INTERNAL AUDITING PRACTICES IN INDIA
January 2015
A Survey of Internal Auditing Practices in leading Companies of India
THE INSTITUTE OF COST ACCOUNTANTS OF INDIA
Head Office: CMA Bhawan, 12, Sudder Street, Kolkata- 700016 | New Delhi Office: CMA Bhawan, 3, Institutional Area, Lodhi Road, New Delhi- 110003
Executive Summary
Evolution of Internal Audit
It has been long since ‘Internal Audit’ was introduced in India by some enlightened
companies. Recognizing its worth in achieving independent review of financial data and
controls within the organizations, internal audit was first made mandatory for a
particular set of companies vide the Manufacturing and Other Companies (Auditor
Report) Order, (MAOCARO, 1975). MAOCARO, 1975 required the auditor to certify
whether the company has an internal audit system commensurate with its size and the nature
of its business, and also whether there is an adequate internal control procedure
commensurate with the size of the company and the nature of its business, for the
purchase of stores, raw materials including components, plant and machinery, equipment
and other assets, and for the sale of goods.
At that time, internal audit was thought to be subservient to statutory auditors having
prime focus on the audit and finance function and internal controls. The focus of
internal audit was to continuously audit financial records to provide an assurance to the
statutory auditors and the management that the financial controls are adequate and
operating effectively. The statutory auditor, who is external to the company, used to rely
on the assertions of the internal auditor.
Time and again, with MAOCARO, 1988 and CARO 2003, the need for internal audit
was emphasized and focused. Section 581ZF of the Companies (Amendment) Act, 2002
also stipulated that ‘Every Producer Company shall have internal audit of its accounts
carried out, at such interval and in such manner as may be specified in articles, by a
chartered accountant’. We conjecture that certification by the statutory financial auditor
has led to the belief that internal audit is a separate vertical within the finance and
accounting function. Even today, in around 23 percent of companies, the Chief Internal
Auditor (CIA) administratively reports to the CFO or the senior most authority in the
finance department.
Internal Audit- Current Status
However, post CARO, 2003 and with the evolution of the internal audit in other
advanced economies of the world, the scope of internal audit in India too evolved. The
scope of the Internal Audit was enhanced on the premise that ‘Internal Audit is a
management tool that can help the organizations and its top management to evaluate
and improve upon the operational, procedural, managerial and governance aspects of
the organization; that also provides consultancy and advisory on areas of strategic
importance to the business’. The worth of internal audit in improving the overall
performance of a company was being acknowledged.
In India, the government acknowledged internal audit as an independent function that
has the potential to support good governance. Section 138 of the Companies Act 2013
requires certain classes of companies to appoint an internal auditor to conduct internal
audit of the functions and activities of the company. Section 134 (5) (e) of the Act gives
the definition of the term internal financial controls, reporting on which is a part of the
Director’s Responsibility Statement. As per the Clause, the term ‘internal financial
controls’ means the policies and procedures adopted by the company for ensuring the
orderly and efficient conduct of its business, including adherence to company’s policies, the
safeguarding of its assets, the prevention and detection of frauds and errors, the accuracy
and completeness of the accounting records, and the timely preparation of reliable
financial information. Safeguarding of assets is not limited to safeguarding assets from
fraud or pilferage. The board of directors is responsible for safeguarding the assets from use
other than for creating shareholder value.
The directors without the support of an independent review cannot certify the
adequacy of financial controls. Therefore, they depend on the report of the internal
auditor. Similarly, the Companies Act requires independent directors to bring
independent judgement to bear on the Board’s deliberations especially on issues of
strategy, performance, risk management, key appointments and standards of conduct.
Independent directors have to depend upon the independent review by internal audit to
discharge those responsibilities.
And thus, in a way, the Companies Act 2013 has broadened the scope of internal audit to
include all important areas of a company’s operations.
However, the scope of internal audit is still not well-defined. Companies at different
internal audit maturity levels define audit scope differently. Countries that are at an
advanced stage of adoption of the concept have moved their focus to risk-based
internal audit, moving on from the era where the focus was on financial audit, then on
operational audit and then on management audit.
This study is an attempt to identify the current state of the internal audit function,
particularly in leading companies of India and to highlight its evolution (over the past
years) and its need for further development in the coming years.
Some of the key findings from this study are listed below. The survey results are
based upon the responses of 94 companies to the Questionnaire developed for the
survey. Out of the 94 companies, only 14 are public sector enterprises (PSEs) and 1 is a
large co-operative society (Gujarat Co-operative Milk Marketing Federation Ltd., having
an annual turnover of Rs. 18,143 crores for the year 2013-14).
Survey Findings
Section A: The Descriptives
1. 79 percent of the respondent companies had an annual turnover of more than
1000 crores. Thus, the survey has primarily captured internal audit practices in
large companies.
2. There is almost an equal divide between the number of companies that have
partly/ completely outsourced their Internal Audit functions and the ones that
have an internal audit department.
Chartered Accountant firms are the most preferred outside agency for those that
have outsourced the function. This may be primarily due to the fact that the
Companies Act, 1956 mentioned that the internal audit should be carried out by
the specified companies by chartered accountants only. Section 138 (1) of the new
Companies Act 2013, however, specifies that an internal auditor may be a
chartered accountant, or a cost accountant or such other professional as may be
decided by the Board of the company. Presumably, law makers appreciate that the
scope of internal audit has shifted from audit of finance records to the broad spectrum
of corporate governance.
3. Although the Internal Audit literature suggests that the internal audit team should
have an appropriate mix of knowledge, skills and other competencies needed to
perform the audit plan, the survey results show that Internal Audit teams are
significantly dominated by professional accountants and finance professionals.
This might lead to the conclusion that in India internal audit is yet to come out
from the image of a younger cousin of financial audit. It cannot be overemphasized
that in a complex business environment, audit of functions and processes requires
deep understanding of the business model and the business environment.
4. An average team composition for the internal audit function, drawn from the
survey results, would include:
• 65 percent professional accountants,
• 17 percent ‘Other Finance Professionals’,
• 8 percent ‘Non- Finance Professionals’
• 8 percent ‘Graduate Engineers’, and
• 2 percent (Negligible) ‘Other Technical Staff’
5. It is worth noting that although organizations appreciate internal audit has to play
roles beyond supporting statutory financial audit, they are yet to reconstitute their
audit team. It is still predominantly a team of accounting and finance professionals.
6. Another interesting finding from the survey is that although the companies at
present do not have multi-disciplinary teams in their Internal Audit function,
they lay emphasis on building capabilities amongst the team members by rotating
them across other line functions. Companies also provide them adequate training.
On average companies spend 31.45 hours (approximately, 5-6 days) per person
during a year for training of audit team members. However, companies should
debate whether engagement of specialists as audit team members would be more
productive than rotating accounting and finance professionals to non-finance
functional areas. Rotation has some significant benefits, but it might be too much
to expect that through rotation and training expert knowledge and skills are
developed.
Section B: Audit Independence
7. 86 percent of the companies have an Audit Committee in place. 50% of the private
companies that are not statutorily mandated to form an Audit Committee have
formed the same. This is favourable for the internal auditing profession since this
would definitely encourage the relatively smaller companies to follow the trend.
The formation of an Audit Committee by companies is a step towards good corporate
governance in ensuring audit independence, for both the statutory as well as the
internal auditors.
8. Other positive findings on audit independence are:
a. The level of Chief Internal Auditor (CIA) in most of the companies is either
equivalent to or higher than the level of departmental heads. It is in
congruence to the principle that the level of CIA should be equivalent to or
higher than the level of auditees to bring audit objectivity.
b. In a majority of the companies, the CIA reports (administratively and
functionally) either to the Chairman, Audit Committee or to the CEO or to the
CFO. This protects the independence of auditor from auditees, particularly in
the area of operational audit. However, reporting to the CFO might impair the
audit objectivity and independence in the audit of finance function.
Reporting to the Audit Committee has to be the recommended practice
at least in the companies that have one in place.
9. On the other hand, in many companies the Audit Committee does not involve
itself in the selection of the CIA. It is advisable that the Audit Committee should
approve the appointment of CIA or the outsourced agency in order to ensure that a
robust selection process has been followed and the selection is unbiased. The
Audit Committee not getting involved in the appointment of the CIA is presumably
because it is considered as an executive function.
10. Mitigating the above observation, in most of the companies the CIA has reasonable
access to the Audit Committee. The practice of allowing the CIA to have access to
the Audit Committee protects the company from frauds perpetrated by senior
management.
11. While studying the perceived independence of the Internal Auditors, it was noted
that around 64.5% of the CIAs perceived that their internal audit function is
‘Highly Independent’, around 31.2% perceived it as ‘Moderately Independent’,
2.2% perceived it as ‘Not Independent’ and 2.2% of the respondents marked their
responses as ‘can’t say’. The number of companies in which the CIA does not perceive
high audit independence is non-trivial. High perceived independence is most
important to make the CIA motivated to offer creative solutions. Companies should
take initiatives to improve the level of perceived independence by allowing the CIA
to draw the audit plan independently in consultation with the Audit Committee.
12. While ranking for ‘Who values the internal audit function the most’, the companies
gave the following order of preference (on an average):
a) Audit Committee of the Board
b) CEO
c) Board of Directors
d) CFO
e) Auditees
The finding shows that the auditees do not attach much value to internal audit,
which is a matter of concern. It is possible that they may view internal audit as a
‘policing function’. It is also possible that auditees are aware of weaknesses in the
process/systems and therefore, do not see audit as a value-added service. The
feedback of the auditees could not be recorded for the above possibility, which is a
limitation of the study. In the absence of insightful reporting, internal audit will be
viewed as a necessary evil by auditees.
13. The authority that evaluates the performance of the internal audit function is also
identified as a factor having influence on the ‘audit independence’. In most of the
companies, the Audit Committee involves itself in the evaluation process,
independently or jointly with other authorities. This is a good indicator that audit
independence is valued in those companies.
However, around 44.4% of the companies do have an Audit Committee
but the Audit Committee does not involve itself in the evaluation process of the
internal audit function. Section 177 (4) of the Companies Act 2013, amongst other
things, has made Audit Committee responsible for:
(i) reviewing and monitoring the auditor’s independence and performance, and
effectiveness of audit process
(ii) evaluation of internal financial controls and risk management systems;
In view of the above stipulations of the Act, the Audit Committees will now have to
involve themselves in the evaluation of the performance of the internal audit function.
Section C: Capacity Building of Internal Audit Teams
14. Although companies do not have multi-disciplinary teams at present, a majority of
the companies build capabilities by rotating the members of their internal audit
teams to different line functions.
15. Another appreciable finding is that companies spend around 31.45 hours
(approximately, 5-6 days) per person in a year (on an average) for the training of
the internal audit team members.
16. Use of IT in internal audit is increasing and it was noted that around 60 percent of
companies provide IT training to their internal audit staff.
Section D: What Internal Audit function means to different People
17. Out of the total number of Internal Audit hours, companies spend the highest
percentage of their time in ‘operations audit’ followed by financial audit,
compliance audit and management audit (in descending order).
18. 89.2% of the companies mentioned that they include ‘operations audit’ in their
scope of Internal Audit while 10.8% didn’t. On an average, 35.07 percent of audit
hours are allocated to operations audit. This shows that internal audit has
graduated from a function complementary to financial audit to a management
service.
19. While 73.1 percent of companies reported that ‘management audit’ is within the
scope of audit, only:
• Around 50 percent reported that they evaluate the alignment of organizational
structure with that of the organization’s objectives/strategies
• Around 57 percent reported that they evaluate the alignment of objectives of
various departments/SBUs/functions/ processes with the organization’s
objectives
• Around 65 percent reported that they evaluate whether ethical standards have
been understood and implemented across the organization
• Around 55 percent reported that they review strategy implementation in the
organization
• Around 20 percent reported that they evaluate employee satisfaction levels
• Around 32.6 percent reported that they review the movement in the customer
satisfaction levels
• Around 26 percent reported that they evaluate skill gaps within the
organization
From the above, it can be inferred that management audit is being included in the
scope of their internal audit plan, particularly those higher-level decisions, which
are outside the domain of a particular functional area.
20. Companies ranked their priorities for different functions within the Internal Audit
function in the following order of their preferences:
A: Providing assurance on internal controls
B: Providing assurance on compliance to legal, regulatory, and internal policies
and procedures of the organization
C: Achieving excellence in operations by providing assurance as well as value
addition to operations of the organization
D: Risk-based internal audit
E: Identifying and managing strategic risks
F: Value-added advisory role for the betterment of the organization
G: Fraud Risk Management
H: Overall risk management
This is indicative of two pertinent facts: first, that risk management and
risk-based internal audit have assumed importance in Indian companies, and
secondly, that management does not recognize the internal auditor as an internal
consultant and an advisor.
Section E: Internal Audit Programme
21. While ranking the consideration for stakeholder’s priority while drafting the
Internal Audit Programme, the respondent companies gave the following order of
preference (on an average):
a) Audit Committee of the Board
b) CEO
c) Board of Directors
d) CFO
e) Auditees
This corroborates the finding that the auditees see least value in internal audit.
This is so because auditees' priorities do not get importance in formulating the
audit plan.
22. A majority of the companies mentioned that the CIA does not meet with the Audit
Committee while drafting the Internal Audit Programme. Also, a sizeable number
of companies reported that they do not modify their internal audit programme
during a year. This is a matter of concern, since the involvement of the Audit
Committee while drafting the internal audit programme is pertinent in ensuring a
well-defined scope for the functioning of the internal audit team. Also, companies
have to appreciate that drafting of the internal audit programme is an ongoing
process and that it cannot be treated as a static, one-time document in a dynamic
and complex business environment.
Section F: Risk Management in Organizations
23. A majority of the companies reported that they have risk management frameworks
embedded in their systems. A sizeable number of companies mentioned
that they don’t think that the current risk management framework is adequate, but
this can be thought of as the initial steps of the Indian companies to move towards
the regime of risk-based internal audit.
Section G: Fraud Management
24. 85 percent of the companies reported that the internal audit function in their
organization is assigned the task of investigating special issues (such as reported
fraud, violation of policies, etc.). This is indicative of the fact that the companies
are readily understanding the role of internal audit in fraud management as the
same has been stressed upon in the Companies Act 2013. The analysis even
indicates that the companies that do not have an Audit Committee at present also have
broadened the scope of their internal audit function to include fraud risk
management in its scope.
Section H: Pre-Audit and Post-Audit
25. The companies are moving towards the regime of post-audit over the earlier
practice of pre-audit. This is a good practice. It is generally felt that pre-audit is
manager’s responsibility and if the internal audit is assigned that responsibility, it
might obscure objectivity while auditing those transactions.
Section I: Use of IT in Internal Audit
26. The use of data analytical tools and IT tools and software for conducting internal
audit assignments is increasingly being adopted by the Indian companies.
Section J: Internal Audit: Comparing the Trend
27. While comparing the survey results with the findings of the survey of the Institute of
Internal Auditors’ Global Pulse of the Profession Survey- 2014, it was observed that:
| IIA’s Global Pulse of the Profession Survey- 2014 | Survey Results of Indian Companies |
| --- | --- |
| ‘Strategic business risk’ is the top priority of stakeholders for the internal audit function in North America. ‘Operational Audit’ is also a focus area on the priority list of the stakeholders. | ‘Assurance and compliance’ is the top priority for the internal audit function in India. ‘Operational Audit’ is increasingly topping up the chart of priorities for the internal auditors in India as well. |
| Boards in North America are highly concerned about ‘information security and audit’ as a part of their internal audit plans. | ‘Information security and audit’ is not a popular component of the internal audit plans in India. A probable reason, however, is that at present it is being handled by independent function heads. |
| The internal audit teams draw professionals with different skill-sets with focus on different technical as well as soft skills. | Internal audit teams are dominated by professional accountants and finance professionals. However, rotation of audit staff across other line functions and training of the staff is highly focussed. |
| ‘Risk management’ is another pertinent area for the internal auditors. Board relies on the internal audit to educate them on the changing nature of risk and the actions being taken to mitigate the same. | The Indian companies are at a stage where they are increasingly adopting risk management framework. Risk based internal audit is at the stage of gaining popularity amongst the leading companies. The risk maturity levels of Indian companies are gradually improving but not comparable with other developed economies of the world. |