“Internal audit is an independent management function, which involves a continuous and critical appraisal of the functioning of an entity with a view to suggest improvements thereto and add value to and strengthen the overall governance mechanism of the entity, including the entity’s strategic risk management and internal control system. Internal audit, therefore, provides assurance that there is transparency in reporting, as a part of good governance.”

The Companies Act, 2013, was enacted on August 30, 2013, which provides for a major overhaul in the corporate governance norms for all the companies in the country. The Act consolidates and amends the law relating to companies. The requirements under the Companies Act, 2013, and the rules notified there under would be applicable for every company or a class of companies (both listed and unlisted) as may be provided therein. In the light of the above, the year 2014 holds changes for the way internal audit is positioned in corporate India. Apart from mandatory requirement for internal audit function for certain classes of companies, the Companies Act, 2013, also specifically requires Audit Committee or Board to formulate the scope, functioning, periodicity and methodology for conducting the internal audit.

Section 138 of the Companies Act, 2013 states as follows:

“Internal Audit”

138  (1) Such class or classes of companies as may be prescribed shall be required to appoint an internal auditor, who shall either be a chartered accountant or a cost accountant, or such other professional as may be decided by the Board to conduct internal audit of the functions and activities of the company.

(2) The Central Government may, by rules, prescribe the manner and the intervals in which the internal audit shall be conducted and reported to the Board.”

Companies (Accounts) Rules, 2014

With respect to an internal audit, Companies (Accounts) Rules, 2014, which comes into effect from April 1, 2014, lays down as follows:

“13. Companies required to appoint internal auditor:-

• The following class of companies shall be required to appoint an internal auditor or a firm of internal auditors, namely:-
  • every listed company,
  • every unlisted public company having –
    • paid-up share capital of fifty crore rupees or more during the preceding financial year; or
    • turnover of two hundred crore rupees or more during the preceding financial year; or
    • outstanding loans or borrowings from banks or public financial institutions exceeding one hundred crore rupees or more at any point of time during the preceding financial year; or
    • outstanding deposits of twenty-five crore rupees or more at any point of time during the preceding financial year; and
  • every private company having –
    • turnover of two hundred crore rupees or more during the preceding financial year; or
    • outstanding loans or borrowings from banks or public financial institutions exceeding one hundred crore rupees or more at any point of time during the preceding financial

Provided that an existing company covered under any of the above criteria shall comply with the requirements of Section 138 and this rule within six months of commencement of such section.

Explanation – For the purposes of this rule –

• The internal auditor may or may not be an employee of the company;
• The term “Chartered Accountant” shall mean a Chartered Accountant whether engaged in the practice or
• The Audit Committee of the company or the Board shall, in consultation with the Internal Auditor, formulate the scope, functioning, periodicity and methodology for conducting the internal

While listed companies, as per requirement in Clause 41 of Listing Agreement, already maintained internal audit departments, the Companies Act, 2013 has extended the coverage to unlisted public companies and private companies meeting specified criteria. This requirement is intended to ensure that the specified companies have a mechanism in place to regularly review and assess their internal control system and, thereby, to identify any weaknesses and develop and implement appropriate measures. The internal audit function plays an important role in the corporate governance framework, and would thereby protect investors and public interest.

Further, the above-mentioned Rule is applicable from April 1, 2014, which means that by September 30, 2014, companies which are required to appoint internal auditor should comply with the provisions of Section 138 and the corresponding Rules, thereby allowing sufficient time for companies that have not yet done so. The Rules also provide leverage to the companies to keep an employee of the company as internal auditor.

Reporting to Audit Committee

Effective discharge of internal audit responsibilities pertaining to financial reporting, corporate governance and corporate control requires a reporting relationship with the Board of Directors’ Audit Committee. Companies (Accounts) Rules, 2014, clearly requires that the Audit Committee of the Board shall, in consultation with the internal auditor, formulate the scope, functioning, periodicity, and methodology for conducting the internal audit. This new requirement is designed to emphasize the role of the audit committee in supervising the internal audit process in the company. It is very important for the internal audit function to have the full support of the Board and the Audit Committee, and equally important for it is to understand their expectations. Through the audit committee, the internal audit function is accountable to the board for maintaining ongoing, constructive relationships and for regular reporting of assurance related issues.

The Audit Committee should exercise an active oversight role with respect to internal audit activities, and determine that the internal auditors are performing reviews of financial and accounting records, reports and systems. It should also monitor the organizational framework of the internal audit activity and it is procedures to ensure that the internal audit function is fully aware of the emerging risks that face the company. This direct contact with the Audit Committee would surely help internal audit to maximize it’s a contribution to good governance and exhibit a high quality of professionalism and quality in its work. The objective is to set up an effective internal audit function that would assist the audit committee in discharging its responsibilities in light of it’s limited time and oversight capacity. As an internal audit’s role evolves, transparency by the audit committee regarding its relationship with and responsibility to the internal audit function could offer valuable insight to stakeholders and help confirm that the committee’s responsibilities are being executed effectively.

Internal Control Systems and Compliances

Internal audit’s scope is expanding because the expectations that the boards and management place on it grow more numerous every day. In the new regulatory environment, responsibility and liability have been elevated to an unprecedented level and demand for heightened accountability resonates especially clearly for Directors. Section 134 of the Companies Act, 2013, has added the following two new requirements to be included in “Directors’ Responsibility Statement”:

“134 (5) The Directors’ Responsibility Statement referred to in clause (c) of sub-section

• shall state that –

....(e) the directors, in the case of a listed company, had laid down internal financial controls to be followed by the company and that such internal financial controls are adequate and were operating effectively.

Explanation – For the purpose of this clause, the term “internal financial controls” means the policies and procedures adopted by the company for ensuring the orderly and efficient conduct of it’s business, including adherence to company’s policies, the safeguarding of its assets, the prevention and detection of frauds and errors, the accuracy and completeness of the accounting records, and the timely preparation of reliable financial information; and

(f) The directors had devised proper systems to ensure compliance with the provisions of all applicable laws and that such systems were adequate and operating effectively.”

An effective internal audit function can help the Directors’ in fulfilling these newly introduced requirements by objectively validating the effectiveness of internal control system and compliance function. Effective Internal Financial Controls (IFC) helps to assure that companies produce reliable financial statements that investors can use in making investment decisions. IFC is one element of broader concept of internal control. The board’s oversight of IFC is delegated to the audit committee, which has specific responsibility of overseeing financial reporting under the Act. The audit committee’s activities usually include review of the assessment of financial reporting risk; discussion with management of significant   control deficiencies and their potential impact on financial reporting; and the evaluation of the quality of financial reporting and related disclosures. Internal auditors can play an active role by testing controls and informing the audit committee of it’s findings relative to IFC. Further, it can also provide support by examining the continued effectiveness of the internal control system through evaluation and make recommendations, if any, for improving that effectiveness.

As far as compliance is concerned, internal audit can review the adequacy and effectiveness of the functioning of controls implemented by the management to ensure compliance with applicable laws and regulations. Compliance is the act of adhering to, and the ability to demonstrate adherence to, mandated requirements as defined by laws and regulations, as well as voluntary requirements resulting from contractual obligations and internal policies. Internal auditors must understand the specific roles and mandates of the compliance groups in the organization, the frameworks they use, and their plans and reports. In boarder terms, it can assist the directors in auditing compliance and the compliance function by providing valuable inputs.

The new regulations also specifically require, as per Section 177, for the Audit Committee to evaluate internal financial controls and risk management systems. Section 177 (5) of the Act clearly states as follows:

“Section 177 (5) The Audit Committee may call for the comments of the auditors about internal control systems, the scope of audit, including the observations of the auditors and review of financial statement before their submission to the Board and may also discuss any related issues with the internal and statutory auditors and the management of the company.”

It may also be clarified that under the provisions of the Act, the Board of Directors and the Audit Committee is solely responsible for establishing an efficient system of internal control. Internal audit may serve in many capacities, including advisory, testing, training and development, so long as that should not cross the line into a decision-making role.

Risk Management

The profession of internal audit is fundamentally concerned with evaluating an organization’s management of risk. In fact, risk management and internal control are two sides of the same coin, as risk management focuses on the identification of threats and opportunities, and controls are designed to effectively counter threats and take advantage of opportunities. Successful organizations seek to integrate risk management and internal control into all activities, through a framework of risk identification, risk assessment and risk response. Section 134 of the Companies Act, 2013, has introduced the following new requirement to be included in the Report by the Board of Directors presented before a company in general meeting:

“134 (3)(n) a statement indicating development    and     implementation of a risk management policy for the company including identification therein of elements of risk, if any, which in the opinion of the Board may threaten the existence of the company,”

The Board is at the top of the assurance chain, seeking the assurance to discharge it’s accountabilities to the organization’s external stakeholders. Internal audit is  a key source of assurance. An internal auditor’s knowledge of the management of risk enables them to act as consultant and catalyst for improvement in an organization’s practices. In addition to ensuring that the risks are identified, internal auditors should review the process for assessing the level of inherent and residual risk. The Board of Directors require relevant and reliable information on risk management for decision-making and control processes. In other words, it requires a skilled team of internal auditors who can act independently and report back objectively to the board of directors on risk management. Internal audit function, thus, can provide objective assurance to the board on the effectiveness of the company’s risk management activities to help ensure key business risks are being managed appropriately.

Standards on Internal Audit

SIA 1,    Planning an Internal Audit

SIA 2,    Basic Principles Governing Internal Audit

SIA 3,    Documentation

SIA 4,    Reporting

SIA 5,    Sampling

SIA 6,    Analytical Procedures

SIA 7,    Quality Assurance in Internal Audit

SIA 8,    Terms of Internal Audit Engagement

SIA 9,    Communication with Management

SIA 10   Internal Audit Evidence

SIA 11,  Consideration of Fraud in an Internal Audit SIA 12,         Internal Control Evaluation

SIA 13,  Enterprise Risk Management

SIA 14,  Internal Audit in an Information Technology Environment

SIA 15,  Knowledge of the Entity and its Environment

SIA 16,  Using the Work of an Expert

SIA 17,  Consideration of Laws and Regulations in an Internal Audit

SIA 18,  Related Partie