Sumit SIP Project
Submitted by:
Sumit Vithalani
----------------------------------------------------------------------------------------------------
Master of Business Administration
School of Petroleum Management
Pandit Deendayal Petroleum University
Gandhinagar.
Page | 1
PREFACE
It is essential for the management of large firms to carry out internal audits and review their own
processes. Internal audit gives the opportunity to find and correct the gaps in the processes, which
helps firms perform well and minimize risk.
The project at Reliance Industries Limited aimed to review the processes of quality control and
quality assurance, which affect the final quality of the company's products and thus the company's
overall reputation and market share. The risk based internal audit of quality processes included
a detailed understanding of the quality process design, a review of all the laboratory processes of both
the DTA and SEZ refineries, and identifying the gaps in the processes that pose a higher risk to the
objective of the process. The study also included discovering the root cause of the gaps and
recommending suggestions to the management to optimize the same process.
ACKNOWLEDGEMENT
I hereby take this opportunity to sincerely thank the authority of RELIANCE INDUSTRIES
LTD. for taking me as an intern under the kind mentorship of Mr. Gyana Pattanaik and for
providing a very conducive work environment.
I would like to thank my mentor Mr. Gyana Pattanaik whose valuable inputs and guidance
helped me to go about this project.
I would like to extend my sincere gratitude towards the entire team of internal audit at Jamnagar
office including Mr. Manish Vadagama, Mr. Navin Joshi and Mr. Hiten Bathiya who
directly or indirectly played a significant role in my learning associated with the Summer
Internship.
Finally, I would like to extend a vote of thanks to my faculty mentor at School of Petroleum
Management, Dr. Sudhir Yadav, for his valuable support and guidance throughout the project.
I would also like to thank the entire faculty of School of Petroleum Management, whose
lessons helped me a lot during my internship project.
Table of Contents
1. Internal Audit Overview _________________________________________________________ 7
a. Introduction __________________________________________________________________ 7
b. History of internal auditing _____________________________________________________ 8
c. Organizational independence____________________________________________________ 8
d. Role in internal control _________________________________________________________ 9
e. Role in risk management _______________________________________________________ 9
f. Role in corporate governance __________________________________________________ 10
g. Audit project selection or "annual planning" _____________________________________ 11
h. Internal audit execution _______________________________________________________ 11
i. Internal audit reports _________________________________________________________ 11
j. Quality of Internal Audit Report ________________________________________________ 12
k. Strategy ____________________________________________________________________ 12
l. Measuring the internal audit function ___________________________________________ 13
m. Reporting of critical findings _________________________________________________ 14
n. Audit philosophy _____________________________________________________________ 14
o. The difference between internal and external audit ________________________________ 15
2. Risk based internal auditing _____________________________________________________ 16
a. Background _________________________________________________________________ 16
b. What is risk based auditing? ___________________________________________________ 16
I. Definition _________________________________________________________________ 16
II. Is the organization ready? _________________________________________________ 16
III. A Dynamic process _______________________________________________________ 16
c. Advantages__________________________________________________________________ 17
d. Implementation of RBIA ______________________________________________________ 17
e. Risk maturity assessment ______________________________________________________ 19
I. Objectives_________________________________________________________________ 19
II. Actions to achieve the objectives ____________________________________________ 20
III. Range of audit strategies __________________________________________________ 21
IV. Assurance strategies ______________________________________________________ 22
V. Framework for audit planning _______________________________________________ 23
VI. Consulting strategies ______________________________________________________ 23
VII. Mixed risk maturities _____________________________________________________ 24
f. Production of the audit plan ___________________________________________________ 24
I. The objectives of this stage are to _____________________________________________ 25
II. Information requirements _________________________________________________ 25
III. Actions to achieve the objectives ____________________________________________ 26
IV. Risk defined organizations starting to use RBIA _______________________________ 30
g. Doing the audit ______________________________________________________________ 31
I. Objectives of this stage ______________________________________________________ 31
II. Action to achieve these objectives ___________________________________________ 31
III. Repeating the cycle of RBIA _______________________________________________ 34
h. Benefits and drawbacks _______________________________________________________ 34
I. Direct contribution to the organization’s objectives ______________________________ 35
II. Relationship with management _____________________________________________ 35
III. Management responsibility for risk management ______________________________ 35
IV. Achieving targets _________________________________________________________ 35
i. Audit resources ______________________________________________________________ 36
j. Staff expertise _______________________________________________________________ 36
k. An audit trail for audits _______________________________________________________ 36
3. COSO Framework _____________________________________________________________ 38
a. The overview of the 2013 Framework: ___________________________________________ 39
b. Introduction of 17 principles: __________________________________________________ 39
c. Introduction of 81 points of focus:_______________________________________________ 42
d. Transition from 1992 Framework to 2013 Framework: _____________________________ 47
e. Conclusion: _________________________________________________________________ 48
4. Audit of Quality Control/ Quality Assurance processes _______________________________ 50
a. Introduction _________________________________________________________________ 50
b. Quality Control ______________________________________________________________ 50
c. Quality Assurance ____________________________________________________________ 50
d. Audit Procedure followed in QA|QC Audit _______________________________________ 50
e. Process reviewed for the Audit – Laboratory Management __________________________ 51
f. Risks identified for above sub-process are ________________________________________ 51
g. Processes, Documents and Data analyzed for review _______________________________ 51
h. Observations identified are: ____________________________________________________ 52
i. Recommendations provided: ___________________________________________________ 52
APPENDIX-1 ______________________________________________________________________ 53
List of Figures
Figure 1 Overview of the stages _____________________________________________________ 19
Figure 2 Range of Audit Strategies ___________________________________________________ 22
Figure 3 Assurance provided by RBIA ________________________________________________ 25
Figure 4 Production of Audit Plan ___________________________________________________ 28
Figure 5 RBIA - An audit Trail ______________________________________________________ 37
Figure 6 COSO Cube _______________________________________________________________ 39
Figure 7 17 Principles ______________________________________________________________ 40
Figure 8 Control Environment _______________________________________________________ 40
Figure 9 Risk Assessment ____________________________________________________________ 41
Figure 10 Control Activities _________________________________________________________ 41
Figure 11 Information & Communication ______________________________________________ 42
Figure 12 Monitoring Activities _______________________________________________________ 42
1. Internal Audit Overview
a. Introduction
Internal auditing is an independent, objective assurance and consulting activity designed
to add value and improve an organization's operations. It helps an organization
accomplish its objectives by bringing a systematic, disciplined approach to evaluate and
improve the effectiveness of risk management, control, and governance processes.
Internal auditing is a catalyst for improving an organization's governance, risk
management and management controls by providing insight and recommendations based
on analyses and assessments of data and business processes. With commitment
to integrity and accountability, internal auditing provides assurance to governing
bodies and senior management as an objective source of independent advice.
Professionals called internal auditors are employed by organizations to perform the
internal auditing activity.
The scope of internal auditing within an organization is broad and may involve topics
such as an organization's governance, risk management and management controls over:
efficiency/effectiveness of operations (including safeguarding of assets), the reliability of
financial and management reporting, and compliance with laws and regulations. Internal
auditing may also involve conducting proactive fraud audits to identify potentially
fraudulent acts; participating in fraud investigations under the direction of fraud
investigation professionals, and conducting post investigation fraud audits to identify
control breakdowns and establish financial loss.
Internal auditors are not responsible for the execution of company activities; they provide
assurance to the management and the Board of Directors (or similar oversight body)
regarding the achievement of objectives relating to operations, reporting, and compliance.
As a result of their broad scope of involvement, internal auditors may have a variety of
higher educational and professional backgrounds.
The Institute of Internal Auditors (IIA) is the recognized international standard setting
body for the internal audit profession and awards the Certified Internal Auditor
designation internationally through rigorous written examination. Other designations are
available in certain countries. In the United States the professional standards of the
Institute of Internal Auditors have been codified in several states' statutes pertaining to
the practice of internal auditing in government (New York State, Texas, and Florida
being three examples). There are also a number of other international standard setting
bodies.
Internal auditors work for government agencies (federal, state and local); for publicly
traded companies; and for non-profit companies across all industries. Internal auditing
departments are led by a Chief Audit Executive ("CAE") who generally reports to
the Audit Committee of the Board of Directors, with administrative reporting to the Chief
Executive Officer (In the United States this reporting relationship is required by law for
publicly traded companies).
b. History of internal auditing
The Internal Auditing profession evolved steadily with the progress of management
science after World War II. It is conceptually similar in many ways to financial
auditing by public accounting firms, quality assurance and banking compliance activities.
While some of the audit techniques underlying internal auditing are derived
from the management consulting and public accounting professions, the theory of internal
auditing was conceived primarily by Lawrence Sawyer (1911-2002), often referred to as
"the father of modern internal auditing", and the current philosophy, theory and practice
of modern internal auditing as defined by the International Professional Practices
Framework (IPPF) of the Institute of Internal Auditors owes much to Sawyer's vision.
With the implementation in the United States of the Sarbanes-Oxley Act of 2002, the
profession's exposure and value was enhanced, as many internal auditors possessed the
skills required to help companies meet the requirements of the law. However, the focus
by internal audit departments of publicly traded companies on SOX related financial
policy and procedures derailed progress made by the profession in the late 20th century
toward Larry Sawyer's vision for internal audit. Beginning in about 2010, the IIA once
again began advocating for the broader role internal auditing should play in the corporate
arena, in keeping with the IPPF's philosophy.
c. Organizational independence
While internal auditors are not independent of the companies that employ them,
independence and objectivity are a cornerstone of the IIA professional standards; and are
discussed at length in the standards and the supporting practice guides and practice
advisories. Professional internal auditors are mandated by the IIA standards to be
independent of the business activities they audit. This independence and objectivity are
achieved through the organizational placement and reporting lines of the internal audit
department. Internal auditors of publicly traded companies in the United States are
required to report functionally to the board of directors directly, or a sub-committee of
the board of directors (typically the audit committee), and not to management except for
administrative purposes.
The required organizational independence from management enables
unrestricted evaluation of management activities and personnel and allows
internal auditors to perform their role effectively. Although internal auditors are part of
company management and paid by the company, the primary customer of
internal audit activity is the entity charged with oversight of management's activities.
This is typically the Audit Committee, a sub-committee of the Board of Directors.
Organizational independence is effectively achieved when the chief audit executive
reports functionally to the board. Examples of functional reporting to the board involve
the board: approving the internal audit charter; approving the risk based internal audit
plan; approving the internal audit budget and resource plan; receiving communications
from the chief audit executive on the internal audit activity's performance relative to its
plan and other matters; approving decisions regarding the appointment and removal of
the chief audit executive; approving the remuneration of the chief audit executive; and
making appropriate inquiries of management and the chief audit executive to determine
whether there are inappropriate scope or resource limitations.
practices, mergers and acquisitions, strategic partnerships, legislative changes,
conducting business abroad, etc. Sarbanes-Oxley regulations require extensive risk
assessment of financial reporting processes. Corporate legal counsel often prepares
comprehensive assessments of the current and potential litigation a company faces.
Internal auditors may evaluate each of these activities, or focus on the overarching
process used to manage risks entity-wide. For example, internal auditors can advise
management regarding the reporting of forward-looking operating measures to the Board,
to help identify emerging risks; or internal auditors can evaluate and report on whether
the board and other stakeholders can have reasonable assurance the organization's
management team has implemented an effective enterprise risk management program.
In larger organizations, major strategic initiatives are implemented to achieve objectives
and drive changes. As a member of senior management, the Chief Audit Executive
(CAE) may participate in status updates on these major initiatives. This places the CAE
in the position to report on many of the major risks the organization faces to the Audit
Committee, or ensure management's reporting is effective for that purpose.
The internal audit function may help the organization address its risk of fraud via a fraud
risk assessment, using principles of fraud deterrence. Internal auditors may help
companies establish and maintain Enterprise Risk Management processes. This process is
highly valued by many businesses for establishing and implementing effective
management systems and ensuring quality is maintained and professional standards are met.
Internal auditors also play an important role in helping companies execute a SOX 404
top-down risk assessment. In these latter two areas, internal auditors typically are part of
the risk assessment team in an advisory role.
g. Audit project selection or "annual planning"
Based on a risk assessment of the organization, internal auditors, management and
oversight Boards determine where to focus internal auditing efforts. This focus or
prioritization is part of the annual/multi-year Audit Planning. The audit plan is typically
proposed by the CAE (sometimes with several options or alternatives) for the review and
approval of the Audit Committee or Board of Directors. Internal auditing activity is
generally conducted as one or more discrete assignments.
Internal auditors typically issue reports at the end of each audit that summarize their
findings, recommendations, and any responses or action plans from management. An
audit report may have an executive summary; a body that includes the specific issues or
findings identified and related recommendations or action plans; and appendix
information such as detailed graphs and charts or process information. Each audit finding
within the body of the report may contain five elements, sometimes called the "5 C's":
• Condition: What is the particular problem identified?
• Criteria: What is the standard that was not met? The standard may be a company
policy or other benchmark.
• Cause (root cause): Why did the problem occur?
• Consequence: What is the risk/negative outcome (or opportunity foregone)
because of the finding?
• Corrective action: What should management do about the finding? What have
they agreed to do and by when?
The recommendations in an internal audit report are designed to help the organization
achieve effective and efficient governance, risk and control processes associated with
operations objectives, financial and management reporting objectives; and
legal/regulatory compliance objectives.
Audit findings and recommendations may also relate to particular assertions about
transactions, such as whether the transactions audited were valid or authorized,
completely processed, accurately valued, processed in the correct time period, and
properly disclosed in financial or operational reporting, among other elements.
Under the IIA standards, a critical component of the audit process is the preparation of a
balanced report that provides executives and the board with the opportunity to evaluate
and weigh the issues being reported in the proper context and perspective. In providing
perspective, analysis and workable recommendations for business improvements in
critical areas, auditors help the organization meet its objectives.
k. Strategy
Internal audit functions may also develop functional strategies described in multi-year
strategic plans. Professional guidance on building an Internal Audit strategic plan was
issued by the Institute of Internal Auditors in July 2012 via a Practice Guide
called Developing the Internal Audit Strategic Plan. A key aspect of developing IA
strategy is understanding the expectations of stakeholders, such as the Audit Committee
and top management. This helps guide the IA function in its mission of helping the
organization address the risks it faces. Specific topics considered in IA strategic planning
include:
Building the IA strategy may involve a variety of strategic management concepts and
frameworks, such as strategic planning, strategic thinking, and SWOT analysis.
m. Reporting of critical findings
The Chief Audit Executive (CAE) typically reports the most critical issues to the Audit
Committee quarterly, along with management's progress towards resolving them. Critical
issues typically have a reasonable likelihood of causing substantial financial or
reputational damage to the company. For particularly complex issues, the responsible
manager may participate in the discussion. Such reporting is critical to ensure the
function is respected, that the proper "tone at the top" exists in the organization, and to
expedite resolution of such issues. It is a matter of considerable judgment to select
appropriate issues for the Audit Committee's attention and to describe them in the proper
context.
n. Audit philosophy
Some of the philosophy and approach of internal auditing is derived from the work of
Lawrence Sawyer. His philosophy and guidance on the role of internal audit was a
forerunner of the current definition of internal auditing. It emphasized assisting
management and the Board in achieving the organization’s objectives through well-
reasoned audits, evaluations, and analyses of operational areas. He encouraged the
modern internal auditor to act as a counselor to management rather than as an adversary.
Sawyer saw auditors as active players influencing events in the business rather than
criticizing all degrees of errors and mistakes. He also foresaw a more desirable auditor
future involving a stronger relationship with members of Audit Committee and the Board
and a divorce from direct reporting to the Chief Financial Officer.
Sawyer often talked about “catching a manager doing something right” and providing
recognition and positive reinforcement. Writing about positive observations in audit
reports was rarely done until Sawyer started talking about the idea. He understood and
forecast the benefits of providing more balanced reporting while simultaneously building
better relationships. Sawyer understood the psychology of interpersonal dynamics and the
need for all people to receive acknowledgment and validation for relationships to prosper.
Sawyer helped make internal auditing more relevant and more interesting through a sharp
focus on operational or performance auditing. He strongly encouraged looking beyond
financial statements and financial-related auditing into areas such as purchasing,
warehousing and distribution, human resources, information technology, facilities
management, customer service, field operations, and program management. This
approach helped catapult the chief audit executive into the role of a respected and
knowledgeable adviser who was thought to be reasonable, objective, and concerned about
helping the organization achieve the stated goals.
o. The difference between internal and external audit
While sharing some characteristics, internal and external audit have very different
objectives. These are explained in the table below:
2. Risk based internal auditing
a. Background
Over the last few years, the need to manage risks has become an essential part of good
corporate governance practice. This has put organizations under increasing pressure to
identify all the business risks they face and to explain how they manage them. In fact, the
activities involved in managing risks have been recognized as playing a central and essential
role in maintaining a sound system of internal control. While the responsibility for
identifying and managing risks belongs to management, one of the key roles of internal audit
is to provide assurance that those risks have been properly managed. A professional internal
audit activity can best achieve its mission as a cornerstone of governance by positioning its
work in the context of the organization’s own risk management framework.
I. Definition
Risk based internal auditing (RBIA) is a methodology that links internal auditing to an
organization's overall risk management framework. RBIA allows internal audit to
provide assurance to the board that risk management processes are managing risks
effectively, in relation to the risk appetite.
appraising staff may become more complex. But the advantages of RBIA are much
greater.
c. Advantages
This enables internal audit to provide the board with the assurance it needs on three
areas:
1. Risk management processes, both their design and how well they are working
2. Management of those risks classified as 'key', including the effectiveness of the
controls and other responses to them
3. Complete, accurate and appropriate reporting and classification of risks
d. Implementation of RBIA
The implementation and ongoing operation of RBIA has three stages:
Identifying the assurance and consulting assignments for a specific period, usually
annual, by identifying and prioritizing all those areas on which the board requires
objective assurance, including the risk management processes, the management of key
risks, and the recording and reporting of risks.
Stage 3: Individual audit assignments
Carrying out individual risk based assignments to provide assurance on part of the risk
management framework, including on the mitigation of individual or groups of risks.
Figure 1 Overview of the stages
I. Objectives
The first stage of RBIA is to review the level of risk maturity. There are three objectives
to this stage, which are to:
1. Assess the risk maturity of the organisation
2. Report to management and to the audit committee on that assessment
3. Agree an audit strategy
i. Discuss the understanding of risk maturity with the board and senior managers.
Determine what has already been done to improve the risk maturity of the
organisation, such as training, risk workshops, questionnaires about risks and
interviews with risk managers. Determine whether managers feel that the risk register
is comprehensive. Discuss whether an understanding of risk management is
embedded so that managers feel responsible not only for identifying, assessing and
mitigating risks but also for monitoring the framework and the responses to risks.
Using the documents and information gathered, assess the organisation's risk maturity
using these stages: risk enabled, risk managed, risk defined, risk aware and risk naïve.
iv. Report your conclusion on risk maturity to management and to the audit
committee.
This stage will provide a first, high level, assurance on the risk management
processes, the management of key risks and on the recording and reporting of risks.
In reporting conclusions and their implications, one should note that a risk maturity of
risk naïve or risk aware implies that the organisation's system of internal control and
the board's ability to assess it may be ineffective. The IIA believes that risk naïve and
risk aware organisations are not complying with either the Turnbull Guidance or the
Code of Corporate Governance.
v. Work with management to identify any actions they propose to take as a result
of this assessment.
Management may suggest consulting assignments for internal audit such as, for
example, facilitating management's efforts to improve their risk management
processes.
This will follow from your assessment and from obtaining approval from management and the
audit committee.
The audit strategy selected depends upon the organisation's risk maturity. Risk naïve or
risk aware organizations will be unable to implement RBIA straight away. However, such
organizations can benefit from some aspects of the audit strategies described below.
For example, internal audit can help improve risk management and governance processes
by reporting its assessment of the risk maturity of the organisation to management and to
the audit committee, and by championing risk management throughout the internal audit
activity's work.
It may also conduct consulting assignments supporting management in improving the
organization’s risk maturity.
There are three potential elements to an RBIA audit strategy:
Figure 2 Range of Audit Strategies
For risk enabled and risk managed organizations, the conclusion on risk maturity is the
first step in being able to provide assurance on risk management processes, management
of key risks and reporting of risks. The internal audit activity's assurance strategy is
therefore to provide assurance on these areas.
For other organizations, the conclusion on risk maturity means that such assurances are
not available. Those in risk defined organizations may be able to identify risk
management policies or pockets of risk management excellence and be able to plan to
provide assurance on these elements.
Otherwise, internal audit should plan to provide assurance that control processes are
working according to the objectives or standards that have previously been set.
In less risk mature organizations, internal audit may wish to set aside time to champion
the introduction and improvement of risk management processes. The aim of this type of
consulting activity is to improve the risk maturity of the organisation.
Internal audit should approach the work in such a way that management retains a sense of
ownership of the processes that are being developed.
The IIA's International Standards define consulting activities as advisory services, the
nature and scope of which are agreed with the client and which do not involve the
internal auditor assuming any management responsibility. The IIA's position statement on The
Role of Internal Audit in Enterprise-wide Risk Management provides further guidance on
the roles that internal audit may undertake and those that it may not.
In risk enabled and risk managed organizations, the need to improve risk management
processes is less pressing than in less risk mature organizations and may be part of the
framework itself. As a result, less resource may be needed for consulting work.
VII. Mixed risk maturities
It is possible that one part of an organisation may be risk managed and another risk
aware.
Alternatively, an organisation may be risk managed when it comes to one type of risk, for
example, market risk in a bank, but risk aware for another type of risk.
In this case, internal audit should not conclude that the whole organisation is risk managed.
It should report the dangers of having a patchwork of risk maturities and devise audit
strategies separately for the different parts of the organisation.
RBIA is not about auditing risks but about auditing the management of risk. Its focus is on
the processes applied by the management team:
Figure 3 Assurance provided by RBIA
• Agree all the risk management responses and risk management processes on which
objective assurance from internal audit is required
• Produce an audit plan which lists all audits to be carried out over a specified period -
usually a year.
Stage 1 should have provided the background needed to understand how management
identifies and evaluates risks and how and where the rest of the information needed is
recorded.
The risk register, or attached documents, show responses, actions and monitoring
controls:
• the responses that management believes exist to manage key risks
• the actions that are being taken to add, delete or modify existing responses
where they do not currently bring risk within the risk appetite
• the monitoring controls used by management to ensure that all these elements
of the framework are working.
Internal audit should also obtain from the audit committee and the management team
guidance about the nature of the objective assurance they want from the internal audit
activity. These are called the assurance requirements. They may be explained in a
separate document or as part of the risk register, or they may be identified as a result of
discussions with the people involved.
In RBIA the role of internal audit is not to create any of this information but to be able to
interpret it and to use it for planning purposes.
Internal audit should review the audit committee's assurance requirements and the risk
register and list all the responses on which objective assurance is required, together with
information on the risks to which they are related.
Other risk management processes on which assurance may be required include:
Internal audit should provide assurance on parts of the risk management framework itself:
• Processes used to identify and assess risks and to decide on the appropriate
responses,
• Processes for reporting risks throughout the organization; and monitoring
controls over those processes.
The audit committee may not want objective assurance from internal audit on the
management of all the risks. Reasons not to want such assurance may include:
The audit committee may prioritise the risks on the management of which it would like
objective assurance, favoring higher inherent risks. It may not, therefore, require
objective assurance on all risks every year.
Internal audit may wish to review thoroughly the audit committee's assurance
requirements to ensure that they do not leave a gap in assurance. It is important to
recognize that the internal audit activity does not have to provide assurance on every
aspect of the risk management framework in order for it to be effective.
Figure 4 Production of Audit Plan
If there is a large number of risks, they should be categorized. This should result in
grouping the risks into a logical order, which will help in compiling the audit plan. Useful
categorizations include:
• By business unit. This is useful where the organisation has a number of physically
independent business units, the procedures and systems of which are self-contained.
It may be necessary to duplicate common responses, for example, those arising from
computers, across all units.
• By function or system, such as sales, purchases, or stock control. This is useful in
a large central organization with integrated systems.
• By objectives. This is useful when assessing the audit plan for its relevance to the
organization because it links audits directly to the objectives affected by the risks,
the management of which is being checked by the audit.
Internal audit should also prioritize the responses which are to be audited. An important
characteristic of RBIA is that prioritization is always by reference to the size of the risks
and to the contribution that the response makes to managing the risks. Useful prioritizations
include:
• The size of the inherent risks managed by the response: the bigger the risk, the
higher the priority.
• The contribution that the response makes in managing risks, so that the more
the response reduces the risk, the higher the priority. For example, where a
risk is managed using a single response, say a treatment, the control score
(the difference between the inherent risk and the residual risk) is the
contribution of that response. However, the control score for some risks may
be divided among different responses, which needs to be taken into account.
• The number and nature of other available assurances that the response is
operating effectively. Where several groups provide assurance on a single
response, it may have a lower priority.
• Those categories of risks on which the audit committee requires objective
assurance each period.
i. Group the risks, for example by business unit, objective, function or system, and
decide the audits which will provide assurance on the related responses.
This method has the advantage that the management of all risks will be covered,
but it may be difficult to define audit units which satisfy the organisation's
preferences for audit size, such as the number of staff hours on an audit.
This allocates each audit to a business unit or system and assigns the risks, on which
assurance is to be provided, to these audits. This method has the advantage of covering
one physical location in one visit and of allowing the definition of suitably sized audit units.
It requires an additional check to ensure that the management of all risks is being audited.
This step will produce a list of potential audit assignments. The priority of each audit is
derived from the size of the risk management process on which it provides assurance.
This information should link to the categorized listing of risks, which in turn links to the
risks in the organization’s risk register. The organization also needs to collect and record
information that links the risks, the responses to them and the audit assignments which
provide assurance on those responses.
Estimate the number of days required for each audit and identify which audits can be
completed with the available resources, while providing scope for consulting support.
RBIA generates a defined amount of work and, therefore, highlights whether resources
are sufficient to complete the planned work. Internal audit can propose an increase in
staff, or a reduction in the number of audits if there are insufficient resources.
Management and the audit committee should be informed of any risks on which
assurance will not be provided.
All the audits to be included in the plan should have now been determined. However,
many organizations add audits based on criteria other than risk. Such criteria might
include areas subject to change, mandatory audits or audits requested by management.
This is a reason to 'sense check' the RBIA work so far because any topic worthy of audit
should have surfaced through the risk management framework.
The periodic audit plan should be discussed with management and be presented to the
audit committee for approval. It should provide:
• Details of those risks where assurance is provided by carrying out the audits of the
risk management processes and responses in the plan.
• Details of those risks where assurance is provided but based on audit work from
previous years, if applicable.
• Details of those risks where consultancy work is carried out to assist management
in reducing the risks to below the risk appetite, or, at least, an indication of the
resources available for consultancy work.
• The impact of any constraints on resources.
• Any risks not covered due to policy constraints.
• Confirmation that the plan is in accordance with the internal audit activity’s terms
of reference.
Internal audit should report to management any information that has come to light about
the quality of the risk register. If extra topics for audit have been identified at the end of
Stage 2 these should be discussed with management so that management can revise the
risk register.
If an organisation is risk defined it does not have a complete risk register. Internal audit
should use completed parts of the risk register to plan, or re-plan, audit work using the
method above.
For those parts of the organisation without a complete risk register, internal audit should
use an alternative framework as discussed under 'Range of audit strategies' in Risk
maturity assessment.
To provide assurance that, in relation to the business, activity, or system under review
and for the processes identified in the audit plan:
• Management has identified, assessed and responded to risks above and below the
risk appetite.
• The responses to risks are effective but not excessive in managing inherent risks
within the risk appetite.
• Where residual risks are not in line with the risk appetite, action is being taken to
remedy that.
• Risk management processes, including the effectiveness of responses and the
completion of actions, are being monitored by management to ensure they
continue to operate effectively.
• Risks, responses and actions are being properly classified and reported.
This involves the internal auditors understanding the results of Stages 1 and 2 in order to
draw up the draft scope. Relevant information includes the conclusion on the risk
maturity and the resulting audit strategy, the title of the assignment and information that
links the audit to the responses on which it should provide assurance and then to the risks
managed by the responses.
This allows internal audit to take its assessment to a more detailed level than was possible
at Stage 1. The criteria used to assess risk maturity should be consistent with those used
in Stage 1 and in other assignments. The assignment may include scrutiny of the risks
identified by management, which may need additional or expert resources.
Conclusions from individual audits should either confirm or cast doubt on the original
organization level assessment. This initial assessment may need to be changed.
If the actual risk maturity (ARM) is better than or the same as the expected risk maturity
(ERM), the current assignment will carry on as planned.
If ARM is lower than ERM, internal audit should report this to management, together with
the conclusion that responses included in the audit scope are not working effectively.
This may be the end of the audit assignment or, if the nature of the shortfall in risk
maturity means that some responses may still be effective, the scope of the audit may be
restricted to those responses only.
Under RBIA, internal auditors need more of management's time than they would in other
approaches to internal audit. Heads of internal audit may wish to support the audit team
by marketing the approach and gaining buy-in from the management prior to conducting
audit work.
This is the first stage of the audit testing. The aim is to determine that the controls used
by management to ensure that the risk management framework is working are designed to
achieve this objective and to show that they are working as designed.
These activities may also be required to provide extra evidence that responses to key risks
are working effectively and to support a conclusion that the monitoring controls are also
working.
This differs in RBIA from standard practices mainly in that the link between risks,
responses to risks, assurances given and work done to support those assurances has to be
made clear.
This produces a conclusion about specific scores in the risk register and should lead to
findings about how management determine residual risks in general. If there is a systemic
failing, internal audit should ensure that it is reflected in the organisation-level
conclusions on risk maturity.
This covers both their design and how well they are working. The conclusions need to be
linked to the risks that are managed by the responses so that the assignment can deliver
the assurances that are the aims of this stage.
This should be in accordance with the organisation's policies, including whatever levels
of review are required by audit management.
This step is critical to your aim of reinforcing management's responsibility for managing
risks. Findings should be discussed with management in such a way that they take
responsibility for deciding on appropriate remedial actions, including all and any changes
to the risk register.
If this is a big change in the style of the internal audit activity, the effort required to
implement it properly should not be underestimated. Internal audit may need to play a
bigger role in drafting and delivering reports for the first months of implementing RBIA.
To complete the RBIA steps and stages the findings from individual assignments are fed
back into the overview of the organisation begun in Stage 1 because:
• The findings may change the conclusions on risk maturity and may need to be
reflected throughout the audit plan the next time it is updated.
• The findings need to be reflected in the reporting of risks so that management and
the audit committee understand where objective assurance has been provided.
III. Repeating the cycle of RBIA
The RBIA methodology is cyclical. The interval between revisions in internal audit's
assessment of the risk maturity and its audit planning depends on the nature of the
organization: how often its circumstances change and how frequently it must report on
risk management matters. The interval should be agreed with the audit committee.
Changes to the assessment of risk maturity may change the audit strategy. Changes to the
risk register, arising from changes to the assessment of risks or from changes in the
responses to risks, may change which responses require auditing, the way they are
allocated to audit assignments and the priority of the different audits.
Audit work gathers evidence on the risk maturity of the organisation which is fed back
into the assessment.
The risk management framework is a dynamic construction, dependent on people to
operate effectively, and it takes continuous effort to keep it working well.
As the external environment and the objectives of the organisation change, the
circumstances and context of potential risk events also change so that the risk register
needs to evolve as time passes.
RBIA is inextricably linked to the risk management framework. During Stage 1 it allows a
conclusion on the risk maturity of the organisation. If this is not high, it provides internal
audit with an opportunity to report that fact promptly to management and the audit committee
so that they can take immediate action.
While this allows the internal audit activity to provide value to its organisation, RBIA is a
challenging prospect. Organizations with a poor level of risk maturity may be that way
because the managers and directors do not accept that a good risk management framework is
an essential element of a sound system of internal control. Internal audit may need to
undertake a longer term programme of activity to champion risk management.
I. Direct contribution to the organization’s objectives
RBIA can be implemented fully only in risk enabled and risk managed organizations.
One characteristic of this level of risk maturity is that managers have to take responsibility for
managing risks. In taking responsibility for risks, managers understand that controls, like
other responses to risks, are not the responsibility of internal audit, imposed by internal
audit, but are their own responsibility.
Implementing RBIA means that the internal audit activity behaves in a way that
reinforces this management responsibility and thus contributes to a stronger risk
management culture.
RBIA is an effective way to achieve targets set for the internal audit activity, such as:
• The compilation of an audit plan which ensures the internal audit activity fulfils its
charter;
• Gaining acceptance from management that it takes appropriate action to manage risks
within the risk appetite;
• Provision of objective assurance in the three areas of risk management normally
required; and
• Keeping within the budget set for the activity.
i. Audit resources
RBIA justifies the number of auditors required. The audit plan, including the resources
required, is driven by the proportion of processes and risks on which the audit committee
requires objective assurance.
This differs from alternative approaches, where the resources available determine the audits
which can be carried out.
j. Staff expertise
Internal auditors engaged in RBIA require more people and business skills, such as
interviewing, influencing, facilitating and problem solving.
The expansion of the audit universe to cover all risks threatening the organization’s
objectives requires the internal auditor to conclude on the design and operation of responses
to risks in areas that may be new.
• Use specialist skills already available within the internal audit activity, e.g. computer
auditors.
• Provide specialist training to auditors with general expertise, e.g. provide training on
the regulations and practices related to stress management to an auditor who already
holds an Advanced Diploma in Internal Auditing and Management.
• Recruit temporary or permanent specialists from inside the organisation, e.g. a
warehouse manager from one overseas subsidiary could audit warehouse processes in
another.
• Use specialists from outside the organisation, e.g. a treasury specialist.
RBIA ties all aspects of internal auditing together: objectives, risks, processes for responses and
monitoring controls, tests and reports, as shown on the diagram below.
Figure 5 RBIA - An audit Trail
The relevance of any test can be seen in relation to the opinion on the entire risk management
framework because of the relationships set up in the risk and audit universe.
RBIA provides an audit trail from an individual audit report back through tests, processes and
risks to objectives, and forward to the audit committee report on whether those objectives are
threatened.
3. COSO Framework
The 2013 Framework retains the five components of internal control; however, it adds 17
principles associated with these five components that are necessary for effective internal control.
Upon adoption of the 2013 Framework, an entity will need to evaluate the extent to which each of
the 17 principles is relevant to its organisation and, to the extent a principle is relevant, whether
the entity's controls are operating effectively to achieve the principle. This update also introduces
81 points of focus that typically are important characteristics of the 17 principles.
The 2013 Framework contains more guidance on the use of technology in reporting and on outsourcing key
portions of business activities or control systems to third parties. The 2013 Framework also
expands the reporting aspect of internal control to consider more than just financial reporting,
including external reporting of non-financial information and internal reporting.
a. The overview of the 2013 Framework:
b. Introduction of 17 principles:
The 2013 Framework introduces 17 principles that are necessary for effective internal
control, unless they are not relevant to the entity. Although the Framework presumes that all
17 principles are relevant for each entity, management may determine that a principle is not
relevant based on its unique circumstances. If a relevant principle is not present and
functioning, a major deficiency exists in the system of internal control. The 17 principles are
aligned with each of the five components and are discussed in the component sections below.
Figure 7 17 Principles
Figure 9 Risk Assessment
Figure 11 Information & Communication
the principles are present and functioning. The 2013 Framework is explicit that management
is not required to separately evaluate whether each of the points of focus is in place to
determine if the principles are present and functioning.
Points of focus may not be suitable or relevant, and others may be identified.
d. Transition from 1992 Framework to 2013 Framework:
COSO's goal in updating the original framework has been to reflect changes in the
business and operating environments, to formalize more explicitly the principles
embedded in the original framework that facilitate development of effective internal
control and assessment of its effectiveness, and to increase ease of use when applied to an
entity objective. Accordingly, COSO believes users should transition to the 2013
Framework in their applications and related documentation as soon as is feasible under
their particular circumstances. However, there are clearly many changes for entities to
consider upon adopting the 2013 Framework.
Companies should begin the transition process by first taking the time to read and
understand the 2013 Framework and related guidance that will be helpful for
implementation. Entities then will need to evaluate the 17 principles to determine if they
are relevant to their organisation and then also determine how they have been
implemented. In this process some entities may determine that a relevant principle is not
addressed, which could signify a material deficiency in their internal control. They will
need to evaluate whether identified deficiencies have implications for the users of their
financial information or their auditors, if applicable. In addition to the consideration of
the principles, adoption of the 2013 Framework will require both management and the
auditor to update the relevant documentation to reflect how the entity's objectives are
being met through the components and related principles.
COSO will continue to make available the 1992 Framework during the transition period
extending to December 15, 2014, after which time COSO will consider it as having been
superseded. COSO believes the key concepts and principles embedded in the original
framework are fundamentally sound and broadly accepted in the marketplace, and
accordingly, continued use of the original Framework during the transition period (May
13, 2013 to December 15, 2014) is appropriate. During that period, the application of the
COSO Internal Control - Integrated Framework that involves external reporting should
clearly disclose whether the original or 2013 version was utilized.
Because entities are not required to use the Framework by any standard setter or
regulatory body, each entity will need to individually determine its transition path to the
new Framework. It will be important for entities to consider the expectations of the users
of the financial statements for the Framework adoption timeframe. Auditors will need to
work with clients to understand which framework they are using and how the transition
will impact their audit procedures.
The entity’s internal control structure is relevant to audit engagements as well as
examination or agreed upon procedure engagements related to internal control. The
impacts of updating the 2013 Framework on the engagement include an updated
understanding of the evaluation process and consideration of any deficiencies identified
during the transition. Auditors will need to evaluate the 17 principles, including
management's assessment of any principles it does not deem relevant to the organisation.
Much like the process to update the COSO Framework was a multi-year project, it is
likely that the implementation and transition to the 2013 Framework will take time and
effort - both on the part of an entity's management and its auditor. The updated guidance
and information in the 2013 Framework provide a strong foundation for entities to
re-evaluate their internal control systems and ensure they are updated in a timely manner for changes in
their internal and external risk factors.
Getting started now in assessing the relevant differences between the 1992 Framework and
the 2013 Framework will provide management with an understanding of the time and
resources that it will take the organisation to address these differences. Also, if any
remediation is required to address these differences, starting early will provide the
organisation an appropriate amount of time to remediate any deficiencies from a design and
operating effectiveness perspective.
e. Conclusion:
The new Framework gives management an opportunity to adopt a principles-based
approach to establishing, maintaining, and evaluating internal control to address the
specific risks of greatest concern to the organization. It also provides them with an
opportunity to apply a consistent, company-wide approach to internal control, embedding
accountability and responsibility throughout the enterprise to reduce the likelihood of
risks interfering with business objectives.
Management and other personnel in key operational roles, such as sales operations,
inventory management, IT security, international expansion and others, are most
important to internal control. They are closest to where risks exist and to the changes in
the business that could impact risks—and therefore, they are best positioned to spot new
or changing risks, or identify when an issue is likely to occur. They can best define the
approach to address risks. Leveraging a common framework, they can more effectively
and efficiently leverage people, process, and technology to gather and share information,
establish controls to address risks, and monitor whether controls are effective. Combined
with strong oversight for senior management and the board, an internal control system
leveraging the IC-IF can enhance confidence and improve the likelihood that objectives
will be achieved.
Chief Audit Executives (CAEs) are well positioned to help management and boards
understand the unlocked potential of an expanded application of the Framework for their
organizations. They should read the new IC-IF thoughtfully to help management assess
whether their current application of the Framework addresses all of the principles. They
should pay particular attention to the concepts clarified in the updated Framework related
to the expectation that the 5 components of internal control and the 17 principles be
"present and functioning" and "operating together." By understanding the principles and
the importance of each of the components supporting the others, management can begin
to envision the benefits of applying these concepts to:
• Enhance the likelihood that risks to business objectives will be identified and
addressed
• Leverage to the rest of the organization the investments they've made in applying
internal control to external financial reporting
4. Audit of Quality Control/ Quality Assurance processes
a. Introduction
Quality Assurance and Quality Control processes define the extent to which an
organization is able to satisfy its customers and help it to meet its business objectives.
This process is designed to integrate the activities of identifying initiatives and
developing and implementing the actions needed to improve customer satisfaction and thereby
improve product acceptability in the market. This process covers inputs received from
customers, development of a product plan, production monitoring, analysis and
subsequent release of the desired product to the market. This process also covers the
assimilation of market feedback, particularly with the intent of developing corrective actions to
ensure consistent quality throughout the supply chain and enhance customer satisfaction.
b. Quality Control
It is defined as a set of activities intended to ensure that quality requirements are
continuously being met within the given manufacturing process as per design. The
quality control process encompasses sample collection by the operation team from the product,
raw material and process streams drawn from various manufacturing process stages, and
the analytical work performed by lab teams as per pre-defined schedules and reference
methods. The analytical data / observations are shared with manufacturing stakeholders
for monitoring and deciding corrective actions to ensure desired quality parameters are
consistently met, to have on-spec production.
c. Quality Assurance
It is a set of activities intended to establish confidence that quality requirements will be
met. QA involves a programme for the systematic monitoring and evaluation of the various
aspects of the project, service, or process to ensure that standards of quality are being
met.
Reliance has a central laboratory for each of the two refineries. The refineries are the main part
of the QA/QC process. So, for the internal audit of the QA/QC processes, laboratory
processes are reviewed. These laboratories have many sub-processes, of which I
reviewed the two following sub-processes:
i. Approved product specification data for all the plants in both refineries
ii. LABWARE software specification data of all the plants, compared with
the master data
iii. Compared laboratory product specification data with the plants' approved
specification data
iv. Unreceived sample list
v. Sample cycle time in the laboratory data
vi. Instruments list, which contains the list of all the instruments available in both
laboratories
vii. Equipment calibration list of all the sub-sections of both laboratories
viii. Checking the calibration status of randomly selected equipment in the
laboratory
ix. Checking the online sample results against the manually written results in the register at
both laboratories
h. Observations identified are:
i. Incorrect master data are updated compared with the approved product specification.
ii. Absence of periodic review and updating of revised product specifications.
iii. Incorrect calibration schedules are followed for instruments, and in some cases
no calibrations were carried out.
i. Recommendations provided:
APPENDIX-1
ABBREVIATIONS MEANING
Case study – Audit Tactics
Internal audit is all about finding the process gaps, not human error or person-specific faults. The
more in-depth understanding and clarity the auditor has about the process, the more he is able to find
ways to strengthen the process controls. However, auditees always have in mind that auditors are
going to find points against them or their process, so it is their common mentality to avoid questions
or not to open up more. Auditors have to follow some tactics to get a better picture and obtain the
relevant data they need.
How people avoid questions and what to do about that
The response of the auditor should vary according to the situation and according to the tactics
used by the auditee to avoid the questions.
Following are the situations that happen during the interaction, together with tactics to handle
them smartly.
“I don’t have time for you. I already have lots of work, and you have been in my office for three days.”
In this approach, the auditee attacks the auditor for wasting his time and tries to dominate. Thus
he tries to make the auditor forget the follow-up questions, and this may affect his or her future questions
too.
An attacked interviewer in this situation reacts either very strongly and fights with the auditee, or
he may shy away and not ask more questions. However, both responses are a mistake. A
smart auditor in this situation reacts calmly and takes the necessary steps boldly.
For example, if the auditor does not need answers quickly he may say, “I understand and
value your time. I have asked all your staff members about this question and they have all referred
me back to you, so I have to take your opinion about this. If there is any free time in your
schedule we can fix the meeting during that time.” Here, the auditor has not reacted angrily, but he
has done his work very calmly as well as boldly.
“Why should we care about the recovery process? There is no need at all for supporting
documents in this matter.” By this approach, they try to avoid the question as if it has no relevance.
To respond to this situation the auditor should be very smart and an expert in that matter. He should
answer that as this matter has a very high financial impact on the company, it is very important. He
can show the financial figures and make them explain the matter in detail.
“From your question a new thing came to my mind: we have new computer systems that
detect every error.” With this approach, the auditee tries to avoid the main question by coming
up with another matter or issue, or anything else.
In this situation, the auditor needs to make a list of objectives for the meeting and make sure that by
the end of the meeting every objective has been satisfied.
Declining to answer.
“I don’t know the answer or I don’t know the exact process; I will try to find documents for you
for the next meeting.” (Without intending to do so.)
To respond, the interviewer must hold the person accountable and should constantly follow
up on that matter. He should take this conversation into mail or some written format, as it gives
proof of the conversation and makes the auditee give the right information.
Every time, at the final discussion of the finding points, the auditee has objections over some points
and tries to remove some of them. So, auditors have come up with a very innovative idea: they
prepare two or three give-away points every time.
These give-away points are such that they are not the actual points. They are made only so that, on
objection from the auditee, these points can be given away and the auditee feels satisfied. Thus,
the auditee doesn’t argue over the actual points.