1.

Brief Overview of Internal Control System

1.1 Internal Control
Internal controls are the processes that auditor develop to administer unit
effectively. They generally include rules and procedures. The collective result should
be a dynamic process which is designed to provide reasonable, but not absolute
assurance regarding the achievement of objectives with regard to the following:

Effectiveness and efficiency of operations

Reliability with applicable laws and regulations
Compliance with applicable laws and regulations.

1.2 Purpose of internal control system

The overall purpose of Internal Control is to help an organization achieves its
mission. It also helps an organization to

Promote orderly, economical, efficient and effective operations and

produce

quality

products

and

services

consistent

with

the

organizations mission
Safeguard
resources

mismanagement directives
Develop and maintain reliable financial and management data, and

against

loss

due

to

waste,

abuse,

accurately present that data in timely reports.

1.3 Major components of Internal Control

Major components of Internal Control System are

Control environment
Risk assessment
Control activities
Information and communication
Monitoring

Proposed manual does not contain any overview of internal control system. Should I
give it as an observation?

1.4 Code of Ethics for Internal Auditor

Internal

Auditors

should

follow

some

certain

moral

principles.

These

are

recommendatory in nature and provide the basic guidelines to the Internal Auditors
with regard to the moral issue and conflicts which they may face while carrying out
Internal Audit procedure.
1.4.1 Integrity, Objectivity & Independence of Internal Auditor

Internal Auditor shall have an obligation to exercise honesty, objectivity,

and diligence in performance of their duties and responsibilities.

Internal Auditors holding the trust of the Company, shall exhibit loyalty in

all matters pertaining to the affairs of the Company.

Internal Auditors shall refrain from entering into any activity which may be

in conflict with the interest of the company.

Internal Auditors shall not accept a fee or a gift from an employee, a client
of a contractor or a supplier. Internal auditor must be fair and must not
allow prejudice or bias to override his objectivity. She/he should maintain
an impartial attitude. The internal auditor should not, therefore, to the
extent possible, undertake activities, which are or might appear to be
incompatible with her/his independence and objectivity. For example, to
avoid any conflict of interest, the internal auditor should not review an

activity for which she/he was previously responsible.

Internal Auditor should immediately bring any actual or apparent conflict
of interest to the attention of the appropriate level of management so that
necessary corrective action may be taken.

1.4.2 Confidentiality

Internal Auditor shall be prudent in the use of information acquired in the

course of their duties. She/he shall not use confidential information for any
personal reason or in a manner which would be detrimental to the interest

of the respective company.

Internal Auditor should not disclose any such information to a third party,
including the employees of the entity, without the specific authority of the
management/ client or unless there is a legal or a professional
responsibility to do so.

1.4.3 Proficiency and Due Professional Care

Internal Auditor should exercise due professional care in carrying out the
work entrusted to him in terms of deciding on aspects such as the extent
of work required to achieve the objectives of the engagement, relative
complexity and materiality of the matters subjected to internal audit,
assessment of risk management, control and governance processes and
cost benefit analysis. Due professional care, however, neither implies nor
guarantees infallibility, nor does it require the internal auditor to go

beyond the scope of his engagement.

Internal Auditor should have obtained required skills and competence
through general education, technical knowledge obtained through study
and formal courses, as are necessary for the purpose of discharging his

responsibilities.
Internal Auditor shall also have a continuing responsibility to maintain
professional knowledge and skills at a level required to ensure that the
Company receives the advantage of competent professional service based
on the latest developments in the profession, the economy and the
relevant industry and legislation.

(Proposed manual does not contain any narrative description about the code of
ethics of the internal auditor. Should I give it as an observation?)

1.4 Approach of Internal Control Audit

The methodology of an internal control audit should be implemented through Risk
Based Approach.
Risk Based Approach
Risk based methodology shall be followed to conduct Internal Audit effectively. First
step should be to identify all the risks to develop the risk universe. These risks
should be prioritized based on the implications. Second step should be to develop
annual audit plan to cover at least all the high risk areas and other medium and low

risk areas based on sensitivity. It might not be possible to cover all the medium and
low risk areas in a single year. In such case all efforts should be made to cover all
the areas within a span of 3 to 4 years. Once annual plan is finalized, audit program
should be designed, specifying the steps to be performed to execute the audit. The
Audit program should be agreed by Internal Audit Coordinator for the respective
units. Audit program should cover but not be restricted to the Appendices provided
in this manual for the major areas. Post finalization of audit program, Internal
Auditors should carry out Test of Design and Test of Effectiveness of controls as per
audit program. All the finding should be reported to management.
Identifying the risks

Step
1

Priorotize the risks

Step
2

Develop Audit Plan

Step
3

Execute Audit

Step
4

Evaluate results and discuss with repoting authority

Step
5

(Proposed manual does not contain any explanation or indication of risk based
approach. Should I give it as an observation?)

2. Observations and suggestions

2.1 The manual does not conforms the purpose of the internal
audit, distribution policy and confidentiality status of the
manual is not clearly mentioned
A standard audit manual should specify its purpose, distribution policy and
confidentiality to ensure its effective use and avoid conflict of interest. An example
is given below:
Purpose
This manual describes the internal audit process of SHIN SHIN GROUP covering
various aspects such as audit charter, audit organization structure, objectives of
internal audit, code of ethics for Internal Auditors, audit approach, the period to be
covered, the scope and extent of checking, documentation, issuance of reports, the
follow-up of reports, and the system for ensuring compliance of internal audit
observations. Detailed guidelines in respect of all the areas to be covered by
internal audit have also been included. The purpose of this manual is to act as a
quick reference guide for all internal auditors in relation to the internal audit
methodology and to have uniformity in reporting.
Distribution
This manual should be distributed to all Internal Audit Staff and appointed internal
auditors and external auditors for their reference with proper management
approval.
Confidentiality
The contents of this manual are confidential. Copies or extracts of this manual may
not be provided to any person who does not belong to internal audit department,
without prior permission from the Head of Internal Audit.
But no policy regarding the purpose, distribution and confidentiality has been
designed in Proposed Scope, Objective, Plan and Reporting Schedule of
Internal Control.

2.2 No specific Organizational Chart has been proposed

The Internal Audit Department should develop and propose a well design internal
audit chart to implement its operation efficiently and independently.

But no organizational hierarchy has been designed in

Proposed Scope,

Objective, Plan and Reporting Schedule of Internal Control.

2.3 No plan for developing The internal audit charter.

The internal audit charter is a formal document that defines the internal audit
activity's

purpose,

authority,

and

responsibility.

The

internal

audit

charter

establishes the internal audit activity's position within the organization, including
the nature of the internal audit managers functional reporting relationship with the
top management. It also authorizes access to records, personnel, and physical
properties relevant to the performance of engagements; and defines the scope of
internal audit activities. Final approval of the internal audit charter resides with the
top management.
The Internal Audit & Control Department (IACD) of SHIN SHIN GROUP does not
incorporate the process of developing an audit charter in the Proposed Scope,
Objective, Plan and Reporting Schedule of Internal Control.

2.4 Scope of the audit report should cover wider area than
mentioned
The Scope of the proposed internal audit system can be broadly divided into the
following:
1) Review of Systems
2) Review of Transactions
3) Review of Sanctions
4) Review of Internal Control
5) Review of Operations

The internal audit activity must evaluate the adequacy and effectiveness of controls
in responding to risks within the organizations governance, operations, and
information systems regarding the:

Achievement of the organizations strategic objectives;

Reliability and integrity of financial and operational information;
Effectiveness and efficiency of operations and programs;
Safeguarding of assets; and
Compliance with laws, regulations, policies, procedures, and contracts.

Internal auditors must base conclusions and engagement results on appropriate

analyses and evaluations and they must document relevant information to support
the conclusions and engagement results.
As per Proposed Scope, Objective, Plan and Reporting Schedule of Internal
Control the scope and objective of the internal audit is confined within the
boundary of three arena

Financial audit
Cost audit and
Management audit

2.5 Financial audit plan of the company should be specifically

classified
Financial audit plan should be classified into following sections to make the process
more specific and understandable to users:

Cash and Bank Transaction

Book Keeping Procedure
Documentation
Reporting Procedure
Authorization and Approval
Budget

2.6 Production and Cost Audit Plan section comprises some

inconsistent information
As per Production and Cost Audit Plan of Proposed Scope, Objective, Plan and
Reporting Schedule of Internal Control audit job includes the checking of style
wise production process, irregularities in production, supply chain management and

short, late and air shipment with penalty. These issues in our opinion are not
inconsistent in line with the internal control objectivity.

2.7

Human

Resource

Management,

Administration

and

Compliance are bought together under the same internal audit

procedure.
As per Management Audit Plan of Proposed Scope, Objective, Plan and
Reporting Schedule of Internal Control no particular boundary has been drawn
in terms of audit procedure of HR, Admin and Compliance sections. Different audit
procedure should be implemented in these arenas.
Performance of SWOT analysis has only mentioned in this section. But in our opinion
this analysis is applicable for other sections too. Setting Key Performance Indicators
(KPI) and identify Standard Operation Procedure is particularly applicable for
production department rather than HR, Admin & Compliance.

2.8 Merchandising and Supply Chain Management have been

accumulated together
As per Management Audit Plan of Proposed Scope, Objective, Plan and
Reporting Schedule of Internal Control Merchandising and Supply Chain
Management have been brought together. But these two sections should be
separated in terms of internal audit procedure as the nature of these two
departments is completely different from each other.

2.9 Audit of sales and marketing is not relevant in the context

of the companys nature of business.
Audit procedure for Sales/Marketing has been developed under Management Audit
Plan of Proposed Scope, Objective, Plan and Reporting Schedule of
Internal Control which is not consistent to the current business nature of SHIN
SHIN GROUP.