Page 95 - DCOM204_AUDITING_THEORY
P. 95
Unit 5: Audit Planning
towards such projects. Frequency of high risk areas needs to be high – maybe twice a year Notes
whereas in cases of low risk or almost zero risk areas, the frequency may be once in three
years and so on.
A benchmark against the standard was carried out by the team to identify further areas for
improvement.
Opportunities for Improvement
Overall, the standard sought to address audit planning from two dimensions –
1. Overall Annual Audit Plan
2. Audit engagement or each specific audit project
For the Overall Annual Audit Plan, the areas identified were -
1. The existing Audit Charter adequately explained the ‘purpose, authority and
responsibility’ of the Internal Audit function. The Audit Charter designed earlier
had not been reviewed and revised for the last two years. During the last two years,
the auditee had implemented an ERP and adopted a Balanced Scorecard strategy for
evaluating performance. Efforts of Cost Reduction have rationalised middle level
management.
(a) The CAE and the team felt that the focus of audit needed to be revised through
use of Audit Tools and the possibility of taking on a leading role in
implementing Continuous Auditing.
(b) One of the overall objectives that the standard expects the Internal Audit to
achieve is to “strengthen overall governance, particularly strategic risk
management”. The Audit Charter had not mentioned any specific
responsibility for this objective. The audit team appreciated the following
fact however with this objective that:
(i) When strategic risks are taken, there is no audit involvement.
(ii) The operating management does not perceive any specific role of the
internal auditors in strategic risk management.
(iii) The Internal Auditor is expected not to be a part of the decision. In this
way, he/she retains their independence. If he is a part of this process,
it may be a barrier to his independence at a later date, when the decision
might not achieve the desired objectives. The Internal Auditor’s role
as an assurance provider may get compromised if the internal auditor
is involved in decision making.
One of the internal audit team members pointed out however that if he gets additional
information at a later date, should he not then advise review of the decision rather
than wait for issuance of the report?
This change was therefore sought to be introduced and highlighted specifically for
discussion. The CAE took a stand that while the Internal Auditor could be a part of
the Strategic Risk Management process, it should be seen as a ‘facilitator role’ and
not as member of the decision making team.
2. While the Audit Plan was provided to the Audit Committee for approval, there was
hardly any debate on the same and it was approved. The CAE thought that in the
current practice, they were not really benefiting from the experience and knowledge
of the Audit Committee Members. He therefore thought it fit to arrange for meetings
Contd...
LOVELY PROFESSIONAL UNIVERSITY 89
