Arvind Dang

Conducting Internal Audits-5 types

Updated: Mar 6

This article covers the following seven processes for conducting internal audits comprehensively.

·      1. Preparing the internal audit charter

·      2. Identifying the “types of internal audits” in business/functional areas

·      3. Developing internal audit checklists for performing internal audits of each type

·      4. Carrying out S-O-D (Severity-Occurrence-Detectability) analysis

·      5. Assigning scores in a logical/rational manner to determine risk impact and risk likelihood/frequency

·      6. Developing a heat map to classify business activities as High, Medium or Low risk (abbreviated as H, M or L)

·      7. Methodology for developing a risk register to determine the frequency & priority of internal audits - activities in brief (3)

The article closes with a list of activities (including unethical ones) that can adversely impact the business.

 

 

Process 1: Preparing the Internal audit charter (16 activities)

A robust internal audit charter must include the 16 aspects listed in chapter 14 of my book, such as vision & mission, quality policy, audit scope, auditors’ profile and team structure, report structure, Board presentation, and follow-up audits.

My book's title is “Profitability and Ethics - The key ingredients for business success”.

Paperback Amazon link: India

Amazon link: Global

 

As per the best practices, the Internal audit function should be independent, and the chief internal auditor (CIA) must report directly to the Board sub-

Process 2: Identifying the “Types of internal audits” in Business /functional areas (5 types of audits)

Based on this author’s experience, the following are the functional areas where internal audits must be conducted.

  • 1. Commercial audits

  • 2. Financial audits (conventional)

  • 3. Technical audits

  • 4. IT/ERP audits

  • 5. Legal audits

The broad functional aspects covered in each are listed below and should be part of the internal audit yearly calendar.

1. Commercial audits in:

  • Company’s sales depot/warehouse (already shown as an illustration in an earlier para)

  • Marketing offices

  • Authorized distributors, wholesalers, dealers, service providers or retailers

  • Exports division

  • Management consultancy

2. Financial audits in:

  • Sales & marketing functions

  • Materials management, including imports

  • Finance and accounts functions

  • Corporate services function

  • Production & assembly function

  • R&D function

  • Quality control function

  • Human resource development function

  • Administration function

  • Management consultancy

3. Technical audits in:

  • Manufacturing or assembly plants

  • Outsourced assembly plants

  • R&D/new product development division

  • Quality assurance - receipt quality control

  • Quality assurance - WIP & product quality

  • Service headquarters

  • Sales & service depots

  • Dealer’s service workshop

  • Vendor’s manufacturing plant or the job worker

  • Construction project - site construction works

4. IT/ERP audits in:

  • IT infrastructure at plants, offices, warehouses/depots/sales outlets

  • Server rooms/IT infrastructure control room

  • IT security policy & security infrastructure

  • Outsourced software developers/service providers

5. Legal audits in:

  • Legal & secretarial functions

  • All manufacturing plants under company management, including outsourced ones

  • Corporate office and all other types of offices

  • Sales depots and warehouses under company management

  • SEZ operations

Process 3: Developing internal audit checklists for performing internal audits (18 sources)

To develop checklists, a list of 18 sources needs to be tapped, as per the summary below from my book.

  • Common to all audits = 5

  • Unique to commercial audits = 2

  • Unique to financial audits = 4

  • Unique to technical audits = 2

  • Unique to legal audits = 5

As per this author’s experience, there is potential to develop the internal audit checklists to 900-1200 points for each type of audit for a medium-sized multi-product, multi-plant/multi-office organisation.

This article briefly includes twenty-four lead points for developing a checklist in the four business aspects mentioned previously.

My book includes examples of 174 checklist points, as below.

  • Financial/commercial areas = 60, narrated in Annex 29

  • Technical areas = 60, in Annex 30

  • IT/ERP areas = 24, in Annex 31

  • Legal areas = 30, in Annex 32

As per this author’s experience, there is potential to develop at least 3600 internal audit checklist points (at 900-1200 each for the financial/commercial, technical, IT/ERP and legal functions) for a medium-sized multi-product, multi-plant/multi-office organisation.

Further, the internal audit checkpoints for statutory Acts would be in addition to the 3600 internal audit checklist points mentioned above.

Process 4: Carrying out S-O-D (Severity-Occurrence-Detectability) analysis (6 activities)

1. Forming cross-functional teams (CFTs) of functional experts for each functional area for which the risk register is to be prepared.

2. The CFT, referring to the checklists prepared in the previous process, deliberates and finds answers to one question: what is the adverse impact on the business in case the operation being performed goes wrong?

3. Analyzing the answers compiled on the above question using S-O-D analysis, as highlighted and captured below.

The following need to be analyzed by the CFT vis-a-vis the adverse impact on the business for each type of internal audit.

  • Severity parameters - 5 nos.

  • Occurrence parameters - 10 nos.

  • Detectability parameters - 5 stages

4. Identifying and analysing severity parameters.

The adverse impact on the business can be any one or a combination of the five aspects listed below.

i). Profitability

ii). Statutory regulations & compliances

iii). The strategic value of the company & customer retention

iv). Financial statement accuracy / single operational circular for listing obligations and disclosure requirements (LODR) from SEBI

v). Reliability/effectiveness of the process being audited/assessed

5. Identifying and analysing occurrence parameters - ten aspects that can cause an activity to go wrong and hence trigger an adverse impact.

The CFT analyzes which one or more causes, or combinations of causes, can contribute or lead to an adverse impact for each business activity performed.

·      1. Inadequate skills or resources

·      2. Improper segregation of duties (initiating, modifying, editing, deleting, and approving responsibilities)

·      3. Incorrect or incomplete execution of work/activity

·      4. No or inadequate verification of output

·      5. Incorrect source data or input parameters

·      6. Weak internal controls

·      7. Non-robust system / non-implementation of SOPs

·      8. Not ensuring the availability of appropriate authority norms

·      9. Process logic not configured properly

·      10. Process complexity, malicious intent, lack of diligence, change management, etc.

6. Identifying and analysing detectability parameters - 5 stages where an error can be detected.

The CFT analyzes at what stage a “wrong” was or can be detected for each business activity performed (one illustration: sales invoicing & shipping an end product to a customer).

·      Stage 1: At the very early stage, i.e., the sales delivery stage, by the functional user himself who initiates, i.e., makes, the sales invoice.

·      Stage 2: At the subsequent stage, i.e., sales invoice approval (say by the Sales Manager), who is part of the sales & distribution function.

·      Stage 3: At the Manager-Finance stage, while entering sales invoices in the financial books; Manager-Finance is an “outside sales function” within the same business unit.

·      Stage 4: During a random internal audit, where the internal auditor detects the invoice error after invoicing, maybe weeks or months later, within the business unit.

·      Stage 5: At the customer end, which is outside the business unit and receives the incorrect invoice along with the shipment.

Process 5: Assigning scores in a logical/rational manner to determine risk impact and likelihood/frequency (4 activities)

1. First, a CFT (cross-functional team) must be formed to assign the scores that determine the risk impact logically.

2. The CFT must look at the business activity performed and review each checklist critically to find an answer to a simple question: “What is the adverse impact on the business in case the business activity goes wrong?”

3. For each business activity performed where things can go wrong, a scoring model is proposed below, where a score is to be assigned by the CFT on a scale of 1-10 for each of the following.

  • Severity parameters = scale of 1-10 points

  • Occurrence parameters = scale of 1-10 points

  • Detectability parameters = scale of 1-10 points

4. An impact vs. exposure matrix is to be developed based on the following definitions.

·      Adverse impact score = severity score multiplied by detectability score

·      Risk exposure score = occurrence score (likelihood factors)

Illustration: the “sales invoicing activity” case at the company’s sales depot.

·      Based on close observations of the billing systems at the depot, let us assume the CFT assigns the scores below.

  • Severity parameters = 10 (in case the invoice is billed at a lower rate)

  • Occurrence parameters = 8 (as many parameters out of 10 are not OK)

  • Detectability parameters = 7 (assume Accounts may miss catching it, since sale rates are not updated instantly on a rate change announced by the Sales team)

·      So the score on business impact would be 10 x 7, i.e., 70 (severity x detectability).

·      So the score on risk likelihood would be 8.

Combining these scores enables classifying the risk level in the “heat map” proposed in the following points.

Process 6: Developing a heat map to classify business activities as High, Medium or Low risk, abbreviated as H, M or L (8 activities)

1. A “heat map” is proposed to classify risks as High, Medium, or Low as per the measurement scale below, based on the following score computation.

·      Adverse impact (on a 0-100 scale) = severity score multiplied by detectability score

·      Exposure (likelihood) (on a 0-10 scale) = occurrence score

2. The classification of risks for each audit activity into High, Medium, or Low (H, M, or L) can be guided by the combined scores on impact and likelihood.

3. Some need-based risk classification adjustments can be made for borderline scores.

4. In consultation with the HOD of the respective function, the CFO (along with the company-level risk coordinator) may change the above table and decide the heat matrix accordingly.

5. Each cell has been classified as High, Medium, or Low (“Red,” “Brown or Yellow,” and “Green” colors) based on the combination of scores, abbreviated as shown in the table.

 

In the table below, the Y-axis gives the impact score on a 100-point scale and the X-axis the likelihood (exposure) score on a 10-point scale.

Impact (Y)  |   0-2    |  2.1-4   |  4.1-5   |  5.1-6   |  6.1-8   |  8.1-10
------------+----------+----------+----------+----------+----------+----------
81-100      | IH & EL  | IH & EL  | IH & EM  | IH & EM  | IH & EH  | IH & EH
61-80       | IH & EL  | IH & EL  | IH & EM  | IH & EM  | IH & EH  | IH & EH
51-60       | IM & EL  | IM & EL  | IM & EM  | IM & EM  | IM & EH  | IM & EH
41-50       | IL & EL  | IL & EL  | IL & EM  | IL & EM  | IL & EH  | IL & EH
21-40       | IL & EL  | IL & EL  | IL & EM  | IL & EM  | IL & EH  | IL & EH
0-21        | IL & EL  | IL & EL  | IL & EM  | IL & EM  | IL & EH  | IL & EH

X-axis: Exposure (Likelihood) of Risk

6. In the above table, the abbreviated letters indicate the following:

  • I denotes “Impact” on the Y-axis,

  • E denotes “Exposure or likelihood” on the X-axis.

  • H, M, and L denote “High,” “Medium,” and “Low,” respectively.

·      As is evident from the above heat map, risk is classified into three categories: High, Medium, or Low, abbreviated as H, M & L, respectively.

7. So the activity of “sales invoicing” in the illustration will fall under the “High”-risk zone, as the scores assigned in the previous point were assessed as below:

  Impact score = 70 (severity score 10 multiplied by detectability score 7), exposure/likelihood score = 8

8. Thus, risk assessment is to be done by the CFT for each business activity in each business function. A risk register will be prepared to depict the High, Medium, or Low-risk categories.

Process 7: Methodology for developing a risk register to determine the frequency & priority of internal audits - activities in brief (3)

1. The internal audit team is to prepare an extract of a proposed simple “risk register”, as enclosed.

2. The risk classification would vary as per the score assessment of the relevant auditors.

3. Based on the above sample risk register, the internal audit team may decide the audit frequency as below.

·      High-risk activities: say quarterly

·      Medium-risk activities: say six-monthly

·      Low-risk activities: say annually

The above frequencies are only indicative, and the CIA can change them at their absolute discretion based on manpower/resources and other priorities.
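The scoring model of Process 5, the heat-map bands of Process 6 and the indicative frequencies of Process 7, worked through in Python as an added example (not code from the article or the author's book). The band edges and the sales-invoicing scores (10, 8, 7) are the article's own; the overall H/M/L rule (the higher of the two levels), the 1-10 range check, and the two extra activities in the sample are assumptions.

```python
from dataclasses import dataclass

# Y-axis (impact) bands from the article's heat-map table, top to bottom, as (lower edge, label).
# Its "0-21" and "21-40" rows are both IL, so the overlapping edge changes nothing.
IMPACT_BANDS = [(81, "IH"), (61, "IH"), (51, "IM"), (41, "IL"), (21, "IL"), (0, "IL")]
# X-axis (exposure/likelihood) bands from the same table, top to bottom.
EXPOSURE_BANDS = [(8.1, "EH"), (6.1, "EH"), (5.1, "EM"), (4.1, "EM"), (2.1, "EL"), (0, "EL")]
# Indicative frequencies from Process 7; the CIA may change them.
AUDIT_FREQUENCY = {"H": "quarterly", "M": "six-monthly", "L": "annually"}


def band(score, bands):
    """Label of the first band (scanned from the top) whose lower edge the score reaches."""
    for lower_edge, label in bands:
        if score >= lower_edge:
            return label
    raise ValueError(f"score {score} is below the lowest band")


@dataclass
class Activity:
    """One business activity with the CFT's three scores, each on a 1-10 scale."""
    name: str
    severity: int
    occurrence: int
    detectability: int

    def __post_init__(self):
        # Assumption: reject scores outside the 1-10 scale instead of silently banding them.
        for field_name in ("severity", "occurrence", "detectability"):
            value = getattr(self, field_name)
            if not 1 <= value <= 10:
                raise ValueError(f"{field_name} must be on a 1-10 scale, got {value}")

    def impact(self):
        """Adverse impact score (0-100): severity x detectability (Process 5)."""
        return self.severity * self.detectability

    def cell(self):
        """Heat-map cell in the article's notation, e.g. 'IH & EH'; exposure is the occurrence score."""
        return f"{band(self.impact(), IMPACT_BANDS)} & {band(self.occurrence, EXPOSURE_BANDS)}"

    def rating(self):
        """Overall H/M/L. Assumed rule (the article leaves the final rule to the CFO and CFT):
        the higher of the impact level and the exposure level, so 'IM & EL' rates M."""
        impact_level, exposure_level = self.cell()[1], self.cell()[-1]
        return max(impact_level, exposure_level, key="LMH".index)


def risk_register(activities):
    """Risk register rows (Process 7), highest impact first, with the indicative audit frequency."""
    rows = [{"activity": a.name, "impact": a.impact(), "exposure": a.occurrence, "cell": a.cell(),
             "risk": a.rating(), "audit_frequency": AUDIT_FREQUENCY[a.rating()]} for a in activities]
    return sorted(rows, key=lambda r: (r["impact"], r["exposure"]), reverse=True)


# Constructed sample: the article's sales-invoicing scores (10, 8, 7) plus two made-up activities.
SAMPLE = [Activity("Sales invoicing at depot", 10, 8, 7),
          Activity("Vendor master data changes", 6, 3, 9), Activity("Stationery purchase", 2, 2, 3)]
```

Calling `risk_register(SAMPLE)` places the sales-invoicing activity in cell "IH & EH" with a quarterly audit frequency, matching the article's illustration.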

My book carries illustrations for developing risk registers for each type of audit, as shown below.

A) Developing risk registers - Annex 29 - Financial & commercial audits, each with six queries

·      Auditee: Sales & marketing function. Auditor’s profile: CA or MBA

·      Auditee: Materials management function. Auditor’s profile: CA or MBA

·      Auditee: Finance & accounts function. Auditor’s profile: CA or MBA

·      Auditee: Corporate services function. Auditor’s profile: CA or MBA

·      Auditee: Production & assembly function. Auditor’s profile: CA or MBA

·      Auditee: R&D function. Auditor’s profile: CA or MBA

·      Auditee: Quality control function. Auditor’s profile: CA or MBA

·      Auditee: HR function. Auditor’s profile: CA or MBA

·      Auditee: Administration function. Auditor’s profile: CA or MBA

·      Auditee: Management function. Auditor’s profile: CA or MBA

B) Developing risk registers - Annex 30 - Technical audits, each with six queries

·      Auditee: Manufacturing or assembly plant. Auditor’s profile: Production engineer

·      Auditee: Outsourced assembly plant. Auditor’s profile: Production engineer

·      Auditee: R&D. Auditor’s profile: Design engineer

·      Auditee: Receipt quality control. Auditor’s profile: Quality engineer

·      Auditee: Final product or WIP product. Auditor’s profile: Quality engineer

·      Auditee: Service headquarters. Auditor’s profile: Service engineer

·      Auditee: Company-managed service depot. Auditor’s profile: Sales & service engineer

·      Auditee: Dealer’s workshop. Auditor’s profile: Sales & service engineer

·      Auditee: Vendor’s manufacturing plant. Auditor’s profile: Purchase engineer

·      Auditee: Construction project. Auditor’s profile: Construction engineer

C) Developing risk registers - Annex 31 - IT/ERP audits, each with six queries

·      1. Auditee: IT infrastructure at manufacturing or assembly plants, offices, sales depots, etc. Auditor’s profile: IT engineer/professional

·      2. Auditee: Server room/IT infrastructure control room. Auditor’s profile: IT engineer/professional

·      3. Auditee: IT security policy & security infrastructure. Auditor’s profile: IT engineer/professional

·      4. Auditee: Outsourced software developer/service provider. Auditor’s profile: IT engineer/professional

D) Developing risk registers - Annex 32 - Legal functions, each with six queries

·      Auditee: Legal and secretarial function. Auditor’s profile: Law professionals

·      Auditee: All plants. Auditor’s profile: Law professionals

·      Auditee: Corporate & all other offices. Auditor’s profile: Law professionals

·      Auditee: Sales depots & warehouses. Auditor’s profile: Law professionals

·      Auditee: SEZ operations. Auditor’s profile: CA or MBA

More can be developed directly by the internal audit team/CFT.

Activities (including unethical) that can adversely impact business

1. Audit charter not comprehensive vis-a-vis the five types of audits mentioned above.

2. Chief internal auditor reporting to some functional head, which can compromise their independence, thus possibly diluting objectivity in reporting the findings. *

3. Deliberately keeping some business areas out of the bounds of internal audit. *

4. Not taking inputs from HODs of functions or specialists, and hence checklists not being comprehensive. *

5. Not referring to statutory Acts, applicable regulations, or quality standards (for technical audits), thus making incomplete or incorrect checklists. *

6. Making mundane checklists that have little or no focus on the following aspects:

  • Profitability

  • Sales revenue

  • Statutory regulations & compliances

  • Quality, delivery, and costs

  • End customer satisfaction

  and so on.

7. Inadequate training of the internal audit team, who would be responsible for using S-O-D analysis.

8. Biased or inaccurate assessment of the impact & exposure scores.

9. Incorrect classification of risks as High, Medium or Low.

10. Inaccurate preparation of the heat map.

* Indicates an activity with unethical or statutory implications