality assurance in internal audit, aiming to provide reasonable assurance that internal auditors comply with professional standards and with regulatory and legal requirements, ensuring reports are appropriate.
A designated person within the organization must be entrusted with responsibility for quality in internal audit, regardless of whether it’s in-house or outsourced. This quality assurance system should include policies and procedures for leadership responsibilities, ethical requirements, acceptance and continuance of engagements, human resources (capabilities and competence), engagement performance, and continuous monitoring. The quality assurance framework should be embedded through an internal audit manual, appropriately trained and supervised staff, identification of internal audit “customers,” a formal feedback process from users (with responses shared with management/TCWG), established performance criteria (including in external contracts), and benchmarking against industry/peer group performance. This comprehensive QA framework, including client feedback and benchmarking, not only ensures compliance but also serves as a competitive advantage, building trust and differentiating the firm in the market. Internal quality reviews must be ongoing, conducted by the designated quality person or experienced staff, with recommendations promptly implemented and results communicated to management/TCWG. External quality reviews are critical and should occur at least once every three years, conducted by a professionally qualified person appointed in consultation with key stakeholders. The external reviewer’s findings and an action plan to address them must be discussed and submitted to the quality person and TCWG.
SIA 11: Consideration of Fraud in an Internal Audit
This standard defines fraud as an intentional act involving deception to obtain unjust advantage, which can manifest as misstatement of information or misappropriation of assets. While the primary responsibility for fraud prevention and detection rests with management and those charged with governance through an effective internal control system, the internal auditor plays a crucial role in supporting this responsibility.
The internal auditor must use their knowledge and skills to reasonably identify indicators of fraud, exercising reasonable care and professional skepticism. This involves understanding the design and implementation of internal controls to assess fraud risk. The internal auditor’s responsibilities include understanding and evaluating the operating effectiveness of the control environment, assessing management’s fraud risk assessment process, evaluating information systems and communication channels related to fraud (e.g., whistleblower policies), assessing the effectiveness of control activities designed for fraud prevention/detection, and evaluating monitoring mechanisms. Any actual or suspected fraud or misappropriation of assets must be immediately brought to the attention of management. All identified fraud risk factors, the internal auditor’s response, and any additional procedures undertaken must be thoroughly documented. This standard positions the internal auditor as a key player in proactive fraud deterrence by strengthening the control environment, requiring the integration of fraud risk considerations into every audit engagement.
SIA 5: Sampling
This standard establishes guidelines for the design and selection of an audit sample and provides guidance on the use and evaluation of audit sampling in internal audit engagements. It applies equally to both statistical and non-statistical sampling methods, both of which, when properly applied, can provide sufficient appropriate audit evidence.
When using sampling, the internal auditor must design and select a sample, perform audit procedures, and evaluate results to obtain sufficient appropriate audit evidence. Key definitions include “audit sampling” (applying procedures to less than 100% of items to draw conclusions), “error” (control deviations or misstatements), “population,” “sampling risk,” “sampling unit,” “statistical sampling,” and “tolerable error”. Sampling is appropriate for tests of controls when the control leaves audit evidence of performance. When designing a sample, the internal auditor must consider specific audit objectives, the population (ensuring it is appropriate and complete), and the sample size. Stratification may be used for efficiency. Sample size is influenced by sampling risk, tolerable error, and expected error. The choice between statistical and non-statistical approaches is a matter of professional judgment. After performing procedures, the internal auditor must analyze the nature and cause of errors, project errors to the population, reassess sampling risk, and consider the effect on audit objectives. The emphasis on professional judgment even within statistical methods highlights the blend of art and science in auditing, requiring staff training in both methodologies and critical thinking for sample design and evaluation.
SIA 6: Analytical Procedures
This standard establishes guidelines on the application of analytical procedures during an internal audit. Analytical procedures involve the analysis of significant ratios and trends, including the investigation of fluctuations and relationships in both financial and non-financial data that are inconsistent with other relevant information or deviate significantly from predicted amounts.
Internal auditors should apply analytical procedures as risk assessment procedures during the planning and overall review stages of the internal audit. These procedures can also be applied as substantive procedures or to evaluate the efficiency of various business/management systems. Analytical procedures involve comparing the entity’s information with prior periods, anticipated results (budgets, forecasts), auditor’s predictive estimates, or similar industry information. They also consider relationships among financial elements or between financial and non-financial information. The extent of reliance on analytical procedures depends on factors such as the significance of items, other audit procedures, accuracy of predictions, and assessments of inherent and control risks. When analytical procedures identify significant inconsistencies or deviations, the internal auditor must investigate, obtain adequate explanations, and gather appropriate corroborative evidence, starting with inquiries of management. This positions analytical procedures as a crucial “top-down” approach to risk identification, allowing the auditor to efficiently spot anomalies that warrant deeper investigation and optimize audit resources.
SIA 18: Related Parties
This standard provides guidance on the procedures to be followed by the internal auditor to ensure that related party activities are properly captured through internal controls, and that related party activities are consistent with the entity’s code of conduct, conflict of interest policy, applicable laws, regulations, and disclosure requirements. Management holds the primary responsibility for identifying, accounting for, and disclosing related parties and their transactions.
The internal auditor’s role involves assessing management’s implementation of controls over related party information and informing management of any detected deficiencies. The standard defines “Related Party,” “Control,” “Significant Influence,” and “Relative”. It notes that related party transactions involve the transfer of resources, services, or obligations, regardless of price, and may not always be conducted under normal market terms, potentially indicating underlying issues like financial distress or earnings pressure. This requires the internal auditor to adopt a quasi-forensic mindset, looking beyond the surface to uncover potential hidden relationships or motivations. Internal audit procedures include obtaining information on related party identities, relationships, and transactions; understanding the nature and extent of these; and inspecting documents (e.g., bank confirmations, minutes, tax returns, contracts, conflict of interest statements) for undisclosed parties or unusual transactions. If significant transactions outside the normal course of business are identified, the internal auditor must inspect underlying contracts, evaluate their rationale (especially for potential fraudulent financial reporting or misappropriation), ensure terms are consistent with explanations, and verify GAAP compliance and authorization. Sufficient appropriate audit evidence must be obtained regarding management’s assertion that a transaction was conducted on arm’s length terms. Significant matters concerning related parties must be communicated to those charged with governance. This standard highlights a specific high-risk area prone to management override and non-arm’s length transactions, emphasizing the interplay between financial reporting and operational controls.
Conclusion: A Commitment to Excellence in Internal Audit Practice
Adherence to the Internal Audit Standards issued by the ICAI is more than a regulatory obligation; it is a fundamental commitment to delivering high-quality, credible, and value-added internal audit services. The comprehensive framework, encompassing core principles and detailed operational standards, provides a robust blueprint for professional practice. By systematically assessing its work against these standards, an internal audit firm can proactively identify areas for enhancement, drive continuous improvement, and reinforce its position as a trusted advisor to its clients.
The journey towards full compliance and sustained excellence is continuous, requiring dedication, investment in professional development, and a culture that champions quality at every level. Embracing this self-assessment guide and integrating its principles into the firm’s operational fabric will not only ensure adherence to ICAI pronouncements but also elevate the firm’s reputation, foster client trust, and contribute significantly to the broader integrity of the internal audit profession in India.