
Guidance Note On Risk Based Internal Audit

Published by Internal Audit & Assurance Standard Board of India (IAASB)


www.icmai.in

GUIDANCE NOTE ON

RISK BASED
INTERNAL AUDIT

INTERNAL AUDITING & ASSURANCE STANDARDS BOARD

THE INSTITUTE OF
COST ACCOUNTANTS OF INDIA
Statutory Body under an Act of Parliament
Headquarters: CMA Bhawan, 12 Sudder Street, Kolkata - 700016
Delhi Office: CMA Bhawan, 3 Institutional Area, Lodhi Road, New Delhi - 110003

Behind every successful business decision, there is always a CMA


MISSION STATEMENT
“The CMA Professionals would ethically drive enterprises globally by creating value to stakeholders
in the socio-economic context through competencies drawn from the integration of
strategy, management and accounting.”

VISION STATEMENT
“The Institute of Cost Accountants of India would be the preferred source of
resources and professionals for the financial leadership of enterprises globally.”

ABOUT THE INSTITUTE


The Institute of Cost Accountants of India is a Statutory body set up under an Act of Parliament in the year 1959.
The Institute as a part of its obligation, regulates the profession of Cost and Management Accountancy, enrols
students for its courses, provides coaching facilities to the students, organises professional development
programmes for the members and undertakes research programmes in the field of Cost and Management Accountancy.
The Institute pursues the vision of cost competitiveness, cost management, efficient use of resources and structured
approach to cost accounting as the key drivers of the profession. In today's world, the profession of conventional
accounting and auditing has taken a back seat and cost and management accountants are increasingly contributing
towards the management of scarce resources and apply strategic decisions. This has opened up further scope and
tremendous opportunities for cost accountants in India and abroad.

After an amendment passed by the Parliament of India, the Institute is now renamed as ''The Institute of Cost
Accountants of India'' from ''The Institute of Cost and Works Accountants of India''. This step is aimed towards
synergising with the global management accounting bodies, sharing the best practices which will be useful to large
number of trans-national Indian companies operating from India and abroad to remain competitive. With the current
emphasis on management of resources, the specialized knowledge of evaluating operating efficiency and strategic
management the professionals are known as ''Cost and Management Accountants (CMAs)''. The Institute is the 2nd
largest Cost & Management Accounting body in the world and the largest in Asia, having approximately 5,00,000
students and 85,000 members all over the globe. The Institution headquartered at Kolkata operates through four
Regional Councils at Kolkata, Delhi, Mumbai and Chennai and 108 Chapters situated at important cities in the country
as well as 11 Overseas Centres. It is under the administrative control of Ministry of Corporate Affairs, Government of
India, New Delhi.

Internal Auditing and Assurance Standards Board (IAASB)


The Institute & eminent resource persons from our profession have felt the need for the constitution of board for
Internal Audit. The Present Council for the first time has nurtured the Board to formulate and issue standards,
guidelines and advisory for the Internal Audit Function. The Cost Accountants have been recognized by the Companies
Act, 2013 and other regulatory bodies for appointment as Internal Auditors.

First Edition: December, 2020


DISCLAIMER:

The views expressed in this publication are those of author(s) which have been reviewed by the Internal Auditing & Assurance
Standards Board of the Institute of Cost Accountants of India after taking into account the suggestions, opinions and comments of
members and non-members of Institute.

Published by:
Internal Auditing & Assurance Standards Board
The Institute of Cost Accountants of India
12, Sudder Street, Kolkata - 700 016
© The Institute of Cost Accountants of India

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or
transmitted, in any form, or by any means, electronic, mechanical, photocopying, recording, or
otherwise, without prior permission, in writing, from the publisher.



Contact Details
CMA P. Raju Iyer
Vice President & Chairman
The Internal Auditing and Assurance Standards Board
E-mail: [email protected]

CMA Kushal Sengupta
Addl. Director & Secretary
Internal Auditing and Assurance Standards Board
E-mail: [email protected]



FOREWORD OF PRESIDENT

It is my great pleasure to share that the Council in the year 2019 constituted Internal
Auditing & Assurance Standard Board (IAASB), keeping in view the need arising on account
of statutory provisions relating to appointment of cost accountants as Internal Auditors of
the Companies Act, 2013.

As per Section 138 (1) of the Companies Act, 2013, companies fulfilling certain criteria
are required to appoint an internal auditor and further Section 138(1) empowers Cost
Accountants to conduct internal audit of the functions and activities of the company.

Keeping this in mind and in line with the regulatory recognition of practicing Cost
Accountants under section 138 (1) of Companies Act 2013 to be appointed as Internal
Auditors, the present Council for the first time as a hall mark in the history of the Institute,
has constituted the Board to formulate and issue standards, guidance notes, guidelines
and advisory for the Internal Audit activities.

This Guidance Note focuses on Risk Based Internal Audit. It also provides an insight into
the general framework of Internal Audit mechanism vis-à-vis sector specific issues which
are prevalent in analyzing risk assessment of an organization.

On behalf of the Institute, I acknowledge the sincere and persistent effort of CMA B.
Mallikarjuna Gupta, Member of the Institute and CMA Lakshmana Rao, Member of the
Institute & a Practising Cost Accountant who has been entrusted for preparation of this
Guidance Note as an author. I also extend sincere gratitude to CMA B.B. Goyal, Co-opted
Member of IAASB for his enormous support, guidance and expertise as a reviewer
nominated by the board.

I am thankful to CMA Biswarup Basu, Vice-President of the Institute and also CMA P. Raju
Iyer, Chairman of the Internal Audit & Assurance Standards Board (IAASB) for their relentless
support without which, the formation and smooth functioning of the Board would
have been difficult.

I am quite sure that the readers of this Guidance Note will find it very useful in their professional
life and will be benefitted to enrich their knowledge in the field of Internal Audit.

CMA Balwinder Singh
President
Dated: 15th Sept, 2020

FOREWORD OF VICE- PRESIDENT

It gives me immense pleasure to present the Guidance Note on Risk Based Internal Audit
prepared by the Internal Auditing and Assurance Standards Board (IAASB). I also extend
my personal gratitude to the Council for formation of Internal Auditing & Assurance
Standard Board (IAASB) taking into consideration the Statutory Provision of the Companies
Act, 2013 wherein the Cost Accountants along with other professionals have been
considered for taking up the assignment of Internal Audit.

The IAASB has been constituted to provide an opportunity to the members of the Institute
to further their skills and knowledge in the field of Internal Audit by way of imparting specific
training and providing guidance notes and standards for serving the industry in both
the Manufacturing as well as the Service Sector.

I am sure that this Guidance Note would go a long way in strengthening and updating
the professional expertise of Cost Accountants and all other stakeholders in the field of
Internal Audit in delivering a far greater role and responsibilities in the years to come.

I would like to place on record my sincere gratitude to CMA B. Mallikarjuna Gupta and
CMA Lakshmana Rao, authors of this Guidance Note and also express my gratitude to
CMA B.B. Goyal, Co-opted Member of IAASB for his enormous support and guidance
as a reviewer for imparting their expert knowledge in the field of Internal Audit for
finalization of this guidance note.

I am happy to be associated with board as a member and would like to extend my sincere
thanks to CMA P. Raju Iyer, Chairman of IAASB and to all the members of the board
for their relentless efforts in bringing out this Guidance Note in the present form within a
short span of time.

I wish all the success of the Board in its future endeavor.

CMA Biswarup Basu


Vice President
Place & Date: Kolkata, 15th Sept, 2020.



FOREWORD OF THE CHAIRMAN
The Council of the Institute, under the able guidance of CMA Balwinder Singh, President
and CMA Biswarup Basu, Vice President had constituted the Internal Audit Standards Board
(IAASB) in the year 2019. This was a historic decision to promote the role of Cost & Management
Accountants in the domain area of internal audit. The objectives and functions of the
Board include development & issue of standards, guidance notes, implementation guides,
technical guides, practice manuals, information papers and case studies etc. and to undertake
their revision, wherever necessary.

The requirement of IAASB was the need of the hour considering the inclusion of “Cost
Accountants” in the scope of Internal Audit as per provisions of Companies Act, 2013 and
other legislations in force.

As the business activities and operations are undergoing continuous changes, auditing today,
is not confined only to verification of documents and financial transactions but may
also be suitably aligned with the developments in Artificial Intelligence and data mining. To
assess the organization’s performance, and to ensure the overall quality, credibility, consistency
and comparability of the work performed by the Internal Auditors, it is necessary to
follow the prescribed standards, policies, rules, and regulations covering various sectors.

To support & enable the Cost Accountants to qualitatively perform internal audit assignments,
the Board felt the need for the preparation and development of Guidance Notes
on Internal Audit for General requirement as well as for specific Industry/Service Sectors.
Considering the same, the board took up the assignment of preparation of Guidance Note
on Risk based Internal Audit along with other guidance notes which will be published very
soon.

On behalf of the Institute, as a Council Member and as a Chairman of IAASB, I sincerely
thank CMA B. Mallikarjuna Gupta, member of the Institute and CMA Lakshmana Rao, member
of the Institute and a Practicing Cost Accountant who has dedicated their professional
knowledge and expertise in preparing this Guidance Note as an author and also extending
my sincere gratitude to CMA B.B. Goyal, Co-opted Member of IAASB for his relentless support
and guidance as a reviewer for finalization of this guidance note.

I am sure that our members would find this guidance note as a very useful document for
enriching their knowledge in Risk Analysis of a business entity while doing internal Audit which
will be beneficial to build a lucrative career in Internal Auditing to tap the fullest potential
of Internal Auditing and Assurance services.

CMA P.Raju Iyer


Chairman of IAASB
Place & Date: Chennai, 15th Sept, 2020.



CONTENTS

1 INTERNAL AUDIT
1.1 Introduction
1.2 Objectives of the Guidance Note
1.3 Scope of the Guidance Note

2 OVERVIEW OF INTERNAL AUDIT
2.1 Definition of Internal Audit
2.2 Objectives of Internal Audit
2.3 Scope of Internal Audit
2.4 Methodology
2.5 Risk-Based Internal Audit Planning
2.6 Sampling
2.7 Evidence
2.8 Analytical Procedures
2.9 Documentation

3 CONTROL & RISK MANAGEMENT
3.1 Risk Identification
3.2 Risk Assessment
3.3 Risk Categorization
3.4 Risk Prioritization
3.5 Risk Mitigation
3.6 Risk Monitoring
3.7 Risk Communication
3.8 Risk Reporting

4 RISK GOVERNANCE & INTERNAL AUDIT
4.1 Role of Board of Directors/Governing Body
4.2 Role of Audit Committee
4.3 Role of Risk Management Committee
4.4 Role of Senior Management
4.5 Role of Executive Functional Heads
4.6 Role of Internal Auditor
4.7 Internal Auditor’s Skills for Risk Management
4.8 Role of External Auditor
4.9 COSO Framework

5 ENTERPRISE RISK MANAGEMENT (ERM)
5.1 Definition of ERM
5.2 Attributes of Risk
5.3 Activities included in ERM
5.4 Benefits of ERM
5.5 Assurance Role of Internal Audit in ERM
5.6 Consulting Role of Internal Audit in ERM
5.7 Safeguards for Internal Audit in ERM

6 RISK BASED INTERNAL AUDIT
6.1 Why Risk Based Internal Audit
6.2 Risk Based Internal Audit Planning
6.3 Audit Universe
6.4 Steps for Audit Universe Preparation
6.5 Process of Risk Based Internal Audit
6.6 Risk Assessment & Measurement
6.7 Tips for Successful Implementation of RBIA
6.8 Benefits of Risk Based Internal Audit

7 INTERNAL AUDIT IN COVID-19 LIKE SITUATION
7.1 VUCA
7.2 SWOT Analysis
7.3 How to Do SWOT Analysis
7.4 Process of Risk Based Audit
7.4.1 Strategy – Pivoting
7.4.2 Review of Business Plans
7.4.3 IT Infrastructure & Risk Assessment
7.4.4 Reverse Migration
7.4.5 Strategy for Future Lockdowns
7.4.6 Efficient and Effective Management of Working Capital
7.4.7 Virtual Internal Audit

8 COVID TO COMBAT COVID
8.1 Communicate
8.2 Outsource
8.3 Vision
8.4 Innovate
8.5 Delivery

9 DATA ANALYTICS AS A TOOL TO INTERNAL AUDIT
9.1 Advantages of Data Analytics
9.2 Types of Data Analytics
9.3 5 W’s of Data Analytics
9.4 Steps for Data Analytics Activity
9.4.1 Define Scope
9.4.2 Gather Data
9.4.3 Validate Data
9.4.4 Data Analysis
9.4.5 Interpret & Report
9.5 Internal Audit of Accounts Payables using Data Analytics
9.6 Internal Audit of Accounts Receivables using Data Analytics
9.7 Internal Audit of Inventory using Data Analytics
9.8 Internal Audit - General Accounting and Compliance using Data Analytics

10 APPENDIX
10.1 Format of Risk Mapping Matrix
10.2 Format of Risk Matrix
10.3 Procedure for Control Overview and Risk Assessment


1 INTERNAL AUDIT

1.1 INTRODUCTION

Due to globalization and changing trends in business, management is
increasingly getting risk-focused, and the expectation from internal auditors has,
over the years, shifted from traditional internal audit to risk-based internal audit.
Audit is no longer a post-mortem exercise; rather, it is a proactive exercise. In the light
of this, internal auditors are expected to assure the adequacy and effectiveness of
internal controls with a clear objective as to whether risks are being managed within
acceptable limits. One cannot say that there is no risk at all, but the risk exists within
the acceptable limits as laid down by the management of the enterprise. Such
tolerances of risk depend on the nature of the business and size of the organization.

1.2 OBJECTIVES OF THIS GUIDANCE NOTE

The objectives of this Guidance Note are:

► To create an understanding on risk-based internal audit (RBIA)
► To define and determine the scope and the methodology of RBIA
► To explain the need for risk-based internal audit
► To update the latest developments in the fields of RBIA
► To facilitate members, auditors, and auditees in conducting risk based
internal audit

1.3 SCOPE OF THE GUIDANCE NOTE

With the change in business dynamics, the role of and expectations from the
Internal Auditor are also changing. The traditional way of internal audit has to
be enhanced to provide value-added services to the clients. In this context, the
Internal Auditor can adopt risk-based internal audit. This Guidance Note provides
an insight into risk-based internal audit and also the process of doing such an audit,
along with the areas on which the Internal Auditor has to concentrate.


2 OVERVIEW OF INTERNAL AUDIT


2.1 DEFINITION OF INTERNAL AUDIT

The Institute of Internal Auditors (IIA) defines internal audit thus: ‘Internal audit is an
independent, objective assurance and consulting activity designed to add value
and improve an organization’s operations. It helps an organization to accomplish
its objectives by bringing a systematic, disciplined approach to evaluate and
improve effectiveness of risk management, control and governance processes.’
Internal Audit, therefore, assures that there is transparency in reporting, besides
good governance.

2.2 OBJECTIVES OF INTERNAL AUDIT

The objectives of internal audit are:


● To provide assurance on compliance
● To provide assurance on the efficiency of systems, processes, and governance
● To provide assurance on adequacy and effectiveness of internal controls
over financial reporting
● To provide assurance on adequacy and effectiveness of the risk management
system
● To provide safeguards against potential fraud, waste, or abuse
● To provide value-added consultancy to the management, and improve the
organization’s operations.

While accomplishing these objectives, the three E’s of audit, i.e., Efficiency,
Effectiveness, & Economy, must be followed.

2.3 SCOPE OF INTERNAL AUDIT

The potential scope of internal audit is the whole system of internal control
established by an organization. This may include controls over all the organization’s
activities, not just controls over financial accounting and reporting. It should review
all significant, operational, and management controls, including policies and
procedures for the management of risk. It should concentrate on high-risk areas
and the most important internal controls.

The scope of the audit includes review of:
o Internal control system and procedures
o Custodianship and safeguarding of assets
o Compliance with policies, plans, procedures, and regulations
o Relevance and reliability of information
o Organizational structure
o Utilisation of resources
o Accomplishment of goals and objectives

2.4 METHODOLOGY

Internal audit usually starts with a kick-off meeting with the company.

The Auditor needs to have a discussion with the client regarding the business
structure, controls, and standard operating procedures of the company.
Technically, it is known as “Know Your Client”. Before the start of the audit, one
needs to understand the company’s policies and procedures.

Based on his understanding, the Auditor needs to prepare an internal control
questionnaire with Yes / No responses, which should be answered by the client. A
risk grading criterion should be prepared beforehand to differentiate the level of
risk assessment.

After reviewing the internal control questionnaire, a checklist should be prepared
by the Auditor for conducting the audit of different functionalities.

A risk matrix needs to be prepared, considering the criteria based on the level of
risks identified during the audit. This will help to identify high-risk areas and focus on
what needs to be addressed first.

The management accordingly needs to take necessary action for the identified
and assessed risks and needs to improve the controls to reduce the risk in the future.

The Institute of Internal Auditors (IIA) defines risk as “The possibility of an event
occurring that will have an impact on the achievement of objectives. Risk is
measured in terms of impact and likelihood.”

Some companies have their own internal audit teams, and in such cases the
above-mentioned methodology may not be followed. Of late, many of the large entities
are outsourcing the Internal Audit functionality to maintain independence of the audit
function.

2.5 RISK-BASED INTERNAL AUDIT PLANNING

The Internal Auditor needs to plan the audit to be performed well before the
commencement of the audit. It should include the scope of the audit, personnel,
and time required.

The audit plan is a bird’s eye-view, as it provides full information regarding the areas
of work to be performed and the delegation of work among the personnel. It needs
to be comprehensive and definite to ensure that non-value-added activities are
eliminated. It should be formulated in a cost-effective and time bound manner.

The Internal Auditor should, in consultation with those responsible for governance,
including the Audit Committee, develop and document a plan for each internal
audit engagement to help him to conduct the meeting in an efficient and timely
manner.

The internal audit plan, which is approved by the Audit Committee, should be based
on risk assessment as well as on issues highlighted by the Audit Committee and
senior management. The risk assessment process should be a continuous one to
identify not only residual or existing risks, but also emerging risks. The Internal Auditor
should design the audit work plan by aligning it with the objectives and risks of the
enterprise and concentrate on those issues where assurance is sought.

Risk based Internal Audit Plan:

2.6 SAMPLING

Audit sampling is the application of audit procedures to less than 100% of items
within a population of audit relevance such that all sampling units have a chance
of selection in order to provide the Auditor with a reasonable basis on which to
draw conclusions about the entire population.

The use of sampling in auditing is widely adopted as it enables the Auditors to
obtain a minimum amount of evidence to perform the maximum level of audit. In
selecting the sample, the Auditor must exercise utmost care, as selection of the wrong
sample leads to drawing the wrong conclusion about the entire audit work. The
audit team can follow either statistical sampling or non-statistical sampling or a
combination of both, based on the size of the business and the extent of complexity
involved. Statistical sampling uses a theory of probability, while non-statistical
sampling largely depends on auditors’ experience and judgemental capacity.

2.7 EVIDENCE

Audit evidence helps the auditors to form a strong opinion of the control system and
acts as proof of the transaction performed. Evidence can be formal or informal,
written, or verbal. Evidence should be sufficient, reliable, relevant, and from the
right source. Types of audit evidence are:

1) Physical examination which means physically examining a workplace,
inventory asset, etc. which the Auditor would like to see.

2) Documentation is the act of verifying documents such as sales invoice,
purchase invoice, journal voucher, bank statement, etc.

3) Analytical procedures act as corroborative evidence and help in forming
an opinion and deciding whether an area of operation or function requires
auditing in-depth or not. Analytics sometimes also helps in judging the internal
control system.

4) Confirmations are mostly obtained from third parties such as banks,
insurance agencies, vendors or customers to establish the authenticity of the
transactions.

5) Observations.

6) Enquiry is another mode of collecting information from employees,
management, third parties, etc. depending on the seriousness of the
transactions and risk involved.

2.8 ANALYTICAL PROCEDURES

Analytical procedures mean the evaluation of financial and non-financial,
qualitative, and quantitative information to establish a relation between business
processes and transactions. These are used to assess the risk, to conduct effective
tests, and to understand the efficacy or otherwise of the internal control system. In the
modern-day audit, big data and data analytics play a vital role in performing
analytical procedures. With automated statistical calculations, data can be
uploaded to the application and the system-generated results drive the conclusion.

System support is no doubt an essential ingredient for analysis, but human
intervention and interpretation will certainly be overriding in deriving the conclusions.

2.9 DOCUMENTATION

Audit documentation is the record of the audit program, planning, evidence
collected, methodology followed, analysis made, conclusions drawn, comments
received on the draft report, etc. The mode of documentation can be electronic or
physical. Electronic documentation eases the work of documentation and enables
faster communication, and quicker access. Documentation can be divided into
master documents and transactional documents.


3 CONTROL & RISK MANAGEMENT


3.1 RISK IDENTIFICATION

Risk identification is the process of identifying all possible risks within the organization
and the audit population. This includes evaluation of ‘what can go wrong’ in
the control environment and within the business of the entity selected for audit.
The risks identified are those that will have an adverse impact on the organization. The adverse
impact could be in the form of possible financial loss, operational inefficiency
and ineffectiveness, statutory non-compliance, incorrect reporting, etc. Risk
identification is the key to accurate risk assessment.

3.2 RISK ASSESSMENT

The main objective of risk assessment is to assess the degree of risk in the various
business processes. Risk assessment focuses on the business environment, regulatory
environment, organizational structure, organizational and business environment
changes, and specific concerns of management and the Audit Committee to
determine the areas with a high degree of risk. It also helps the Internal Auditor in evaluating
the control design to determine the desired audit scope. Risk assessment includes
risk identification and then risk prioritization based on defined criteria.

3.3 RISK CATEGORIZATION

According to the Internal Control Framework issued by The Committee of Sponsoring
Organizations (COSO) of the Treadway Commission, risk can be categorized as
Strategic Risk, Operational Risk, Reporting Risk, and Compliance Risk.
o Strategic risk includes high-level goals, aligned with and supporting its mission.
o Operational risk includes effective and efficient use of its resources
o Reporting risk means the reliability of reporting
o Compliance risk is compliance with applicable laws and regulations

3.4 RISK PRIORITIZATION

The identified risk needs to be prioritized based on the pre-defined criteria (Refer
step 1 mentioned in the Audit Plan above: Define the objective, criteria, and risk
appetite). The typical risk prioritization is done on a scale of 1 to 5, as mentioned in
the subsequent sections below, where 1 denotes Low, 2 denotes Minor, 3 denotes
Moderate, 4 denotes High, and 5 denotes Extreme. This prioritization depends
on many factors viz., risk of non-compliance, risk of significant financial loss, risk
of safety, health and environment (SHE), risk of organizational reputation, risk of
technology, etc.

3.5 RISK MITIGATION

One of the major challenges organizations are facing across the globe is risk
and how to mitigate it.

For a risk to be mitigated, it first has to be identified, and based on the nature
of the risk, corrective actions have to be taken. For example, if an organization is
dependent on a single person in marketing or sales, a second line should be
developed and a person should be deployed as a shadow for the key employee.
Addressing only this will not mitigate the risk; how it will be addressed in the future
in other areas/departments of the organization also has to be planned. For this, the
HR policies have to be addressed and the second-level leadership team should
be developed for all the areas where it is required. In this manner, the risk can be
mitigated.

As one size does not fit all, the risk mitigation will differ from organization to
organization or risk to risk. The Internal Auditor has to come out with various options
in his report, along with the pros & cons. This will help the client to take corrective
steps beforehand and overcome the risk.

3.6 RISK MONITORING

This step involves reviewing the results of MIS and field visits to assess the activities or
business processes. Monitoring is a routine activity, and risk monitoring and control
is required for the following:
o Risk responses have been implemented as planned.
o Risk response actions are as effective as expected, or whether new responses
should be developed.
o Risk exposure has changed from its prior state, with analysis of trends.
o A risk trigger has occurred.
o Proper policies and procedures are followed.
o New risks have occurred that were not previously identified.

o Ensure the execution of the risk plans and evaluate their effectiveness in
reducing risk.
o Keep track of the identified risks, including the watch list.
o Monitor trigger conditions for contingencies
o Monitor residual risks and identify new risks arising during project execution.
o Update the organizational process

3.7 RISK COMMUNICATION

Risk communication is necessary for the organization to carry out internal control
responsibilities to support the achievement of its objectives. Management obtains
or generates and uses relevant and quality information from both internal and
external sources to help the functioning of internal control. Communication is the
continual, iterative process of providing, sharing, and obtaining the necessary
information. Internal communication is how information is disseminated throughout
the organization, flowing up, down, and across the entity. It enables personnel
to receive a clear message from senior management that control responsibilities
must be taken seriously. External communication is two-fold: it allows inbound
communication of relevant external information and provides information to
external parties in response to requirements and expectations.

3.8 RISK REPORTING

Risk reporting is an important factor in risk management. Whom to report to, what to
report, and when to report are also important aspects. Reporting organizational
risks should operate on multiple levels to address the needs of diverse audiences,
each with their own specific needs, requirements, expectations, agenda, and
levels of expertise. It also differs between internal and external audiences for internal
and external risk reports. Although internal risk reports aim exclusively at internal
audiences, from a broader perspective, external risk reporting, including corporate
annual reports, may include both external users and interested internal groups.

Some of the risk reports and their reporting are detailed below:
• Internal Risk Reports
o Board of Directors
o Audit Committee
o Senior Management
o Managers
o Employees
o Integrated Business Partners
• External Risk Reports
o Statutory Auditors
o Regulators
o Shareholders
o Creditors
o Customers
o Suppliers
o Media


4 RISK GOVERNANCE & INTERNAL AUDIT


4.1 ROLE OF BOARD OF DIRECTORS/GOVERNING BODY

The Board should discuss with senior management the state of the entity’s Enterprise
Risk Management and provide oversight as needed. The Board should ensure that
it is apprised of the most significant risks, along with the action the management is
taking and how it is ensuring effective Enterprise Risk Management.

The Board should consider seeking input from Internal Auditors, external auditors,
and others. Responsibilities of the Board and management on ERM are clearly
stated in the international frameworks (such as the ERM Framework) and the
Corporate Governance Code.

Generally, the Board should oversee the ERM by:
o Defining expectations
o Setting strategy & high-level objectives
o Allocating resources
o Adopting a risk management policy
o Knowing the extent of ERM within the organization
o Reviewing the risk portfolio of the organization and considering it against the
risk appetite
o Understanding the changes and significant risks the organization is facing
o Considering whether or not the risk responses are appropriate.

4.2 ROLE OF AUDIT COMMITTEE

Although the monitoring of the risk management process is the responsibility of
the Board, in recent times it has been delegated to the Audit Committee. Hence
its role is becoming more important and the scope of its responsibilities and tasks
is expanding. Regardless of whether it is the continental system of corporate
governance, which is characterized by a two-tier governance structure (with
Supervisory and Management Board) or the Anglo-American system of corporate
governance in which the role of the management and Supervisory Board integrates
into a single Board of Directors with executive and non-executive directors, the
Audit Committee is a specialized sub-committee which is being delegated with
appropriate supervisory functions. The primary functions of the Audit Committee
are usually associated with the internal controls and risk management, financial
reporting, compliance with legal and regulatory requirements and the relevant
issues related to the process of external and internal audit.

The role of the Audit Committee is a non-executive function that aims to satisfy itself
that management has properly fulfilled its responsibilities, as well as the following:
o The degree to which management has assumed ownership for risk and
control.
o How key business risks are identified, evaluated and managed.
o Whether the controls are appropriate for the purpose and are working as
intended.
o The rigor and comprehensiveness of the review process.

4.3 ROLE OF RISK MANAGEMENT COMMITTEE

The role of the Risk Management Committee is important in the light of the fact
that it has responsibility to assist the Board in setting up risk strategies, policies and
frameworks, models, and procedures in liaison with management. It acts as a
bridge between the Board and management in mitigating the risks.
o To assess the company’s risk profile and key areas of risk in particular.
o To recommend to the Board the adaption of risk assessment and rating
procedures.
o To examine and determine the sufficiency of the company’s internal process
for reporting and managing key risk areas.
o To assess and recommend to the Board risk tolerance levels.
o To develop and implement a risk management framework and internal
control system.
o To have special investigations into areas of corporate risk and weakness in
the internal control system.
o To review management response to the company auditors’ recommendations,
which are adapted.
o To report the trends in the company’s risk profile, say in specific risks and the
status of the risk management process.
o Propose risk management policy & philosophy.
o Establish risk management goals.
o Develop & implement a risk management program.

o Help managers incorporate risk management into operations.
o Convert risk management strategies into operations.
o Present annual report to Board.

4.4 ROLE OF SENIOR MANAGEMENT

o Responsible for all activities including assisting the Risk Management
Committee.
o Set the tone & influence the internal environment (principles, values).
o Develop risk management philosophy, appetite & culture.
o Coordinate, on an ongoing basis, the implementation of the Risk Management
Plan.
o Review the Risk Matrix and report to the CEO on recommended changes.
o Regularly arrange for the leadership team to discuss the areas of major risks and
necessary changes to mitigate the risk.
o Develop and implement risk management procedures and training as may
be needed.

4.5 ROLE OF EXECUTIVE FUNCTIONAL HEADS

o Ensure that risk management controls and processes are included in all
planning and research.
o Encourage an organizational climate that supports risk management.
o Ensure that employees understand the importance and consequences of risk
management issues in their immediate work areas.
o Identify any new risks and report them to the Executive Committee.

4.6 ROLE OF INTERNAL AUDITOR

Due to the new demands from the Board and management, the role of an internal
auditor shifts from a control-focus advisor to a consultant who creates value by
supporting the organization’s objectives, monitoring enterprise risks, and ensuring
the effectiveness of the internal control framework. Internal Auditors should consider
whether the future activities will affect their independence and objectivity or not.
The role of the Internal Auditor under ERM could be depicted as under:

ROLE OF INTERNAL AUDITOR IN RISK MANAGEMENT

Core Roles
o Assurance that risks are correctly stated & evaluated.
o Assurance that mitigating actions are operating.
o Evaluate risk management process.
o Evaluate reporting & management of key risks.

Roles with Safeguards
o Facilitating identification & evaluation of risks.
o Coaching management in responding to risks.
o Coordinating ERM activities.
o Consolidated reporting on risks.
o Maintaining and developing ERM framework.
o Leading establishment of ERM.
o Developing ERM strategy for board approval.

4.7 INTERNAL AUDITOR’S SKILLS FOR RISK MANAGEMENT

o Should be aware of the mission, vision, values, and strategic objectives of the
organization.
o Should understand the development and use of standard tools,
techniques, latest technologies, and methodologies.
o Should have in-depth knowledge of Accounting and Audit.
o Should know about fraud auditing, forensics, and investigation.
o Should have data mining & analysis knowledge with IT & cybersecurity.
o Should have industry-specific knowledge with risk management
aptitude.
o Should know how to identify, assess, and evaluate risks & controls.
o Should be able to summarize and report at an executive level,
preferably in dashboards and color-coding, i.e., Visual Display Analysis
(VDA) mode.
o Should have independent approachability to the Audit Committee and top
management.
o Should have strong team-building skills.

4.8 ROLE OF EXTERNAL AUDITOR
o Understanding the business
o Identifying the risk areas
o Analyzing the process and controls
o Communicating and recommending through the report

4.9 COSO FRAMEWORK

In 1992, the Committee of Sponsoring Organizations of the Treadway Commission
(COSO) developed a model for evaluating internal controls. This model has been
adopted as the generally accepted framework for internal control and is widely
recognized as the definitive standard against which organizations measure the
effectiveness of their systems of internal control. The COSO model defines internal
control as “A process effected by an entity’s Board of Directors, management, and
other personnel” designed to provide reasonable assurance of the achievement
of objectives in the following categories:
o Operational effectiveness and efficiency
o Financial reporting reliability
o Applicable laws and regulations compliance

According to COSO, internal control:
o Focuses on achieving objectives in operations, reporting, and compliance
o Is an ongoing process
o Depends on people’s actions and not merely on written policies and
procedures

Following are the components of COSO:

o Control Environment: It describes a set of standards, processes, and structures
that provide the basis for carrying out internal control across the organization.
It is the foundation on which an effective system of internal control is built and
operated.
• Exercise integrity and ethical values.
• Make a commitment to competence.
• Use the Board of Directors and the Audit Committee.
• Facilitate the management’s philosophy and operating style.
• Create an organizational structure.
• Issue assignment of authority and responsibility.
• Utilize human resources policies and procedures.

o Risk Assessment: It forms the basis for determining how risk will be managed.
It requires management to consider the impact of possible changes in the
external and internal environment and take action to manage the impact.
• Create companywide objectives.
• Incorporate process-level objectives.
• Perform risk identification and analysis.
• Manage change.

o Information & Communication: Information is obtained or generated by
management from both internal and external sources to support internal
control components. Communication based on internal and external sources
is used to disseminate important information throughout and outside the
organization, as needed to respond to and support meeting requirements
and expectations. The internal communication of information throughout an
organization also allows senior management to demonstrate to employees
that control activities should be taken seriously.
• Measure the quality of the information.
• Measure the effectiveness of communication.

o Monitoring Activities: These are periodic or ongoing evaluations to verify that
each of the five components of internal control, including the controls that
affect the principles within each component, are present and functioning
around their products.
• Perform ongoing monitoring.
• Conduct separate evaluations.
• Report deficiencies.

o Control Activities: Control activities are actions (generally described in
policies, procedures, and standards) that help the management to mitigate
risks to ensure the achievement of objectives. Control activities may be
preventive or detective in nature and may be performed at all levels of the
organization.
• Follow policies and procedures.
• Improve security (application and network).
• Conduct application change management.
• Plan business continuity/backups.
• Perform outsourcing.


5 ENTERPRISE RISK MANAGEMENT (ERM)


5.1 DEFINITION OF ERM

As per Chartered Global Management Accountant (CGMA), “Enterprise Risk
Management (ERM) is the process of identifying and addressing methodically the
potential events that represent risks to the achievement of strategic objectives, or
to opportunities to gain a competitive advantage.”

Enterprise Risk Management is a process, effected by an entity’s Board of Directors,
management and other personnel, applied in strategy setting and across the
enterprise, designed to identify potential events that may affect the entity, and
manage risk to be within its risk appetite, to provide reasonable assurance regarding
the achievement of entity objectives.

ERM is the identification, assessment, and management of a pool of the most
significant risks/opportunities that could hamper or enable the achievement of the
organization’s strategic, operational, compliance, reporting, and other important
objectives.

Going by the above definitions and understandings, the role of the Internal
Auditor in relation to Enterprise Risk Management is to assure the management
of the effectiveness of risk management. Due consideration should be given to
ensure that the Internal Auditor protects his independence and objectivity of the
assurance provided. The role of the Internal Auditor is to ascertain that risks are
appropriately defined and managed.

5.2 ATTRIBUTES OF RISK

The attributes of risk are:
• Probability of occurrence of risk
• Consequences of occurrence of such risk

The scope of the Internal Auditor’s work in assessing the effectiveness of the
Enterprise Risk Management would normally include the following:
• Assessing the risk maturity level both at the entity level as well as the auditable
unit level.
• Assessing the adequacy of and compliance with the risk management policy
and framework for the risks covered by the internal audit plan.
• Assessing the efficiency and effectiveness of the risk response.
• Assessing whether the score of the residual risk is within the risk appetite.

The extent of the Internal Auditor’s role in Enterprise Risk Management will depend on
other resources, internal and external, available to the Board and on the risk maturity
of the organization. The nature of the Internal Auditor’s responsibilities should be
adequately documented and approved by those charged with governance. The
Internal Auditor should not manage any of the risks on behalf of the management
or take risk management decisions. He has a role only in commenting and advising
on risk management and assisting in the effective mitigation of risk.

The Internal Auditor must review the structure, effectiveness, and maturity of an
Enterprise Risk Management system. In doing so, he should consider whether the
enterprise has developed a Risk Management Policy setting out the roles and
responsibilities and framing a risk management activity calendar. The Internal
Auditor should review the maturity of an Enterprise Risk Management structure by
considering whether the framework so developed, inter alia:
a) protects the enterprise against surprises
b) stabilizes overall performance with less volatile earnings
c) operates within established risk appetite
d) protects the ability of the enterprise to attend to its core business and
e) creates a system to manage risks proactively.

The Internal Auditor should review whether the Enterprise Risk Management
coordinators in the entity report on the results of the assessment of key risks at the
appropriate levels, which are:
• Risk Management Committee.
• Enterprise Business and Unit Heads.
• Audit Committee.

5.3 ACTIVITIES INCLUDED IN ERM

• Articulating and communicating the objectives of the organization
• Determining the risk appetite of the organization
• Identifying potential threats to the achievement of the objectives
• Establishing an appropriate internal environment, including a risk management
framework
• Assessing the risk, i.e., the impact and likelihood of the threat occurring
• Selecting and implementing responses to the risks
• Undertaking control and other response activities
• Communicating information on risks in a consistent manner at all levels in the
organization
• Centrally monitoring and coordinating the risk management processes and
the outcome
• Assuring the effectiveness with which risks are managed.

5.4 BENEFITS OF ERM

All organizations need to evolve a strategy and periodically adjust it, always
staying aware of both ever-changing opportunities for creating value and the
challenges that will occur in pursuit of that value. To do that, they need the best
possible framework for optimizing strategy and performance.

That is where Enterprise Risk Management comes into play. Organizations that
integrate Enterprise Risk Management throughout the entity can realize many
benefits, including, though not limited to:
• Greater likelihood of achieving those objectives
• Consolidated reporting of disparate risks at Board level
• Improved understanding of the key risks and their wider implications
• Identification and sharing of cross-business risks
• Greater management focus on the issues that matter
• Fewer surprises or crises
• More focus internally on doing the right things in the right way
• Increased likelihood of change initiatives being achieved
• Capability to take on greater risk for greater reward
• More informed risk-taking and decision-making

These benefits highlight the fact that risk should not be viewed solely as a potential
constraint or challenge to setting and carrying out a strategy. Rather, the change
that underlies risk and the organizational responses to risk gives rise to strategic
opportunities and key differentiating capabilities.

ERM: 20 key principles within each of the five components

Governance and Culture
1. Exercise Board Risk oversight.
2. Establishes Operating Structure.
3. Defines Desired Culture.
4. Demonstrates Commitment to Core Values.
5. Attracts, Develops and Retains Capable Individuals.

Strategy and Objective Setting
6. Analyses Business Context.
7. Defines Risk Appetite.
8. Evaluates Alternative Strategies.
9. Formulates Business Objectives.

Performance
10. Identify Risk.
11. Assess Sensitivity of Risk.
12. Prioritized Risks.
13. Implements Risk Responses.
14. Develop Portfolio Views.

Review and Revision
15. Assess the Substantial Change.
16. Reviews Risk & Performance.
17. Pursues improvement in Enterprise Risk Management.

Information, Communication and Reporting
18. Leverages Information and Technology.
19. Communicate Risk Information.
20. Reports Risk, Culture and Performance.

Governance and Culture: Governance sets the organization’s tone, reinforcing
the importance of and establishing oversight responsibilities for Enterprise Risk
Management. Culture pertains to ethical values, desired behaviours, and
understanding of risk in the entity.

Strategy and Objective-Setting: Enterprise Risk Management, strategy, and
objective-setting work together in the strategic-planning process. Risk appetite
is established and aligned with strategy; business objectives put the strategy into
practice while serving as a basis for identifying, assessing, and responding to risk.

Performance: Risks that may impact the achievement of strategy and business
objectives need to be identified and assessed. Risks are prioritized by severity in the
context of risk appetite. The organization then selects risk responses and takes a
portfolio view of the extent of the risk it has assumed. The results of this process are
reported to key risk stakeholders.

Review and Revision: By reviewing entity performance, an organization can
consider how well the Enterprise Risk Management components are functioning
over time and in light of substantial changes, and what revisions are needed.

Information, Communication, and Reporting: Enterprise Risk Management requires
a continual process of obtaining and sharing necessary information from both
internal and external sources, which flows up, down, and across the organization.

5.5 ASSURANCE ROLE OF INTERNAL AUDIT IN ERM

• Providing an objective assurance that major business risks are being managed
appropriately.
• Providing assurance that the risk management and internal control framework is
operating effectively.
• Giving assurance on risk management processes.
• Giving assurance that risks are correctly evaluated.
• Giving assurance that the process of reviewing of risk management is
happening at frequent intervals.
• Assuring key risks reporting to appropriate levels at the right time.

5.6 CONSULTING ROLE OF INTERNAL AUDIT IN ERM

• Having overall knowledge of the organization and brainstorming with the key
stakeholders about the benefits of ERM.
• Making available to management tools and techniques used by internal
audit to analyze risks and controls.
• Being a champion for introducing ERM into the organization leveraging its
expertise in risk management and control.
• Providing advice, facilitating workshops, coaching the organization on risk
and control, and promoting the development of a common language,
framework, and understanding.
• Acting as the central point for coordinating, monitoring, and reporting on
risks.
• Supporting the managers as they work to identify the best way to mitigate
risks.

5.7 SAFEGUARDS FOR INTERNAL AUDIT IN ERM

• The management should be clear that they are responsible for risk
management.
• The nature of internal audit’s responsibilities should be documented in the
audit charter and approved by the Audit Committee.
• Internal audit should not manage any of the risks on behalf of management.
• Internal audit should provide advice and support to management’s decision
making, as opposed to taking risk management decisions themselves.
• Internal audit also cannot give objective assurance on any part of the ERM
framework for which it is responsible. Such assurance should be provided by
other suitably qualified parties.
• Any work beyond the assurance activities should be recognized as a
consulting engagement and the implementation standards related to such
engagements should be followed.

The safeguards could be expressed in the form of a flowchart as under:


6 RISK BASED INTERNAL AUDIT


The Chartered Institute of Internal Auditors (IIA) defines Risk Based Internal Auditing (RBIA)
as a methodology that links internal auditing to an organization’s overall risk management
framework. RBIA allows internal audit to assure the Board that risk management processes
are managing risks effectively, in relation to the risk appetite.

Risk Based Internal Audit means an audit around Enterprise Risk Management (ERM).
Firms that do not have ERM may focus on procurement of critical material that is in short
supply, and this may result in the production stoppage; therefore, the purchasing team
may circumvent and procure some of the material on emergency basis. This may affect
the bargaining power, and the firm may incur a financial loss due to the higher cost of
procurement. It may also result in buying poor quality material which in turn, results in
producing an inferior quality of finished goods. Here the internal audit may focus on sales
returns due to customer complaints on product quality. In the risk management model, it
must be seen that the supply of inferior quality of finished products may affect the firm’s
reputation and result in further diminution in its market share.

6.1 WHY RISK BASED INTERNAL AUDIT

Risk-based internal audit is required for organizations as it will help the
organization to identify the risks and address them accordingly based on the risk
priority and direction provided by the Board. It helps to:
a) Identify the inherited risks of the organization
b) Identify the risk appetite
c) Identify the risks and prioritize them based on the risk sequence
d) Identify, respond to, and classify the risks

RBIA also helps the Board to make decisions effectively as it knows the risk appetite
and the risk potential while taking the decisions regarding the revenue, new
product lines or divisions, or upgradation of technology or operational expansions.

6.2 RISK BASED INTERNAL AUDIT PLANNING

Planning is a key element for the execution of any project or activity, and similarly
for RBIA also, preparation is the key.

The Internal Auditor, in-house or outsourced, has to define the audit plan at the
beginning of the year with a vision for the next three to five years for the Risk Based
Internal Audit as the same cannot be completed in a short span of time. The areas
to be worked for each year have to be marked out and executed accordingly.

Once the plan is in place, the same has to be submitted to the Audit Committee of
the organization for approval as it has to be in line with the vision of the organization
and should be able to handle the future expansions also. The Audit Committee
members will provide direction based on their experience, wherever required.

The plan, once frozen, should be reviewed on an annual basis on the actual
achievement compared with planned activity. The report has to specify if there
are any deviations along with reasons.

The Board will approve the audit plan as the same is expected to be considered by
the Statutory Auditor.

The audit plan should consider the following:
• Major risks
• Business objective
• Risk appetite
• Inputs from key managerial persons
• Business environment

6.3 AUDIT UNIVERSE

Audit universe comprises the processes, locations, activities, and operations subject to
audit during the audit period. A proper audit universe helps the Internal Auditor
to complete the risk-based internal audit systematically, to assess the risks and how
to address the same. Audit universe should be designed to reflect the overall
business objectives along with planning for conducting the audit. Audit universe
and the detailed audit plan should also reflect the change in the management’s
course of action along with the objectives. The key factors of audit universe are the
following.

Organization’s Objective: The objective of the corporate has to be considered
while defining the audit universe. Every organization has its own objective, and the
audit universe should consider the objectives of the organization. An organization
may have the aim of capturing 10% of the market share; in such cases, the audit
universe should consider the market share as the point, and the audit should be
focused on the risks related to achieving a 10% market share.

Organization’s Structure: Organization structure also has to be considered in the
audit universe. It will state who should be approached for conducting the audit
department/location/unit wise.

Business Process: The business process should also be considered as part of the
audit universe. A look at the business process from the angle of internal controls
also helps to understand the client’s way of working. The business process will help
to determine the areas to be audited first and decide the sequence.

Geographic Locations: Audit universe should consider the geographic locations if
the entity is based out of different places. All the locations cannot be audited at
a time; the audit universe should specify the locations with the timings and which
places are being audited.

The above is an illustration of the audit universe for a manufacturing unit. It may
differ from client to client, auditor to auditor, and industry vertical to vertical.

6.4 STEPS FOR AUDIT UNIVERSE PREPARATION

Preparing the audit universe is a key process for Risk Based Internal Audit, and it has
to be done with utmost care, else there is a possibility of the whole activity going
down the drain.

For any new process adoption or implementation, the blessing of the management
is required. Preparation of audit universe starts with a discussion with the
management as they provide the direction and also validate the process of RBIA
and its expected outcome.

The second step is the preparation of the audit universe based on the points
discussed in the previous section. Audit universe has to be prepared with utmost
care as the team will be working based on that, and audit universe will help in
identifying the risk and whom to address the same.

Once an audit universe is prepared, the next step is to assess the objective of the
Risk Based Internal Audit, and once it is done, the same has to be revalidated.

6.5 PROCESS OF RISK BASED INTERNAL AUDIT

The process helps to execute the internal audit to implement the Risk Based Internal
Audit effectively. The process for RBIA is similar to regular internal audit, but the
method of auditing is different.

[Figure: RBIA process flow. Boxes of the original diagram, listed column by column:]
Column 1: Define Objectives & Risk Appetite; Understand Business Process; Prepare
Audit Universe; Identify Risk
Column 2: Summarize Risk Based on Audit Area; Rate Risks; Categorize Risk; Filter
Risks (tolerance / Acceptability)
Column 3: Assess Control Environment; Derive Residual Risk Rating; Derive Audit
Frequency; Develop Audit Plan
Column 4: Update RBIA Plan; Re-assess Risk; Allocate Resources for Execution;
Approval for Audit Committee

The process is a never-ending one. It starts with defining the objective or the
outcome of the audit; then, the business process has to be understood by the
team, then the audit universe has to be defined. Once risk is identified, the same is
to be categorized if the organization has the risk appetite and other risks have to be
rated, and, on that basis, the potential risks have to be selected for minimizing them
after approval of the Audit Committee. Once the risk is reduced or eliminated, the
same has to be re-assessed and updated in the audit plan.

Risk appetite is the degree of risk that the organization is going to absorb. For
example, it determines to what extent a credit limit can be given to a customer at a
given point of time. This defines the threshold for the risk which the organization
can take on each and every customer in bad debts.

6.6 RISK ASSESSMENT & MEASUREMENT

Risk assessment is the key in risk management as it will determine the organization’s
risk appetite based on risk identification and risk prioritization.

The first step is to identify the risk; the Internal Auditor during the course of the audit
has to verify the internal controls. At the same time, if there are any risks in the
business process these are also to be identified. In the case of cash collection by
the collection agent from the customers, it is a critical risk as the collection agent
can swindle cash or may not report the cash given by the customers. To mitigate
this, the cash collection agent can be provided with a mobile-based application as
it will provide the means for entry of cash collected on real time basis. The real time
updation of records alerts the management and the customer. This whole process
will eliminate the risk of cash swindling by the collection agents. Identification of risk
is the key and how to fix it is the next activity.

At the same time, all such risks have to be measured, and resolution has to be
arrived at accordingly. In any organization, all the risks cannot be addressed at a time,
and resolution for some risks has to be postponed, or some risks can be observed
as they are inevitable. If there are multiple risks that have to be addressed, the
risks have to be classified, and priority has to be determined based on it. The risk
can be classified, or a score can be assigned, on the basis of which the risks can be
prioritized and addressed in a sequence. At the bottom of the pyramid, the risks
are trivial, and they do not have any significance. The risks which are at the top of
the pyramid are very critical for the sustenance of the organization, and the same
have to be addressed on a war footing.

6.7 TIPS FOR SUCCESSFUL IMPLEMENTATION OF RBIA

For the auditors who will be doing the internal audit for the first time, this Guidance
Note provides some tips for doing the Risk Based Internal Audit.

Knowledge of Industry: The Internal Auditor and his key associates should have
thorough knowledge of the industry, as it will help them to assess how the competitors
are faring and where the client stands in comparison. For example, if RBIA is being
carried out for a steel company, the key raw materials for the steel industry are low
ash metallurgical (LAM) coke and iron ore. In the case of low ash metallurgical coke,
the calorific value, ash content and the moisture content of the material being
used by the competitors and the place of sourcing are required to be identified
before the start of the audit, as this will determine the cost of the production and
also the potential risk if the LAM coke is being sourced from the same supplier.

Understand Business Process: The RBIA is different from a regular internal audit, and
so is the way it has to be executed. Traditional sampling may not be the right fit for
performing the Risk Based Internal Audit. Understanding the business process will
help in identifying the risks and also in measuring the risks along with prioritizing the
same. The lead auditor and the key team members should spend the initial days in
understanding the business process in detail, including the data being captured for
each step in the ERP/CRM/SCM software, to analyze the data and come out with
the risk parameters.

Experience-based Judgement: While doing the RBIA, the team should have a
blend of experienced members and millennials. The experienced members help the team
to take the decisions based on their experience, and the millennials will assist in
executing the same using technology and help in thinking laterally. It is not possible
to verify every transaction to identify the risk. Sampling in some cases, coupled with
experience, will help in identifying the risk. Experience backed by data will help to
make effective decisions.

80/20 Rule: This rule has to be followed while executing any task as it is a smart way
of working. 80% of the risk can be identified if the auditor is experienced when he
verifies 20% of the transactions. When the critical task is detected, the risk can be
assessed and measured accordingly. Remaining 20% activity is only to be checked
to ensure if the organization has risk appetite or the risk can be prioritized based on
criticality.

Use Technology: Technology plays a vital role in the RBIA, as it is not practically
feasible to verify each and every transaction manually; it can be done using data
analytics, and the data can be picked up from the underlying tables of the ERP/CRM/SCM
by writing simple queries. This process will help in reviewing all the transactions at
one go, along with proper health checks on the data. The IA who is doing the RBIA
should ask for access to the front end as well as to the back-end data of the various
software applications which are being used by the client, in view/read-only mode. To
verify the controls and checks on the transactions, the Internal Auditor should verify
the same while the users are doing the transactions. This will help to identify any
potential validations which are missing in the system while processing the transactions.

6.8 BENEFITS OF RISK BASED INTERNAL AUDIT

With the pandemic-like situation, the dynamic business environment and new
challenges coming up, both the Internal Auditors and the organizations are forced
to look into new horizons to identify the risk at an early stage and fix the same
rather than doing a post-mortem analysis of the same. Once organizations
adopt the Risk Based Internal Audit, they are sure to derive the benefits outlined
hereunder, which clearly demonstrate why organizations have to go for it.

Focused Approach to Achieve Goals: Risk-based auditing covers and correlates
all aspects of internal auditing together: objectives, processes, risks, controls, tests,
and reports. The relevance of any analysis can be seen in relation to the entire risk
management framework because of the relationships set up in the risk and audit
universe. This is not always possible where standard audit programs are used, as it is
not always clear why the test is being carried out; what the significance is of a control
that is found to be defective; what risk the control is treating; and what objective is
being threatened by that risk.

Prioritization of Risk: Once the risk is identified, risk based internal audit helps to
prioritize the risk based on the parameters and work on them accordingly.

Determining Risk Appetite: Risk Based Internal Audit will help the organization to
determine the risk appetite. This will help the Auditor to address the risks which are
above the risk appetite of the organization and suggest measures to overcome
them.

Effective Risk Mitigation: Risk management processes, including the effectiveness of
responses and the completion of actions, are being monitored by the management
to ensure they continue to operate effectively.

7 INTERNAL AUDIT IN COVID - 19 LIKE SITUATION


Very often we hear about business disruptions with the advent of technology. In the
transportation sector, operators like Uber and Ola have revolutionized the business and
have displaced the small local cab operators. The Corona 19 virus, which started in
Dec 2019 in Wuhan province of China, has spread to every part of the world and has
disrupted the economies across the globe; it has resulted in the lockdown of the
economies and in a reverse migration of the daily labour.

The disruptions have created a crisis in the business, but it has created an opportunity
for the professionals. No business can withstand the prolonged lockdown as cash flows
have disappeared, and the orders have become totally uncertain. This is the time when
the role of the professionals like Cost and Management Accountants assumes added
importance and significance. The strength of the Management Accountant is that he/she
can withstand any storm and help his/her clients to tide over the crisis. One of the areas
is internal audit, which is carried out to validate the internal controls in the organization
and find how effectively they are being implemented and followed. In this hour of crisis,
the CMAs can do internal audits more effectively and aggressively.

Internal audit can be used as a tool to avert disruptions by following a disruptive approach.
The traditional method of internal auditing must be paused, and the CMAs must adopt
a new approach. They must focus and concentrate more on the strategy for the next
six months to one year as they have an edge over the other professionals as they can
handle any issues on finance, accounting, marketing, sales, or operations. The approach
of taking a deviation from the regular process or flow is called pivoting.

The core areas which an internal auditor is examining have to be revisited and
incorporated in the checklist with the change in the current situations. In a nutshell, the
scope of the internal audit has to be changed, and the following areas have to be
audited additionally. The change in the scope will instil confidence in the clients also as
it will give them a clear and independent view of the organization and its policies without
any biased approach.

7.1 VUCA (VOLATILITY, UNCERTAINTY, COMPLEXITY & AMBIGUITY)

VUCA was a strategy started by the US Army War College after the cold war in the
1990s to address the uncertainties and complexities that were being created.

If the business owner can identify and answer the business uncertainties using
VUCA, then he/she can address any challenge and attain new heights. Everyone
is staring at questions such as: What are my sales going to be? How can I pay my
suppliers and salaries? When will customers come and buy? Will customers buy my
goods or services? I have orders, but can I get an uninterrupted supply of inputs?
Answers to these questions can be found by adopting VUCA. Let’s understand what
VUCA is first, and then we will see how it can be used to address the challenges.

Volatility – A volatile situation can be defined as one which is unstable or
unpredictable, and it need not be a complex situation. It is similar to the current
situation of a pandemic, where we are not sure when the demand will pick up even after
the easing of lockdown restrictions, or whether the lockdown will lead to price increases.

Southwest Airways was also facing a similar situation almost a decade and a
half back. For any airline company, fuel is the major cost, and it is about 16% of the
operating cost of the airlines. Especially for a low-frills airline, the volatile pricing
of jet fuel is a big challenge. To overcome this, the company took forward
hedging for the fuel, and it was able to sustain the volatile situation. The situation
of price increase or decrease is not complex but unpredictable. To address this,
vision is required. In the case of Southwest Airways, it had hedged fuel prices and
was able to beat the blues of price escalation and maintain the pricing.

The best way to handle volatility is to allocate resources and understand the
situation. In the above case, Southwest Airways could have stockpiled the jet fuel
but did not resort to that; instead it had hedged its resources and was able to
reduce the costs, and it is said that it had paid almost 50% less in fuel prices compared
to the other airlines. This vision has enabled the company to maintain about 21
quarters of profit continuously.

Uncertainty – Uncertainty is the lack of predictability, in the sense of not knowing
what will be the outcome of known changes. For example, the sales teams and
the management will not be clear on the revenues being generated for a new
product launch. There is nothing volatile in this situation, but the challenge is a lack
of understanding of the outcome.

Uncertainty can be addressed by understanding the problem or the situation and
can be resolved by the pooling of more resources and thorough analysis of the
data captured by the organization from time to time. In the current situation, we
are all concerned about the future, as we are not sure when the COVID spread will
come to a halt or when the countries will remove international travel restrictions.
These are some of the questions which people have in their minds, with no
answers in sight at this point. The uncertainty will come to an end only when we
have a vaccine discovered and administered to all the people of the world.

[Figure: VUCA (Drivers, Effects, Demands)]

Complexity – A complex situation is different from a volatile and uncertain situation.
A complex situation is like a complex tax regulatory regime, local laws or political
climates, etc.

A complex situation can be explained in simple terms: when a small organization
grows by leaps and bounds, departments like finance, accounts, sales, purchase, etc.,
which were each handled by a single person, are now being handled by multiple
people. This creates complexity in understanding and handling.

Complexity can be addressed with clarity; the organization should have clarity as
to how the departments should be working and coordinating between themselves,
and for this, process documents and SOPs will help to overcome the problems.

Ambiguity – Ambiguity refers to a situation where there is doubt about the nature
of the cause and effect. In uncertainty, prediction is possible when information is
gathered and analyzed, but in the case of ambiguity, this is not possible. For example,
in the case of a pandemic, when will the demand pick up? For this, there is no answer,
because there is no information or people are not aware of the actual output.

Ambiguity can be addressed with agility; this will help in taking steps as and when
the visibility comes and helps to address it effectively. As there is a lack of information,
decisions cannot be taken correctly and in a structured way. The decisions taken have
to be tweaked from time to time, and for this, agility helps in executing it swiftly.

7.2 SWOT ANALYSIS

Every Internal Auditor has to do the SWOT analysis for the organization; this will help
him to understand the organization from a new perspective. The Internal Auditor in
the VUCA world should start his audit with strategy, and, as a part of it, first, do the
SWOT analysis. SWOT analysis helps to understand the market dynamics and also
plan the business accordingly. SWOT stands for Strength, Weakness, Opportunities,
and Threats. Strengths and Weaknesses are based on internal factors, while
Opportunities and Threats are based on external factors.

Strength describes what the organization possesses compared to the competitors.
These can be intellectual property rights, brand equity, skilled labour, loyal customers,
strong financials, or any other traits which differentiate it from the competitors.

Weakness describes what the organization lacks compared to the competitors.
Weakness can be like access to capital markets or funds for expansions or unskilled
resources or high debtors’ turnover ratio or not having loyal customers, etc.

Opportunities refer to new or emerging business opportunities for the organization.
With disruptions and the new normal being business as usual, a lot of
business opportunities are available, and for this, pivoting can be followed.

Threats refer to the factors which have the potential to harm business continuity or
to erode market share, due to a new entrant in the market or the likelihood of a higher
tariff on the products or services.

Every organization should have a SWOT analysis performed as part of the internal
audit, as the Internal Auditor can execute it in an unbiased manner, and this is the
need of the hour in the VUCA world or pandemic-like situations.

7.3 HOW TO DO SWOT ANALYSIS

The IA has to do the SWOT analysis systematically and also cover all the topics, else
the result shared by the Internal Auditor can lead to wrong decisions, which in turn
can lead to the collapse of the organization. An illustrative list of questions which
the Internal Auditor should pose to obtain the information required for preparing the
SWOT Analysis report could be as under:

Strengths
• Why do customers prefer to have the company’s products or services?
• Why does the company have better brand value?
• How are the key suppliers, and how are they contributing to the products of
the company?
• How skilled is the manpower compared to the competitors in the market in
different departments of the organization?
• How strong is the company’s financial position?
• What are the intellectual property rights the company possesses? Does the
company have any patents?
• What is the selling proposition?

Weakness
• What are the lacunae in the product or services?
• What are the features or attributes which the customers do not like? Why are
customers cancelling the orders?
• Why are customers switching over to competitors?
• What are the resources the competitors have which the company does not
have?
• Is there any dependency on a single or select suppliers for key components?
• Does the company have access to capital markets or funds at a lower cost
for expansions?
• Does the company have skilled manpower? If not, in which areas is the
company lacking?
• Are there any challenges in the sales funnel?
• Why is the cost of customer acquisition very high?

Opportunities
• Can the company launch new products and variants? Is there a possibility to
increase the market share?
• With the change in social demographics, can the company enter new
markets?
• With supply chain disruptions, are exports more viable compared to domestic
supplies?
• Is there a possibility to improve the margins by substituting key components
with cost-effective ones with value addition?
• Can the company have more skilled manpower at a lower cost due to the
change in the job market dynamics?
• Can the company access cheaper funds from the market due to the fiscal
stimulus?
• Will there be any reduction in the tax / tariff, which in turn increases the
purchasing power and enables the customers to buy more?

Threats
• With disruptions in the market is there any possibility of such a disruption on
the company’s portfolio?
• Are there any new players entering the market?
• Is there going to be any change in the customer’s consumption pattern?
• Who are the existing competitors and what are their business plans?
• Any potential change expected in the prices of the raw materials in the near
future?
• STEEP Analysis has to be carried out.

STEEP refers to Social, Technological, Economic, Environmental, and Political; such
an analysis has to be done for identifying the threats. Any change in one or many
of the above areas will have an impact on the threats to the organization.

The above list is only indicative, and based on the client’s profile and requirements,
the questions can be expanded, and SWOT analysis has to be carried out. SWOT
analysis helps the organization to keep a vigil on the external and internal forces
and is required in the VUCA world to tide over the crisis.

POSITIVE
• INTERNAL FACTORS: Strength – Opportunity – Strategy. The strengths of the
organization can be channelized to convert the opportunities.
• EXTERNAL FACTORS: Opportunity – Strength – Strategy. The strengths of the
organization can be channelized to convert the opportunities.

NEGATIVE
• INTERNAL FACTORS: Weakness – Strength – Strategy. The strength of the
organization can be channelized to overcome the weakness.
• EXTERNAL FACTORS: Threat – Strength – Strategy. The strengths of the
organization can be channelized to convert the Threats and strategy to be
formulated accordingly.

Internal audit would be more effective if the Internal Auditor can come out with
strategies to overcome the threats and grab the opportunities to improve the
top line and bottom line of the organization. At the same time, the report should
also focus on strategies to overcome the weakness and convert the opportunities
available in the market. The strengths of the organization should be used to
overcome the threats and convert the opportunities, and weakness.

SWOT analysis is required to be carried out in the present dynamic world, as we are
facing unpredictable demand and changing customer preferences. With SWOT
analysis, organizations will be able to sustain the crisis and have better profitability.

7.4 PROCESS OF RISK BASED AUDIT

Some new areas or additional scope for internal audit during the Pandemic time
are:
1 Strategy – Pivoting
2 Review of business plans
3 IT Infrastructure and related risk assessment
4 Reverse migration
5 Strategy for future lockdowns
6 Efficient and effective management of working capital
7 Virtual internal audit

7.4.1 Strategy – Pivoting

To provide a strategy to the client for overcoming the crisis, the CMAs are
advised to follow the SMART Methodology while resorting to the pivot
approach. Apart from this, the Internal Auditor is also required to do the
internal audit with a separate dimension on the debtors, creditors, and
procurement policies. Adopting a different approach is necessary as the
organizations are facing a cash crunch, and this has resulted in salary cuts
and retrenchment. This situation can lead to some anxiety in employees, and
they may tend to commit fraud in the organization resulting in another set of
challenges.

As the saying goes, tough times do not last, but only tough people do last;
only the approach for the internal audit has to be changed. For this, we need
to reskill and learn new methodologies to be successful professionals.

The concept of pivoting is normally followed in start-up ecosystems. Pivoting
is the need of the hour for the CMAs while carrying out the internal audits. As
discussed earlier, the approach of internal audit should also have the element
of strategy while submitting the internal audit report. The report will help the
clients to do some soul searching, as they are normally involved and seized with
daily activities like operations planning, procurement of raw materials,
following up with the vendor, improving the order book or dousing the
employee dissatisfaction on account of reduction of salaries. This does not
help them to see the opportunities that are coming, as their energies
are used completely in the day-to-day issues. The internal audit report will be
an eye-opener for the entrepreneur. Let’s understand what pivoting is and
what steps are to be considered while drafting the report and suggesting
measures to the client.

What is Pivoting?

Pivoting is the process of shifting the strategy, and sometimes it takes a drastic
change in the vision and mission of the organization for a short period. During
the lockdown, we have seen the star hotels delivering food through
food delivery applications like Swiggy or Zomato, or the chefs conducting
online cookery classes. In some cases, they are also willing to come to
the individual’s place and serve food, or to supply essentials through the
hyper-local model. The change in business operations is required to ensure
that the organization stays afloat in hard times. This will ensure that there is
some amount of cash flowing into the system and also helps in meeting the
operational expenses. Another example is that of companies like Savlon
or Mediker, and many more, launching hand sanitizers, or apparel
manufacturing companies manufacturing Personal Protection Equipment.
One of the best examples of pivoting is an event management organization
based out of Hyderabad, which has pivoted and entered into the manufacturing
of UV boxes as the pandemic has put it out of business. The above
are examples of pivoting, while the following are not considered to be
pivoting:
a. Change in the features of the existing product
b. Trying to sell in a different geographic location or selling to a new set of
customers
c. Change in the process of delivery like introducing mobile applications
in place of websites or vice versa
d. Change in the marketing strategy, shifting from advertisement-based
marketing to offering free products or services
e. Change in technology to build a reliable product

From the above, it is clear what pivoting is and when we should go for
pivoting. The internal audit report should be based on strategy rather than
on controls and operational aspects. The strategy section should cover the
following aspects:
1. When to do it?
2. What is market potential?
3. Does it provide opportunity for growth?
4. What is the fund requirement?
5. What is rollout strategy?

Now let’s discuss the above points at a high level; this will give an idea of
how to work on the strategy portion of the audit, the new component.

7.4.1.1 When to Do It?
Any business will flourish only when there is a demand, and business
will disappear when the need diminishes or when there is no demand.
Timing determines the success of any business along with the other
business. When suggesting pivoting to the client, also indicate when
the new line of business should be started. In today’s world of COVID,
there will be a requirement from every home for hand sanitizers, or for
usage of automation or robotics in the business operations, as there is
a shortage of labor or skilled workers in many of the segments. If
automation or manufacturing of hand sanitizers is suggested to start
from 2022, then it will not make any business sense. If the manufacturing
of hand sanitizers is suggested, then it should be recommended to start
immediately.

7.4.1.2 What is Market Potential?


The report should also consider this point along with the timing of
new products or services. The market demand should be assessed
accurately, and also it should mention if there are any existing players
in the proposed segment. It should also discuss the potential market
share that could be captured over some time, along with the time
span required.
If possible, the report should also discuss the new entrants in the space
and how deep their pockets are. The entrepreneur will always take a
risk if there is market potential and profitability.

7.4.1.3 Does it Provide Opportunity for Growth?

The strategy section should, most importantly, also contain
the opportunity for future growth. If the idea does not find any room
for growth over some time, it is not a viable idea as the market will
be constant. With the entry of new players, it becomes even more
competitive, and they may also not be able to recover the costs, or
the business may not be sustainable for long. There should not be
exit barriers in such cases; this will help in taking a calibrated risk and
making the business decision accordingly. If there is clarity as to whether
the new line being proposed is for the long term or short term, then the
decision will be easy and effective.

7.4.1.4 What is the Fund Requirement?

The pivoting idea proposed will also require some funds. Already the
organization is running short of funds and if they are asked to invest
more funds into the new business, it will not be appreciated by the
client. The idea being proposed should not be capital intensive. There
are a lot of funding opportunities for new business requirements,
especially in COVID related products. For this, SIDBI has also allocated
funds separately with a lower rate of interest and moratorium. If there
are any special funding schemes provided by various banks and the
Government these should be given as part of the report. This will help
the client to take the decision effectively and promptly. The available
information can be used to assess the risk appetite and take it forward.

7.4.1.5 What is Rollout Strategy?

The take of any product or services based on pivoting will be successful
only when there is a proper rollout strategy. The rollout strategy should
cover areas like what is the time required for the launch of the product
or services, what is the geographic market to be targeted, what is the
go-to-market strategy, who are the target audience, etc. Without this
information, it will be a challenge for anyone to decide on a holistic
approach. The rollout strategy should be given top priority in the
initial report, and when the final report is submitted, the same can be
provided in detail.

The pivoting strategy will be successful only when the CMA knows
about the industry insights and also has complete knowledge of the
prevailing market and economic conditions in the country and across
the globe. The strategy report should also consider entry barriers, along
with restrictions on the export market, if any. In some of the cases,
exports will be more viable compared to domestic sales or vice versa;
this point should also be considered.

7.4.2 Review of Business Plans

Every organization has business plans, and they are normally prepared well
in advance, and in some organizations, they are prepared and approved by
Dec / Jan. With the lockdown for several months, sales have been impacted
a lot. After a staggered unlock, businesses have started working. The Internal
Auditor is required to assess the new market situation and, accordingly,
to revisit the business plans prepared already and update them.
Most economists are stating that year 2020 should be
the year of survival and not for scaling new heights.

While preparing the revised business plans, the Internal Auditor also should
use his market intelligence and arrive at realistic numbers. At the same time,
the Internal Auditor has to evaluate the following areas critically.

7.4.2.1 Review of Business Plans

With lockdowns in the initial days at central level and now at the local
level, there are business disruptions, and many of the businesses are on
the verge of being wiped out. The key raw material and component
suppliers should be evaluated on their financial stability and their
business continuity plans. As part of value addition, alternative suppliers
should be identified, and the same should be mentioned in the report.

Raw materials constitute a major portion of the finished products, and
at this hour of disruptions the organizations have to look for alternative
sources of supply and also substitutes. With alternative sources of
supply and substitutes, the costing has to be reworked, and the impact
on the product quality also has to be assessed.

7.4.2.2 Labour Contracts

In the case of labour-intensive organizations, there will be a challenge
to get the same number of workers post lockdown due to reverse
migration. The shortage of labour will also impact the production,
thereby impacting the sales plans. The internal audit report should also
discuss along these lines and also update the business plans accordingly.
Alternative strategies should be used for reducing the dependency
on labour, like automation of processes and outsourcing. While preparing
the revised business plans, these aspects also should be considered at
length.

7.4.2.3 Capital Expenditure

Every organization has business plans and accordingly allocates
budgets for increasing the capacities. With a pandemic-like situation
and also uncertain business, the ideal situation will be to pause the
capital expansion plans. The capital expansion plans normally have a
huge cash outflow, and the organizations normally meet this through
internal accruals or borrowings. At this hour of crisis, preserving cash is
the best way. Cash is considered to be the lifeline of the business, and
with a war chest, the raw materials and other supplies can be procured
at a very competitive price. The lower the input costs, the higher will be
the profit margin, or the business can reduce the prices to gain more
market share. The Internal Auditor should do a cost-benefit analysis of
the same and show it in the internal audit report.

7.4.2.4 Sales Plan

Sales under the pandemic conditions will not be as per the previous
years; the customers are driving the product and not the marketers.
The sales have to be projected accordingly; if these are not projected
correctly, it will lead to unnecessary accumulation of inventories and
blockage of funds in the form of vendor outstanding. Keeping in view
these conditions and challenges, projecting the sales correctly is very
vital for the business plans as it drives the whole organization. The sales
can be maintained or a notch below in a very optimistic case, but for
this value addition for the product has to be planned. The customers
are looking for value addition and not for luxury, unlike the pre-COVID
days. If sales plans are not reworked, it will lead to cash crunch and
thereby impact the working capital cycle. The auditor should grade
this as one of the risk factors.

7.4.2.5 Cash Flows

The market conditions have become volatile due to the uncertainties of
the pandemic. The collections from the customers are getting
delayed, and this is creating a negative cash flow, as the vendors have
to be paid on time and salaries and wages have to be released to the
employees and workers. All this requires cash, and in this crisis hour, if
these are delayed, it will hurt the morale of the employees. Alternative
measures should be planned as part of the business planning based on
the rating; for example, an organization with a rating of A++ can
borrow funds at a lower rate as compared to an organization with
rating B-.

7.4.3 IT Infrastructure & Risk Assessment

Information technology or digitalization of the organizations is the key to the
success of any organization. With a pandemic-like situation and no clarity on
how long the pandemic and lockdowns will last, digitalization has become the
key to the day-to-day working of the organizations.

The new concept of working from home for the non-core functions requires
data access permissions and security of the data. As the world is moving from
a WAN to the internet, security has to be addressed. Organizations have to
adapt, or plan to move the deployment of applications from servers hosted
in their offices and accessed over the WAN to remote hosting or cloud hosting.
The cloud can be a private one in the office premises or on a third-party
server. Hosting on a third-party server will give an additional edge in the
following areas.

7.4.3.1 Continuity of Services

If the servers are hosted on-premises, then the IT team has to maintain
them in all conditions, including during lockdowns, when there
are restrictions on travel and on the availability of public transportation.
In such a case, maintenance will be a challenging and difficult task to
manage. The persons deployed should have knowledge of the
combination of Software Development and IT Operations (DevOps) for
deploying and optimizing the server from time to time and also for taking
backups. The backups have to be taken at regular intervals and stored
accordingly. It is always recommended to have three generations of
backups at any given point of time.
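
One way an auditor could test the backup statement above against a backup catalogue export, as an added example that is not part of the guidance note. The daily interval, the six-hour tolerance, the catalogue layout and the reading of "three generations" as three usable retained copies are all assumptions.

```python
from datetime import datetime, timedelta

REQUIRED_GENERATIONS = 3        # "three generations of backups" from the guidance
INTERVAL = timedelta(days=1)    # assumed schedule: one backup per day
TOLERANCE = timedelta(hours=6)  # assumed slack before a gap counts as irregular

# Constructed catalogue of retained backups: (start time, job status).
CATALOGUE = [
    ("2020-06-01T01:00", "ok"),
    ("2020-06-02T01:00", "ok"),
    ("2020-06-03T01:00", "failed"),
    ("2020-06-04T01:00", "ok"),
    ("2020-06-07T01:00", "ok"),
]


def review_backups(catalogue, as_of, interval=INTERVAL, tolerance=TOLERANCE):
    """Return audit findings as (code, detail) tuples; an empty list means no exception."""
    now = datetime.fromisoformat(as_of)
    runs = sorted((datetime.fromisoformat(ts), status) for ts, status in catalogue)
    good = [ts for ts, status in runs if status == "ok"]
    findings = []

    # 1. Are at least three usable generations retained right now?
    if len(good) < REQUIRED_GENERATIONS:
        findings.append(("too_few_generations",
                         f"{len(good)} usable of {REQUIRED_GENERATIONS} required"))

    # 2. Every failed job is an exception the IT team should explain.
    for ts, status in runs:
        if status != "ok":
            findings.append(("failed_run", ts.isoformat()))

    # 3. "Regular intervals": the gap between consecutive usable backups.
    for earlier, later in zip(good, good[1:]):
        if later - earlier > interval + tolerance:
            findings.append(("irregular_interval",
                             f"{earlier.isoformat()} -> {later.isoformat()}"))

    # 4. The newest usable backup must not be older than one interval.
    if not good or now - good[-1] > interval + tolerance:
        findings.append(("stale_latest_backup",
                         good[-1].isoformat() if good else "none"))
    return findings


if __name__ == "__main__":
    for code, detail in review_backups(CATALOGUE, "2020-06-07T12:00"):
        print(code, detail)
```
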

7.4.3.2 Cost-Effective

The Internal Auditor has to make a cost-benefit analysis and then
conclude on the model being adopted by the organization. If the
servers are hosted on-premises, Disaster Recovery (DR) also has to be
verified. Whether or not a DR plan is in place has to be verified and
should be made part of the internal audit report. If DR is considered
as well, then the cost will be on the higher side, as resources are required
for the management of servers and for rental space in a
different location. If the servers are not on-premises, then they will be
shared servers, and based on usage and requirements, the users can take
additional server space; the maintenance challenges and DR
will also be eliminated. Though it is cost-effective, the IT Security Policy of
the organization has to be verified. If it is not there, it has to be drafted
and followed.

While engaging a cloud service provider, some of the key parameters
which need to be considered are uptime, SLA, backups, computing power
based on the number of transactions, etc.

With work from home being the new normal, the team has to be
provided with proper desktops or laptops. The internal audit report
should verify the following as part of the risk assessment for the laptops
and desktops issued to the employees.

1. Virtual Private Network – The laptops and desktops should have
all the official versions of the software, and access should be
provided only through the organization’s Virtual Private Network
(VPN). The VPN will ensure that the users cannot access other
websites, and security against malware and spamware can be
maintained. This will ensure that outsiders cannot have access
to the company’s confidential data.

2. Data Security – The USB ports should be disabled so that data
cannot be copied to external media. All the working
documents should be saved on the cloud server so that data
cannot be leaked. Whether to host data on the cloud or on premises
depends on the organization’s risk appetite.

3. Communication Tools – As the employees will be working from
home, they have to communicate among themselves
to complete the tasks as well as exchange notes or messages.
For this, a dedicated meeting tool and a messaging tool should
be in place so that the data stays within the office network and
cannot be accessed by third parties. This helps in having continuous
interactions as well as in monitoring the work.

If any of the above is missing, then the organization will have a risk to
business continuity as well as a loss in efficiency, along with data risks.
The first report being prepared during the pandemic should list all these
points, and they should also be reviewed from time to time to see how
effectively they are functioning. Still, there is uncertainty as the vaccine
is not yet developed. Also, the previous pandemics have clearly shown that a
pandemic comes in waves, so work from home will be there for some
time. In this context, it has to be identified in the report which teams can
be given the option of working from home and which software can
be moved to cloud servers, so that the employees have access to the
information and work effectively and the top management and
key stakeholders can take decisions accordingly. During the COVID
situation, the Internal Auditor has to focus on areas like data security
and data access points in the Internal Audit Report.

7.4.4 Reverse Migration

Migrant labour is the key to many organizations as they employ them for
both skilled and unskilled jobs. Most of these workers are paid low wages,
and they don’t have much savings; on account of the lockdown they were
not able to survive, as their main source of income had stopped
and the management of many organizations did not respond to the
Government’s call to support them in the hour of crisis. As a result,
many of the migrant labourers have moved back to their home States/towns/
villages, where they feel they can survive with lesser means of living.

The reverse migration has created a shortage of labour, especially in the
MSME Sector, and many organizations are not able to start operations
at full strength. In view of the above challenges and situation, the Internal
Auditor has to report on how the organization is meeting this challenge,
what steps are being taken, and whether the measures are effective or not.

The internal audit report should also deliberate on the process of how to
handle the situation in the future if the same arises. The following aspects
should be explored and discussed with the management:
1. Maintain the details of the migrant workers – employed directly or
through contractors.
2. Identify the key roles and jobs and see if the same can be filled
by local workers.
3. Identify and evaluate if the workers from other departments can be
used through internal transfers.
4. Have a plan for job rotation so that if not all, some of them can be
deployed for multiple roles.
5. Reach out to the local authorities, as there will be labour who must have
returned from other States; the State Governments are maintaining a
database of all such returning workers.

The above steps may not solve the problem in total but it can be addressed
to some extent and also ensure that there are no disruptions in the continuity
of the business operations.

Verify and evaluate if training is being provided to the workers at regular
intervals; this will ensure that succession planning is in place, as skilling and
up-skilling will boost the confidence of the workers and employees.

Also, verify if the organization has taken any measures to retain the workers
during the lockdown period, like disbursing salaries on time or distributing
food grains in place of salary, so that the workers do not go hungry
and can survive during the crisis.

The report should also evaluate if the organization has availed the schemes of
the Government which apply to the workers, including those announced
separately during the lockdowns. In the case of the construction industry,
building welfare cess is being released to the construction workers through
the distribution of food grains. Also, verify if all the workers are registered
under such schemes.

In most cases, it is observed that the wages are paid in cash. As a
result, the workers do not have any PF/ESIC benefits and could not avail the
benefits being announced and rolled out by the Governments (Centre as well as
States and, in some cases, industry-specific welfare schemes).

When migrant labour returns from other States and starts working in the
home State, the concerned State Governments maintain a list of
workers returned along with their trade and contact numbers. The HR teams
can reach out to the concerned departments and onboard the skilled,
semi-skilled or unskilled labour. This process will save time and effort in
reaching out to labour and onboarding them now.

7.4.5 Strategy for Future Lockdowns

The lockdowns are expected to be with us for some more time until the
vaccine is developed and administered to all the citizens. With the increasing
number of positive cases of COVID, there is uncertainty in the business houses,
and there is also the hanging sword of total lockdowns being announced
again. Another reason could be travel by migrant workers to their home
towns. In such a case, the organizations should always be prepared with the
steps to be taken in case the lockdown is imposed again.

The first lockdown was announced all of a sudden with the immediate
intention of stopping the spread of the virus. It also gave the Government
room to gear up and step up the health facilities. The lockdown
has disrupted manufacturing and the supply chain drastically. Now the
business continuity plans have to be formulated to meet such situations in
the future. The internal audit report should consider the following aspects.

7.4.5.1 Supply Chain

The supply chain is the key to the organization’s profitability as it
determines the costs and timely delivery backed by quality. The
procurement planning should be done in such a manner that
organizations explore alternative suppliers from a different
location; this will ensure that there is a backup plan and also ensure
continuity of supplies. The next thing the organizations should do is to
ensure that the finished goods are not stocked in a single location, or else
it will create an unviable situation when the lockdown is announced
once again. The finished products should be stored at different sites
which are logistically optimized for further movement based on goods.
Proper planning and execution have to be in place for this. The internal
audit report should talk about this point, and if the same is not part of
the business continuity plan, it should be incorporated and discussed
with the client.

7.4.5.2 Production Planning

Production planning should be optimized in such a manner that it will
help the organization to meet such shocks with minimal impact. As part
of it, the organization should explore the option of opening a satellite
facility in a different location or look at outsourcing, so that in case
of disruptions, production can be maintained; this will ensure
that there will not be any shortage of its products in the market. This
being a critical activity, more time should be spent on it, and it should be
discussed with all the stakeholders and concluded at the earliest.

7.4.5.3 Work from Home

To maintain the continuity of the business, work from home is also
essential. To enable the organization to work smoothly, the roles that
can be carried out from home should be identified, and all the identified
employees should be provided with laptops or desktops. Apart from
this, the data security and cloud services measures discussed previously
should be followed.

7.4.5.4 Inventory Management

The lead times are being impacted due to lockdowns and vehicle
movement restrictions. The minimum quantity and re-order quantity
should be reworked, and keeping in view the prevailing market conditions,
order books, and the business plans, the optimal inventory should be
redetermined.

7.4.5.5 Cash Management

Cash is the lifeline of every organization, and it has to be preserved.
Proper management of cash is necessary during the pandemic period.
The organization should channelize its energies into the collection of
dues from the customers and also explore the option of availing
additional loans as a precautionary measure. The same can be used
in case of emergency-like situations in the future. The internal audit
report should focus on the cash flow statement at a realistic level and
not in an optimistic manner.

7.4.5.6 Service Management

In case the organization is into services, there should be a plan on how
the organization will enable the deployment of the service engineers/
personnel at various locations. Apart from this, service engineers/
personnel should be trained and educated on following as well as social
distancing while on the job or traveling. If possible, the same should be
outsourced at major locations, as it will reduce the dependency as well
as minimize travel. The SOPs should be redrafted and shared with
all the stakeholders.

These are some of the points which the internal audit report should
focus on during the pandemic period. These areas can be covered
in detail in the first audit after the pandemic and should be revisited at
regular intervals.

7.4.6 Efficient and Effective Management of Working Capital

The success of any organization is based on the efficient management
of the working capital. Working capital is the need of the hour, and
it will create a crisis if the same is not managed efficiently. Working
capital can be managed effectively by way of obtaining working
capital demand loans from the banks, and the utilization of the same
is possible only when the debtors, creditors, and inventory are optimized.
Once these are optimized effectively, it will result in a lower outflow of
cash in the form of interest. The internal audit report should focus more
on the working capital, as it will help the organization to save cash
outflow and optimize it effectively. In a pandemic situation, the Internal
Auditor should focus on the following areas:

7.4.6.1 Debtors Management

India is predominantly a credit-driven market, and the realizations
happen after a few days of credit period offered. Even the dues
from the Government departments and PSUs are huge. In times of
pandemic, there is a shortage of funds with the industry, and they
are not able to honour the payments; this is creating stress on the
working capital. In today’s world, if credit is not offered, sales take
a toll, and if credit is provided, there is a challenge on realizations.
The organization has to have a policy that sustains sales and at the same
time safeguards cash inflows. The Internal Auditor should explore the
option of using the TReDS platform or making supplies against letter of
credit or reverse factoring. Though these are expensive, they will mitigate
the risk of bad debts. The additional cost can be built into the sales price.

For the existing dues, the sales and finance teams should have
a stringent policy of follow-up and a plan for realizing the same at the
earliest.

The internal audit report should also evaluate the above points, and if
any gaps are there, they should be addressed.

7.4.6.2 Creditors Management

As cash is becoming a scarce commodity in the market, payments to
creditors have to be made on time, else it will impact future supplies,
and if they are affected, it will derail the production and sales plans.
The creditors have to be paid on time, and if there is any delay, they
should be informed immediately.

If possible, alternative payment methods should be explored; this
will give confidence to the supplier and provide an opportunity
for a competitive price. The banking facility should be explored, and
loans should be obtained by availing the schemes announced by the
Government as COVID relief measures.

7.4.6.3 Inventory Management

The internal audit report should also evaluate if the organization
is maintaining an optimal inventory of all the items. Prices have to
be renegotiated, and new suppliers and substitutes have to be
explored to check the monopoly of the suppliers. As discussed above,
the minimum and maximum quantities have to be revisited, and
procurement planning has to be made accordingly, keeping in view
the uncertainties.

7.4.6.4 Expense Management

Organizations have to revisit their expenses. There should be a
reduction in the costs of travel and marketing. As on date, customers
are comfortable with online meetings. The sales team should be
encouraged to conduct more and more online meetings rather than
being allowed to travel. During travel, there is a high possibility of
the sales team getting infected by COVID.

The marketing expenses should be minimized, as the marketers are not
determining the sales; the customers are driving the sales. To retain
the brand recall value, a nominal amount must be spent.

Wherever possible, the expenses should be minimized and incurred only if
required. With work from home becoming the new normal, the extra office
space, if possible, can be surrendered or the rent can be re-negotiated. A
list of expenses has to be prepared, and wherever possible, the same
should be deferred or reduced.

Above are all the areas where the Internal Auditor has to focus during
the pandemic time or in the first audit he is doing post lockdown. A
critical view can be taken, and based on that, recommendations
should be given in the report. These recommendations will add value
for the customer, and he will engage the Risk Based Internal
Auditor for future activities or assignments.

7.4.7 Virtual Internal Audit

In the VUCA world, there is a lot of uncertainty, and the models for
delivery of assignments have to be revisited, as there are restrictions on the
movement of people and a lack of availability of public transportation.
The internal audit is normally carried out at the client’s location, but with
these challenges the visits to the client’s place have to be minimized or
avoided if possible. In this context, the best way is to conduct the audit
virtually.

For conducting the internal audit virtually, the Internal Auditor’s team
should have a full understanding of the client’s business process and
also of the business process as modified or updated due to the pandemic.
At the same time, the Internal Auditor’s team has to be trained first on the
process of doing the audit virtually, and then the client has to be
apprised of the same.

Points to be considered before starting the virtual internal audit:

1. Explain the necessity of the virtual audit to the internal audit team.
2. The internal audit team should have a team member who has IT
knowledge.
3. The client’s point of contact should be established.
4. Necessary user access should be provided for accessing the
data/systems.
5. For understanding the business process, e-meetings should be set
up with the concerned persons of the client’s team.
6. The change in the internal audit process also should be updated
with the client.
7. The draft report should be reviewed by the partner once before
sharing with the client team.
8. The report should be shared in PDF format if sharing through
email.
9. All the supporting and working papers should be stored online
with proper security and access.
10. All communication should be carried out through emails and calls.
After every call, minutes of the meeting should be prepared and
shared across along with action to be taken by each participant
and also the date on which the task has to be accomplished.

An audit post COVID being done for the first time will be a challenge for
everyone (Internal Auditor and Customer), and it has to be adopted
and taken up accordingly. There is no rule book for carrying out the
internal audit virtually, as it is being done for the first time, and the
steps and process will change from client to client.


8 'COVID' TO 'COMBAT COVID'


COVID has taken the world by surprise, and none of the business organizations were
prepared to face it. No one has seen a similar happening for almost a century. Once
the organizations started accepting the challenges, they were quick enough to
adapt to the new requirements of the business and the customer preferences. For
example, the FMCG companies started delivering to the customers directly during the
lockdown through the hyperlocal model, which eliminated the complete distribution
chain and made the products available at the customer’s doorstep, as buyers were not
comfortable stepping out and purchasing them.

From the above example we can see the change in the business model; in the
pandemic situation, the business models have to be changed, else the organizations
will perish. The business process and strategy have to be monitored continuously by the
Board and modified to meet the dynamic external environment, and in this the Internal
Auditor has a key role to play in validating the business process with respect to controls
and implementation of the same along with the sustenance models. Now the new normal is
an online and touchless economy with value addition for the products and services.

To overcome the COVID crisis, the Internal Auditor should apprise the client of the
following COVID methodology. COVID methodology stands for
C – Communicate
O – Outsource
V – Vision
I – Innovate
D – Deliver

8.1 COMMUNICATE

Communication is the key to success in building and sustaining relations. In the hour
of crisis and uncertainty, communication helps to gain the confidence of the other
party and helps in executing the business smoothly.

The management should communicate the changes and likely changes to the
team members vocally; the communication process serves as a confidence-
building measure for the employees and also helps to get new ideas on changes in
the business process to accomplish tasks or start a new line of business.

Continuous communication with customers by the sales team will help to understand
their cash flow situation and make business decisions accordingly. Communication
with vendors helps to win their confidence, and that will help in getting timely
delivery of supplies and, in some cases, additional discounts or lower prices also.

8.2 OUTSOURCE

The key to survival is outsourcing. Outsourcing can be done for part of the
manufacturing operations or services or some departments. This will reduce the
challenges of following social distancing in the office, release extra office space
and save some money. Some of the activities which are not core activities can
be outsourced with proper checks and balances. This will give additional time for
the management to spend on key activities that are critical for the business.
Departments which can be outsourced include payroll processing, purchase
accounting, follow-up with customers, etc.

Even payment processing can be outsourced, and RPA (Robotic Process
Automation) can be introduced wherever possible, as it will reduce the dependency
on manpower, especially during the lockdowns.

The world is moving towards a gig-based economy, meaning that even high-end
jobs or roles can be outsourced on a case-to-case basis rather than having a
full-time employee.

8.3 VISION

The vision of the organization must be clear, and the same should be focused on.
In the pandemic situation, the vision and mission should be kept in mind, and if
required, it should be modified accordingly for the short term but not on the long-
term view. In the hour of crisis to run the organization, if needed, they can pivot
and explore new business lines to bring in additional cash into the system and also
ensure that there is no retrenchment of employees.

There may be cases where the vision has to be changed due to a change in
the customer requirements and needs. The management has to evaluate all the
options and take necessary steps accordingly. Here again, when deviating from the
mission, communication is the key to successful implementation.

8.4 INNOVATE

In today’s world of VUCA, innovation plays a key role. Innovation helps to
overcome time and costs. Innovations should be encouraged to create new
product lines or new features in the existing product line. The customers
are looking for value addition, as they are running short of cash and are not sure of
future incomes. Innovation helps to come out with new features and stand out from
the competitors.

8.5 DELIVERY

Planning and execution are two sides of a coin. The implementation should be
in line with the plans agreed by the employees and management. Business plans
have to be revisited and communicated to the teams and all stakeholders for
delivering the same.

As it is a VUCA world or period, no rule book says which method or process is right or
wrong; judgment has to be made based on a realistic approach, weighing
all the pros and cons. If required, external agencies can be engaged or, as is the
new norm, even gig-based assignments can be explored by the organization.

In today’s agile world, decisions have to be taken at a faster pace and implemented
swiftly, else the market dynamics or the customer needs will change, and it can
result in poor quality of decisions.

The focus of the internal auditor has changed, and the professionals have to
adapt to the change, else they cannot meet the expectations of the volatile market
and will end up losing market share. This would have very bad implications on
the personal as well as the professional front. The challenge for the Internal
Auditor is like a double-edged sword, as he/she has to change his/her team as well
as the client’s side. The traditional way of internal audit is more or less restricted to
the verification of the data, and the new requirement is working on the strategy
also. For this, the team members of the internal audit team have to be trained, or new
members inducted, who have knowledge of the business process and exposure to
the external environment. Similarly, on the client side, the team assigned to
the internal auditor has to be reorganized, and the person who is being assigned
should have complete knowledge of the business process and also should be
part of the decision-making process in the organization. Both are challenging tasks,
and the saying “change or perish” will be a reality.

The Internal Auditor will be under tremendous pressure, as he has to come out
with a new approach, communicate the same to all the stakeholders and
then implement it. The changes range from the audit approach to the new
methods being followed. In COVID-like situations, the internal audit will be
carried out virtually, and for this the Internal Auditor has to review all the existing
contracts along with new contracts and the changes in the clauses compared to the
old contracts. This will help him to ascertain the potential risks. Also, the Internal
Auditor has to rely on data for taking any decisions, and for this data analytics
should be used. This approach will save time, and the risk assessment can also be
carried out accordingly.

Cost and Management Accountants have a unique edge over the other
professionals, as they are taught all aspects of the business, and they can easily
visualize, grasp, and adapt to change at a faster pace. The crisis which has
been created by the pandemic has given an opportunity for achieving success
and for reaching new heights. The crisis should be taken as an opportunity to
move forward in professional life. The past crisis has seen new entities being created
like GM, IBM, etc., and this crisis will also create new giants, and the efforts of the
CMAs will be remembered in the life of the organization. The CMAs can add value
while doing the internal audit by following
the various aspects discussed above.


9 DATA ANALYTICS AS A TOOL TO INTERNAL AUDIT


Data analytics is the science of analyzing raw data in a structured manner and making
decisions based on it. In the current world, it is not possible to go and meet the clients
and do the internal audit. The best way is to do it remotely by analysing data using
data analytics; this will help to identify frauds or areas where internal controls are
missing.

With the advent of rapid computerization, data capturing and data availability are easier.
Data is becoming fuel for analytics and decision making. More so, information technology
is also constantly helping to perform audits efficiently. Data analytics is becoming a
game-changer for the internal audit profession too. It helps to audit using data and verify
all the transactions by running queries. As we discussed in the initial Chapters, the IA team
should also have an IT expert who can help in framing queries and verifying the data.
The queries can be run, and exceptional records can be verified. This process will reduce
the time and also enable the team to cover all the transactions, unlike the physical audit,
where it is done on a random sample basis.
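
The query-based approach described above, sketched as an added example that is not part of the guidance note: four exception queries run over every row of a payments ledger rather than over a sample. The table layout, the sample rows and the choice of tests (duplicate invoice, maker equals checker, missing approval, vendor not in the master) are assumptions made for illustration.

```python
import sqlite3

# Constructed sample data (not taken from any real ledger).
VENDORS = [("V001", "Acme Metals"), ("V002", "Bharat Logistics"), ("V003", "City Packaging")]
PAYMENTS = [
    # (payment_id, vendor_id, invoice_no, amount, created_by, approved_by, paid_on)
    (1, "V001", "INV-101", 120000.0, "asha", "ravi", "2020-06-01"),
    (2, "V001", "INV-101", 120000.0, "asha", "ravi", "2020-06-09"),   # invoice paid twice
    (3, "V002", "INV-550", 45000.0, "kiran", "kiran", "2020-06-03"),  # maker is also checker
    (4, "V009", "INV-007", 80000.0, "asha", "ravi", "2020-06-05"),    # vendor not in master
    (5, "V003", "INV-310", 15000.0, "kiran", "ravi", "2020-06-06"),
    (6, "V002", "INV-551", 30000.0, "asha", None, "2020-06-07"),      # never approved
]

# Each query returns the payment_ids that need manual verification.
EXCEPTION_QUERIES = {
    "duplicate_invoice": """
        SELECT p.payment_id FROM payments p
        JOIN (SELECT vendor_id, invoice_no FROM payments
              GROUP BY vendor_id, invoice_no HAVING COUNT(*) > 1) d
          ON d.vendor_id = p.vendor_id AND d.invoice_no = p.invoice_no
        ORDER BY p.payment_id""",
    "maker_is_checker": """
        SELECT payment_id FROM payments
        WHERE created_by = approved_by ORDER BY payment_id""",
    "missing_approval": """
        SELECT payment_id FROM payments
        WHERE approved_by IS NULL OR TRIM(approved_by) = '' ORDER BY payment_id""",
    "unknown_vendor": """
        SELECT p.payment_id FROM payments p
        LEFT JOIN vendors v ON v.vendor_id = p.vendor_id
        WHERE v.vendor_id IS NULL ORDER BY p.payment_id""",
}


def load_ledger(vendors, payments):
    """Load the extract into an in-memory database so the audit never touches live data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE vendors (vendor_id TEXT PRIMARY KEY, name TEXT)")
    conn.execute(
        "CREATE TABLE payments (payment_id INTEGER PRIMARY KEY, vendor_id TEXT, "
        "invoice_no TEXT, amount REAL, created_by TEXT, approved_by TEXT, paid_on TEXT)"
    )
    conn.executemany("INSERT INTO vendors VALUES (?, ?)", vendors)
    conn.executemany("INSERT INTO payments VALUES (?, ?, ?, ?, ?, ?, ?)", payments)
    return conn


def run_exception_tests(conn):
    """Run every exception query over the full population of payments."""
    return {name: [row[0] for row in conn.execute(sql)]
            for name, sql in EXCEPTION_QUERIES.items()}


def audit_sample():
    """Return the exceptions per test plus the payments that passed every test."""
    conn = load_ledger(VENDORS, PAYMENTS)
    try:
        results = run_exception_tests(conn)
        flagged = {pid for ids in results.values() for pid in ids}
        all_ids = [r[0] for r in conn.execute(
            "SELECT payment_id FROM payments ORDER BY payment_id")]
        results["clean"] = [pid for pid in all_ids if pid not in flagged]
        return results
    finally:
        conn.close()


if __name__ == "__main__":
    for test_name, ids in audit_sample().items():
        print(f"{test_name}: {ids}")
```
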

Data analytics can be effectively used in three stages, i.e., audit planning, execution,
and reporting.

9.1 ADVANTAGES OF DATA ANALYTICS

Three hundred and sixty degree view of the business – Data analytics provides
more insights into the company; it helps in three hundred and sixty degree profiling
of the business and the client.

Early Risk Detection – Data analytics helps in developing a better understanding
of the audit process, as well as in answering key questions and identifying patterns
earlier. This helps Internal Auditors detect risks early in the audit process. Early
identification of risks means an organization can implement changes or make
decisions quicker than it otherwise would, allowing for a timelier analysis and
improvement to internal operations.

Shorter Audit Period – Data analytics helps in all the three stages of the audit, i.e.,
planning, execution, and reporting. This, in turn, leads to the completion of the
audit in a shorter period and promptly.

Lesser Audit costs and improved audit productivity – Use of data received from
emails or cloud minimizes the physical presence of audit staff. Shorter audit period
means lesser travel, stay, and allowance to the audit team, which reduces the
costs significantly. Also, the same audit staff can be used to conduct more audits,
essentially improving productivity.

9.2 TYPES OF DATA ANALYTICS

Descriptive Analytics – Raw data is summarized to describe the past. Based on
history, a view can be formed of such transactions that might happen in the future.

Diagnostic Analytics – Based on the past data and after knowing what had
happened in the past, a deeper insight can be formed. This will help to see the
cause and effect relationship of what has happened and why it had happened.

Predictive Analytics – They utilize the findings of both descriptive and diagnostic
analytics to detect tendencies, clusters, and exceptions. They predict what is likely
to happen in the future.

Prescriptive Analytics – Simulation and optimization are used to suggest what action
to take in the future. They recommend decision options to mitigate risk or to take
advantage of a trend. They are process-intensive and require highly sophisticated
tools and technology.

9.3 FIVE W’S OF DATA ANALYTICS

The Internal Auditor has to plan and meticulously execute the data analytics, and
for this the IT member in the team plays a key role. Apart from the IT expert,
there should be another team member who has complete knowledge of the
business process of the organization.

The IT person should be able to understand the ERP the client is using by reviewing
the Data Flow Diagrams of the process or flows. Before taking up any activity for
data analytics, the following 5 Ws have to be answered; this ensures that the team
gets a big picture of the activity being carried out.

WHO – Who will be the point of contact from the client’s side and also the person
from the internal audit team? Both the members should be in sync to understand
the database and execute the query accordingly.

WHAT – What are the processes for which the data analytics activity is being
performed?

WHY – Why is the Internal Auditor undertaking this activity? Is it identifiable with the
P2P flows or O2C flows?

WHERE – Where will the scripts be executed? Where will the team meet and
interact?

WHEN – By when does the activity have to be completed?

If the internal auditor can answer all the above five Ws, then the activity can be
completed very smoothly and effectively.

9.4 STEPS FOR DATA ANALYTICS ACTIVITY

Any activity or task can be performed effectively if the task is broken into steps.
Steps will ensure proper implementation for accomplishing the task. Similarly, the
data analytics by the internal auditor can be executed by following the five-step
process.

9.4.1 Define the Scope

The scope of the activity being performed has to be defined first. The scope
can range from identifying overpayments to suppliers, purchase orders
without a price or end date, bottlenecks in the production process, or materials
received without purchase orders, to analyzing the causes for the breakdown
of machinery, etc.

Once the scope is decided, it will help the Internal Auditor to deploy the
team accordingly and work with the technical team for gathering the data.

9.4.2 Gather Data

Once the scope is finalized, the next important step is to gather data. Data
gathering is the key step as the technical team member has to refer to the
concerned tables and prepare the query/script accordingly.

If the activity is to identify the price of the same item for different vendors
during the last one year or two years, the query has to be run on the purchase
orders tables.

Most of the time, the data gathering will not be successful in the first instance;
the query has to be fine-tuned from time to time, and it also depends on the
columns needed for the expected output.

In the above case, the report output could have the following columns:
• Item name
• Supplier Name & ID
• PO Number
• PO Date
• Quantity
• Price per unit
• Discount offered
• Landed Cost
• QC Rejections

The above may be the columns of the report when planned, and the query
has to be built accordingly.

9.4.3 Validate Data

Once the query is executed for the above-stated requirements, there is a
need to verify the output generated. This verification is very important as
it will help in identifying the correct records. Some of the records shown in
the report may not be required, for example where the PO is cancelled; in such a case, the
PO status has to be added. The output has to be verified to see whether correct data is
being shown based on the query, or whether there are any gaps between the output produced
and the intended output.

Also, there could be substitutes for the item; if such is the case, it is worth
verifying the price of the substitutes also.

An extension of this could be checking the output quality of the item
being purchased from different suppliers; if this is to be verified, the underlying
query should be modified accordingly.

9.4.4 Data Analysis

The important step in data analytics is data analysis, and for this the output
has to be verified in detail. If required, the query has to be modified. Suppose
there is a trend that the same item is being purchased for a higher price
from a particular supplier or in a specific location or by a specific purchasing
team member. The trend has to be established before reporting as it will give
authenticity to the data being generated.

If the trend is established, say a particular person is involved with the purchase
of the same item at a higher price, the next step is to verify at what intervals
the purchases are made, and whether they occur where there is a sudden spurt in demand
for the finished goods, or it is seasonal, etc.

9.4.5 Interpret & Report

If the Internal Auditor can understand and do a detailed analysis, he/she
will be able to give accurate reports backed by data, which in turn will help
the client to take corrective action in case of fraud or to plan procurement
properly. This type of analysis is not possible in a manual audit; data has
to be analyzed, and for this data analytics is one of the best options, as it
can read millions of records.

The trend or pattern has to be interpreted correctly and consistently; only then
will there be value for the report, else it does not carry any importance.
The queries/scripts built have to be verified time and again and improved if
required. This is a continuous process, and the scripts or the queries
can be run as a background job during non-business hours as they are
resource-intensive and time-consuming.

Such activity should be carried out during the weekend or after office hours.
The data analytics can be started with a specific department or flow and
then expanded to all departments.
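
The five steps above applied to the price-comparison case from 9.4.2, as an added example that is not part of the guidance note: the query excludes cancelled POs (validation), compares each PO price with the item's lowest price across vendors (analysis), and reports only repeated overpricing by the same supplier and buyer (trend). The table layout, column names, sample rows, the 10% tolerance and the two-PO repeat threshold are assumptions.

```python
import sqlite3

# Constructed sample rows (not real data):
# (po_number, po_date, item, supplier_id, buyer, quantity, unit_price, status)
SAMPLE_POS = [
    ("PO-001", "2023-01-10", "Bearing 6204", "S01", "buyer_a", 100, 50.0, "APPROVED"),
    ("PO-002", "2023-02-14", "Bearing 6204", "S02", "buyer_b", 120, 52.0, "APPROVED"),
    ("PO-003", "2023-03-03", "Bearing 6204", "S03", "buyer_c", 80, 68.0, "APPROVED"),
    ("PO-004", "2023-04-21", "Bearing 6204", "S03", "buyer_c", 90, 70.0, "APPROVED"),
    ("PO-005", "2023-05-09", "Bearing 6204", "S03", "buyer_c", 60, 95.0, "CANCELLED"),
    ("PO-006", "2023-01-18", "Hydraulic oil", "S04", "buyer_a", 10, 200.0, "APPROVED"),
    ("PO-007", "2023-06-02", "Hydraulic oil", "S05", "buyer_b", 12, 205.0, "APPROVED"),
]

# Validate: cancelled POs are dropped before any comparison.
# Analyse: each live PO price is compared with the item's lowest live price.
# Trend: only supplier/buyer pairs that overpay repeatedly are reported.
PRICE_QUERY = """
WITH live AS (SELECT * FROM purchase_orders WHERE status <> 'CANCELLED'),
item_floor AS (SELECT item, MIN(unit_price) AS min_price FROM live GROUP BY item)
SELECT l.item, l.supplier_id, l.buyer, COUNT(*) AS po_count,
       ROUND(AVG(l.unit_price / f.min_price - 1) * 100, 1) AS avg_premium_pct
FROM live l JOIN item_floor f ON f.item = l.item
WHERE l.unit_price > f.min_price * (1 + :tolerance)
GROUP BY l.item, l.supplier_id, l.buyer
HAVING COUNT(*) >= :min_repeats
ORDER BY avg_premium_pct DESC
"""

def load(rows):
    """Gather: load the PO extract into an in-memory table (assumed layout)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE purchase_orders (po_number TEXT PRIMARY KEY,
        po_date TEXT, item TEXT, supplier_id TEXT, buyer TEXT,
        quantity INTEGER, unit_price REAL, status TEXT)""")
    conn.executemany("INSERT INTO purchase_orders VALUES (?,?,?,?,?,?,?,?)", rows)
    return conn

def price_exceptions(conn, tolerance=0.10, min_repeats=2):
    """Return (item, supplier_id, buyer, po_count, avg_premium_pct) rows to report."""
    params = {"tolerance": tolerance, "min_repeats": min_repeats}
    return conn.execute(PRICE_QUERY, params).fetchall()

if __name__ == "__main__":
    for row in price_exceptions(load(SAMPLE_POS)):
        print(row)
```

Lowering `min_repeats` to 1 shows every single overpriced PO, which is useful while fine-tuning the query but is not yet an established trend.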

9.5 INTERNAL AUDIT OF ACCOUNTS PAYABLES USING DATA ANALYTICS

Data analytics can be used in analyzing the creditors' outstanding payments. Data
analytics helps in the following:
• Checking duplicate payments if any
• Checking unauthorized payments
• Checking the payments made for which material or services were not received
• Checking the payments in excess of authorization levels
• Checking whether any credit notes are eligible but not received
• Checking the trend or history of the creditors
• Checking the repeated purchases made from the same vendors
• Checking the highest value or volume of purchases from a single source
• Checking multiple invoices with the same date and same value
• Checking invoices issued on non-business days
• Checking the vendor experience, whether a new vendor or experienced
• Checking prices paid that are more than the standard price
• Checking high-value emergency purchases frequently from the same vendor
• Checking the bid analysis and subsequent bid allotment
• Checking the payments made to dormant accounts
• Checking a significant amount of cash payments to the same parties
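
Four of the checks listed above (duplicate payments, multiple invoices with the same date and value, invoices on non-business days, payments above authorization levels) run over a payment register, as an added example that is not part of the guidance note. The register layout, sample rows, approver names and limits are constructed assumptions; weekends are taken as the only non-business days, and invoice numbers are normalised so that reformatted duplicates are still caught.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed sample register (not real data):
# (voucher, vendor, invoice_no, invoice_date, amount, approver)
PAYMENTS = [
    ("PV-101", "V001", "INV-0077", date(2023, 3, 6), 125000, "manager1"),
    ("PV-102", "V001", "inv 77", date(2023, 3, 6), 125000, "manager1"),  # same invoice again
    ("PV-103", "V002", "B-310", date(2023, 3, 11), 40000, "clerk1"),     # a Saturday
    ("PV-104", "V003", "K-551", date(2023, 3, 14), 90000, "clerk1"),
    ("PV-105", "V003", "K-552", date(2023, 3, 14), 90000, "clerk1"),     # same date and value
    ("PV-106", "V004", "Z-900", date(2023, 3, 15), 250000, "clerk1"),    # above clerk limit
    ("PV-107", "V005", "Q-001", date(2023, 3, 16), 5000, "temp9"),       # approver not listed
]
AUTH_LIMITS = {"clerk1": 100000, "manager1": 500000}  # assumed authorization levels

def norm_invoice(number):
    """Collapse case, punctuation and leading zeros: 'INV-0077' and 'inv 77' match."""
    parts = re.findall(r"[A-Za-z]+|\d+", number.upper())
    return "".join((p.lstrip("0") or "0") if p.isdigit() else p for p in parts)

def ap_exceptions(payments, limits):
    """Return {check name: vouchers (or voucher groups) needing verification}."""
    by_invoice, by_day_value = defaultdict(list), defaultdict(list)
    out = {"duplicate_payment": [], "same_date_same_value": [],
           "non_business_day": [], "over_authorization": []}
    for voucher, vendor, inv, inv_date, amount, approver in payments:
        key = norm_invoice(inv)
        by_invoice[(vendor, key, amount)].append(voucher)
        by_day_value[(vendor, inv_date, amount)].append((voucher, key))
        if inv_date.weekday() >= 5:            # Saturday = 5, Sunday = 6
            out["non_business_day"].append(voucher)
        if amount > limits.get(approver, 0):   # unlisted approver has no authority
            out["over_authorization"].append(voucher)
    for vouchers in by_invoice.values():
        if len(vouchers) > 1:
            out["duplicate_payment"].append(vouchers)
    for entries in by_day_value.values():
        # Different invoice numbers only; true duplicates are reported above.
        if len({key for _, key in entries}) > 1:
            out["same_date_same_value"].append([v for v, _ in entries])
    return out

if __name__ == "__main__":
    for check, hits in ap_exceptions(PAYMENTS, AUTH_LIMITS).items():
        print(check, hits)
```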

9.6 INTERNAL AUDIT OF ACCOUNTS RECEIVABLES USING DATA ANALYTICS

• Checking duplicate credits given to customers
• Checking wrong credits into the customer’s account
• Checking the instrument series (Cheque/DD) differing from previous payments
• Checking the under receipt of payments from customers
• Checking wrong credit notes issued to customers
• Checking debtors aging analysis and its frequency
• Checking habitual default customers
• Checking the end to end profiling of the customers
• Checking the credit limit exceeding cases
• Checking the under-invoicing instances
• Checking the payment received from one customer and credit given to another
customer
• Checking the correctness of invoice matching with payment received

9.7 INTERNAL AUDIT OF INVENTORY USING DATA ANALYTICS

• Checking repeated purchase of the same inventory items
• Checking the items with expiry date still reflected in the inventory with the
full value
• Checking whether the items of inventory were procured based on the re-ordering
levels or based on user indent
• Checking the velocity of the consumption of the items in the inventory
• Checking the linkage between Payment Voucher to Goods Receipt
Note (GRN) to Purchase Order to Indent to ensure that the entire cycle is
authenticated
• Checking the items purchased at a different location when the same is
available in different locations of the same entity
• Checking the inventory located in third-party premises and ownership of the
same
• Checking the inventory lying in the location for which GRN is not made

9.8 INTERNAL AUDIT OF GENERAL ACCOUNTING AND COMPLIANCE USING DATA ANALYTICS

• To identify and choose sample documents for audit
• To check the compliances done or otherwise
• To check the maximum number of accounting entries passed by one single
user
• To check the high-value transactions or journal entries passed
• To check the anonymous users and any abnormality or unintended entries in
the books of account
• To check whether tax deduction at source had been made applying the correct rate


10 APPENDIX

10.1 FORMAT OF RISK MAPPING MATRIX

Y-Axis: Controls Followed

Unexplained Risk                            Low Risk
Controls NOT Documented but Followed        Controls Documented and Followed

Latent or Hidden Risk                       Controllable Risk
Controls NOT Documented and NOT Followed    Controls Documented But NOT Followed

X-Axis

10.2 FORMAT OF RISK MATRIX

IMPACT    LIKELIHOOD: LOW                                 LIKELIHOOD: MEDIUM                      LIKELIHOOD: HIGH
LOW       Requires monitoring                             Close monitoring and management         Intensive management required
MEDIUM    Risk may be accepted, but requires monitoring   Management recommended                  Management required
HIGH      Acceptable risk                                 Risk acceptable, requires regulation    Managed

10.3 PROCEDURE FOR CONTROL OVERVIEW AND RISK ASSESSMENT

RISK ASSESSMENT MATRIX

LIKELIHOOD    Insignificant   Minor      Significant   Major      Catastrophic
Certain       Low             Moderate   High          Extreme    Extreme
Likely        Low             Moderate   High          High       Extreme
Possible      Low             Moderate   Moderate      High       High
Unlikely      Low             Low        Moderate      Moderate   Moderate
Rare          Low             Low        Low           Low        Low

(Rows: LIKELIHOOD; columns: SIGNIFICANT)

Rating   Risk Grade   Risk possible description

5   Extreme (Detailed research and management planning required at senior levels)
    • Financial loss of Rupees XX Crores or more
    • Negative media coverage in international market; loss of market share
    • Prosecution and fines, litigation including class actions, incarceration of leadership
    • Significant injuries or fatalities to employees or third parties, such as
      customers or vendors

4   High (Immediate senior management attention needed)
    • Financial loss up to Rs. X crores or more
    • National negative media coverage; significant loss of market share
    • Report to regulator requiring major project for corrective action
    • Insurance required for employees or third parties, such as customers or vendors in
      visiting workplaces
    • Significant attrition at senior management level

3   Moderate (Senior management attention needed)
    • Financial loss of Rs. X crores or more.
    • National short-term negative media coverage
    • Report of breach to regulator with immediate correction to be implemented
    • Widespread staff morale problems and high turnover

2   Minor (Management responsibility must be specified)
    • Financial loss of Rs. X crores or more
    • Local reputational damage
    • Reportable incident to regulator, no follow up
    • General staff morale problems and increase in turnover

1   Low (Manage by routine procedures)
    • Financial loss up to Rs. X crores
    • Local media attention quickly remedied
    • Not reportable to regulator
    • Isolated staff dissatisfaction
