Compendium of Generic Internal Audit Guides
(As on January 1, 2015)
Volume II

The Institute of Chartered Accountants of India
(Set up by an Act of Parliament)
New Delhi

© The Institute of Chartered Accountants of India

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form, or by any means, electronic, mechanical, photocopying, recording, or otherwise without prior permission, in writing, from the publisher.

Edition: January, 2015
Committee/Department: Internal Audit Standards Board
E-mail: cia@icai.in
Website: www.icai.org
Price: 1,000/- (Vol. I & II including CD)
ISBN: 978-81-8441-747-0
Published by: The Publication Department on behalf of the Institute of Chartered Accountants of India, ICAI Bhawan, Post Box No. 7100, Indraprastha Marg, New Delhi - 110 002.
Printed by: Sahitya Bhawan Publications, Hospital Road, Agra - 282 003. January/2015/P1689 (New)

Foreword

The business landscape has changed dramatically and the need to create greater transparency, establish sound corporate governance and understand risk exposure has never been greater. Internal audit is well positioned to help organizations adapt and even succeed in these unprecedented times. It is a key pillar in effective corporate governance and risk management, and is ultimately there to safeguard the sustainability of organizations.

The Institute has been working relentlessly to elevate the internal audit profession and to provide members with the support and resources they need to successfully meet each challenge. Strong technical knowledge and skills will help the internal auditors to meet stakeholder’s expectations and be viewed as enablers of sustainable value. Internal Audit Standards Board of the Institute has over the years brought out high quality literature on internal audit, internal control and risk management for the guidance of the members.
Apart from issuing Standards on Internal Audit, the Board has also issued a number of generic and industry specific guides. In 2013, the Board had issued “Compendium of Technical Guides on Internal Audit” which contained both generic and industry specific Guides. Considering the fact that the number of guides has increased substantially, the Board has decided to issue two separate Compendiums, one for industry specific Guides and the other for generic Guides on internal audit. This “Compendium of Generic Internal Audit Guides” is a one stop reference for all the generic guides issued by the Board till date.

I would like to congratulate CA. Charanjot Singh Nanda, Chairman, Internal Audit Standards Board and all the other members of the Board for their efforts in developing technical literature on internal audit. I am sure that this Compendium would prove beneficial, as part of efforts of our members to deliver best in all their internal audit engagements.

New Delhi
January 13, 2015

CA. K. Raghu
President, ICAI

Preface

Accelerated changes in response to challenging economic and competitive market conditions over the past years have redefined organizational structures, business processes, and ultimately the risks. In this dynamic environment, internal audit’s scope is expanding because the expectations that boards and management place on it are growing, thereby demanding an increased focus on achieving balance between risk management and business performance. Internal auditors need to be more broad based and adopt a holistic approach to their planning and execution methodology in order to be effective business partners. The Institute through Internal Audit Standards Board has been playing an important role in helping members to not only sharpen internal auditing knowledge and skills but also in moving towards being an important pillar of corporate governance framework.
The Board has over the years brought out a number of generic and industry specific guides which provide detailed guidance to the members on various internal audit aspects. In 2011, the Board had issued “Compendium of Technical Guides on Internal Audit” which contained text of all the Industry Specific and Generic Guides issued by the Board till June, 2011 and further issued revised edition of the same in 2013. With a view to enhance utility and optimize the size of the Compendium, the Board is bringing out separate Compendiums for Industry Specific Internal Audit Guides and Generic Internal Audit Guides.

This Compendium of Generic Internal Audit Guides (As on January 1, 2015) is divided into two Volumes. The first volume contains Background Material on Due Diligence, Guide on Risk Based Internal Audit, Guide to Implementing Enterprise Risk Management, Study on Co-ordination of Internal Auditor with Functional Heads and Study on Investigative Audit. The second volume contains Guide on Environmental Audit, Data Analytics and Continuous Control Monitoring, Technical Guide on Social Audit, Technical Guide on Internal Audit of Intangible Assets and Technical Guide on Internal Audit of Tendering Process. Further, it may be noted that the text of each of these Guides has been published as a separate publication of the Institute.

I would like to express my gratitude to CA. K. Raghu, President, ICAI and CA. Manoj Fadnis, Vice President, ICAI for their continuous support and encouragement to the initiatives of the Board. I must also thank my colleagues from the Council at the Internal Audit Standards Board, viz., CA. Shriniwas Yeshwant Joshi, Vice Chairman, IASB, CA. Rajkumar S. Adukia, CA. Prafulla Premsukh Chhajed, CA. Sanjeev K. Maheshwari, CA. Dhinal Ashvinbhai Shah, CA. Shiwaji Bhikaji Zaware, CA. V. Murali, CA. S. Santhanakrishnan, CA. Abhijit Bandyopadhyay, CA. Sanjiv Kumar Chaudhary, CA. Atul Kumar Gupta, CA. Naveen N.D. Gupta, Shri Manoj Kumar, Shri P.
Sesh Kumar and Shri R.K. Jain for their vision and support. I also wish to place on record my gratitude for the co-opted members on the Board, viz., CA. R. Balakrishnan, CA. N. S. Ayyanagoudar, CA. Sunil H. Talati, CA. J. Vedantha Ramanujam and CA. Milind Vijayvargia and special invitees, CA. Nagesh D. Pinge and CA. Hardik Chokshi for their invaluable guidance as also their dedication and support to various initiatives of the Board. I also wish to express my thanks to CA. Jyoti Singh, Secretary, Internal Audit Standards Board, CA. Arti Bansal, Asst. Secretary and CA. Pallavi Aggarwal, Management Trainee in giving final shape to the Compendium.

I am sure that having these Guides together at one place in the form of Compendium would make an easy reference for all the users.

New Delhi
January 13, 2015

CA. Charanjot Singh Nanda
Chairman, IASB

Contents

Foreword
Preface

Volume II
G-6 Guide on Environmental Audit
G-7 Data Analytics and Continuous Controls Monitoring (including Practical Case Studies)
G-8 Technical Guide on Social Audit
G-9 Technical Guide on Internal Audit of Intangible Assets
G-10 Technical Guide on Internal Audit of Tendering Process

Volume I
G-1 Background Material on Due Diligence
G-2 Guide on Risk-based Internal Audit
G-3 Guide to Implementing Enterprise Risk Management
G-4 Study on Co-ordination of Internal Auditor with Functional Heads
G-5 Study on Investigative Audit

Note: Detailed contents of each of these Guides are given at the beginning of the respective Guide.

G-6 GUIDE ON ENVIRONMENTAL AUDIT

Foreword

The global environment scenario is very grim because of increasing water and atmospheric pollution, over-exploitation of land, cutting down of forests, increase in untreated waste, threats to biodiversity and marine areas. The multiplicity of agencies involved, pressures of various interest groups and complexity of the tasks to be performed in environmental protection pose a great challenge in ensuring adequate protection of the environment. Environmental audit is a methodical examination of environmental information about an organization, a facility or a site, to verify whether, or to what extent, they conform to specified audit criteria.

I congratulate CA. Rajkumar S. Adukia, Chairman, Internal Audit Standards Board and other members of the Board for bringing out this “Guide on Environmental Audit” on a timely basis. This comprehensive publication would surely help the members to understand the various compliance and regulatory requirements related to environment audit and obtain better skills and knowledge in this emerging field.

I am sure that this Guide would help the members to play a significant role in assisting organizations, to ensure application of the best business practices, resulting in decrease of potential environmental liabilities and mitigation of environmental risks.

New Delhi
January 2, 2012

CA. G. Ramaswamy
President, ICAI

Preface

Environmental issues are increasingly impacting the bottom line and future prospects of companies in many industries.
They can present both opportunities and risk and can have important implications for strategy, competitiveness, risk management, stakeholder relations and business resilience. Understanding how environmental issues impact stakeholders and understanding stakeholders’ expectations about environmental issues can contribute valuable insights for the identification of strategic opportunities and corporate risks. Positive stakeholder relations build trust, increasingly essential for competitiveness and resilience.

Environmental auditing seems to date back, formally, to around the promulgation of the U.S. National Environmental Protection Act (NERA) in 1969. Environmental auditing is a process whereby an organisation’s environmental performance is tested against its environmental policies and objectives. The aim is to assess how well environmental organisation, management and equipment are performing with the aim of contributing to safeguard the environment by facilitating management control of environmental practices and assessing compliance with organisational policies, which would include meeting regulatory requirements.

Recognising the growing importance of the subject of environmental auditing as the survival and growth mantra for business these days, the Internal Audit Standards Board has issued this Guide on Environmental Audit. The main objective of this Guide is to provide a general overview of the concept of environmental auditing as an emerging area. The Guide is divided into eight chapters. Chapter I is introductory in nature and Chapter II discusses some key concepts related to this area. Chapter III explains the concepts of environmental auditing, its features, objectives and benefits. Chapter IV deals with evolution of the concept of environmental auditing over the past few decades. This chapter also explains some applicable standards in this area.
Chapter V elaborates the process of environmental auditing and lists out the tools and techniques used. It also explains the manner of writing an environmental audit report. Chapter VI deals with various types of environmental audit and some emerging trends in the area. Chapter VII analyzes emerging opportunities for the members in the area of environmental auditing and Chapter VIII includes summary and conclusion. The guide also includes checklist for environmental audit, illustrative environmental audit report and glossary of terms thereby providing valuable guidance to the readers for developing understanding of the subject matter.

At this juncture, I wish to express my sincere gratitude to Dr. (Ms.) Shuchi Pahuja for sparing time out of her professional and personal commitments and sharing her wealth of experience in the area of environmental auditing in the form of this Guide.

I wish to place on record my thanks for CA. G. Ramaswamy, President and CA. Jaydeep N. Shah, Vice President, ICAI, for their continuous support and encouragement in the activities of the Internal Audit Standards Board. I also wish to express my sincere gratitude to all my colleagues from the Council at the Internal Audit Standards Board, viz., CA. P. Rajendra Kumar, Vice Chairman, CA. Amarjit Chopra, CA. Shiwaji B. Zaware, CA. Ravi Holani, CA. Anuj Goyal, CA. Nilesh Vikamsey, CA. Vijay K. Garg, CA. Atul C. Bheda, CA. J. Venkateswarlu, CA. Abhijit Bandyopadhyay, Shri Prithvi Haldea, Smt. Usha Narayanan, Smt. Usha Sankar, Shri Manoj Kumar and Shri Sidharth Birla for their vision and support. I also wish to place on record my gratitude for the co-opted members on the Board, viz., CA. Madhu Sudan Goyal, CA. Rohit Choksi, CA. Ketan Vikamsey and CA. Pankaj Kumar Adukia as also special invitees on the Board, viz., CA. Anil Kumar Jain, CA. Ajay Minocha, CA. Sumit Behl and CA. R.
Subramaniam for their invaluable guidance as also their dedication and support to the various initiatives of the Board. I also wish to express my thanks to CA. Jyoti Singh, Secretary, Internal Audit Standards Board and her team of officers for giving final shape to this publication.

I am hopeful that this Guide would play an important role in providing the members an initial start in acquiring necessary knowledge in this emerging area, so that they are able to contribute in conservation of environment.

Mumbai
January 2, 2012

CA. Rajkumar S. Adukia
Chairman
Internal Audit Standards Board

Contents

Abbreviations
Glossary
Executive Summary
Chapter 1 Introduction
Chapter 2 Key Concepts
Chapter 3 Environmental Audit
Chapter 4 Evolution of Environmental Audit
Chapter 5 Environmental Audit Process
Chapter 6 Types of Environmental Audit
Chapter 7 Emerging Opportunities for Professional Accountants in the Field of Environmental Audits
Chapter 8 Summary and Conclusion

Appendices
Appendix I The Confederation of British Industry’s Guide to Environmental Audit
Appendix II Relevant Environmental Laws in India
Appendix III Sample Checklists
Appendix IV Environmental Statement - Form V
Appendix V Sample Environmental Audit Report
References

Abbreviations

ASOSAI: Association of Supreme Audit Institutions
CA: Chartered Accountants
CES: Carbon (Emission and Sequestration) Accounting
CICA: Canadian Institute of Chartered Accountants
CPCB: Central Pollution Control Board
CSA: Canadian Standards Association
EIA: Environmental Impact Assessment
EMAS: European Eco-management and Audit Scheme
EMS: Environmental Management System
EPA: Environmental Protection Agency, USA
EU: European Union
FEE: Federation des Experts Comptables Europeens (European Federation of Accountants)
GCC: Global Climate Change
GHG: Greenhouse Gases
GRI: Global Reporting Initiative
ICC: International Chamber of Commerce
IEA: International Environmental Agreements
IEM: Integrated Environmental Management
IFAC: International Federation of Accountants
INTOSAI: International Organization of Supreme Audit Institutions
IPCC: Intergovernmental Panel on Climate Change
ISO: International Standards Organization
NEPA: US National Environmental Policy Act
SAI: Supreme Audit Institutions
SEAs: Strategic Environmental Assessments
SEC: Securities and Exchange Commission, USA
SEESR: Social, Ethical, Environmental and Sustainability Reporting
SHEQ: Safety, Health, Environmental and Quality
SPCB: State Pollution Control Board
UNCED: United Nations Conference on Environment and Development (known as Earth Summit)
UNCTAD: United Nations Conference on Trade and Development
UNEP: United Nations Environment Program
UN ISAR: United Nations Inter Governmental Working Group of Experts on International Standards on Accounting and Reporting
WCED: World Commission on Environment and Development
WGEA: Working Group on Environmental Audit

Glossary

Compliance Monitoring: A continuous process to ensure that the conditions in the
environmental law, certificates or permits are adhered to.

Corrective Action: Action to eliminate the cause of a detected non-compliance.

Corrective Action Plan: An action plan developed by auditee or someone on his behalf to resolve the non-conformity item.

Environmental Audit: An audit which aims at verification and validation to ensure that various environmental laws are complied with and adequate care has been taken towards environmental protection and preservation.

Environmental Consultant: An individual or firm who act in an independent manner to provide information for decision-making.

Environmental Due Diligence Audit: An audit which is normally conducted before acquisition or sale of a business or property to check the extent to which the business may have known or unknown (or visible or hidden) environmental liabilities.

Environmental Risk Assessment: An assessment of the environmental risks arising from a facility in areas such as, air, water, soil and groundwater pollution.

Environment: Environment includes water, air and land and the inter-relationship which exists among and between water, air and land, human beings, other living creatures, plants, micro organism and property.

Environment Assessment: The generic term used for all forms of assessment of projects, plans, programmes or policies. This includes methods such as, environmental impact assessment, sustainability assessment, strategic environment assessment, etc.

Environmental Audit Report: A summary report prepared after an environmental audit that describes the attributes of the audit and audit findings and conclusions.

Environmental Compliance Audit: An audit conducted mainly to ensure compliance with environmental laws, standards, industry guidelines and company’s policies.

Environmental Performance Audit: An audit conducted to verify environmental activities and performance of the auditee.

Environmental Impact: A positive or negative condition that occurs to environment as a result of the activity of a project, facility or entity.

Environmental Impact Assessment: A process which is used to identify, predict or assess the potential environmental impact of a proposed project on the environment. It is a compulsory requirement in many countries.

Environmental Management Audit: An audit which explores the extent, nature and format of environmental management systems which are in place. It is normally carried out to evaluate operations which may be required considering certification for formal EMS systems such as, ISO 14000 or EMAS.

Environmental Management System (EMS) Audit: An audit, where an established EMS is in place, to be carried out to test effectiveness and appropriateness of the EMS against the context of current operations and activities or to comply with EMS audit requirement of ISO 14001 or EMAS.

Impact: The positive or negative effects on human well-being and/or on the environment.

Integrated Environmental Management (IEM): A philosophy which prescribes a code of practice for ensuring that environmental considerations are fully integrated into all stages of the development and decision-making process.

Lead Auditor: An auditor who is appointed to undertake the environmental audit and undersign the audit report.

Mitigate: Implementation of measures to reduce adverse impacts on environment.

Permit Audit: An audit carried out, usually as a formal permit condition, to externally check the compliance of an organization to the terms and requirements of a permit or licence.

Proponent: Any individual, authority, industry or association proposing an activity, project or programme.

Pollution Prevention: Use of processes, practices, techniques, materials, products, services or energy to avoid, reduce or control (separately or in combination) the creation, emission or discharge of any type of pollutant or waste, in order to reduce adverse environmental impacts (as defined in ISO 14001:2004).

Scoping: The process of determining key issues in an environmental assessment. The main purpose is to ensure that only significant issues are examined and at the same time no important issue is left.

Safety, Health, Environmental & Quality (SHEQ) Management: A safety, health, environment and quality audit carried out by organizations who wish to reduce the cost and inconvenience of having a number of separate audits and, instead, combine these audits into one exercise.

Stakeholders: A sub-group of public whose interests may be positively or negatively affected by a proposal or activity and/or who are concerned with a proposal or activity or its consequences. In environmental issues even public at large is a major stakeholder.

Surveillance Audit: An audit undertaken to verify that an organization with an existing certification is still meeting the minimum requirements of certification.

Executive Summary

1. During the past few decades, the adverse environmental effect of economic development has become a matter of great public concern all over the world. It has been increasingly realized that industrial and development activities are a key contributor to the escalating environmental degradation of the earth, through intensive use of natural resources and generation of environmental pollutants and waste that overwhelm the natural environment’s capacity to recover. Industry and developers cannot remain silent spectators to these devastating impacts on the environment and resulting global climate change.
The time has arrived for them to take all the steps to protect the environment and to minimize the adverse environmental impact on this planet, in a sustainable manner, for the sake of future generations.

2. The recognition that regulators and the public have given to the importance of environmental issues and the sustainability challenge in the past two decades is beginning to put a lot of pressure on industry and business. Various laws have been enacted at national and international levels addressing issues like pollution, conservation of resources, global warming and climate change. There has also been a significant increase in public concern on the issue. Ever-increasing numbers of ethical consumers and ethical investors (mainly institutional investors), concerns by media and NGOs, and awareness among stakeholders about environmental risk and its impact on the financial results of the concerns have compelled companies to redefine their products, processes and markets to make them more environment friendly and less resource consuming. More and more businesses are becoming conscious of their carbon footprint and how their actions impact the environment. With this legislative and social trend, assessment of environmental performance and environmental impacts of a business has become important to managers not only for reasons of social concern but because they represent very real liabilities faced by organisations. In fact, environmental issues have become so central to organizational management that any organisation ignoring the environmental aspect in its functioning would indirectly endanger its own existence.

3. Since companies have started taking green initiatives to reduce their carbon footprint and to conserve resources, it has become necessary that some action should be taken to evaluate the green performance of the company. Environmental audit, popularly called green audit, is a step in this direction.
Simply speaking, environmental audit refers to verification of environmental measures taken by an organization. It is a branch of social audit. According to US Environmental Protection Agency (EPA), “Environmental audit is a systematic, documented, periodic and objective review by a regulated entity of facility, operations and practices related to meeting environmental requirements”. Environmental audit aims at verification and validation to ensure that various environmental laws are duly complied with and adequate care has been taken towards environmental protection and preservation. It is a wide term which includes mainly three areas: Environmental compliance audit, Environmental performance audit, and Environmental financial audit. While compliance audit seeks to ensure compliance with relevant environmental laws, standards, industry guidelines and company policies, the focus of environmental performance audit is on verification of environmental performance of the concern to ensure application of the best business practices to decrease potential environmental liabilities and to mitigate environmental risks. In the environmental financial audit, the auditor verifies accuracy and authenticity of all significant environmental costs, benefits, assets and liabilities reported by the concern.

4. These days, environmental audit has become a valuable tool in the management and monitoring of environmental and sustainable development programs. In fact, environmental audit acts both as the first essential step towards environmental sensitivity and as a regular and essential part of environmental management system. The results of the environmental audit exercises provide important information to various concerned internal and external stakeholders. Conducting an environmental audit is no longer optional but a sound precaution and a proactive measure in today’s highly regulated environment.

5.
The accounting profession is considered to be a low environment impact sector and therefore, accountants and auditors were earlier not associated with the conservation of environment movement. However, with environmental protection assuming increased importance in the world, the accounting profession all over the world has shown positive response to the environmental issues. It has been felt that professional accountants can play an important role in helping an organization to respond to environmental issues. It would help them also in developing their role beyond the traditional core activities related to financial accounting and auditing.

6. Environmental audit as an emerging area in auditing is of substantial interest to the accounting profession in India. This “Guide on Environmental Audit” aims at providing a useful understanding of the concept of environmental audit to the professional accountants in India. The Guide would give general information on processes, tools and techniques of environmental audit. It contains eight chapters namely, Introduction; Key Concepts; Environmental Audit – concept, features, objects and benefits; Evolution of Environmental audit and some environmental audit standards; Process of environmental audit; Types of environmental audit; Emerging opportunities for professional accountants in the area of environmental audit; and finally, Summary and conclusion. It is expected that the guide would help auditors in planning and conducting environmental audits in a more structured and systematic manner. They can apply the general guidance provided in the manual in audit of different environment related issues with suitable customization.

Chapter 1
Introduction

1.1 In the past few decades, environmental crisis has become a global issue. People have become increasingly concerned about the effects of global warming and resulting Global Climate Change (GCC).
Increase in water, air and other forms of atmospheric pollution, decrease in size of forests, over-exploitation of land, dumping of waste and increase in emission of GHGs have contributed to the threats faced by biodiversity and ecology of the earth. It has been felt that this degradation in environment is mainly the result of the relentless march towards economic and social development without environmental considerations, which encouraged urbanization, industrialization, over-utilization of natural resources, deforestation, pollution, etc.

1.2 To control this situation, the Governments of many countries are promoting more and more regulations to protect the environment and the community, in general. There are several environmental laws at national and international levels to address major environmental issues such as water scarcity and quality degradation, soil degradation, accumulation of toxic wastes, forest cover depletion, pollution from industry and urban livelihoods, climate change, and global warming. Violation of these statutes can result in significant fines, remediation costs and even closure of business. It is because of stringent environmental laws that the environment has become one of the critical factors in all the major business decisions (like financing, capital budgeting, working capital management, cost controls, project planning and control, mergers or corporate restructuring). With this legislative trend, assessment of environmental performance and environmental impacts of a business has become important to managers not only for reasons of social concern but because they represent very real liabilities faced by organisations.

1.3 There has also been a significant growth of public concern regarding environmental issues over the past two decades. Ethical consumers, world over, are giving preference to green products.
They want a product that is manufactured using the fewest resources, contains no harmful toxic chemicals and which can be disposed of in an eco-friendly manner. Consumers are even ready to pay more for such green products. Among the industrial customers, many big companies are demanding detailed environmental metrics such as carbon footprint data from suppliers. They seek green supplier practices like reduced packaging or redesigning of distribution routes to cut fossil fuel and resource use. In the same way, there is growing concern about environmental issues among other stakeholders like investors (particularly institutional investors), creditors, financial community (banks, insurance companies, etc.), NGOs and society at large.

1.4 There are pressures of stringent environmental laws, rising resource prices, reduction in availability of natural resources and growing awareness among various concerned stakeholders about environmental issues which have compelled companies to redefine their products, processes and markets to make them more environment friendly and less resource consuming. More and more businesses are becoming conscious of their carbon footprint and how their actions impact the environment. It appears that green business is the only survival and growth mantra for business these days.

1.5 Since companies have started taking green initiatives to reduce their carbon footprint and to conserve resources, it has become necessary that some action should be taken to evaluate the green performance of the company. Environmental audit, popularly called green audit, is a step in this direction. Simply speaking, environmental audit refers to verification of environmental measures taken by an organization. Environmental audits are undertaken mainly to ensure compliance with regulatory requirements and corporate guidelines.
They also seek to ensure application of the best business practices to decrease potential environmental liabilities and to mitigate environmental risks.

1.6 The main objective of this Guide is to provide a general overview of the concept of environmental audit as an emerging area in auditing. The Guide is divided into eight chapters, including the present one, which is introductory in nature. Before going into the details of environmental audit, Chapter II introduces some key concepts used in the area. Chapter III explains the concept of environmental audit, its features, objects and benefits. Chapter IV deals with the evolution of the concept of environmental audit over the past few decades. This Chapter also explains some applicable standards in this area. Chapter V elaborates the process of environmental audit and lists some tools and techniques used in environmental auditing. The Chapter also explains how to write an environmental audit report. Chapter VI deals with various types of environmental audit and some emerging trends in the area. Chapter VII analyzes emerging opportunities for professional accountants in the area of environmental auditing. Finally, Chapter VIII gives a summary and concludes the discussion.

Chapter 2
Key Concepts

2.1 Before going into the details of environmental audit, it is necessary to have knowledge of some key concepts relating to environment, climate change and environmental performance. This chapter presents the meaning of some key concepts used in relation to environmental audit.

Environment

2.2 The term environment refers to all the conditions that surround us. It includes “The physical surroundings, conditions, circumstances etc. in which a person lives… the totality of the physical conditions on the earth or part of it.” In the context of business organizations, environment can be defined as all the conditions that surround a business concern.
These conditions include the external as well as the internal environment of the organization. According to the Environment (Protection) Act, 1986, “Environment includes water, air and land and the inter-relationship which exists among and between water, air and land, human beings, other living creatures, plants, micro organism and property.” This definition covers the natural physical environment only. This Guide also focuses mainly on the natural physical environment and, therefore, ignores the non-physical, general, industrial and internal environment. Environment has been taken as natural physical surroundings and includes air, water, land, flora, fauna and non-renewable resources such as fossil fuels and minerals.

Environmental Degradation

2.3 The relentless march towards development, industrialization and increasing urbanization has led to rapid degradation of the environment. Environmental degradation occurs when nature’s resources, such as trees, habitat, land, water and air, are consumed faster than the rate at which nature can replenish them; when pollution results in irreparable damage to the environment; or when human beings destroy or damage eco-systems in the process of development. Some of the causes of such degradation include overpopulation, urbanization, industrial pollution, waste dumping, intensive farming, over-fishing, industrialization, introduction of invasive species, lack of environmental regulations, etc.

Global Warming

2.4 Global warming is the increase of the earth’s average surface temperature due to the effect of Greenhouse Gases (GHGs), such as carbon dioxide released from burning of fossil fuels, industrial activities and human uses, which trap heat that would otherwise escape from the earth. This is a type of Greenhouse effect.
The effects of such warming may range from mild to dire, i.e., from moderate changes in regional climates and length of seasons to catastrophic global ecological changes like extreme weather conditions, damage to crops, cyclones and storms, destabilization of massive ice sheets in Polar Regions, rise of sea levels, submerging of coastal cities, widespread vanishing of animal species, dislocation of people and resulting effects. Global warming is not just an environmental or health concern; it is a matter of survival on the earth.

Greenhouse Gases (GHGs)

2.5 Greenhouse gases are gases that trap heat in the earth’s atmosphere. The main greenhouse gases defined within the context of the Kyoto Protocol include: carbon dioxide (CO2), methane (CH4), nitrous oxide (N2O), and industrial gases such as hydrofluorocarbons (HFCs), perfluorocarbons (PFCs) and sulphur hexafluoride (SF6). Though GHG covers six gases, CO2 is the major component, accounting for around 55 percent of it (about 85 percent in US). That is why GHG accounting is mostly referred to as carbon accounting.

Global Climate Change

2.6 According to Integrated Panel on Climate Change (IPCC), climate change refers to a change that can be identified by changes in the state of the climate that persist for an extended period, usually decades or longer. Such changes can occur due to natural variability or as a result of human activity. As the concentration of GHGs grows, more heat is trapped in the atmosphere and less escapes back into space. This increase in trapped heat alters the weather patterns and changes the climatic conditions on the earth, which is known as Global Climate Change (GCC).

Sustainability

2.7 The concept of sustainable development requires every organization to think in a time dimension longer than a generation and place, and emphasizes both rights and responsibilities.
The term sustainability was popularised by the Brundtland Commission’s 1987 report “Our Common Future”. The aim of sustainability is to have “development that meets the needs of the present without compromising the ability of future generations to meet their own needs.” Thus, sustainability requires a delicate balance between people, planet and profit. Many big companies all over the world are embracing the concept of the ‘triple bottom line’, which is equal weighing of the three pillars of corporate sustainability, namely social, environmental and economic factors.

Environmental Management System (EMS)

2.8 Industry and business are now confronted with an increasing number of environmental laws and regulations, pressures from stakeholders and management concern regarding environmental performance. In an effort to meet environmental challenges, business organizations have been developing management systems that are designed to achieve the organization’s environmental goals and objectives. These systems are known as environmental management systems (EMSs). An EMS may be considered as a part of the overall management system which covers all aspects of the organization relating to environment and is the means by which the separate elements of environmental response are systematically harmonized and integrated with the other management systems (including accounting systems) of the organization.

2.9 ISO 14001 specifically governs EMS and provides the necessary input for any organisation to develop and implement a cost-effective system of environmental management.
According to ISO 14001, “EMS is that part of the overall management system which includes organizational structure, planning activities, responsibilities, practices, procedures, processes and resources for developing, implementing, achieving, reviewing and maintaining the environmental policy.” An efficient system of environmental management helps management in complying with environmental laws, in acknowledging environmental risks as well as controlling them, and in reducing the adverse impact of its activities on the environment.

Environmental Accounting

2.10 The term environmental accounting has many meanings and uses. It can support national income accounting, financial accounting or internal business management accounting. The Environmental Protection Agency (EPA) of USA has explained environmental accounting at the following three levels:

(i) Environmental accounting in the context of national income accounting refers to natural resource accounting, which can entail statistics about a nation or region’s consumption, extent, quality and value of natural resources, both renewable and non-renewable.

(ii) Environmental accounting in the context of financial accounting usually refers to the preparation of financial environmental reports for external audiences using GAAP. It includes estimation and public reporting of environmental liabilities and financially material environmental costs.

(iii) Environmental accounting as an aspect of management accounting serves business managers in making capital investment decisions, costing determinations, process/ product design decisions, performance evaluations, and a host of other forward-looking business decisions. Thus, environmental accounting at this level refers to the use of data about environmental costs and performance in business decisions and operations.

Exhibit 1 shows environmental accounting at these three levels.

Exhibit 1 : Types of Environmental Accounting*

| S. No. | Type of Environmental Accounting | Focus | Audience |
|--------|----------------------------------|-------|----------|
| (i) | National Income Accounting | Nation | External |
| (ii) | Financial Accounting | Firm | External |
| (iii) | Managerial or Management Accounting | Firm, Division, Faculty, Products, Lines, or System | Internal |

* EPA, (1995a), ‘An introduction to environmental accounting as a business management tool: Key concepts and terms’, US: EPA primer, Washington DC, p.4.

Environmental Reporting

2.11 Due to growing social and legal pressures and increasing judicial intervention, there has been a growing demand for disclosure of the environmental policies, practices and performance of a company to interested stakeholders in or outside the concern. “Environmental reporting is the term commonly used to describe the disclosure by an entity of environmentally related data, verified (audited) or not, regarding environmental risks, environmental impacts, policies, strategies, targets, costs, liabilities or environmental performance to those who have interest in such information as an aid to enabling/ enriching their relationship with the reporting entity, via either the annual report and accounts package; a stand-alone corporate environmental report (CER); a site-centered environmental statement, or some other medium (e.g., staff newsletter, video, CD Rom, internet site)” (United Nations, 1997). These days, environmental reporting is described either as a branch of the corporate governance tree, or as one aspect of the so-called ‘triple bottom line’ – whereby data on financial results, environmental performance and social impact are brought together in what might be termed a sustainability report.

Social and Environmental Audit

2.12 Social audit is the verification, validation, measurement, evaluation and reporting of the organization’s performance in fulfillment of its social responsibilities. A branch of it is environmental audit.
Environmental audit aims at verification and validation to ensure that various environmental laws are complied with and adequate care has been taken towards environmental protection and preservation. According to UNEP, 1990, “Environmental audit can be defined as a management tool comprising systematic, documented and periodic evaluation of how well environmental organization management and equipment are performing with an aim of helping to regularize the environment.” The term environmental audit and its features have been discussed in detail in the next Chapter.

Chapter 3
Environmental Audit

3.1 This chapter presents the concept of environmental audit and highlights its important features. The objectives and benefits of conducting environmental audits have also been explained in this chapter.

Environmental Audit — Concept and Features

3.2 The term environmental audit means different things to different people. Terms such as environmental assessment, survey and review are used to describe the same type of activity. Furthermore, some organizations consider that an “environmental audit” addresses only environmental matters, whereas others use the term to mean an audit of health, safety and environmental matters. Basically, environmental audit is an independent evaluation of policy and principles, systems, procedures, practices and performance, and other elements of a business relating to environment.

3.3 Some important definitions of environmental audit are as follows:

(i) According to US Environmental Protection Agency (EPA), “Environmental audit is a systematic, documented, periodic and objective review by a regulated entity of facility, operations and practices related to meeting environmental requirements.”

(ii) The Confederation of British Industry (1990) defines environmental audit as, “the systematic examination of the interaction between any business operations and its surroundings.
This includes all emissions to air, land and water; legal constraints; the effects on the neighbouring community, landscape, and ecology; and the public’s perception of the operating company in the local area…Environmental audit does not stop at compliance with legislation. Nor is it a ‘green-washing’ public relation exercise…Rather it is a total strategic approach to the organization’s activities.”

(iii) The International Chambers of Commerce (ICC) in its publication Environmental Auditing (1989) defines environmental auditing as “a management tool comprising a systematic, documented, periodic and objective evaluation of how well environmental organization, management and equipment are performing, with the aim of helping safeguard the environment by: (a) facilitating management control of environmental practices; and (b) assessing compliance with company policies which would include meeting regulatory requirements.”

3.4 The definition given by the ICC is the unanimously accepted definition. Many leading companies follow the same basic philosophy and approach as given by this definition. The European Commission, in its regulation on Environmental Auditing and the Eco-management and Audit Scheme (EMAS), also adopts the ICC definition of environmental audit.
The European Commission’s Eco-management and Audit Scheme (EMAS) defines an environmental audit as … “a management tool comprising a systematic, documented, periodic and objective evaluation of the performance of the organization, management system and process designed to protect the environment with the aim of: (i) facilitating management control of practices which may have an impact on the environment; (ii) Assessing compliance with company environmental policies.” Hence, environmental audit may be defined as a means of management which allows exhaustive, documented, periodical and objective evaluation of the way in which the management and equipment of an entity manage and control their environmental impacts and comply with environmental policies, standards and environmental laws.

Features of Environmental Audit

3.5 The following are the features of environmental audit:

(i) Management tool – Environmental audit is generally considered a management tool which is a part of the internal control system and is mainly used to assess, evaluate and manage the environmental performance of a company. It can be taken as one of the many ways used by management to respond to environmental issues.

(ii) Aim of environmental audit – A green audit may be conducted for many purposes, for example, to comply with environmental laws, as a social responsibility measure, or to meet some certification requirements. But the main and ultimate aim of any environmental audit is to evaluate and control the adverse impact of the economic activities of an organization on the environment.

(iii) Environmental audit should be distinguished from Environmental Impact Assessment (EIA) – EIA is a tool used to predict, evaluate and analyze environmental impacts, mostly before a project commences. It assesses the potential environmental effects of a proposed facility.
Environmental audit, by contrast, looks at environmental performance for an existing operation or activity. The essential purpose of an environmental audit is the systematic scrutiny of environmental performance throughout a company’s existing operations.

(iv) Systematic – Environmental audit is a systematic process that must be carefully planned, structured and organized. As it is a part of a long-term process of evaluation and checking, it needs to be a repeatable process so that, over time, it can be easily used by different teams of people in such a way that the results are comparable and can reflect change in both quantitative and qualitative terms.

(v) Documented – Like any other audit, the basis of any environmental audit is that its findings are supported by documents and verifiable information. The audit process is designed in such a way that it seeks to verify, on a sample basis, past actions, activities, events and procedures against available evidence to ensure that they were carried out according to the system’s requirements and in a correct manner.

(vi) Periodic – Environmental audit is generally conducted at pre-defined intervals. It is a long-term process because it can sometimes take a long time before sustainable environmental change and improvement can be tracked clearly.

(vii) Objective evaluation – Though environmental auditing is conducted using pre-decided policies, procedures and a properly documented system, there is always an element of subjectivity in an audit, particularly if it is conducted internally. In addition to internal environmental audits, having independent audit teams that have specialized skills and who come back periodically (say annually) to repeat audits tends to increase objectivity in the system. Hence, for the sake of objectivity, external environmental audits are preferable. This is also required under many certification guidelines (e.g. ISO 14001).
(viii) Environmental performance – As mentioned before, the essence of any environmental audit is to find out how well the environmental organization, environmental management and environmental equipment are performing. The ultimate aim is to ensure that the organization’s environmental performance meets the goals set in its environmental policy and also to ensure compliance with standards and regulatory requirements.

Objectives of Environmental Audit

3.6 At the national level, the main objective of environmental audit is to see that natural resources are properly utilized and proper steps have been undertaken to control or to prevent adverse effects of production, development and other activities on the environment. The aim is to ensure that natural resources are utilized for industrial development and for national progress and, at the same time, to see that proper steps have been undertaken for maintaining the health and welfare of the community and also for dispersal of harmful wastes and social risks.

3.7 At the corporate level, companies face environmental responsibilities such as meeting regulatory requirements, cleaning up pollution that already exists, properly disposing of hazardous material, disclosing to investors the amounts and nature of the preventive measures taken by the management, operating in a way that environmental damage does not occur, and promoting a company-wide environmental attitude. Environmental audits are conducted to check the fulfillment of these environmental responsibilities by the organization. Environmental audit aims at evaluating and reporting key environmental performance measures like pollution control measures, energy conservation or waste management techniques, etc.
The main objective of an environmental audit at organizational level is to ensure conservation of scarce natural resources and to promote use of clean technologies in industrial production and to minimize generation of pollution and waste.

3.8 The following are major objectives of environmental auditing:

(i) Determine and document compliance status;
(ii) Help to improve environmental performance at operational facilities;
(iii) Assist facility management;
(iv) Increase the overall level of environmental awareness;
(v) Accelerate the overall development of environmental management control system;
(vi) Improve the risk management systems;
(vii) Protect the corporation from potential liabilities; and
(viii) Develop a basis for optimizing environmental resources.

Benefits of Environmental Auditing

3.9 If environmental auditing is implemented in a constructive way, there are many benefits to be derived from the process. Some of these benefits are as follows:

(i) Improves efficiency of Environmental Management System (EMS) – Environmental auditing encourages an organization to examine its operations in a constructive manner and is the cornerstone of an effective EMS. It helps in assessing performance of the EMS, identifies deficiencies in the system and provides the basis for environmental improvement plans. On the basis of findings of environmental audit, management can recommend corrective actions and identify further training needs.

(ii) Compliance with environmental laws and standards – The most important benefit of environmental audit is that it ensures cost effective compliance with environmental laws and regulations, industry guidelines and standards, and company’s own environmental policies.

(iii) Risk mitigation – There is a growing belief that environmental issues represent a source of risk in terms of unforeseen or foreseen reputational damage or similar other risks.
In fact, it is the concern regarding environmental risks which has led to the development of the field of environmental auditing. Environmental audit can act as an effective risk management tool for assessing compliance with environmental legislation, thereby assisting the company in avoiding the risk of prosecution and fines arising from potential environmental breaches. This is particularly true for those involved in hazardous polluting industries.

(iv) Meeting stakeholders’ expectations – These days, stakeholders have heightened expectations for a company’s environmental performance. They are concerned about environmental responsibility and want to know about the potential hazards and future environmental liabilities of companies. Conducting environmental audits will help in reassuring various stakeholders that the company is living up to its environmental principles. It helps in enhancing the reputation of the company as a good corporate citizen. It assists good relations with control authorities and also increases confidence among the general public.

(v) Reduction in operational inefficiencies – Environmental auditing can highlight areas of inefficiency in operations and processes, for example, where the amount of resources used is out of proportion to the amount of items or services produced and sold. By identifying operational inefficiencies, a company may be able to reduce its costs and/ or improve its environmental performance. In addition, it also highlights ways of safeguarding the environment.

(vi) Encourages continual improvement – By pinpointing both strengths and weaknesses in the environmental management and other operating systems relating to the environment on a regular basis, an environmental audit encourages continual improvement.
It is to be noted that environmental audit will cost an organization both time and money but, if approached correctly, the organization should be able to recover these costs very easily.

(vii) Compliance with certification requirements – Conducting an environmental audit can be an important step towards gaining company-wide certifications like ISO 14001, or cradle to grave or product-specific certification from organizations like Energy Star, LEED, the Forest Stewardship Council, Chlorine Free Products Association, etc.

(viii) Increases employees’ awareness of corporate environmental policy and responsibility – Environmental audit demonstrates to the employees the company’s commitment to environmental protection. It upgrades the level of information for use in emergency situations. It also provides the company with a greater overall awareness of its workers, potential health hazards, risks and other needs. It boosts staff morale and commitment to quality within the company.

(ix) Assists management in decision-making – Environmental audit provides an environmental database to assist management decisions on plant modifications, designing of new projects, and identifying new market and commercial opportunities. It also enables management to set targets and give credit for good environmental performance.

Increasingly, companies are recognizing the practice of ecological auditing as a valuable environmental management tool, as it can provide information for management review (audit findings and recommendations); raise corporate image with respect to environmental concerns; provide competitive advantage by raising corporate profile with respect to environmental issues, especially through ISO 14001 certification; facilitate evaluating the integration of the corporate EMS into the operation being audited; improve management control; and allow checking and corrective action in the light of the increasing complexity of environmental legislation.
Hence, there are several benefits of environmental auditing. Increasingly, companies are recognizing the practice of ecological auditing as an important tool of contemporary business management. Environmental audits have shown corporations that environmental protection can be regarded as an investment in the future. It helps in complying with regulatory requirements, reducing legal costs and enhancing corporate image with respect to environmental concerns, provides competitive advantage and improves the profitability of the concern. It has been realized that saving the earth and making profits is not an either/ or proposition.

Chapter 4
Evolution of Environmental Audit

4.1 This chapter explains the evolution of the concept of environmental audit over the past few decades. It also presents some international standards on the issue.

Evolution of Environmental Auditing

4.2 Awareness of the environment and of man’s ability to cause damage started from the fifties of the last century. In 1972, a World Conference was held in Stockholm where heads of States from all over the world came together for the first time to consider the State of the Globe as a whole, which ultimately gave birth to a special UN Agency titled UN Environmental Program (UNEP) to deal with environmental issues. But prior to the 1980s, many companies saw environmental protection as something to be avoided, if possible. Some regarded environmental protection as a costly expense that could make companies less competitive. However, environmental disasters in the 1970s and 1980s, such as those at Bhopal and Chernobyl in Europe and the Valdez oil spill in the USA, led to a dramatic increase in environmental awareness throughout Europe and the USA. Ecological activism increased and environmental groups began to lobby for stricter state environmental legislation and eco-friendly corporate policies.
4.3 In 1969, the US National Environmental Policy Act (NEPA) was promulgated. Environmental impact assessments (EIAs) were probably first developed in the USA under the NEPA. This lead was initially followed by Canada, Australia, Netherlands, New Zealand and Japan but has since become a requirement, often a legal requirement, across the globe. The Environmental Protection Agency was established in December 1970 to implement policies for the regulation of emissions, discharges, environmental impact assessments, pesticide use and so on. Quantitative assessments of impacts on air, water, toxicity levels and health standards became widespread. Interest amongst US Regulators in environmental audit started with the draft report issued by the EPA, which called for independent, certified, third-party environmental auditors who would visit plants, collect samples, perform analysis and report back results to the government authorities. However, the draft report never developed beyond the draft stage.

4.4 Environmental auditing originated in the United States in the 1970s. In the early seventies, the chemical industry in USA was the first to embrace the environmental audit concept. It became popular for evaluating the ecological performance of some units in the Oil Field and Chemical industry so as to avoid the remediation costs and fines which might stem from the failure to manage environmental liabilities. Cahell and Kane (1989) traced the beginning of the use of environmental auditing as a management tool to actions taken by the Securities and Exchange Commission (SEC) that required three public companies (US Steel, Allied Chemicals and Occidental Petroleum) to perform internal environmental audits to determine the nature and extent of the companies’ environmental liabilities for presentation to the stakeholders in corporate annual reports. The SEC believed that public companies were understating their liabilities in their annual reports.
4.5 Most of these early environmental auditing practices were simply internal reviews to help management discharge their regular duties. The focus was on achieving and maintaining a level of compliance with regulatory requirements and solving any urgent environmental problem to avoid unnecessary costs. Later on, the EPA developed a comprehensive guidance document which outlined the procedure for conducting environmental management audits. As regulations became more complex, non-compliance costs increased and the EPA stressed the importance of conducting environmental audits to reduce compliance costs, environmental managers of several Federal Agencies began to incorporate audits as essential tools in their operations. Rules governing hazardous chemicals were implemented in the United States in the early 1980s. Many large chemical producing companies began to develop environmental audit programmes in order to comply with these rules. This trend towards the adoption of environmental auditing programmes to help ensure compliance and meet other obligations continued and later on, at the beginning of the 1980s, this practice spread in major developed countries, having different meanings. Many management consultancy firms began to encourage their clients to undertake environmental audits as a means to quantify their environmental liabilities. In the mid 1990s, environmental audit reached a certain level of maturity and its applicability spread beyond the basic chemical industries to all types of industries.

4.6 In the beginning, environmental audits in the US tended to focus primarily upon the issue of legal compliance, rather than continuous improvement. Now the EPA has begun to change its approach by encouraging companies to use self audits as a means of “self-policing”. This new “self-disclosure” approach is an attempt by the authorities to encourage the correction of problems at an early stage.
This avoids delays in disclosure caused by fear of prosecution, which often ultimately result in serious environmental degradation that is more difficult and costly to remediate. If companies come forward with the results of self audits and volunteer their non-compliance with legislation, they can get some of their penalties reduced by as much as 75%.

4.7 US Corporations with holdings in Canada introduced the concept of environmental audit to their Canadian subsidiaries in the early 1980s. However, many Canadian companies had already implemented in-house auditing programmes before stringent environmental regulations began to appear. These programmes were designed as tools for management excellence rather than protection from liability. The Canadian Institute of Chartered Accountants (1993) issued the document ‘Environmental Costs and Liabilities: Accounting and Financial Reporting Issues’, which expressed how environmental concerns should be accounted for and reported in financial reports. This stimulated an interest in assessing environmental performance, and in the following year the Canadian Standards Association (CSA) published Guidelines for Environmental Auditing: Statement of Principles and General Practices (CSA, 1994). The purpose of these environmental audit guidelines was to encourage organizations to consider the environment when making business decisions.

4.8 Environmental auditing was introduced to the UK and elsewhere by the multi-national corporations, which began to apply the audit procedures corporately and to their subsidiaries. Then, public sector bodies and local authorities increasingly started adopting auditing methods to establish baselines of environmental performance. In the late 1980s, a number of authorities prepared environmental charters, follow-up environmental strategies and action plans, which are generally referred to as green plans.
The leading authorities also realized the greater corporate performance and environmental benefits of the broader and deeper approaches of the internal and external auditing. In the 1990s, Strategic Environmental Assessments (SEAs) emerged as a way of appraising the environmental impacts of policies, programmes and plans. Many local authorities in England and Wales undertook these audits.

4.9 In the mid-eighties, on the basis of the changing situation and because of environmental issues becoming a worldwide phenomenon in the developed and the developing countries, the World Commission on Environment and Development (WCED), known as the Brundtland Commission, was established by the UN. The Commission published a report called “Our Common Future” in 1987, with the proposed concept of ‘sustainable development’. According to the report, the aim of sustainability is to have “development that meets the needs of the present without compromising the ability of future generations to meet their own needs.” The report suggested that equity, growth and environmental maintenance are simultaneously possible and that each country is capable of achieving its full economic potential whilst at the same time enhancing its resource base. This concept received worldwide acceptance and led to the convening of the UN Conference on Environment and Development (UNCED) in Rio de Janeiro, Brazil in 1992, known as “EARTH SUMMIT”. In this conference, heads of different States signed four agreed documents including the Agenda 21. The Agenda 21 contains a checklist of do’s and don’ts to protect the environment through the next century. Particularly, the role of corporate entities in respect of overall management of the environment was duly recognized in this conference.
4.10 Environmental audit’s emergence in India coincided with the country’s reintroduction to the global arena, the initiation of the process of liberalization and globalization, growing commitment to the principles of the Constitution and consequently, increasing awareness among the public about the impacts of human activities on the environment. Rule 14 of the Environmental Protection Act, 1986 was introduced on 13.3.1992 which requires certain industries to submit environmental audit report every year in a particular format (Refer to Annexure IV for Form V). The environmental audit report has to be submitted to State Pollution Control Board (SPCB) every year. This report is mandatory in the following cases:
· For every industry/ operation/ process which requires consent under Water (Prevention and Control of Pollution) Act, 1981,
· For every industry/ operation/ process which requires consent under Air (Prevention and Control of Pollution) Act, 1981, and
· For every industry/ operation/ process which requires authorization under Hazardous Wastes (Management and Handling) Rules, 1989.

4.11 The emergence of the ISO 14000 series on EMS and environmental audits has resulted in many international corporations seeking ISO 14001 certification for their national and international subsidiaries. An increasing number of Indian companies are also becoming ISO 14001 certified and are being audited annually by local certification bodies. During 1990s, there were few organizations undertaking environmental audits and there were a few auditors available. However, in the last decade, the importance of this field is constantly increasing. As people have started realizing the social and ecological costs of economic activities, interest in voluntary auditing is also growing.
4.12 In the 21st century, environmental auditing has become more proactive as organizations have recognized potential market and shareholders benefits, efficiency gains, financial savings, and the importance of improved relations. Earlier it was thought that environmental audit and environmental impact assessment should only apply to the most polluting (so called dirty) industries such as extraction, chemical, gas, cement, etc. But now environmental audits have been undertaken on banks, hospitals, universities as well as on NGOs and community enterprises. It has been realized that every organization has significant environmental impacts.

Some International Standards on Green Audits

4.13 Different countries have developed various sets of principles and auditing standards to check ecological responsibility of the companies. Many companies voluntarily became signatories to these standards. While national guidelines on environmental auditing and EMS have existed in some countries for quite some time, it was the issuance of international and generic standards which thrust environmental auditing and EMS onto the international stage as a central plank in any organization’s environmental policy and strategy. There are three of these standards that we are mentioning here:

The British Standards Institution’s BS7750

It is typically considered to be the first international standard for EMS and environmental auditing. Issued in 1991 (and subsequently withdrawn in 1997 in favour of ISO 14001), it drew heavily on the approach and rationale used in the British Standard approach to ‘total quality management’. The essential element of the standard was that an organization must have a systematic environmental policy in place, means to identify key issues, a systematic monitoring of these and a commitment to continuous improvement.
With its emphasis on the means of managing environmental effects rather than on actual environmental performance, the standard was relatively popular with business, widely adopted and in broadest terms, set the template for the later standards.

The European Eco-Management and Audit Scheme (EMAS)

EMAS was adopted by the European Council in 1993. EMAS is the EU voluntary instrument which acknowledges organizations that improve their environmental performance on a continuous basis. The scheme has been available for participation by companies since 1995 and was originally restricted to companies in industrial sectors. Since 2001, EMAS has been open to all economic sectors including public and private services. The three key elements of EMAS were its robust insistence on targets and improvements, its site-basis and its requirement for disclosure and verification (refer to Exhibit 2). The insistence on targets and improvement means that the standard will not tolerate simply monitoring environmental effects, but actually requires improved environmental performance. The site-basis of the standard, whilst it allows organizations to develop their compliance with EMAS on a piecemeal basis, also means that dirty sites cannot be hidden by off-setting results against cleaner sites. The most important issue was, however, disclosure and verification. If improvement in the environmental performance of organizations is our principal aim, then disclosure seems an essential component. Companies need to know that their performance will be under public scrutiny based on data which has been systematically attested to. In 2009, the EMAS regulation was revised and modified for the second time. The idea was to move away from merely operational environmental measures towards a strategic approach on how to deal with environmental challenges. EMAS remains the toughest of the environmental management and audit standards.
It was adopted widely in Germany and Austria but its adoption in other countries was patchy. In Europe many organizations run EMS under EMAS logo and report on their environmental performance through publication of an independently verified environmental statement which is guaranteed as to reliability of provided information by EMAS.

Exhibit 2: Requirements for registration under EMAS
· The organization must have a policy related to EMAS.
· There must be on site review of the policy.
· There must be clear objectives of the organization regarding environment, on the basis of policy and review discussed above.
· Regular audit of the matters related to the environment should be there.
· A clear statement by the organization regarding the environment.
· Continual improvement process (CIP) including expansion, enrichment and upgrading.

ISO 14000 Series of Standards

In 1993, ISO began work on the ISO 14001 standards for environmental management systems. Incorporated within these standards are guidelines for environmental audit tools and procedures. ISO 14000 series emerged primarily as a result of Uruguay round of the GATT negotiations and the Rio summit on the environment held in 1992. The standards apply to all types and sizes of organizations.

Exhibit 3: Outline of ISO 14000
An environmental management system (ISO 14001) must comprise:
· An environmental policy;
· An assessment of environmental aspects and legal and voluntary obligations;
· A management system;
· A series of periodic internal audits and reports to top management;
· A public declaration that ISO 14001 is being implemented;
· An environmental audit (ISO 14010) is required to establish that ISO 14001 is being complied with.
Source: Gray and Bebbington, 2001, p.108.

This approach to auditing is often called ‘compliance auditing’, because it is directed towards compliance with the law and the avoidance of fines and lawsuits.
Exhibit 4 shows ISO standards relevant for environmental auditing.

Exhibit 4: ISO Standards relevant for environmental auditing
· 14010: Guidelines for environmental auditing - General principles of environmental audit.
· 14011: Guidelines for environmental auditing - Audit procedures - Part I: Auditing of EMS.
· 14012: Guidelines for environmental auditing - Qualification criteria for environmental auditors.
· 14013/15: Guidelines for environmental auditing - Audit programs, reviews and assessments.
· 14024: Environmental labeling - Practitioner programmes, guiding principles, practices and certification procedures of multiple criteria programs.
· 14031/32: Guidelines on environmental performance evaluation.
· 14040/43: Life cycle assessment general principles and practices.

In 2002, ISO 19011 was introduced. This standard provides guidance on the principles of auditing, managing audit programmes, conducting quality management system audits and environmental management system audits, as well as guidance on the competence of quality and environmental management system auditors. It is applicable to all organizations required to conduct internal or external audits of quality and/ or environmental management systems or to manage an audit programme. This first edition of ISO 19011 cancels and replaces ISO 10011-1:1990, ISO 10011-2:1991, ISO 10011-3:1991, ISO 14010:1996, ISO 14011:1996 and ISO 14012:1996.

Chapter 5
Environmental Audit Process

5.1 This chapter deals with process and techniques of environmental audit. The chapter is divided into four sections. Section 1 deals with the question whether environmental audit is a technique of internal audit or it is external audit. Section 2 gives stages in environmental audit process. Section 3 gives desired contents of environmental audit report and Section 4 lists out some techniques used in environmental audits.
Internal or External Audit

5.2 A question generally raised is whether environmental audit is part of internal control and audit system to be conducted by employees of the organization or it should be conducted by external independent persons. In fact, a competent environmental auditing programme, conceivably a combination of internal and external auditing, is an excellent means for minimizing organizational environmental risks.

5.3 ISO 14000 also views environmental audit as a management tool which involves both types of auditing:
· Internal audit carried out by the company’s own staff to look at its own system, procedures and activities in order to ascertain whether they are adequate and are being complied with; and
· An external audit performed by some independent party on the facility to assess their capabilities in meeting specified requirements.

Hence, environmental audit should be performed by both internal and external auditors. Both are interested in the same areas of the organization but for different reasons. Internal auditors as a part of management are interested in reviewing compliance with environmental regulations and statutes; determining the propriety of the accounting for environmental issues and ensuring that proper disclosure is being made. They evaluate the internal controls to see that these are in place to keep environmental problems at a minimum, to make efficient use of resources and to keep wastes and pollution under control.

5.4 Internal auditing has two major customers – the auditee, the operating organization whose performance will be enhanced by the results of the audit; and management that needs feedback on the operating units for which it is accountable. In order to accomplish these dual responsibilities, the audit operations should cover many areas like, compliance audit, environmental management system audit, issue audit, supplier audit, insurance audit, material audit, etc.
(for details on these audits, refer to chapter 6).

5.5 There should be independence and objectivity in the functioning of internal audit team. The members of the internal audit team should be free from any organizational constraints and should have a direct reporting path to top management. The audits should be performed in a systematic and well organized manner. Audits should also be well planned and the audit programmes should be a logical guide based on comprehensive preliminary survey progress. The audits should be well documented and all elements of the audit reports should be well supported by the working papers.

5.6 External environmental auditors must, either by themselves or with environmental experts, determine that the organization is complying with governmental regulations in the handling of emission of pollutants, the disposition of contamination and waste and the detoxification of previously contaminated assets. The external auditor is essentially interested in ensuring that the financial statements are proper. The external auditor must be familiar with the environmental aspects of reviewing assets and liabilities to determine that their valuation is proper, contamination has not reduced the carrying value of the assets, and that the expending and capitalization of remedial costs has been recorded properly. The external auditor must also determine that financial statements reflect all environmental costs and liabilities of the organization. In addition, he should check whether the client, as a result of the acquisition of new properties and assets, is exposed to or has actually incurred liabilities as a result of the contamination of the acquired assets.

5.7 Environmental audit being a diverse activity is, generally, conducted by a team of auditors having one lead auditor and others as audit assistants. To conduct environmental audits efficiently, the audit team must be duly qualified for the operation.
It is recommended that, in addition to personnel with audit experience and ability, the teams should have available to them qualified environmental engineers on a full time basis or as advisors when needed. The audit teams should also have legal expertise available as needed.

Environmental Audit Process

5.8 Although different types of environmental audits examine different issues, all environmental audits should have four basic stages of activities: pre-audit, on-site, post-audit and follow up or review activities. These stages have been depicted in Exhibit 5.

Exhibit 5: Process of Environmental Audit

Pre-audit:
· Define objectives
· Define scope
· Select audit criteria
· Select audit team members
· Develop audit plan or use protocol
· Inform the facility
· Review the background information

On-site:
· Opening conference
· Identify areas of concern
· Site/facility inspection
· Records/document review
· Staff interviews
· Initial review of findings
· Closing/exit conference

Post-audit:
· Final evaluation of findings
· Submit preliminary report
· Get approval of management
· Hold exit conference
· Submit final report

Follow up or review:
· Verify the actions taken on audit findings or recommendations

Stage 1: Pre-audit or Planning Stage

5.9 Audit planning is vital to the success of the audit undertaken. It is essential that the internal auditor spends adequate time in planning as this will result in better identification of important areas, potential problems and proper assignment of work. During this stage of audit, generally following steps are taken:
(i) Collect background information about the entity – Collect information about environmental policy and goals of the organization, relevant environmental laws, regulations and standards governing the entity, persons responsible for carrying environmental duties, environmental budget, significant environmental matters like, material costs, risk areas, etc.
(ii) Define objectives of audit – What are the goals of the environmental audit?
(iii) Define scope – What parts of a facility (operations) will be audited? What programmes will be audited? How far back will the audit examine?
(iv) Choose audit criteria – Against what will the facility be audited (e.g., for regulatory compliance audits, against what regulations or standards will the facility be audited)?
(v) Select the audit team members – The audit team leader selects team members based on appropriate knowledge and experience. The team can consist of external consultants, internal staff, or a combination of both. If internal staff is going to be involved, they should be chosen in a proper way so as to avoid conflict of interest. The facility environmental manager, for example, should not be on the audit team.
(vi) Develop audit plan and protocols – Protocols are written guides for the auditors that outline the activities to be undertaken in conducting a review of a given topic area during the environmental audit. They often contain detailed information about audit criteria, such as, applicable regulations. Computers are often used in creating audit protocols and in locating and sharing information between team members during the audit (e.g., regulatory databases are often utilized in creating audit protocols).
(vii) Inform the facility – Arrangements for on-site activities need to be made.
(viii) Desktop review.

Stage 2: On-site or Field Audit

5.10 The following are steps involved in on-site or field audit:
(i) Opening conference – Communicate the objectives and methods of the audit to key facility personnel and schedule necessary meetings and interviews.
(ii) Facility tour – Identify areas of concern for more detailed inspection, get a feel for the site and modify the audit schedule accordingly.
(iii) Site/ facility inspection – Established protocols should guide the inspection.
The team may also wish to inspect areas of concern or interest that have been identified in the facility tour. It may not be possible to inspect the entire facility (comprehensive inspection), therefore, sampling techniques may be an important part of determining the parts of a site to be inspected.
(iv) Evidence – Collect sufficient, appropriate and reliable audit evidences to check the activities, performance impacts and reports.
(v) Records/ document review – The audit protocols should give instructions as to the types of records to request as well as what to look for when examining the documents.
(vi) Staff interviews – Interviews with key informants will yield the least reliable information, due to the fallibility of human memory, but are important in the identification of potential problems and in collecting information about facility operations.
(vii) Initial review of findings – Findings are the result of the evaluation of evidence collected against audit criteria. It is important at this stage to review where the facility does not meet the audit criteria.
(viii) Closing/ exit conference – This is a chance for auditees to identify misunderstandings and to be introduced to the findings of the audit team.

Stage 3: Post-Audit

5.11 Steps involved in post-audit are as follows:
(i) Final evaluation of findings: Findings must be backed by evidence. It is important to note areas of deficiency that were present during the previous audit, but are not yet corrected. Often findings are labeled as major or minor depending on the level and types of risks posed and speed with which the audit team feels they should be addressed.
(ii) Draft preliminary audit report
(iii) Get approval of the management
(iv) Hold exit conference
(v) Discuss recommendations, if any
(vi) Prepare and submit final report.

Stage 4: Follow up or Review Stage

5.12 This is also called corrective action follow-up phase.
While not technically part of the audit, the audit manager or team leader may be involved in developing a corrective action plan for addressing audit findings with the facility and reporting to senior management as to the progress of this plan.

Environmental Audit Report

5.13 The end product of environmental audit is the environmental audit report (EA Report) which contains findings or results of environmental audit and recommendations for improvement, if any (mainly required in environmental performance audit where objective is to improve performance of the organization). The EA report should be concise and informative with information displayed in a format that is easy to interpret and understand. The environmental auditor must ensure that the EA report provides an accurate record of soundly based observations and of logical deductions. The report must be signed by the environmental auditor.

Contents of Report

5.14 A standard EA report should include the following:
(i) Executive summary
(ii) Introduction/ background to audit including specification of the entity/ process or activity/ system/ site in respect of which the environmental audit was conducted, and audit period.
(iii) Object of environmental audit
(iv) Scope of environmental audit
(v) Audit criteria
(vi) Description of Audit approach and methodology used
(vii) Evidences used
(viii) Findings: Depending upon type of audit, findings may include the following:
- Status of compliance with environmental legislative and standard requirements;
- Status of conformity with internal environmental policies;
- Status of good environmental practices implementation;
- Measurement and recognition of all significant environmental costs, benefits, assets and liabilities and identification of significant environmental risks and contingencies;
- Level of staff awareness of operational issues relating to environmental performance; and
- Overall status of environmental performance.
The report must distinguish between isolated incidents and chronic problems.
(ix) Conclusion
(x) Recommendations: It includes possible impacts of negative findings and suggested corrective action and recommendations for environmental performance improvement.
(xi) Signatures of auditor with date.

5.15 The Audit report should be complete, precise, accurate and balanced. It should contain constructive and precise recommendations. It must be persuasive and instrumental in inspiring the managements of entities to take corrective actions. The violations and omissions should also be effectively mentioned in the report. Last but not the least, the contents of green audit report should be easy to understand and free from vagueness or ambiguity, include information which is supported by complete and relevant audit evidence and be independent, objective, fair and constructive.

Tools and Techniques Used in Environmental Auditing

5.16 Some of the tools which can be used in environmental audits are:
· Checklists – Checklists are very useful tools used to ensure that different tasks or topics are included during the audit.
They are very useful in specialized cases where a complex range of issues and questions need to be asked to ensure that nothing is missed.
· Questionnaires – Audit protocols or audit questionnaires provide the basis and structuring for most audits. They are based upon checklist questionnaires but are more complex and include more detail and sometimes logistical information and data relating to the audit and the site being audited.
· Questioning – Questioning is one of the most crucial aspects of auditing yet from a training and awareness point of view, it is often given the least attention. The purpose is information gathering in nature and not an interrogation. The questioner must, therefore, be sensitive to the perspective of the auditee and avoid making the questions accusatory, judgmental or aggressive.
· Observation – Observation is a vital component of an auditing exercise. Observation is a disciplined activity which must be carried out in a very deliberate and controlled manner. The idea of looking at something twice is important because it is part of the process that checks that the observation is accurately noted, analyzed and recorded.
· Photographs – These are a very valuable aid in the audit process. However, in order to use them, a number of important practical points must be borne in mind, the most important one being formal approval before using this technique.
· Research – It is useful to try and undertake some background research and investigation into the site or company to be audited. Familiarization with the operations, products, raw materials reports, press material and newspaper articles etc. all provide useful background information to supplement questioning sessions and help understand the operational processes.

Chapter 6
Types of Environmental Audit

6.1 This chapter deals with different types of environmental audits.
According to the International Organization of Supreme Audit Institutions (INTOSAI), broadly environmental audits can be classified into three parts: Environmental Compliance audit, Environmental Performance audit, and Environmental Financial audit. This chapter discusses these three types of environmental audits and also gives some emerging trends in the area of environmental audit.

Environmental Compliance Audit

6.2 Compliance audit is the most common type of environmental audit. It consists of verification of environmental activities to check compliance with environmental legislation, standards, industry guidelines, and company policy. These audits include permit audits which require detailed site-specific assessments of current, past and planned operations to check compliance with permits and consent orders. Another sub-type of compliance audit is ‘Specific requirement audit’ which assesses regulatory compliance with a specific regulation or compliance with a specific standard (e.g., for sustainable forestry management). The need for compliance audits is clear. The environmental laws and regulations have increased in size and complexity over the past two decades. Violation of these requirements may result in heavy fines. Over time, enforcement has become strict, penalty is heavy and chances of being caught have increased. Hence, importance of compliance audits has increased significantly. Following are the important points about compliance audit:
(i) Objective – To provide assurance that organizational activities are conducted in accordance with relevant environmental laws, standards, guidelines and policies.
(ii) Focus – All applicable obligations.
(iii) Audit Criteria – National law, Supra-national law, International agreements, Applicable standards, Industry guidelines, or corporate policy.
(iv) Main Benefits –
• Helps in ensuring compliance with environmental laws.
• Reduces risks and costs associated with non-compliance.
• Identifies liabilities and risks (present and potential).
• Helps in knowing the gap between promises and results achieved by policies.
• Saves costs by minimizing waste, conserving resources and preventing pollution.
• Helps in improving environmental performance.

Examples of environmental compliance audits have been discussed in the following paragraph:

Energy Audit

6.3 Energy audit is verification, monitoring and analysis of use of energy with a view to reduce energy consumption per unit of product output and thereby to reduce operating cost and environmental effects. It gives a positive orientation to strategic area of energy cost reduction without affecting productivity or quality. Focus of energy audit is on data relating to overall energy consumption, share of various forms of energy in total, cost of various forms of energy, availability and reliability of supply of energy, an appropriate energy mix, steps taken to conserve energy and benefits of energy conservation. In many countries energy conservation audits are compulsory. In India, companies are required to publish information on Energy Conservation (steps taken for this and benefits derived therefrom) in the annexure to Director’s Report under Section 217(1) (e) of Companies Amendment Act, 1988. For ensuring the truth and fairness of information given, energy audits should be conducted.

Certification Audit

6.4 As mentioned earlier, there are three main standards which were/ are used for certification:
(i) The British Standards Institution’s BS7750 - The first international standard for EMS and environmental auditing (issued in 1991 and subsequently withdrawn in 1997 in favour of ISO 14001).
(ii) The European Eco-management and Audit Scheme (EMAS) - First adopted by the European Council in 1993, EMAS has been open to all economic sectors including public and private services since 2001.
(iii) The ISO 14000 series - First published in 1996, it has grown in both number and ubiquity since then. It is probably appropriate to say that ISO 14000 is now the main standard for environmental management and audit. The reasons for this are not hard to find. Based in the USA and dominated by large US companies, the ISO’s guidance on environmental management and audit is explicitly voluntary; far more concerned with the management systems than with environmental performance per se and most especially, contains a number of requirements for either disclosure or rigorous verification.

Before granting certificate to an organization, a certification audit is conducted. A certification audit is an audit which is carried out specifically to verify that an organization can be awarded a certificate. It confirms that the organization’s environmental management system meets the minimum requirements to formally conform to a specified standard.

Surveillance Audit

6.5 Surveillance Audit is the term used to describe an audit undertaken to verify that an organization with an existing (e.g., ISO) certification is still meeting the minimum requirements of certification. A certificate is valid for 12 months and surveillance audits are usually carried out every six months.

Supplier Audits and Eco-labeling

6.6 Eco-labeling and supplier audit are two related issues which rely, to some degree, upon both EMS and environmental auditing. Eco-labeling relates primarily to purchases by end-users (and, thus, depends upon the quality of EMS and environmental audit in the supplying organization). On the other hand, the supplier audits are, generally, concerned with the environmental effects from the source of goods and services purchased by organizations for use in production of their own goods and services and are, thus, an essential input to the organization’s own environmental management and environmental audit.
6.7 Eco-labeling aims to permit organizations to ‘badge’ products and services that meet the highest environmental standards in their manufacture and operation. Such labeling is perhaps at its most active in Europe. The European Eco-labeling Regulation was first established in 1991 and takes a cradle-to-grave (also called life cycle) approach to products. The award of an eco-label will be taken to suggest that the total product meets the very high standards of environmental care throughout its life to be, in fact, the result of a total environmental quality management system. It can be said that an eco-label cannot be achieved without an organization first having qualified under EMAS or ISO 14000. In 1991, eco-labeling scheme was launched in India by MoEF, but till date it is not very popular.

6.8 The essence of the Supplier audits is that products and services bought in by an organization should meet, at a minimum, the standards applied within that organization. Supplier audits are to be conducted because a green claim for a product, service or process can be undermined by the use of non-green inputs. These audits advance the level of environmental awareness in the organization and help in establishing supply chains and competitive advantage in advance of changing law and public perception. The supplier audit is still an emerging phenomenon in India. Though many companies, particularly large PSUs and even private sector companies are going for it, it still does not have any established method in India. At their most effective, they constitute an advanced form of green consumerism and rely on policy statements whereby an organization will not buy from (for example) a company that does not have the eco-audit certification.
Environmental Impact Assessment (EIA)

6.9 Though EIA is not technically a type of environmental audit, it is considered to be a part of planning process and a useful management technique as part of wider environmental management and audit. EIA can be defined as ‘essentially a process that seeks to identify and predict the impacts of new development on the environment, to mitigate them where possible and to monitor the actual impacts’. As a general statement, all major projects that are subject to some form of planning permission and which are likely to have a significant impact on the environment should be subject to EIA. Exhibit 6 shows information to be analyzed in an EIA.

Exhibit 6: Information in an Environmental Impact Assessment

• Description of the proposed project, and where applicable, of the reasonable alternatives for its site and design.
• A description of the environment that is likely to be affected.
• An assessment of the likely effects of the proposed project on the environment.
• A description of the measures proposed to eliminate, reduce or compensate for adverse environmental effects.
• A description of the relationship between the proposal and the existing environment and land-use plans for and standards of, the affected area.
• An explanation of the reasons for the choice of the preferred site and project design rather than of the ‘reasonable alternative’.
• All this information would, in addition, need to be published in a form which the public can understand, to ensure effective public participation.

6.10 In many countries, EIA is a legal requirement for new projects that require environmental law consent. Since July 1988, EIAs have been required throughout Europe as a result of the EC directive on environmental assessment. But even where it is not legally compulsory, corporations are voluntarily going for it to avoid any legal hassles in future.
According to Gray and Bebbington, ‘The EIA is clearly an area in which experience and technical, legal and scientific knowledge are required. Any organization with a well developed environmental response and fully functioning EMS system will integrate the EIA process with the other elements of ‘environmental audit’ to avoid duplication, to provide independent source of data and to develop the overall organizational strategy with respect to environmental sensitivity.’

Environmental Performance Audit

6.11 Environment is embedded in every strand of organizational life and its impact will continue to grow. Hence, environmental audit should become a regular, critical and analytical part of organizational management. Measurement of environmental performance and impacts and its reporting to concerned shareholders has become important in past few decades. For verifying environmental performance of the entity in different areas, environmental performance audits are conducted. Some important points about environmental performance audits are:

(i) Objective – To assess whether an organization meets its environmental objectives, is effective in producing environmental results, and operates efficiently and economically.
(ii) Focus – Focus of environmental performance audit is on
• Environmental performance of the audited entity in different areas.
• Conduct of Environmental programmes in an economical, efficient and effective manner.
(iii) Audit criteria – Performance indicators prescribed by some professional institutes, government or non-governmental organizations, supra-national bodies, academic literature or environmental organizations.
Types of Environmental Performance Audit*

6.12 Within any particular management strategy, the following audits may be seen as the same in essence, differing only in terms of their objectives, scope, the risk they seek to assess, and the management decisions which they support and inform:

(i) Environmental Survey – Environmental survey (sometimes also called scoping audit) refers to the simplest type of environmental audit - the first step that any organization can take towards improving its environmental sensitivity. It serves a number of important functions, including orienting organizations to the environmental issues, beginning the process of recognizing and identifying actual and potential areas of environmental impact, and laying out an initial agenda for undertaking environmental studies and starting the move towards a more complete environmental management. It can be considered as a very crucial step towards a full-fledged EMS and audit system. Basically, an environmental survey includes a thorough analysis of an organization’s system, its input and process requirements, their impact on the environment, and checking how these impacts can be minimized through reuse, reduce, recycle and substitute. Managers can also consider costs and benefits of such an analysis and the crucial business success factors which are affected by this kind of survey. Later on, one can include in this a reference to law, local conditions, industry standards, etc. As a starting point, this survey is very useful though not sufficient.

* It is to be noted that in any of these audits if compliance with some standard, law or policy etc. is to be checked, it will be taken as compliance audit, but if it is verification of voluntary activities relating to environment, then it comes under performance audit.
(ii) Issues audit – An evaluation of how a company’s activities relate to an emerging environmental issue (e.g., global pollution, energy use) or an evaluation of corporate environmental performance in a particular area or on a specific issue (e.g., buildings, supplies).
(iii) Energy audit – In energy audit, basic data relating to overall energy consumption, share of various forms of energy in the total energy consumption, cost of various forms of energy, steps taken to conserve energy, cost reduction, etc. are analyzed. Process wise, plant wise or activity wise analysis can be done.
(iv) Health and safety audits – An assessment of health hazards, safety measures, accidental risks and contingency planning sometimes merged with environmental auditing because of the interconnected impacts of industrial processes and hazards.
(v) Site audits – Reviewing every aspect of a site or spot checks on sites having actual or potential problems.
(vi) Activity audits – Reviewing a particular activity, especially one which spans sites, business units and countries (e.g., energy or waste management).
(vii) Process audits – Designed to ensure that policies, processes, documentation, responsibilities, monitoring and appraisal are in place.
(viii) Corporate environmental audit – An audit of the whole company and its environmental policies, structure, procedures and practices.
(ix) Product or life cycle audit – An analysis of environmental impact of a product throughout all stages of its design, production, use and disposal including its reuse and recycling (cradle to grave approach).
(x) Third Party Audits – Third party audits are external audits carried out by “a third party” and are a means of independently verifying internal audits carried out by an organization. They also add credibility to the effective functioning of organizations’ environmental management systems.
These audits would be carried out by specialized audit consultants rather than auditors from an organization’s other sites.
(xi) Environmental Management System (EMS) Audit – An environmental management audit is an audit which explores the extent, nature and format of environmental management systems that are in place. It is normally carried out to evaluate operations which may be considering certification for formal EMS systems such as, ISO 14001 or EMAS and require an indication of how well their existing system is functioning and what is needed to bring them up to conforming to a formal EMS system requirement. An EMS audit, where an established EMS is in place, is an audit that would be carried out to test the effectiveness and appropriateness of the EMS against the context of current operations and activities or to comply with EMS audit requirements of ISO 14001 or EMAS.

What an organization must be seeking by these audits is an integrated environmental management strategy which leads organizations to consider zero complaints, zero spills, zero accidents, zero pollution and zero waste as fundamentally possible.

Environmental Financial Audit

6.13 In environmental financial audit, all financial/monetary transactions relating to environmental activities of an organization are verified by the auditor. Some important points are:

(i) Objective – To enable an auditor to establish whether the reporting entity has appropriately recognized, valued and reported all significant environmental costs, benefits, assets, liabilities, and contingencies.
(ii) Focus – On accuracy and authenticity of environmental financial information provided in the annual reports.
(iii) Criteria – Standards issued by recognized bodies, standard setting authorities, guidance notes, and other academic literature.
6.14 According to International Auditing Practices Statement (IAPS) 1010 “The consideration of Environmental Matters in the Audit of Financial Statements” issued by IFAC, statutory auditor must consider all significant environmental matters in audit of financial statements. As per IAPS 1010, following environmental matters may significantly affect financial statements and hence, should be considered during an audit of financial statements:

(i) Initiatives to prevent, abate, or remedy damage to the environment, or to deal with conservation of renewable and non-renewable resources (such initiatives may be required by environmental laws and regulations or by contract, or they may be undertaken voluntarily);
(ii) Consequences of violating environmental laws and regulations;
(iii) Consequences of environmental damage done to others or to natural resources; and
(iv) Consequences of vicarious liability imposed by law (for example, liability for damages caused by previous owners).

6.15 Before conducting a regular audit, internal auditor should obtain knowledge on environmental matters which may have significant effect on the financial statements, the audit process and the audit report. He must consider environmental laws and regulations and compliance or non-compliance with them and assess inherent risk, i.e., risk of material misstatements due to environmental matters like, financial impact of non-compliance with environmental laws.

6.16 While checking annual reports, perform substantive procedures to obtain evidence in support of environmental disclosures made in the financial statements. Internal auditor should try to find that valuation of environmental assets and liabilities (including constructive obligations) is proper and check whether the contamination has not reduced the carrying value of the assets.
In addition, auditor must ensure that all intangible assets like, carbon permits or licenses have been properly valued and amortized. All significant environmental benefits should be disclosed properly in the accounts and all assets and liabilities including contingent liabilities due to environmental factors have been duly provided for and properly disclosed in the books of accounts.

Emerging Trends

6.17 As environmental auditing has continued to gain acceptance in both the private and public sectors, new trends in auditing have emerged. Some of the recent national and international developments in the field of environmental auditing include environmental management audit, pollution prevention opportunity assessment, environmental auditing standards and professional recognition, ethical audits, sustainability audits and carbon audits. Some of the emerging trends have been discussed in the following paragraphs:

Development of Non-financial Auditing

6.18 In the last two decades, non-financial auditing has developed as a business management tool and has resulted in the proliferation of audits in the annual calendars of various companies. Many companies have made the decision to combine non-financial audits such as, health, safety, environment and quality in an effort to reduce costs, disruption and inconvenience in the workplace. Sometimes also called Safety, Health, Environmental and Quality (SHEQ) audit, this approach has both advantages and disadvantages. The advantages include the fact that there are fewer audits and less likelihood of reduced productivity in the workplace. It reduces inconvenience and costs involved in conducting frequent audits. A disadvantage would be that by combining a number of audits, this could dilute the focus on the individual components.
If this were balanced by increasing the length of time of the audit, this would then begin to increase the disruptive element of the audit which may affect productivity. The negative effect of the audits can be reduced if companies are able to utilize the “added value” from the audits which normally result in reduced wastage, reduced risk, improved performance and reduced incidents. It is not always possible to financially quantify these benefits and so the perception still remains that audits are time consuming and interfere with production. Another problem is that there are fundamental differences between financial and non-financial auditing and this has been noted in practice by companies who have attempted to undertake broader based auditing exercises. For example, many aspects of the “social audits” are more difficult to quantify which creates a problem when contrasted with the more precise financial auditing structures.

Social, Ethical, Environmental and Sustainability Reporting (SEESR) Audits

6.19 Since 1990s, there has been steady growth of social, ethical, environmental and sustainability reporting accompanied by an increase in SEESR audits. The audit of SEESR is considered necessary to build credibility and trust among corporate stakeholders. Being an integrated approach, SEESR is considered to be predominantly a management tool, useful for checking the efficiency of the internal management control systems in the SEESR area, rather than a mechanism for enhancing corporate accountability to stakeholders and building credibility and trust.

Emergence of Sustainability Auditing

6.20 Sustainable development balances economic growth with environmental quality and social responsibility, while acknowledging and taking responsibility for the growth’s long-term impact on society.
The broadening of the scope of environmental auditing to include “Triple Bottom Line” or sustainability auditing is a relatively recent development. The “Triple Bottom Line” concept puts forward the idea that the corporate sector should not focus solely on the financial “bottom line” of profit, but also consider “social bottom lines” and “environmental bottom lines” and incorporate these into their accounting structures. Sustainability audit is an evaluation of the state of sustainability performance level in an organization using various performance indicators. It includes ideas and strategies for the future green footprints of the business. Auditing guidelines for sustainability auditing have been developed to measure and monitor “Triple Bottom Line” performance. The Global Reporting Initiative (GRI) Guidelines provide the corporate sector with a model for Triple Bottom Line accounting. Included in these guidelines is a procedure for auditing compliance to the sustainability model. Recently, IFAC has issued Sustainability Framework 2011, ‘Professional Accountants as Integrators’, for sustainability accounting and auditing. Sustainability auditing is in its infancy and as yet there are no sustainability standards established by any professional accounting body. Since there is no real criterion as to what constitutes a sustainable organization, this presents something of a challenge to the auditors.

Increase in Environmental Audits by Supreme Audit Institutions

6.21 Globally and regionally, governments have made commitments to address environmental issues and sustainable development. International leadership has contributed direction and facilitated cooperation on numerous environmental issues. International environmental agreements (IEAs) are important for facilitating international cooperation.
IEAs refer to agreements, declarations, accords, treaties, and conventions with an environmental focus that have been signed by more than one country. Meanwhile, governments work to protect the environment in their countries. Issues such as waste management, contaminated sites, and national park management often fall within national boundaries. Domestic action can involve a variety of public policy tools including legislation, taxes, enforcement, market incentives, regulations, and policies. These tools are necessary for nations to implement domestic environmental protection and IEAs at home. Holding government and industry to greater accountability for their actions with respect to the environment has led to a need to report on the consequences of these actions. There is also an expectation that these reports will be subject, in turn, to an independent audit. Consequently, the role of Supreme Audit Institutions (SAIs) has been to respond to the expectations of citizens by providing independent, credible and objective verification of the information provided by government agencies with respect to their activities and their impacts on the environment. SAIs can play a major role in overseeing that their government’s public policy tools will produce their intended results. As expressed by Dr. Genaro Matute Mejia, Comptroller General of the Republic of Peru: Our audits help to improve government’s management of environmental issues and in the long run improve social prosperity and economic development in each and every one of our countries.

6.22 In the past two decades, there has been significant increase in environmental audits by SAIs. Environmental audit by SAI India is conducted within the broad framework of compliance and performance audit. More than 100 specialized environmental audits have been conducted by SAIs for the last 25 years. These audits relate to air issues, water issues, waste, bio-diversities and EMS.
SAI India is an active member of INTOSAI WGEA and ASOSAI working group on environment. A review of environmental audits by SAIs shows that their audit findings have been linked to the following positive environmental results:

(i) The water quality of rivers and watersheds has improved.
(ii) Action has been taken to protect against invasive species.
(iii) There has been increased protection for plants, animals, and ecosystems.
(iv) Management of natural resources has improved.
(v) Environmental degradation from construction has decreased.
(vi) Environmental pollution has decreased.
(vii) Desertification of land has been reduced.

Environmental Due Diligence Audit

6.23 An environmental due diligence audit is an audit that is normally carried out before acquisition, merger, divestiture or sale of a business or property to check the extent to which the business may have known or unknown (or visible or hidden) environmental liabilities e.g., cleaning of contaminated land or remediation cost. If a business has undeclared environmental liabilities, then these could materially affect the value of the business as at some later point, the business may be required to deal with those liabilities (e.g., clean up buried waste which has caused pollution) and thus its assets could be diminished. An environmental due diligence audit may identify one or more environmental liabilities and this may result in a re-negotiation of the price paid for the business because the liability is seen as a potential charge against the business.

Emergence of Carbon Audits

6.24 Public concern the world over has resulted in building mechanisms such as the Intergovernmental Panel on Climate Change (IPCC) and the Kyoto Protocol for Greenhouse gas (GHG) reduction.
Many countries are now considering to control greenhouse effects and CO2 targets through regulation of business entities using carbon emission rationing system where they allocate carbon credits or permits to them for the emission of a certain quantity of greenhouse gases in a particular period (i.e., a permitted quota), or by approving certain organizations as being able to issue legitimate carbon credits (called ‘abatement certificates’).

6.25 Measuring and verifying the carbon footprint, i.e., undertaking a carbon audit of a product, service, site or a whole company is a vital step towards reducing carbon emissions. Carbon audit involves identifying and calculating carbon dioxide emissions caused directly from burning fossil fuels on-site or as a result of production and other activities of the company or indirectly, when inputs or resources are purchased or emissions caused by other stakeholders including clients, employees and industrial partners, etc. This information often enables a business to make immediate carbon reductions through fairly straightforward practical steps and sometimes through relatively simple technical solutions. For conducting carbon audit, it is necessary that some standards and guidance for companies must be provided to prepare a GHG emissions inventory at the organizational level. GHG accounting concepts and issues should be linked through the use of common accounting principles. The principles of relevance, completeness, consistency, transparency, and accuracy should be applied in their appropriate contexts. The application of these principles is intended to ensure credible accounting of both corporate GHG emissions and project-based GHG reductions. Verification of an entity’s carbon accounts by independent duly qualified assurers is another important issue.
6.26 It has been felt that to deal with carbon trading related issues in accounts, accounting professionals in different countries must develop a Carbon (Emission and Sequestration) Accounting (CES Accounting) standard which needs to be consistent with the Intergovernmental Panel on Climate Change (IPCC) principles. Other CES measurement and reporting approaches to be considered in this regard are – the Global Reporting Initiative (GRI, 2006); the United Nations Conference on Trade and Development’s (UNCTAD) Intergovernmental Working Group of Experts on International Standards of Accounting and Reporting (UNCTAD 2006) and the World Resources Institute and the World Business Council for Sustainable Development (2007) with its Greenhouse Gas Protocol (GHG Protocol). The GHG protocol is an international accounting tool for government and business leaders to understand, quantify, and manage greenhouse gas emissions. The protocol consists of two modules — Corporate Accounting and Reporting Standards providing methodologies to business and other organizations to inventory and report all of the CO2 emissions they produce and Project Accounting Protocol and Guidelines.

Environmental Information Audit

6.27 Since mid 1990s, there is also a remarkable growth in the number of companies reporting voluntarily on their environmental policies, activities and performance. Research in the area has revealed that while many of these companies provide limited, qualitative, non-financial information mainly through the annual report, some large companies, particularly those operating in environmentally sensitive industrial sectors have started disclosing significant quantitative and qualitative information on the issue.

6.28 Reporting of environmental information to external stakeholders gives rise to the need for verifying these statements, i.e., environmental information audit.
It has been realized that the users of environmental information are more informed and are more concerned about accuracy and validity of data provided in environmental reports. To increase reliability, credibility and validity of environmental information provided to various stakeholders by a company, it is essential that an independent external auditor verifies these reports. This verification is necessary to ensure objectivity of the environmental reporting process, confirming the consistency of reported data and improving the quality of dialogue with stakeholders. Hence, environmental information audit system aims at providing accurate, reliable, relevant and objective environmental information to various internal and external stakeholders to help them in making more informed decisions.

6.29 An increasing number of organizations report on issues which require a high level of assurance, for example, emissions of pollutants or conservation of natural resources. There is a need to provide transparency in the data and information the company shows in environmental report. This is not a new concept, as publicly listed companies are presently required to provide independently audited annual reports to shareholders. It is accepted practice that financial statements, if they are to be at all reliable, must be subject to the scrutiny of an independent third party. There is a growing view that environmental reports must also be attested to in the same way and for the same reasons. This system of auditing provides a degree of assurance to users of these statements that the contents provide an accurate view of the company’s environmental performance, and permits inter-company comparison of performances.
Thus, the primary purpose of a third-party independent verification of an environmental statement is to legitimize the accountability relationship by providing assurance to the stakeholders that the information contained within the report is accurate, complete, and that the report provides a balanced view of the organization’s performance. This assurance will add significant credibility to the environmental report. The verification is also a valuable management tool. It provides management with internal assurance that the information presented is a fair and accurate reflection of company’s environmental performance. It also gives valuable information to management for improving management processes, systems, data collection and dialogue with stakeholders by highlighting potential inefficiencies.

6.30 For verification, it is necessary to have standards against which information has to be verified. Information is verifiable if there are criteria against which actual information can be verified objectively. The European Commission indicated that there are 15 different guidelines being used by companies producing environmental reports; naturally, not all these parties share the same goals, and hence the development of reporting has not yet progressed in a converging way. The heterogeneity of information contained in environmental reports makes them incomparable. Initiatives are being undertaken aimed at converging the practices, for example, Global Reporting Initiative (GRI), has received strong support and acceptance worldwide for its guidelines on sustainability reporting. There also exist several other guidelines for verifying environmental reports. The International Federation of Accountants (IFAC) has released an International Audit Practices Statement (IAPS) 1010 offering practical guidance on the “Consideration of Environmental matters in the Audit of Financial Statements”*. The IAPS concentrates on issues such as, consideration of relevant environmental laws and regulations; obtaining sufficient knowledge of the business in relation to the relevant environmental matters; and using the work of experts. The United Nations Inter Governmental Working Group of Experts on International Standards on Accounting and Reporting (ISAR) recommendations also provide the criteria against which the audit of environmental considerations within financial statements can be considered. ISO 14000 is a methodology for environmental management. It provides necessary requirements and recommendations for any organization to develop and implement a cost effective system of management by introducing environmental auditing. ISO 14000 series may also cover environmental information audit.

* This has been discussed in detail in Section 6.3 on environmental financial audit. It is to be noted that environmental financial audit focuses on audit of all monetary information related to environmental activities of an organization. Since all financial information is reported in financial statements, it indirectly means consideration of environmental matters in audit of financial statements. The term environmental information audit is wider in scope. It includes audit of all types of information, financial, physical or descriptive, reported by a concern in the annual reports or through some other medium like environmental reports, web-sites etc.

Chapter 7

Emerging Opportunities for Professional Accountants in the Field of Environmental Audits

Emerging Opportunities for Chartered Accountants

7.1 The growth in interest and activity in environmental accounting and auditing in the past two decades is astonishing.
From the most marginal and irrelevant subset of social accounting at the beginning of 1990s, it has expanded to become something which is now seen as an essential element in any organization’s environmental responsibility. In this context, a question generally asked is whether a chartered accountant (CA) has required capabilities to conduct environmental audits or what role a professional accountant can play in dealing with environmental concerns. This chapter explores opportunities for CAs in the area of environmental accounting and auditing.

7.2 Chartered accountants in the past have been reluctant to participate in green issues because their capability and knowledge to conduct environmental audits may be challenged. They felt that environmental audit is a diverse activity which involves knowledge about various technical, legal and non-financial matters. It may involve multiple agencies as well as multiple users. In the absence of established standards and guidelines, it is difficult to conduct environmental audits. But over the time, it has been realized that the role of chartered accountants in green accounting and audit is significant.

7.3 According to INTOSAI, 2004, “Accountants as providers of information, reports and assurance on which business and government decisions are frequently based, have increasingly been drawn into environmental arena. The influence of accountants and auditors comes from their access to financial information. They analyze reports and communicate information on which decisions are based and performance is evaluated. They can encourage greater transparency and informed decisions about application of resources and the impact of activities on environmental outcomes without distorting existing accounting standards.
Thus, in order to ensure the provision of accurate information by annual reports, it is necessary to involve the environmental audit.”

The accounting literature clearly establishes the potential for financial auditors to play a role in the conduct of environmental audits. FEE and INTOSAI created work groups for environmental audit that published guidance on conducting audits of activities with environmental perspectives in 2001. These work groups conducted numerous studies and research projects on the issue. The accounting professions of various countries have also published research reports on environmental accounting and auditing, of which the most notable work, done by the Canadian Institute of Accountants (CICA), is titled “Environmental Auditing and the Accounting Profession.” Another important work, “The Environmental Audit and the Audit Profession”, has been done by the Limperg Institute of Netherlands on behalf of the Dutch Accounting Professions. All these reports emphasize that the accounting profession has a significant role to play in environmental matters. ‘By establishing commonality between the principles of financial auditing and other forms of assurance practice, such as environmental audits, financial auditors have claimed sufficient expertise to coordinate the provision of environmental audit services’.

7.4 The role of the accountant in helping an organization in dealing with environmental issues can be analyzed under the following heads:

CA as Environmental Accountant

Environmental financial accounting refers to the preparation of the environmental financial reports for external audiences using generally accepted accounting principles (GAAP). It mainly includes estimation and public reporting of all significant and financially material environmental information such as significant environmental costs, liabilities and contingencies.
Chartered accountants, due to their specialized accounting skills, can help an organization in preparing environmental financial accounts, i.e., in dealing with identification, measurement, recognition and disclosure of all significant environmental financial costs, benefits, assets, liabilities and contingencies. In this context, the most relevant work is that of the United Nations Inter Governmental Working Group of Experts on International Standards of Accounting and Reporting (ISAR). ISAR began to focus on the subject of Environmental Accounting and Reporting (EAR) in the late 1980s. Starting from 1989, ISAR has issued a number of recommendations on EAR. Apart from ISAR, different types of supra-national bodies (e.g., FEE, European Union) have also shown interest in EAR and some of these have issued guidelines in this connection. Professional accounting bodies all over the world have this item on their agenda.

CA’s Role in Environmental Management Accounting

In addition to the significant role that chartered accountants can play in environmental financial accounting and reporting, environmental management accounting also offers an opportunity for accountants to develop the services they offer beyond the traditional core activities. The focus of environmental management accounting is internal. Environmental management accounting (EMA) is the process of identifying, collecting and analyzing information about environmental costs and performance to help an organization’s decision-making (EPA, 1995a). EMA is mainly concerned with the presentation of data about environmental activities and performance to the management, so that it can also be considered while making a number of business decisions like capital budgeting decisions, costing determinations, process/product design decisions or performance evaluations.
It has been felt that the accountants have the necessary skills and experience to:

(i) monitor, measure and control environmental costs;
(ii) manage environmental information systems so that the outputs are accurate and reliable;
(iii) identify and plan financial budgets for improvement projects;
(iv) help formulate and implement environmental strategy; and
(v) provide highly regarded advice on improvement of environmental performance.

Consideration of Environmental Matters in Audit of Financial Statements*

The International Auditing Practices Committee (IAPC) of the International Federation of Accountants (IFAC) published a discussion paper titled “The Audit Profession and the Environment” in May 1995. According to IAPC, “Environmental matters are becoming significant to an increasing number of entities and may, in certain circumstances, have a material impact on their financial statements. These issues are of growing interest to the users of financial statements. The recognition, measurement, and disclosure of these matters are the responsibility of management. For some entities, environmental matters are not significant. However, when environmental matters are significant to an entity, there may be a risk of material misstatement (including inadequate disclosure) in the financial statements arising from such matters. In these circumstances, the auditor needs to give consideration to environmental matters in the audit of the financial statements. Environmental matters can be complex and may therefore require additional consideration by auditors.”

International Auditing Practice Statement (IAPS) 1010, “The Consideration of Environmental Matters in the Audit of Financial Statements” was approved by the IAPC in March 1998.
The Statement provides practical assistance to auditors by describing:

(i) The auditor’s main considerations in an audit of financial statements with respect to environmental matters;
(ii) Examples of possible impacts of environmental matters on financial statements; and
(iii) Guidance that the auditor may consider when exercising professional judgment in this context to determine the nature, timing, and extent of audit procedures with respect to:
(a) Knowledge of the business (ISA 310, “Knowledge of the Business”);
(b) Risk assessments and internal control (ISA 400, “Risk Assessments and Internal Control”);
(c) Consideration of laws and regulations (ISA 250, “Consideration of Laws and Regulations in an Audit of Financial Statements”); and
(d) Other substantive procedures (ISA 620, “Using the Work of an Expert” and some others).

* In 2002, IAPC was reconstituted as the International Auditing and Assurance Standards Board.

The guidance under (c) reflects the typical sequence of the audit process. Having acquired a sufficient knowledge of the business, the auditor assesses the risk of a material misstatement in the financial statements. The assessment includes consideration of environmental laws and regulations that may pertain to the entity, and provides a basis for the auditor to decide whether there is a need to pay attention to environmental matters in the course of the audit of financial statements. The Statement also gives the meaning of environmental matters and examples of environmental matters which have an impact on financial statements.

When planning and performing audit procedures and evaluating and reporting the results thereof, the auditor should recognize that non-compliance by the entity with laws and regulations may materially affect the financial statements. However, an auditor cannot be expected to detect non-compliance with laws and regulations.
According to ISA 250, “the auditor’s training, experience and understanding of the entity and its industry may provide a basis for recognition that some acts coming to the auditor’s attention may constitute non-compliance with laws and regulations. The determination as to whether a particular act constitutes or is likely to constitute non-compliance is generally based on the advice of an informed expert qualified to practice law but ultimately can only be determined by a court of law.”

CA’s Role in Compliance and Certification Audits

Compliance audits are conducted to verify an entity’s compliance with environmental laws, regulations, standards, industry guidelines or the company’s own policy. It is felt that CAs can very efficiently conduct compliance audits if they gain knowledge of relevant environmental laws and regulations. They can also conduct certification audits. Such arguments generally centre on the requirements outlined in ISO 14012, Guidelines for environmental auditing, issued in 1996. ISO 14012 para 4 recommends that environmental auditors should have “appropriate work experience, formal training and/ or on-the-job training in some or all of a number of areas, including audit procedures, processes and techniques”. In 2002, ISO 19011 was issued which superseded ISO 14012. ISO 19011 also provides that in addition to personal attributes like being ethical, open-minded, versatile, observant, decisive, etc., an environmental auditor should have (a) skills in the application of audit principles, procedures and techniques and (b) knowledge of EMS, terminology related to environmental matters, relevant environmental laws, environmental aspects of operations, etc. CAs already have the first set of required skills. After obtaining knowledge about environmental laws, EMS and relevant terms, they can very efficiently conduct environmental audits, particularly certification audits.
These audits may include monitoring of the environmental management system of the unit, checking the status of consent orders, compliance of consent orders, water cess, other legal requirements, industrial data collection regarding product process, electric consumption, water consumption, raw materials and energy balance, etc.

In the same way, CAs can play an important role in non-financial auditing or carbon audits.

CA and Environmental Information Audit

The main role of the financial auditor is to express an opinion on the truth and fairness of assertions made in financial statements. This role can very well be extended to include environmental information audit, where all types of environmental information reported by a concern through various mediums is verified with the help of all available evidence.

CA as Environmental Consultants

CAs can enter the environmental consultancy area and help organizations in obtaining consents required under various environmental laws. For example, before establishing an industrial unit a CA’s certificate about proposed Capital Investment or Gross capital investment (land, building, plant and machinery) is required to be submitted along with the application for establishment of a unit. This certificate is also known as the Gross Block Investment certificate. This certificate should include the cost of land, building, plant and machinery without depreciation. CAs can also provide information on the capital and recurring (O&M) expenditure on various aspects of environment protection such as effluent, emission, hazardous wastes, solid wastes, tree-plantation, monitoring, data acquisition, etc. This is important information to be given in the application for consent to establish/ operate/ renewal of consent.

Chartered Accountants as environment consultants can play an important role in obtaining environmental clearance under the Environment Impact Assessment Notification.
The environmental consultant should be conversant with the existing legal and procedural requirements of obtaining environmental clearance for a proposed project. The consultant should guide the project proponent (i.e., the person who is going to establish an industrial unit) through initial screening of the project and establish whether Environment Impact Assessment (EIA) studies are required to be conducted and, if so, finalise the scope of such study. Chartered Accountants as environmental consultants can give an opinion on the viability of various projects and technologies to prevent pollution and clean up polluted resources.

CA’s Role in Sustainable Development

Professional accountants in all types of organizations have a significant role to play in sustainable development also. In 2011, the IFAC issued a sustainability framework. According to IFAC, “Achieving a sustainable future is only possible if organizations recognize the role that they can and need to play. Effective action by the accountancy profession and professional accountants to better integrate and account for sustainability is an essential part of that role. The IFAC Sustainability framework primarily targets professional accountants working in commerce, industry, financial services, education, and the public and non-profit sectors. IFAC strongly believes that these professional accountants can influence the way organizations integrate sustainability into their mission, goals and objectives, strategies, management and operations, definitions of success and stakeholders communications.”

IFAC’s Sustainability Framework:

(i) Emphasizes the role of professional accountants in sustainable development.
(ii) Feels that accountants have knowledge and expertise in dealing with environmental matters.
(iii) Believes that professional accountants have a significant role in integrating sustainability issues into strategy, operations and reporting and in ensuring that accurate and credible necessary information, analysis and insights are available to relevant stakeholders to support decision-making.

7.5 Accountants are interested in finding a solution to the environmental issues and they are ready to accept challenges posed by global environmental concerns. Some audit companies have already started training specialized teams on environmental audit. These teams include environmental engineers, legal professionals, finance specialists, ISO 14001 certifiers, certified chartered accountants, etc. Accountants have a significant role in green audits (particularly, environmental financial audit and environmental information audit) because they have knowledge of law and accounting standards and expertise in accounting and financial matters. They can ensure that environmental information provided by government or business is accurate, complete and authentic and can encourage greater transparency and informed decisions. CAs can play a significant role in environmental matters as accountant, as decision maker, as advisor, as manager, as consultant, as analyst, as part of an internal audit team or as independent verifier. There are significant opportunities in this area, but to avail of these opportunities it is necessary to provide relevant education to deal with issues like social audit, carbon audit, energy audit, and sustainability auditing. In addition, continuous training is required to deal with dynamic and diverse environmental issues. The need has also been felt to develop a conceptual framework for environmental reporting and some guidelines and standards for incorporating environmental issues in the financial statements.

“The ability of the planet’s eco-systems to sustain future generations can no longer be taken for granted.
…. Humanity is, in essence, impairing the very foundations of our health and prosperity. Governments have a key role to play in reversing these trends and in protecting our national heritage. So do environmental auditors”*.

* INTOSAI, 2004.

Chapter 8

Summary and Conclusion

8.1 Since the late eighties, companies have been under increasing pressure from various internal and external stakeholders to reduce adverse environmental impacts of their activities by making efficient use of scarce resources and by using cleaner production technologies. The focus is on shifting business priorities from just a financial profit bottom line to a broader “Triple Bottom Line”. The global challenge is to ensure that organizations develop systems and take other necessary steps to reverse the previous erosion of natural resources and to improve their environmental performances. This requires radical changes in many of the business and management areas.

8.2 From an organization’s point of view, the only sensible response to the growing complexity of the environmental agenda is to work towards the development of a fully integrated environmental management system (EMS). An EMS represents the organizational structure, responsibilities, processes and preconditions for the implementation of a company’s environmental policy. To verify the efficiency of the EMS and to check measures taken by the concern for environmental conservation and protection, environmental audits are required to be conducted. An umbrella term, environmental auditing encompasses a wide range of auditing practices like certification audits, energy audits, environmental surveys, policy impact assessment, EMS audits etc., which are generally undertaken on a voluntary basis by companies as a part of a strategy of self-regulation as well as for ensuring compliance with environmental standards and laws.
Green audit touches many areas of current, proposed and possible future environmental regulation and acts both as the first substantial step towards environmental sensitivity and as a regular and essential part of environmental management systems.

8.3 The major benefits of conducting an environmental audit include mitigating your company’s legal and reputational risks, reducing operational inefficiencies, improving the environmental performance of your company, and achieving certification requirements. These audits can add value to the efforts made by organizations for managing environmental impacts. Environmental audits offer a way of identifying, evaluating and managing environmental risks (known and unknown). An audit can be undertaken at various levels of sophistication and detail, which can be tailored to the needs of the organization. The environmental audit also assists in the process of testing performance in the environmental arena and is fast becoming an indispensable aid to business decision making. But the value of the environmental audit as an environmental performance measurement and verification technique, and as a continuous environmental performance improvement tool, has yet to be appreciated on a large scale. There is still a perception that environmental audits may have a negative impact on the organization by exposing the companies to penalties and imposition of costly changes in the facility. This perception has to change. In fact, environmental management and audit systems are now so central to organizational management that any organization which ignores them indirectly endangers its very existence. What is crucial for all types of environmental auditing activity is that it forms part of an overall environmental management strategy of a business which incorporates the environment into core business functions.
8.4 Environmental auditing should be more clearly defined and understood, if it is to be an effective management tool for improving environmental practices and procedures and gaining credibility with stakeholders. Because it is a diverse activity, in large organizations it is necessary that an audit team should conduct it. The audit team must be qualified for the operation. In addition to persons with audit ability, the team should have available to them qualified environmental auditors on a full time basis or as advisors when needed. The audit team should have legal expertise available as and when required. However, the competence of environmental auditors is still to be defined by the professional agencies. Auditor competence is the key to the quality of an environmental audit and further efforts need to be made to define the key skills that environmental auditors need to be effective auditors. The ISO standard on auditor qualification criteria will help clarify competencies, but a more fundamental formal training and educational structure needs to be developed to allow environmental auditing to be developed as a profession.

8.5 Accountants and auditors have traditionally not been associated with the conservation of environment movement. However, with environmental issues assuming increased importance in the world, the accounting profession all over the world has shown a positive response to the environmental issues by publishing research reports and putting these issues on its professional agenda (INTOSAI, 2004). In fact, accountants, as the prime custodians and light bearers of economic development, can no longer shut their eyes to the effect of environmental issues on business, management, accounting, auditing and disclosure systems. Protection of the environment and the potential involvement of accountants is becoming a common subject of discussion among accountants all over the world.
Nowadays, accountants are expected to take a proactive role in the environmental protection process. Corporate environmental accounting and reporting has now become a “global issue” with a pressing need to harmonize accounting and reporting of environmental costs and liabilities.

8.6 Considering the corporate entity’s responsibility towards environmental protection, formulation of valuation, accounting and reporting techniques relating to environmental matters is a great challenge to the accounting profession. Increasingly careful attention has been given by both national and international auditing bodies to the ways in which environmental issues might have a financial impact on the activities of the client and the implications this can have on auditing procedures. In addition to the technical matters of verifying evidence relating to existing environmental provisions, liabilities and contingencies, the audit procedures should explicitly take into consideration the potential but hidden environmental problems. The major challenge is to incorporate environmental matters into the regular financial statements by placing an objective value on the environmental impacts. Unfortunately, no one has developed an acceptable, objective and verifiable measurement technique in this regard.

8.7 Another important challenge facing the profession is to develop environmental reporting both as a useful environmental management tool, and as a means to provide stakeholders with credible information about their environmental performance. Environmental information audits can be used as a mechanism for enhancing corporate accountability to stakeholders and building trust and credibility. This, in turn, raises issues about attestation of environmental reports and the role of the statutory financial auditor in this attestation. In the case of verification of environmental reports, the qualifications of the auditor are of vital importance.
In order for verification to add credibility to environmental reports, the verifiers themselves must be credible. It is necessary that some qualification requirements should appear for environmental auditors in the same way as they exist within financial auditing. The task of professional accounting institutes is to provide qualified accountants with the necessary education and skills to consider environmental matters in the financial statements and to verify environmental reports. In a nutshell, environmental management and audit have undoubtedly been the major growth and development areas in a business’s response to the environmental agenda, and professional accountants and auditors have an important role to play in the conservation of environment movement.

Appendix I

The Confederation of British Industry’s Guide to Environmental Audit

What is environmental audit?
A systematic, objective and documented evaluation of the impact of your business activities on the environment.

Why are so many companies using the environmental audit as a management tool?
To prepare themselves for:
• New and tougher legislation
• Increasing corporate and personal liability
• Rising energy and materials costs
• Rapidly rising waste disposal costs
• Competitive pressure as other companies clean up their act
• Growing public pressure.

What can an audit do for you?
• Ensure that your company is staying within the bounds of the law
• Cut effluent and waste disposal costs
• Reduce material and energy bills
• Improve your corporate image
• Assist in formulation of an environment policy

What does an audit involve?
A rigorous environmental audit will do more than simply ensure legislative compliance; it will aim to identify the Best Practicable Environmental Option (BPEO) for your company. A good audit will help you run a tighter, more efficient company.
• Evaluating your operational practices to determine whether they can be made more efficient in terms of resource use and waste production, or altered to minimize risk of pollution.
• Examining the way in which your company deals with the waste it produces to see if more effective waste management options could be deployed.
• Taking a good look at the material and energy resources your company uses to see whether more environmentally sound alternatives could be substituted.
• Developing contingency plans for environmental mishaps.

Who should carry out the audit?
If you have relevant expertise in-house, set up an internal audit team, or you may wish to bring in an external audit team.

And after the internal audit?
• Define a set of corporate objectives based on the audit results and set them out in a formal environmental policy.
• Like a financial audit, an environmental audit is not a one-off event. Regular monitoring will be necessary to check that your company is moving satisfactorily towards its objectives.
• Incorporate an environmental component into both your training programme and communication strategy.

Appendix II

Relevant Environmental Laws in India

Some Acts (amended from time to time)

1927  The Indian Forest Act
1972  The Wildlife Protection Act
1974  The Water (Prevention and Control of Pollution) Act
1977  The Water (Prevention & Control of Pollution) Cess Act
1980  The Forest (Conservation) Act
1981  The Air (Prevention and Control of Pollution) Act
1986  The Environment Protection Act
1991  The Public Liability Insurance Act
2002  The Biological Diversity Act
2010  The National Green Tribunal Act

In addition, there are some Acts incorporating environmental (including health and safety) concerns like The Factories Act, 1948; The Coastal Zone Regulations; The Indian Explosives Act, 1884; or Motor Vehicles Act, 1988.
Some Important Environment Related Rules

1989  Hazardous Waste (Management and Handling) Rules
1989  Manufacture, Storage and Import of Hazardous Chemical Rules
2000  Municipal Solid Waste (Management and Handling) Rules
1998  The Biomedical Waste (Management and Handling) Rules
1999  The Environment (Siting for Industrial Projects) Rules
2000  Noise Pollution (Regulation and Control) Rules
2000  Ozone Depleting Substances (Regulation and Control) Rules
2011  E-waste (Management and Handling) Rules
2011  National Green Tribunal (Practices and Procedure) Rules
2011  Plastic Waste (Management and Handling) Rules

In addition, from time to time, MoEF has notified Amendment Rules in almost all the major acts. For all these acts and amendments therein refer to rules and regulations on http://moef.nic.in/modules/rules-and-regulations/water-pollution/

National Environmental Plans and Policy Documents*

1. National Forest Policy, 1988
2. National Water Policy, 2002
3. National Environment Policy or NEP (2006)
4. National Conservation Strategy and Policy Statement on Environment and Development, 1992
5. Policy Statement for Abatement of Pollution (1992)
6. National Action Plan on Climate Change
7. Vision Statement on Environment and Human Health
8. Technology Vision 2030 (The Energy Research Institute)
9. Addressing Energy Security and Climate Change (MoEF and Bureau of Energy Efficiency)
10. The Road to Copenhagen; India’s Position on Climate Change Issues (MoEF)

* CAG, 2010, Environment and Climate Change: Public Auditing Guidelines, Principles and Practices of Environmental Audit and Climate Change.

Some International Conventions Where India is Signatory

(i) Convention on Wetlands of International Importance, 1971 (Ramsar)
(ii) Convention Concerning the Protection of the World Cultural and Natural Heritage, 1972
(iii) Convention on International Trade in Endangered Species (CITES) (1973)
(iv) Montreal Protocol on the Substances that Deplete the Ozone Layer, 1987
(v) Basel Convention on the Control of Transboundary Movements of Hazardous Wastes and Their Disposal, (Basel Convention) 1989
(vi) U.N. Framework Convention on Climate Change, 1992
(vii) Convention on Biological Diversity, 1992
(viii) UN Convention to Combat Desertification, 1994
(ix) Kyoto Protocol, 2005

Pollution Control Authorities

(i) Ministry of Environment and Forests (MoEF)
(ii) The Central Pollution Control Board (CPCB)
(iii) State Pollution Control Boards (SPCB)
(iv) State Departments of Environment

Appendix III

Sample Checklists

I Sample Checklist for Environmental Management System (EMS) Audit

The following table contains some sample questions which may be included in an Environmental Management System audit checklist. It provides a starting point for internal auditors in preparing for an EMS audit. The checklist is general in nature and can be customized according to the nature and size of the environmental system of the organization and the circumstances of the case. In most cases, additional questions, supporting information and clarification from the environmental managers or staff will be necessary.

S. No.  Particulars  Questions  Yes/No  Responsible Person  Comments  Date

1. Environmental Policy and Objectives

(a) The Environmental Policy of the
· Does your company have a documented Environmental Policy?
· Is this consistent with other corporate policies?
· Has top management defined and committed to the policy?
· Are the views of stakeholders taken into account in developing the policy?
· Is the policy appropriate to the nature and scale of the company and environmental impacts of its activities, products or services?
· Is the environmental policy clear and specific enough to guide the setting of environmental objectives and targets?
· Is the policy sufficiently clear to be capable of being understood by interested parties?
· Does the policy show commitment to continuous improvement in environmental performance, prevention of pollution and sustainable development?
· Does it comply with relevant environmental legislation and regulations and other environmental mandates?
· Has the policy been communicated to and understood by employees of all business units?
· Is the policy reviewed periodically to ensure its continuing relevance, in the light of changing standards, technology, and emerging concerns?

(b) The Environmental Objectives
· Does your company have clearly established environmental objectives?
· Do they reflect the company’s environmental policy?
· Do they reflect significant environmental impacts associated with the company’s operations?
· Do the objectives identify significant legal aspects?
· Has the entity established proper systems to translate its objectives into action?
· Has the entity developed adequate procedures to accomplish its objectives and are they really efficient and viable?
· Has the entity established environmental objectives for each relevant business function and level?
· Have targets been set for environmental objectives?
· Are your company’s objectives and targets reviewed and revised to incorporate changes in the internal and external environment?
· Do you have a system of communicating your environmental objectives and policies to various concerned internal and external stakeholders (like employees, contractors and suppliers etc.)?
· Does your company have a proper system to identify, allocate and review human, technical and financial resources to meet its environmental objectives and targets?

(c) The Environmental Management System
· Has your company developed a comprehensive framework of policies, practices, procedures, systems and relevant management information to support environmental management?
· Has your company adopted any principles of the Environmental Management System? (e.g. ISO 14001)
· Is EMS of the company of acceptable level and size within the entity?
· Has environmental management system been integrated into the overall business management processes of your company?
· Do the existing procedures fully take into account all environmental aspects at all levels and activities of the organization?
· Are the environmental responsibilities of the Chief Executive and Executive Members of your company reasonably clearly defined?
· Does your company collaborate with other departments or agencies in relation to environmental management?
· Does your company communicate specific responsibilities and accountabilities throughout the organization?
· Are the environmental responsibilities documented within your company and are they up-to-date?
· Has your company considered/sought/achieved ISO certification?
· Do you have sufficient resources and technical competencies to implement EMS as per ISO requirements?
· Has your company assessed the costs and benefits of certification under the standard?

2. Management Issues

(a) Planning Environmental Aspects
· Has your company established a systematic and documented process describing the methods to identify, monitor and evaluate environmental aspects of your company’s activities, products or services?
· Does the process drive the development, application and operational aspects of environmental policy?
· Does your company monitor and measure those operations that can have a significant impact on the environment?
· Does it include an environmental risk assessment to evaluate those aspects, which may have a significant impact on the environment in a positive and negative way?
· Does it consider the scale, frequency, severity and sensitivity of the environmental impacts?
· Do you make efforts to determine the significance of those impacts using a recognized risk management approach?
· Does it ensure that aspects which have a significant impact are considered in setting environmental objectives?
· Do you provide for the audit and review of the process to confirm that planned arrangements are properly implemented and maintained?

(b) Key performance indicators (KPIs)
· Has your company established Key Performance Indicators (KPIs) to demonstrate progress against environmental objectives and targets?
· Does your company have the capability to identify and track KPIs and other data, necessary to achieve its environmental objectives and targets?
· Have these targets or objectives been linked to the organization’s corporate or business plans to ensure accountability or follow up?

(c) Environmental Management Program
· Have you developed programs to achieve objectives and targets established for each relevant business function and level?
· Do these programs respond to your company’s environmental policy and the risk assessment?
· Do these programs support or contribute to the authorities’ or Government’s overall environmental programs?
· Do the programs nominate personnel with specific responsibilities in the environment area?
· Are the programs monitored to track progress against objectives and targets?
· Is someone responsible for tracking progress towards achieving objectives and targets?
· Does the program include an environmental review for new activities?
· Has the program been amended to reflect changes for new activities?
· Does your company monitor and revise its environmental management programs?

3. Implementation and Operation

(a) Structure and Responsibility
· Is there an Executive Committee or Board to oversee the environmental monitoring and reporting of your company’s activities?
· Has top management defined the roles, responsibilities and authorities of personnel for environmental management in the context of the company’s Environmental Management System (EMS)?
· Do the roles, responsibilities and authorities extend to establishing, implementing, maintaining and reporting on the EMS?
· Have the roles been documented and communicated to relevant people responsible for environmental management and are the relevant people aware of the roles assigned to them?
· Has management provided adequate resources to implement and control its EMS?
· Does your company integrate an awareness of environmental issues into its culture?
· Does your company integrate the principles of sustainable development in decision making process through the appraisal and evaluation of policies, programs, plans and projects?
· Are there written guidelines on how to conduct operations in a manner that is responsible in accordance with the principles of sustainable development?
· Are systems of internal control for managing the environment appropriate to your company’s corporate plan or business charter?
· Do they provide timely and useful management information?
· Does your company have an effective internal audit function?

(b) Training, Awareness and Competence
· Has your company conducted a Training Needs Analysis for environmental management issues?
· Is there adequate expertise in your company to deal with the environmental and sustainability issues?
· Do you have a systematic and documented process to ensure that personnel who carry out tasks that have a significant impact on the environment are adequately trained and experienced?
· Does your company assess the adequacy of resources and training of staff with designated responsibilities for environmental management and/or protection?
· Are employees’ responsibilities for environmental management identified in their accountabilities (e.g. position descriptions, annual performance goals)?
· Are employees encouraged to take the initiative, submit suggestions for improvement, and to suggest actions or policies to reduce your company’s environmental impact?
· Does the training include response to emergencies and drills, and working with external agencies such as fire brigade?
· Does the company sponsor scientific or policy research devoted to environmental technology, management, and performance issues or other relevant research areas at educational or research institutions?
· Does the company participate in external activities designed to share the results of such scientific and policy research?

(c) Communication
· How does your company communicate with key stakeholders in regard to significant environmental aspects and is this process documented?
· Do you try to identify, monitor, evaluate and understand the needs and expectations of stakeholders?
· Does your company have a process to record and maintain communications between key employees (in your company) responsible for environmental management?
· Does your company have a system to receive, record and respond to communications from interested parties about environmental impacts associated with your company’s operations?
· Does your company proactively seek the advice of independent community groups (e.g., through newsletters, regular meetings, open forums, or community oversight committees) regarding possible risks posed by the operations of your company?
· Have you established documented procedures to monitor and evaluate the effectiveness and efficiency of your communication strategy/methods?
· Has your company established, and does it maintain, information to describe the core elements of the EMS and provide direction on where to obtain more information on specific parts of the EMS?
· Does the information describe how the elements interact with each other?
· Does it describe the key roles, responsibilities, procedures, follow-up actions or response?

(d) Operation Control
· Has your company identified operations and activities that are associated with significant environmental aspects of your company’s operations?
· Are these operations and activities carried out under controlled conditions and in accordance with operating criteria to ensure compliance with environmental policy and the achievement of objectives and targets?
· Does your company have a formal written policy regarding materials/resource conservation, reduction, re-use and recycling?
· Have you established specific targets for material/resource conservation programs for energy, water or waste avoidance, or other emerging issues or activities?
· Have you established specific targets for each conservation strategy?
· Does your company monitor and document trends in energy consumption by source?
· Does your company have a program to maximize the use of environmentally safer and more sustainable energy sources?
· Does your company, routinely or in specific circumstances, track chemical use and environmental releases?
· Has your company addressed issues of habitat protection and stewardship (such as watershed management, wilderness protection, biodiversity, etc.) in areas affected by your operations?

4. Monitoring and Measurement

(a) Monitoring
· Have you developed and implemented procedures for checking the performance of the EMS?
· Is there an adequate system to identify areas of non-conformance?
· Does your company have procedures to regularly monitor and measure the significant operations and activities that can have a significant impact on the environment?
· Does your company have systematic and documented procedures to evaluate compliance with relevant environmental legislation and regulations?
· Are periodic audits carried out using established programs and procedures?
· Does your company have data collection and information management systems adequate to support environmental reporting needs?
· Is the performance of your company regularly monitored in relation to the principles of sustainability and best practice?
· Do you compare and publicly report predictions made in Environmental Impact Statements (EIS) with actual outcomes?
· Does your company have auditing programs for workplace health, safety and environmental auditing?
· Does your company monitor and document trends in consumption of natural resources?
· Are your company’s environmental audit programs reviewed by an independent organization?
· Does your company seek independent verification of data collection and information management systems?
· Are your audit results available to the public?

(b) Checking and Corrective Action
· Does your company have systems to measure the cost and quality of environmental protection services and the use of resources entrusted to the company?
· To what extent does your company use internal environmental cost information to support internal decision-making?
· Is this done through a managerial cost accounting system or other financial management system that routinely compiles, analyses, and reports on environmental costs?
· Which environmental costs are so identified (e.g., management costs, resource use, waste disposal, permitting, monitoring, training, auditing, insurance)?
· At what level are costs aggregated (e.g., product, process, facility, division, corporate)?
· For what purpose is this cost information compiled?

(c) Non-conformance and Corrective and Preventative Action
· Do documented emergency/contingency plans exist for rectifying significant environmental mishaps?
· Does your company have procedures to establish and maintain responsibility and authority for handling investigations of non-conformance and taking corrective and preventative action?
· Has the cost of rectifying specific environmental mishaps/repercussions been estimated in order to prioritize your risk assessment?

(d) Management Review
· Does the Executive Committee or Board regularly receive key information, such as performance information, major initiatives or investigations of issues affecting the environment?
· Does your company have a process to demonstrate how recommendations and feedback from the EMS review have been implemented and contribute to improvement in environmental performance?
· Does your company review on a regular basis the extent to which objectives and targets have been met?
· Do you take into account the results of audits undertaken and any changed circumstances for continuous improvement?
· Are the results of the reviews: documented, reported to, and considered by, the Board and/or Chief Executive?
· Do they take action on the results of the reviews?
· Does your company review on a regular basis its EMS to ensure
   · its continuing suitability, adequacy and effectiveness
   · systems conform to planned arrangements
   · systems have been fully implemented
   · systems are properly maintained?
· Are views of interested parties and stakeholders taken into account?

(e) Legal and Other Requirements
· Do your operations require compliance with environmental, health or safety regulations at either the national or state level?
· Is there a documented process to:
   · identify the legal and other regulatory requirements associated with environmental impacts of activities, products or services
   · provide access to the legal and other regulatory requirements
   · evaluate compliance with the legal and other regulatory requirements?
· How does your company keep track of (changes to) legal and other requirements?

5. Reporting

(a) Document Control
· Has your company established and maintained procedures for controlling all key documents?
· Are the procedures adequate so that the documents can be easily located at relevant locations?
· Who is authorized to approve alterations to documentation?
· Are obsolete documents promptly removed from all points of issue?
· Are obsolete documents retained for legal and other reasons and suitably identified?
· Do you have a transparent and open system of reporting to communicate your company’s management of the environment to the public?
· Is there an appropriate and reliable environmental reporting system which meets requirements of the entity?
· Does your company report to regulators?
· Does your company contribute to National or International reports?
· Does your company produce an annual Environment Report?
· Does this report address the issues of sustainable development?
· Is the report externally verified or validated?
· Does your company report to the Parliament and/or the public on the fulfillment of its environmental responsibilities?

II. Sample Environmental Compliance Audit Checklist

This sample Environmental Compliance Audit Checklist contains some usual questions relevant to an environmental compliance audit. Depending upon the nature of the organization and the applicable environmental laws and regulations, questions can be added or deleted.

Checklist columns: No. | Particulars | Questions | Yes/No | Observations/Comments | Recommendations | Responsible person | Date

1. General
· Is the sector in which the company operates prone to and known for a high level of pollution/environmental impact?
· Does it fall within the notified industries as per CPCB’s notifications?
· Are there clearly specified orders empowering the entity to operate in the specified industry?
· Have you obtained all the necessary approvals or permits for your operations?
· Are all these approvals properly documented and readily available for inspection?
· Does the sector in which the entity operates entail any special environmental risks or require special consideration?
· Does the entity carry out environmental risk analysis in accordance with specified schedule?
· Is there a suitable internal control system to ensure that the entity’s operations achieve the intended environmental objectives?
· Is the EMS suitably designed to meet environmental objectives of the entity?
· Does it provide for regular verifications and physical monitoring?
· Are the actions taken by the management to mitigate/abate the environmental impacts adequate?
· Has the cost for the same been assessed properly?
· Are the penalties for violation of the environmental conditions regularly paid?

2. Environmental Impact Assessment (EIA)
· Was the entity legally required to carry out any EIA prior to starting its operations?
· Was it carried out?
· Did the entity apply for and obtain environmental clearances as required under the relevant laws and regulations?
· Were the conditions subject to which the clearance was granted duly met?
· What was the cost of meeting environmental obligation as per environmental report/EIA report?
· Was it duly recorded in the books of accounts?

3. Air
· Does your concern require official approval for emissions to air?
· If yes, have you obtained these approvals (in the form of permits, licences, consents or authorization)?
· Are these approvals up to date and available for inspection?
· If relevant, are authorized limits and conditions under approval (e.g. monitoring data) being met?
· Are all sources of polluting air authorized where required?
· Has the entity taken action to measure and quantify the pollution level, emission level etc. during its operations?
· Has any reliable assessment of the level of greenhouse gas emissions/extent of air pollution of the environment attributable to the entity’s operations been made?
· Are efforts being made to control such emissions?
· Has the sanctioning authority reviewed the same and given its approval?

4. Water
· Does your company require official approval to discharge liquid effluent to ground, surface water (including streams, rivers and lakes) or sewer or drainage systems?
· If yes, have these approvals been obtained?
· Are these approvals up to date and available for inspection?
· Are all discharges identified and if required, authorized, licensed or permitted?
· Are discharge monitoring reports available for past few (say three) years?
· If relevant, are records of discharge samples kept for past few (say three) years?
· Is there adequate procedure for spill prevention and control?

5. Waste management
· Does the company have an inventory of all the waste generated in last three years?
· Does the company monitor and document usage, volume and disposal of all such waste?
· Does the company have details of where wastes are finally disposed of?
· Does the company have specific programmes to minimize such waste?
· Does the company generate hazardous waste?
· Are hazardous wastes collected and stored in properly constructed, undamaged, and closed containers?
· Are containers held on site for the minimum time possible, and less than any legally specified limit?
· Is an up-to-date inventory of hazardous chemicals kept on site available?
· Does the company have a hazardous waste minimization/pollution prevention plan in place?
· Do you monitor and document oil spills, chemical spills and other accidental releases?
· Is spill clean-up and containment equipment easily available?

6. Emergency planning and community relations
· Does the company have a documented plan for dealing with emergencies that may have an environmental significance?
· Are emergency actions clearly posted in all areas, with relevant telephone contact numbers?
· Does your company have procedures to identify the potential for, and response to, environmental incidents, accidents and emergency situations?
· Are the site emergency procedures reviewed and exercised regularly?
· Does your company have procedures to report on environmental incidents, accidents and emergency situations and implement corrective actions?
· Are the procedures communicated to all relevant parties like employees, factory neighbours etc.?
· Is there a programme to eliminate or, if not possible, reduce the use of hazardous substances?
· Is there a list of the hazardous substances on site, plus information on handling, disposal etc.?
· Does your company, routinely or in specific circumstances, track chemical use through materials accounting or some other method as distinct from, or in addition to, tracking environmental releases?

7. Record Keeping and Reporting
· Does the company keep track of the environmental sanctions issued to it?
· Is all approval documentation available?
· Does the company record violations noticed in the system?
· Has it taken timely remedial actions in the past?
· Do you maintain record of violations and remedial actions?
· Is the entity required under law or regulations to submit periodical environmental performance reports to the government?
· Do you report environmental performance regularly in the annual reports or environmental reports?
· Is the reporting system satisfactory?
· Are these reports externally verified?

Appendix IV
Environmental Statement - Form V

Every person carrying on an industry, operation or process requiring consent under Section 25 of the Water (Prevention and Control of Pollution) Act, 1974 or under Section 21 of the Air (Prevention and Control of Pollution) Act, 1981 or both, or authorization under the Hazardous Wastes (Management and Handling) Rules, 1989 shall submit an environmental statement for the financial year ending the 31st March in Form V to the concerned State Pollution Control Board on or before the thirtieth day of September every year, beginning 1993.

This requirement for the environmental statement was inserted through Rule 2 of the Environment (Protection) Second Amendment & Rules, 1992 vide G.S.R. 329(E), dated 13.03.92. Subsequently, the word ‘audit’ was substituted by the word ‘statement’ through Rule 2(a)(i) of the Environment (Protection) Amendment Rules, 1993 through notification G.S.R. 386(E), dated 22.4.93. The deadline for the submission of this report also came from this amendment. A specimen of the form is provided in this Appendix:

FORM V
(Rule 14)
Environmental Statement for the Financial Year Ending on 31st March ……...

PART A
(i) Name and address of the owner/occupier of the industry operation or process.
(ii) Industry category Primary……(STC Code) Secondary…… (STC Code).
(iii) Production capacity…… Units
(iv) Year of establishment
(v) Date of the last environmental statement submitted

PART B
Water and Raw Material Consumption

(i) Water consumption m3/d
Process :
Cooling :
Domestic :

Name of products | Process water consumption per unit of product output: during the previous financial year (1) | during the current financial year (2)
(1)
(2)
(3)

(ii) Raw material consumption

*Name of raw materials | Name of products | Consumption of raw material per unit of output: during the previous financial year | during the current financial year

*Industry may use codes if disclosing details of raw materials would violate contractual obligations, otherwise all industries have to name the raw material used.

PART C
Pollution Discharged to Environment/Unit of Output
(Parameter as specified in the consent issued)

Pollutants | Quantity of pollutants discharged (mass/day) | Concentration of pollutants in discharges (mass/volume) | Percentage of variation from prescribed standards with reasons
(a) Water
(b) Air

PART D
Hazardous Wastes
(as specified under Hazardous Wastes Management and Handling Rules, 1989)

Hazardous Wastes | Total Quantity (Kg): during the previous financial year | during the current financial year
(a) From process
(b) From pollution control facilities

PART E
Solid Wastes

Total Quantity: during the previous financial year | during the current financial year
(a) From process
(b) From pollution control facility
(c) (1) Quantity recycled or re-utilized within the unit
    (2) Sold
    (3) Disposed

PART F
Please specify the characterization (in terms of composition and quantum) of hazardous as well as solid wastes and indicate disposal practice adopted for both these categories of wastes.

PART G
Impact of the pollution abatement measures taken on conservation of natural resources and on the cost of production.
PART H
Additional measures/investment proposal for environmental protection abatement of pollution, prevention of pollution.

PART I
Any other particulars for improving the quality of the environment.

Appendix V
Sample Environmental Audit Report

ENVIRONMENTAL COMPLIANCE AUDIT REPORT

The length and detail of an environmental audit report may vary according to the nature and type of organization audited and also on the basis of the scope and object of the audit. However, the report is usually expected to include the following contents:

Executive summary
Table of contents
1. Background: e.g., nature and type of auditee organization, main business, facility description, EMS, etc.
2. Audit objective: e.g. to review compliance status of the organization, to check reporting of non-compliance or to verify the mechanisms for rectifying non-compliance.
3. Audit scope: whether it is initial audit, audit of only one site, facility or process or audit of whole organization, etc.
4. Audit criteria: National law, Supra-national law, International agreements, Applicable standards, Industry guidelines, or corporate policy.
5. Audit team
6. Audit schedule
7. Audit methodology: e.g.,
   - Document review
   - Checklist
   - Interviews, etc.
8. Audit findings:
   - Compliance status: compliance with environmental laws, specific regulation, certification requirement or company’s own environmental policy.
   - Violation information: e.g. failure to have required clearance, permit or approval, failure to have required plan or failure to report to authorities.
   - Mention the relevant law or regulation to which the violation relates like, air, water or hazardous waste Acts.
   - Significant consequences of non-compliance, e.g., penalty
   - Areas where non-compliance was found and corrected during audit period and areas where it is yet to be corrected.
9. Audit conclusions and recommendations
   - If audit findings indicate commendable level of compliance and no non-compliance was identified, still some opportunities for improvement can be identified and listed.
   - If non-compliance was found, recommendations can be made for developing some mechanism so that in future, it is not repeated. Indicate the time until the correction is to be completed and person responsible for making corrections.
10. Annexes
   - Environment policy and action plan of organization
   - List of applicable laws and regulations
   - Checklists

Signature of auditor with date and place

SAMPLE ENVIRONMENTAL INFORMATION AUDIT REPORT

Environmental Audit Report 2011 of ABC Ltd.
Dated 31st December 2011

1. Executive Summary
1.1 Type of audit
1.2 Description of audit environment
1.3 Summary of findings

2. Introduction
2.1 Objective of verification: To verify the reliability and consistency of environmental data selected by ABC Ltd. for inclusion in the company’s Environmental Report, 2011, issued under the responsibility of the management. The aim of verification is to consider the accuracy of environmental performance data provided in the report and to provide a verification opinion based on objective evidence.
2.2 Scope of work: The scope of work covered activities at all four sites of ABC Ltd for which environmental data is generated, each one of which was visited as part of the verification coverage.
2.3 Reference documents:
   - Environmental policy statement of the company
   - Environmental Action plan of the company for the year 2011
   - Environmental performance data of each site
   - Others

3. Verification methodology: The verification has been conducted using standard audit procedures and guidance for external verification of non-financial reporting, based on current best practice. Adequate compliance and substantive procedures were used in verification.

4. Audit findings: On the basis of verification of data, we are of the opinion that:
   - The environmental data reported at headquarters as well as site level is measured, collected and recognized based on an established and effective internal control system and processes.
   - All errors in reported data identified during the verification process have been duly corrected.
   - Environmental impact data related to economic activities of the organization was clear and unambiguous.
   - Reporting of data as per regulatory requirements was appropriate.

5. Audit Conclusions: Nothing came to our attention to suggest that data was not reliable or it contained significant errors.

6. Recommendations*

7. Annexes
7.1 Audit checklists
7.2 Supporting documents
7.3 Auditor’s qualifications

Signature of the auditor
Place and date

For some more guidance on environmental audit reports, refer to:
1. Department of Environment, Ministry of Natural Resources and Environment, Malaysia, Environmental Audit Guidance Manual, 2011. Source: http://www.doe.gov.my/portal/wp-content/uploads/Environmental_Audit_Manual_Draft_91.8-final-edited-19Oct112.pdf
2. Environment Agency, Abu Dhabi, Technical Guidance Document for Environmental Audit Report, 2011. Source: http://www.ead.ae/_data/global/tgd_auditreport.pdf

* These are mainly required in Environmental performance audits, where the purpose is to reduce environmental impacts of the concern and improve environmental performance of the company.

References

1. ACCA and UNEP, (2002), ‘Industry as a Partner for Sustainable Development Accounting’, A report prepared by Association of Chartered Certified Accountants (ACCA), developed through a Multi stakeholder process facilitated by UNEP, UK, Source: http://www2.accaglobal.com/pubs/general/activities/library/sustainability/sus_archive/tech-unep-001.pdf.
2.
CAG, (2008), ‘Study Report on Environmental Auditing’, Source: http://saiindia.gov.in/english/home/Our_Products/ Other_Reports/Study_Reports/Study_Report_Environment_ Audit/Study_Report_Environment_Audit.html. 3. Cahill, L.B., (1996), ‘Environmental Audits’, 7th Edition, Government Institutes, Rockville. 4. Canadian Institute of Chartered Accountants, (1992), ‘Environmental Auditing and the Role of the Accounting Profession’, Toranto, Ontario: CICA. 5. Canadian Standard Association, (1994), CSA-Z751-94: ‘Guidelines for Environmental Auditing: Statement of Principles and General Practices’, CSA. 6. Department of Environment, Ministry of Natural Resources and Environment, Malaysia, ‘Environmental Audit Guidance Manual, 2011’. Source: http://www.doe.gov.my/portal/wp- content/uploads/ Environmental_Audit_ Manual_Draft_91.8- final-edited-19Oct112.pdf. 7. Department of Environmental Affairs and Tourism, South Africa, (2004), ‘Environmental Auditing’. Source: http:// www.environment. gov.za/Services/documents/Publications/ series_14.pdf. 8. ‘Eco-Management and Audit Scheme (EMAS)’. Source: http:/ /ec.europa.eu/environment/ emas/index_en.htm. 709 Compendium of Generic Internal Audit Guides 9. ‘Environment (Protection) Act, 1986 of India’. Source: http:// moef.nic.in/downloads/rules-and-regulations/eprotect_ act_1986.pdf. 10. Environment Protection Agency (EPA), (1995a), ‘An introduction to Environmental Accounting as a Business Management Tool: Key Concepts And Terms’, US EPA primer, Washington DC: EPA, (1995a), p.28. Source: http:// www.epa.gov/opptintr/library/pubs/archive/acct-archive/pubs/ busmgt.pdf. 11. Federation Des Experts Comptables Europeens (FEE), (1999), ‘Discussion Paper Towards a Generally Accepted Framework for Environmental Reporting’, Source: http:// www.fee.be/search/ default_view.asp?content_ref=284. 12. Global Reporting Initiative (GRI) (2002). Sustainability Reporting Guidelines. 
Source: https://www.globalreporting.org/ resourcelibrary/G3.1-Sustainability-Reporting-Guidelines.pdf. 13. Gray R. and Bebbington T., (2001), ‘Accounting for the Environment’, Sage Publications, London, 2nd Edition. 14. IFAC (2011). ‘Sustainability Framework 2.0, Professional Accountants as Integrators’, Source: http://www.accountability. org/images/content/4/3/435.pdf. 15. International Auditing Practice Statement 1010 (1998). “The Consideration of Environmental Matters in the Audit of Financial Statements”. Source: http://web.ifac.org/download/ b007-2010-iaasb-handbook-iaps-1010.pdf. 16. International Chamber of Commerce, (1989), ‘Environmental Auditing’, Paris: ICC. 17. International Organization for Standardization, ‘ISO and the Environment’ Source: http://www.iso.org/iso/iso_catalogue/ management_standards/environmental_management/ iso_and_the_environment.htm. 18. INTOSAI, Working Group on Environmental Auditing, (2004), ‘Environmental Audit and Regularity Auditing’. Source: http:/ /www.environmental-auditing.org/LinkClick.aspx?fileticket=Lv HmglevYf0%3d&tabid= 128&mid=568. 710 Guide on Environmental Audit 19. INTOSAI, Working Group on Environmental Auditing, (2007), ‘Evolution and Trends in Environmental Auditing’. Source: http://www.environmental-auditing.org/LinkClick.aspx? fileticket=91 RsG1vxtGs% 3d&tabid=128&mid=568. 20. ISO 14000 Series and ISO 19011:2002. http://www.iso.org. 21. KPMG, (2002), ‘KPMG International Survey of Corporate Sustainability Reporting’, Source: http://www.gppi.net/ fileadmin/gppi/KPMG2002.pdf. 22. Mayya S., (2009), ‘Emerging Opportunities for Environmental Auditing: a Study of Large Scale Industries of Karnataka’, A research study sponsored by ICAI accounting research foundation, Delhi Source: http://www.icai.org/resource_file/ 17799enviormental_auditing.pdf. 23. MoEF, Legislations on Environment, Forests and Wildlife, Source: http://envfor.nic.in/legis/legis.html. 24. 
Pahuja S., (2007), ‘Environmental Reporting Verification: A Critical Evaluation of Accountants’ Views and Corporate Practices in India’, Social Responsibility Journal, Vol.3, No. 2, 2007, pp. 22-31. This paper received Outstanding Paper Award for 2007 from Emerald Publishers, UK. Source: http:// www.emeraldinsight.com/journals.htm?articleid=1631551. 25. Pahuja S., (2009), ‘Environmental accounting and reporting: Theory, law and empirical evidence’, New Century Publications: Delhi. Source: http://www.newcentury publications.com/servlet/ncpGetBiblio?bno=000214. 26. United Nations, (1997), Environmental Financial Accounting Guidelines, Reports Prepared for the UNCTAD Intergovernmental Working Groups of Experts on International Standard of Accounting and Reporting (ISAR), New York, UN. 27. United Nations Environment Programme (UNEP), (1990) ‘Environmental Auditing’, Technical Report Series No. 2, UNEP, Industry and Environment office. 28. United Nations, (2000), ‘Accounting and Financial Reporting for Environmental Costs and Liabilities’, A Manual prepared 711 Compendium of Generic Internal Audit Guides for the United Nations Conference on Trade and Development (UNCTAD) under the guidance of an International review group and technical support of UNCTAD/ISAR: Intergovernmental Working Group of Experts on International Standards of Accounting and Reporting (ISAR), CICA: Canadian Institute of Chartered Accountants, ACCA: Association of Chartered Certified Accountant, UK.. Source: http://www.unctad.org/Templates/webflyer.asp?docid=205& intItemID=3914&lang=1&mode=downloads. 29. Young S.S., (1994), ‘Environmental auditing’, Cahners Publishing Company, Des Plaines. 
G-7
DATA ANALYTICS AND CONTINUOUS CONTROLS MONITORING
(including Practical Case Studies)

Foreword

Information Technology is revolutionizing the nature and scope of worldwide communications, changing business processes, and erasing the traditional boundaries of the organization, internally between departments and externally with suppliers and customers. The resulting intra-enterprise coordination as well as inter-enterprise integration with external business partners through supply chain management and customer relationship management systems demonstrates the power of IT as both a driver and enabler of management processes and strategies.

The developments in Information Technology are not only changing the way businesses are being conducted, but also increasing the associated risks and changing the requirement of proper controls. Internal auditors must recognize and leverage the powerful capabilities of computers and technology in collecting, generating, and evaluating information for managerial decision making related to strategy, risk management and controls, and, more broadly, for effective organizational governance. The purpose is to enhance audit effectiveness, which should improve corporate governance by increasing the monitoring, accountability, and accuracy of the organisation’s transactions and financial reporting.

I am pleased that the Internal Audit Standards Board of ICAI is issuing this publication on “Data Analytics and Continuous Controls Monitoring” to educate members with current data analysis tools, computer-assisted audit techniques and continuous auditing and monitoring methods. I congratulate CA. Rajkumar S. Adukia, Chairman, Internal Audit Standards Board and other members of the Board on issuance of this publication. I am confident that this publication would help the members to implement technology enabled auditing and render their duties in an effective manner.

August 8, 2012
New Delhi
CA. Jaydeep Narendra Shah
President, ICAI

Preface

Information Technology fundamentally changes the way in which organizations operate internally and interconnect with external organizations, redefining the boundaries for cooperation. Internal auditors can play a pivotal role in helping organizations leverage IT to meet the increased demand for improved governance by evaluating current risks and controls as well as defining and assessing the monitoring systems. Internal auditors can also help develop an information system to provide the board with mandated financial information, industry insights, risk and controls analysis, and the integrity of the financial reporting system.

While IT brings great opportunities to the organization, it also brings great risk. The interconnectivity of the e-commerce environment increases the scope and magnitude of risks faced by the organization. Data analysis can help auditors meet their auditing objectives and would thereby help to comply with auditing standards, support enterprise risk management system, uncover fraud and money laundering, recover costs, improve compliance with regulations and would also provide better insight into business operations and performance.

Considering this, the Internal Audit Standards Board is issuing “Data Analytics and Continuous Controls Monitoring”. This Guide has been divided into various chapters covering data analytics for business decision making, computer aided audit tools, stages in the use of general audit software, benefits derived by using general audit software, general audit software applications across business functions and industries, fraud detection using general audit software, documentation of process of use of general audit software, etc. This guide also provides guidance on challenges while implementing data analytics, application of CAATs to bank audits, continuing auditing with IDEA, etc. This guide also contains practical case studies for using MS Excel for CAAT, Data Analysis and MIS reporting.

At this juncture, I am grateful to CA. Deepjee A. Singhal, CA. Manish Pipaliia for sharing their experiences and knowledge with us and preparing the draft of the publication for the benefit of the members and also to CA. Rishabh Pugalia for preparing the chapter on “Case Studies – using MS Excel for CAAT, Data Analysis and MIS Reporting” for inclusion in this Guide.

I wish to thank CA. Jaydeep N. Shah, President and CA. Subodh Kumar Agrawal, Vice President for their continuous support and encouragement to the initiatives of the Board. I must also thank my colleagues from the Council at the Internal Audit Standards Board, viz., CA. Rajendra Kumar P., Vice-Chairman, IASB, CA. Amarjit Chopra, CA. Shiwaji B. Zaware, CA. Ravi Holani, CA. Anuj Goyal, CA. Nilesh Vikamsey, CA. Atul C. Bheda, CA. Charanjot Singh Nanda, CA. Pankaj Tyagee, CA. G. Ramaswamy, CA. J. Venkateswarlu, CA. Abhijit Bandyopadhyay, CA. S. Santhanakrishnan, Shri Prithvi Haldea, Smt. Usha Narayanan, Shri Gautam Guha, Shri Manoj Kumar and Shri Sidharth Birla for their vision and support. I also wish to place on record my gratitude for the co-opted members on the Board viz., CA. Porus Doctor, CA. Masani Hormuzd Bhadur, CA. Ghia Tarun Jamnadas, CA. Deepjee A Singhal, CA. Nitin Alshi, CA. Narendra Aneja and CA. Guru Prasad M and special Invitee, CA. Sumit Behl for their invaluable guidance as also their dedication and support to the various initiatives of the Board.

I firmly believe that this publication would serve as basic guide for the members and other readers interested in the subject.

August 9, 2012
Mumbai
CA. Rajkumar S. Adukia
Chairman, Internal Audit Standards Board

Contents

Introduction
Chapter 1 Data Analytics for Business Decision Making
Chapter 2 Computer Aided Audit Tools (CAATs)
Chapter 3 Academic and Regulatory Drivers to the Use of CAATs
Chapter 4 Stages in the use of General Audit Softwares
Chapter 5 Benefits derived by using General Audit Softwares
Chapter 6 Common General Audit Software Applications across Business Functions and Industries
Chapter 7 Fraud Detection using General Audit Softwares – Case Studies
Chapter 8 Documentation of process of use of General Audit Softwares
Chapter 9 Challenges while Implementing Data Analytics
Chapter 10 Application of CAATs to Bank Audits
Chapter 11 Continuous Auditing with IDEA
Chapter 12 Continuous Monitoring with Big Data using Caseware Monitor
Chapter 13 Conclusion
Chapter 14 Case Studies — Using MS Excel for CAAT, Data Analysis and MIS Reporting

Introduction

Data Analytics

1. Although internal auditors have been doing analysis for more than 25 years, it has only recently started to become standard practice. By nature, most accountants and auditors are inclined to stick with what has worked in the past, rather than reach outside their comfort zones for an alternative that could help them accomplish more.
They should ask themselves: “Could they analyse data electronically in 15 minutes where traditional methods would take 15 hours, and certainly improve the quality of reports as a result?” At the end of the day, if internal auditors want to make better decisions and take the right actions, they have to use analytics. Putting analytics to work is about improving performance in key business domains using data and analysis. For too long, managers have relied on their intuition or their “golden gut” to make decisions.

2. On the audit front, auditors, both financial and internal, have been performing data analysis for more than 25 years. Data analysis using Computer Assisted Audit Techniques (CAATs) has started to gain centre stage in the ‘Now Economy’. All organisations are impacted by IT in various forms. It is nearly impossible to conduct an effective audit without the aid of technology tools. Current audit standards already require consideration of the use of data analysis for good reason. The use of data analysis allows auditors to view high-level organizational operations and drill down into the data. It is important for the Chief Audit Executive (CAE) and his staff to realize that the use of data analysis technology is not limited to the scope and activities associated with IT audit alone. The use of technology-based audit techniques in general, and data analysis technology in particular, is far more widespread.

Continuous Controls Monitoring

3. Continuous Controls Monitoring applications are a framework to achieve acceptable levels of risk in an organization by monitoring and addressing internal control weaknesses. The application manages risks and controls from an enterprise level by examining the details of transactions and data files. Most organizations spend significant time and effort in streamlining their internal controls to meet regulatory requirements, such as COSO III, Sarbanes-Oxley, Basel II, and ISO 9000. By implementing Continuous Controls Monitoring applications, these efforts can be automated and made repeatable.

4. Organizations can move away from periodically examining the state of controls to knowing when a control has failed or is about to fail. Continuous Controls Monitoring applications monitor transactions and data within business processes to detect exceptions based on business rules and parameters. Once exceptions are detected, relevant business users and departmental heads can be alerted through triggers using a variety of contact options, such as email and text messaging. All alerts and reports are managed within a comprehensive workflow solution.

Chapter 1
Data Analytics for Business Decision Making

Introduction

1.1 All the analytics in the world won’t help unless we use them to make and execute better decisions. Entrepreneurs who realize this will ride the wave for times to come. Analytics and fact-based decisions establish trends for the ages to come. Other decision approaches will ebb and flow, but the progress towards fact-based techniques is here to stay permanently. The writing is on the wall for us all to see – “We are becoming rational, analytical and data-driven in a far wider range of activity than we ever have been before”. Better information systems facilitate better decisions. The first fifty odd years of the digital age were spent largely in capture of data. Now that entities are beginning to master analytics, they can better justify the utilization of the captured data sets.

1.2 Fact-based decisions employ objective data and analysis as the primary guides to decision making.
The goal of these guides is to get at the most objective answer through a rational and fair-minded process, one that is not colored by conventional wisdom or personal biases. Whenever feasible, fact-based decision makers rely on the scientific method – with hypothesis and testing – and rigorous quantitative analysis. They eschew deliberations that are primarily based on intuition, gut feeling, hearsay, or faith, although each of these may be helpful in framing or assessing a fact-based decision.

Business Side of Analytics

1.3 Analytics can yield significant benefits to business. Following are some of the reasons to jump onto the analytical band-wagon right away:

(i) Better Strategic Decisions
If you’re trying to conclude on buying or merging with another company, entering a new market or winning over a different customer type, you will benefit from analytical decision making. Strategic decisions need good intuition, but analytics will certainly help you make sense of the impact of imponderables on growth and profit.

(ii) Improved Tactical and Operational Decisions
Decisions on production, pricing, market segment and selling are decisions that recur frequently and are based on operations that create tonnes of data. The systematic collection and analysis of data can yield tangible and cognizable savings per transaction and super profits over a dramatic time scale.

(iii) Enhanced Ability to Take on Problems Head-on
If your supply chain has more inventory than you would expect for the quarter, analytics can help with a solution. Hence, if something is going wrong, then gathering and analysing data on the underlying causes of the problems is the best way to get to their source. Analytics work the numbers and demystify the cause, rather than merely treating the symptoms.

(iv) Streamlined Business Processes
Embedding analytics into the underlying business processes is just good business. Processes are a structured way to think about how work gets done. Analytics are a structured way to think about the decisions within those processes.

(v) Decisions at the Speed of Analytics and Consistent Results
Analytics take time to develop at first instance. Once developed and set up, you can scale it and run it any number of times in short spans of time. By using analytic optimizers created by your experts, you can be sure decisions will be made correctly and consistently across the board.

(vi) Anticipate Varying Trends and Market Conditions
Monitoring the outside business environment and its force-factors can provide a compelling early warning alert mechanism of shifting economic and market dynamics. Analytics bring opportunities to the fore and help predict changing customer tastes, loyalties and spending tendencies. Assumptions made under various analytical scenarios can be tested for their relevance and applicability on an on-going basis.

(vii) Sharper Business Results
It’s a known fact that entities which ride the analytic wave make better financial fortunes than their industry peers.

Traits of Analytical Leaders for Evolved Decision Making

1.4 Analytical leaders must demonstrate the following traits abundantly:

(i) Develop their People Skills
Analytical leaders must learn to develop a fine blend of the technical nuances and subtle people skills like sympathy and empathy.

(ii) Be a Catalyst for More Data and Greater Analytics
Individuals who plan to hone leadership skills in analytics must set a tone for data and analysis amongst all their teams. Sloppy logic and uninformed intuition must make way for hard-data analysis and related conclusions.

(iii) Lead from the Front
Good analytical leaders set an example by crunching data in their own decisions.

(iv) Sign-up for Results
Seasoned analysts commit themselves to achieving a specific result in the part of the organization they serve or control.

(v) Train
Budding analysts gently guide, orient and sensitize protégés into the analytical way of work.

(vi) Set Strategy and Expected Results
Analytical Leaders at the helm of affairs know that analytics and fact-based decisions do not happen in a vacuum. Defining metrics will itself drive the organization in a more sustained analytical direction and motivate employees to begin tools usage and decision making thereof.

(vii) Look for Leverage
Strong analytical leaders know where to apply leverage and where a small improvement in a process driven by analytics can make a big difference in top line and bottom line figures.

(viii) Patient and Perseverant
Analytical leaders have to work doggedly and persistently for the long haul because changes that apply analytics to decision making, business processes, information systems, culture and strategy hardly happen overnight.

(ix) Create an Analytical Ecosystem
Expert analysts build an ecosystem of employees, vendors and partners who work towards providing talent, advice, resources, tools and solutions to common problems.

(x) Know Limit
Mature analytical leaders blend analytics with intuition and never lose sight of the big business picture. They focus on the soft issues in business models and customer values and let their intuition take over as and when required.

Introspection for Decision Makers on Use of Data Analytics

1.5 Following are important points for introspection for decision makers on use of data analytics:
- Assessing where you are, i.e., what are your analytical capabilities, strengths and weaknesses.
- Recognizing where to go next, i.e., what strengths can you capitalize on, and what gaps should you try to close.
- Setting reasonable ambitions, i.e., what can you hope to accomplish and when.
- Monitoring progress, i.e., how fast and how far are you traveling on the journey to capitalize on analytics.
- Consensus with executive leadership and everyone else with an interest in succeeding with analytics – how can each decision maker come to mutual understanding about capabilities and commitments to a plan of analytic action.

Conclusion

1.6 Traditional bases of competitive advantage, like geographical proximities or protective regulation, have been eroded by the sweeping effects of globalization. This leaves three key differentiators as the basis for competition – efficient and effective implementations, intelligent decision making and the skill to cull out every ounce of value from business processes – all of which can be gained through the mature use of analytics. The time has come for auditors to:
- Use data more intelligently to deduce critical business analytical insights.
- Build a framework of data, people and technology to administer analytics.
- Groom analytical users and leaders.
- Set and monitor SMART targets for analytical pursuits.

Sources:
1. Analytics at Work – Smarter Decisions Better Results – Davenport, Harris and Morison.
2. Competing on Analytics – The New Science of Winning – Davenport and Harris.
3. Research papers on CAATs – IDEA Data Analysis Software – www.caseware-idea.com.

Chapter 2
Computer Aided Audit Tools (CAATs)

2.1 Data analysis as used by auditors is the process of identifying, gathering, validating, analysing and interpreting various forms of data within an organization to further the purpose and missions of auditing. Computer Assisted Audit Techniques (CAATs) are computer programs that the auditor uses as part of the audit to process data of audit significance to improve the effectiveness and efficiency of the audit process.

2.2 The matrix below identifies the six key questions that data analytics can address in any organization:

| | Past | Present | Future |
|---|---|---|---|
| Information | What happened? (Reporting) | What is happening now? (Alerts) | What will happen? (Extrapolation) |
| Insight | How and why did it happen? (Modelling, experimental design) | What’s the next best action? (Recommendation) | What’s the best/worst that can happen? (Prediction, optimization, simulation) |

Much of your “business-intelligence” activities are in the top row. Moving from purely information-oriented questions to those involving insights is likely to give you a much better understanding of the dynamics of audit in any business operation.

Where can CAATs Apply

2.3 Analytics can help to transform just about any part of your business or organization. Many organizations start where they make money, in customer relationships. They use analytics to segment their customers and identify their best ones. They analyse data to understand customer behaviours, predict their customers’ wants and needs, and offer fitting products and promotions. They price products for maximum profitability at levels that they know their customers will pay. Finally, they identify the customers at greatest risk of attrition, and intervene to try to keep them.

Not surprisingly, analytics can also be applied to the most numerical of business areas, like finance and accounting. Instead of just putting financial metrics on scorecards, leading firms are using CAATs to determine which factors truly drive financial performance. In this era of instability, financial and other firms are using CAATs to monitor and reduce risk.

When Application of CAATs is not Practical

2.4 There are times when being analytical just doesn’t fit the situation. Some of these situations are:

(i) When there’s No Time. Some decisions must be made before data can be gathered systematically. One of the best examples is the decision Gary Klein addresses in his book Sources of Power.
When a fire-fighter is in a burning building, trying to decide whether the floor is about to collapse, he has to “gather data” rapidly by observing his surroundings. He’s unlikely to perform a logistic regression analysis using CAATs.

(ii) When there’s No Precedent. If something has never been done before, it’s hard to get data about it. The obvious analytical response in such a situation is to perform a small-scale randomized test on the idea and see if it works.

(iii) When History Is Misleading. Even when ample precedents exist, as the fine print on the stockbroker ads warns, “past performance is not necessarily indicative of future results.” Rather than abandoning statistical techniques in CAATs altogether, auditors should try to identify those unusual times when the past is not a good guide to the present.

(iv) When The Decision Maker Has Considerable Experience. Sometimes a decision maker has made a particular decision often enough to have internalized the process of gathering and analysing data. If you’re an experienced home appraiser, for example, you can estimate what a home on the market is worth without feeding data into an algorithm.

(v) When The Variables Can’t Be Measured. Some decisions are difficult to make analytically because the key variables in the analysis are hard to measure with rigor.

Types of CAATs

2.5 CAATs may consist of packaged, purpose-written utility programs or system management programs. Different technologies fall under this concept, including database interrogation tools (generic standard query language-based tools) and audit-specific packages. The table below identifies the different types of CAATs with a brief note on their purpose:

| CAATs Caption | Purpose |
|---|---|
| General Audit Softwares | Special programs developed for data extraction and analysis, entailing sorting, grouping, filtering, joining, sampling, irregularity testing, arithmetical computation and more. |
| Stress Testing Tools | Tools that can be specially deployed for volume and stress testing of user traffic response through newly implemented application programs. |
| Integrated Test Facility | Program that simulates transactions that can be used to test processing logic, computations and controls actually programmed within software applications. |
| Enterprise Risk Management (ERM) Tools | Tools which, when integrated with the company ERM activities, assist in risk identification, scoring, treatment and mitigation. |
| Audit Administration Programs | Special purpose tools which assist the auditor in planning, programming, administration, working paper management and reporting. |

This chapter will largely present General Audit Softwares.

General Audit Softwares – Attributes of Data Analysis Software for Audit

2.6 Data analysis technology for internal audit’s use needs to have the features and functionality that auditors require to do their job effectively. Not only should it deal with the data access challenges, but it also needs to support the way in which auditors work and the types of analytics that are appropriate to the audit task on hand.

Following are some of the key attributes of General Audit Softwares:
- Able to analyse entire data populations covering the scope of the audit engagement.
- Makes data imports easy to accomplish and preserves data integrity.
- Allows for accessing, joining, relating and comparing data from multiple sources.
- Provides commands and functions that support the scope and type of analysis needed in audit procedures.
- Generates an audit trail of analysis conducted that is maintained to facilitate peer review and the context of the audit findings.
- Supports centralized access, processing and management of data analysis.
- Requires minimum IT support for data access or analysis to ensure auditor independence.
- Provides the ability to automate audit tasks to increase audit efficiency, repeatability and support for continuous auditing.

2.7 Use of General Audit Softwares for data analysis tasks can be grouped into the following three types:

| Ad Hoc | Repetitive | Continuous |
|---|---|---|
| Explorative and investigative in nature. | Periodic analysis of processes from multiple data sources. | ‘Always on’ – scripted auditing and monitoring of key processes. |
| Seeking documented conclusions and recommendations. | Seeking to improve the efficiency, consistency and quality of audits. | Seeking timely notification of trends, patterns and exceptions. Supporting risk assessment and enabling audit efficiency. |
| Specific analytic queries – performed at a point in time – for the purpose of generating audit report findings. | Managed analytics – created by specialists – and deployed from a centralized, secure environment, accessible to all appropriate staff. | Continual execution of automated audit tests to identify errors, anomalies, patterns and exceptions as they occur. |

2.8 Leading internal audit activities have a lot in common when looking for data analysis tools. They look for data analysis tools (i.e., software) that are easy to learn and can realistically be used by the entire audit staff, not just a select few. The software must measurably improve audit techniques and shorten audit cycles right out of the box.
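
The "Continuous" analysis type in 2.7, like the Continuous Controls Monitoring applications described in the Introduction, comes down to scripted tests run over transaction data, with each exception routed to a responsible owner. The sketch below is an added illustration, not part of the Guide or of any General Audit Software product; the payments extract, rule names, approval limits and owner addresses are all constructed assumptions.

```python
"""Continuous-audit tests over a payments extract (constructed sample data)."""
import csv
import hashlib
import io
from collections import defaultdict
from decimal import Decimal

# Constructed extract: voucher number, vendor, invoice number, amount, approver.
PAYMENTS_CSV = """voucher,vendor,invoice,amount,approver
1001,V-17,INV-884,48000.00,clerk_a
1002,V-09,INV-120,125000.00,clerk_a
1003,V-17,INV-884,48000.00,clerk_b
1005,V-22,INV-301,9900.00,manager_c
1006,V-22,INV-302,9900.00,manager_c
"""

# Assumed business parameters; in practice the control owner maintains these.
APPROVAL_LIMITS = {
    "clerk_a": Decimal("50000"),
    "clerk_b": Decimal("50000"),
    "manager_c": Decimal("500000"),
}
# Assumed routing of each rule's alerts to a responsible owner.
RULE_OWNERS = {
    "DUPLICATE_INVOICE": "ap-head@example.com",
    "OVER_APPROVAL_LIMIT": "finance-controller@example.com",
    "VOUCHER_GAP": "internal-audit@example.com",
}


def load_payments(text):
    """Parse the extract; Decimal keeps amount comparisons exact."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rows.append({
            "voucher": int(rec["voucher"]),
            "vendor": rec["vendor"].strip(),
            "invoice": rec["invoice"].strip().upper(),
            "amount": Decimal(rec["amount"]),
            "approver": rec["approver"].strip(),
        })
    return rows


def duplicate_invoices(rows):
    """Same vendor, invoice number and amount paid on more than one voucher."""
    seen = defaultdict(list)
    for r in rows:
        seen[(r["vendor"], r["invoice"], r["amount"])].append(r["voucher"])
    return [
        {"rule": "DUPLICATE_INVOICE", "vouchers": sorted(v),
         "detail": f"{vendor} {invoice} paid {len(v)} times"}
        for (vendor, invoice, _amount), v in seen.items() if len(v) > 1
    ]


def over_approval_limit(rows):
    """Payment exceeds the approver's limit; unknown approvers have limit 0."""
    return [
        {"rule": "OVER_APPROVAL_LIMIT", "vouchers": [r["voucher"]],
         "detail": f"{r['approver']} approved {r['amount']}"}
        for r in rows
        if r["amount"] > APPROVAL_LIMITS.get(r["approver"], Decimal("0"))
    ]


def voucher_gaps(rows):
    """Gap detection: voucher numbers missing from the observed range."""
    present = {r["voucher"] for r in rows}
    if not present:
        return []
    missing = sorted(set(range(min(present), max(present) + 1)) - present)
    return [{"rule": "VOUCHER_GAP", "vouchers": [m],
             "detail": f"voucher {m} missing from sequence"} for m in missing]


def run_monitoring(extract_text):
    """Run every test and return exceptions with the owner to notify, plus a
    digest and record count so the working papers show what was tested."""
    rows = load_payments(extract_text)
    exceptions = []
    for test in (duplicate_invoices, over_approval_limit, voucher_gaps):
        for exc in test(rows):
            exc["notify"] = RULE_OWNERS[exc["rule"]]
            exceptions.append(exc)
    return {
        "input_sha256": hashlib.sha256(extract_text.encode("utf-8")).hexdigest(),
        "records_tested": len(rows),
        "exceptions": exceptions,
    }


if __name__ == "__main__":
    report = run_monitoring(PAYMENTS_CSV)
    print(report["records_tested"], "records,", report["input_sha256"][:12])
    for exc in report["exceptions"]:
        print(exc["rule"], exc["vouchers"], "->", exc["notify"], "|", exc["detail"])
```

Running the same script against every new extract, rather than once for a single report, is what moves it from the "Ad Hoc" column to the "Continuous" one; the digest and record count give the audit trail that 2.6 asks for.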
2.9 Chief Audit Executives (CAEs) may employ the comprehensive ranking card (below) while evaluating suitable General Audit Software for their engagements:

Need: 0 = Needless; 1 = Nice to Have; 2 = Desirable; 4 = Mandatory

Internal Audit Strategic Objectives

| No. | Criterion | Need |
|---|---|---|
| 1 | Software is easy to learn and use | |
| 2 | Competitive advantage | |
| 3 | Minimize reliance on IT professionals | |
| 4 | Improve work accountability, responsibility and supervision | |
| 5 | Enforces production program change controls | |
| 6 | Reliability: bug free, speed, work like a professional | |
| 7 | Portability: runs on a laptop | |
| 8 | Scalable: grow from desktop to server without learning new software | |
| 9 | Data integrity and security: client data is protected from auditor change | |
| 10 | Collaborative features | |
| 11 | Supports development of automated and continuous programs | |
| 12 | Compatible with electronic work papers | |
| 13 | Improves documentation of audit work completed | |

Provider and Implementer Support

| No. | Criterion | Need |
|---|---|---|
| 14 | Global presence | |
| 15 | Years in business | |
| 16 | Multiple languages | |
| 17 | Help desk available | |
| 18 | Ease of doing business: knowledgeable in auditing needs | |
| 19 | Regular software upgrades | |
| 20 | Training readily available | |
| 21 | User group program for networking with other users of the Tool | |
| 22 | Knowledgeable consultants independent of the provider available | |
| 23 | Getting started programs available | |

Technical Features and Functionality

| No. | Criterion | Need |
|---|---|---|
| 24 | Import all file types used by the organization | |
| 25 | Handles large file record sizes | |
| 26 | Handles large data volumes | |
| 27 | Ease in validating and reconciling data import | |
| 28 | Modify imported data field properties | |
| 29 | Support search for text, numbers and time | |
| 30 | Project visual chart or mapping of data actions performed | |
| 31 | File join/ merge/ compare | |
| 32 | File append | |
| 33 | Visual Connector | |
| 34 | Sorts, indexing, filtering and fuzzy logic | |
| 35 | Summarization | |
| 36 | Extraction | |
| 37 | Pivot Table | |
| 38 | Stratification | |
| 39 | Gap Detection | |
| 40 | Aging | |
| 41 | Compare data to predicted data – Benford’s Law | |
| 42 | Advanced statistical analysis: correlation, trend analysis, time series | |
| 43 | Sampling | |
| 44 | Statistical analysis | |
| 45 | Export to typical office applications | |
| 46 | Create custom reports and graphics | |
| 47 | Create simple and complex calculated fields | |
| 48 | Data cleansing solutions – character and functions available | |

Cost

| No. | Criterion | Need |
|---|---|---|
| 49 | Software purchase | |
| 50 | Implementation costs – scripting and components | |
| 51 | Upgrade fees | |
| 52 | Annual help desk support | |

Source - Global Technology Audit Guide (GTAG) 3: Continuous Auditing: Implications for Assurance, Monitoring and Risk Assessment released by the Institute of Internal Auditors (IIA)

Chapter 3
Academic and Regulatory Drivers to the Use of CAATs

3.1 Academic pronouncements issued by international Audit and Accounting regulators in the last decade have played an important role in promoting CAATs worldwide. Of these pronouncements, the guidelines issued by the following regulators are significant:

• The Institute of Chartered Accountants of India
• The Institute of Internal Auditors, Delhi
• The Information Systems Audit and Control Association.

The Institute of Chartered Accountants of India

3.2 Recognising the developments in the field of technology and their impact on the auditing profession in India, the Auditing and Assurance Standards Board had issued Standard on Auditing (SA) 401, “Audit in Computer Information System Environment”. The Guidance Note on Computer Assisted Audit Techniques comes as a follow up to that AAS.
The Guidance Note deals extensively with the concept of CAATs and related pertinent issues, such as what CAATs are, where they may be used, considerations in use of CAATs, how to use CAATs, testing of CAATs, controlling application of CAATs, documentation required when using CAATs, use of CAATs in small entities, etc. The Guidance Note also contains a comprehensive appendix containing examples of CAATs, their description and comparable advantages and disadvantages of each of these CAATs. Further, from the date Standard on Auditing (SA) 315 and SA 330 come into effect, this Standard on Auditing shall stand withdrawn. SA 315 and SA 330 are effective for audits of Financial Statements beginning on or after April 1, 2008.

The Institute of Internal Auditors, Delhi

3.3 The Global Technology Audit Guide (GTAG) 16 on ‘Data Analysis Technologies’, released by the Institute of Internal Auditors in August, 2011, is a significant and landmark International Professional Practices Framework (IPPF) - Practice Guide on use of CAATs.

The GTAG 16 cites related Standards/Guidance:

(i) Standard 2300: Performing the Engagement
Internal auditors must identify, analyse, evaluate and document sufficient information to achieve the engagement’s objectives.

(ii) Standard 2310: Identifying Information
Internal auditors must identify sufficient, reliable, relevant and useful information to achieve the engagement’s objectives.

(iii) Standard 2320: Analysis and Evaluation
Internal auditors must base conclusions and engagement results on appropriate analyses and evaluations.

(iv) Practice Advisory 2320-1: Analytical Procedures
Internal auditors may use analytical procedures to obtain audit evidence. Analytical procedures involve studying and comparing relationships among both financial and non-financial information.
The application of analytical procedures is based on the premise that, in the absence of known conditions to the contrary, relationships among information may reasonably be expected to exist and continue.

The Information Systems Audit and Control Association

3.4 The Information Systems Audit and Control Association released IT Audit and Assurance Guideline G3 – ‘Use of Computer Assisted Audit Techniques (CAATs)’ on 1st December 1998, which was subsequently revised on 1st March 2008. It lays down that “As entities increase the use of information systems to record, transact and process data, the need for the IS Auditor to utilise IS tools to adequately assess risk becomes an integral part of audit coverage. The use of computer-assisted audit techniques (CAATs) serves as an important tool for the IS auditor to evaluate the control environment in an efficient and effective manner.”

Chapter 4
Stages in the Use of General Audit Softwares

4.1 Data analysis can be used throughout a typical audit cycle. While individual audit cycle definitions and steps may vary, the following breakdown provides some of the ways data analysis can be employed during various stages in an audit cycle.

Planning

4.2 Data analysis can be greatly effective in identifying data-driven indicators of risk or emerging risk in an organization. This can help audit define and create an audit plan that focuses on the areas of highest concern. The audit activity should consider prioritizing the use of data analysis for risk assessment during the audit planning stage, where the data is available, and where this approach is applicable. Data analysis technology can be effectively employed to identify indicators of risk in a variety of processes. Consider the following examples:

• Revenue by location, division or product line.
• Revenue backlogs by value and age.
• Personnel changes in key positions (legal, finance, research and development).
• Volume of manual journal entries or credit notes.
• Aging accounts receivable balances or inventory levels.
• Vendor management (number of vendors, volume of transactions).
• Procurement card vs. purchase order procurement.
• Average days for customer payment.
• Industry code of supplier on credit card purchases.

Preparation

4.3 Data access and preparation can be a challenging step within the audit process. Requests to IT departments can take weeks and the resulting data can often be incomplete or incorrect, making for an inefficient process. By using data analysis technology during the audit preparation phase, many of these delays can be avoided. Auditors skilled in the use of data analysis can source the data required for the audit engagement, do data integrity and validity checks, and prepare test routines for staff auditors to use once the audit commences. This will provide audit teams with streamlined access to reliable data sets or even automated access to multiple data sources to allow for quick and efficient analysis of data. Data should be housed in a centralized repository allowing the audit team to analyse data sets according to their authorization and need for access.

Testing

4.4 A great deal of audit testing uses organizational data to some extent, often to a significant extent. Due to ever increasing amounts of data, some auditors have relied on techniques, such as, sampling or spot checks. These techniques may be ineffective at uncovering anomalies and indicators of failed or inefficient internal controls. To improve effectiveness in the search for errors and unusual transactions, audit teams can use data analysis technology to analyse entire data populations. Once initial analysis is done, efforts can be focussed on areas where exceptions were found, making more efficient use of audit resources.
The ability to automate repetitive tests by using analytic scripts increases overall departmental efficiency and allows for greater insight into high risk areas. Results and scripts should be stored in a central repository allowing audit team members to review findings and access and re-deploy analytical procedures.

Review

4.5 The analytic routines and the results they generate should be included in the audit review. This helps to ensure that conclusions drawn from using data analysis can be relied on and that any mistakes in the query are identified and corrected or that conclusions that were drawn from those results are not erroneous.

Chapter 5
Benefits Derived by Using General Audit Softwares

5.1 Data Analysis can help auditors meet their auditing objectives. By analysing data within key organizational processes, internal audit is able to detect changes or vulnerabilities in organizational processes and potential weaknesses that could expose the organization to undue or unplanned risk. This helps identify emerging risk and target audit resources to effectively safeguard the organization from excessive risk and improve overall performance. This also enables audit to identify changes in organizational processes and ensure that it is auditing today’s risks – not yesterday’s. By analysing data from a variety of sources against control parameters, business rules and policies, audit can provide fact-based assessments of how well automated controls are operating. Data analysis technology also can be used to determine if semi-automated or manual controls are being followed by seeking indicators in the data. By analysing 100 percent of relevant transactions and comparing data from diverse sources, audit can identify instances of fraud, error, inefficiencies and / or non-compliance.

5.2 A number of significant benefits accrue from the use of General Audit Softwares for data analysis.
Some of them are:

• Meet Current Audit Standards
• Supports the enterprise risk management system
• Uncover Fraud and Money Laundering
• Recover Costs
• Improves compliance with controls, business policies and regulation
• Facilitate Enterprise wide Continuous Auditing and Monitoring initiatives
• Enables insight into business operations and performance
• Improves auditor confidence and reduces audit costs
• Documents and retains learning
• Enables faster reaction
• Improves governance, performance and accountability
• Responds to scrutiny from regulators
• Reduces compliance-related costs with Sarbanes Oxley and other regulations
• Improves financial reporting reliability
• Provides an essential component of the COSO model
• Generates support and documentation for CFO/CEO certification and auditors.

Chapter 6
Common General Audit Software Applications across Business Functions and Industries

6.1 General Audit Software applications can be used for intelligent analysis of electronic data from key business processes like Purchase to Pay, Order to Cash, Payroll, Inventory and IT Security.

Purchase to Pay

6.2 Purchase to pay serves as a vital business cycle in any organization, with valuable data analytical insights from a compliance, fraud and MIS point of view. The checklist below has been presented as a sample case study for the reader's creative visualization.

| Procurement Area | Control | Data Analysis |
|---|---|---|
| Purchasing | Application will not allow a duplicate payment to be processed. | Obtain purchase order data. Validate that no duplicate payments (same vendor/ same account) were processed. |
| Purchasing | Purchase orders (POs) older than three months will not be processed. | Obtain a list of all POs processed. Determine if POs older than three months were processed. |
| Purchasing | The person who creates the PO can’t release/ approve the same PO. | Obtain a list of all POs created (by originator). Obtain a list of all POs released or approved. Determine, if any, inappropriate segregation of duties (SOD) existed. |
| Receiving | All goods received (GR) are validated against PO. | Obtain a list of all GR and POs placed. Validate that quantities are the same. |
| Invoicing | PO should be created before supplier invoice is received. | Compare PO dates against invoice dates and make sure that there are no POs dated after invoice dates. |
| Invoicing | Amount on PO should agree with amount on invoice. | Compare the PO amount against the invoice amount. Validate there are no differences. |
| Payment | Application should not allow duplicate payments. | Obtain a list of payments that have been made to vendors in the last 12 months. Determine if duplicate payments have been made, for example: same vendor ID and amount but different invoice number; same vendor ID and invoice number but different amounts; different vendor ID with same bank account numbers. |
| Value adding services to organizational users | N/A | Total Spend. Vendor wise spend. Budget vs. actual. Age analysis. Top vendors, products, locations. |

Order to Cash

6.3 The following audit tests are suggested when auditing an Accounts Receivable system. However, the exact tests carried out for a particular client will depend upon the system used and the data available. Common tests include:

(i) Mechanical Accuracy and Valuation
• Total the file. It often pays to separate debits and credits.
• Revalue foreign debts, if applicable.
• Check transaction totals to the balance on each account.

(ii) Analysis
• Profile debtors using Stratification to see the number of large debts and what proportion of value is in the larger items.
• Produce an aging debt analysis. Consider how to deal with unallocated cash and credit notes. IDEA, by default, ages these on their date rather than allocating against the oldest item or any other treatment.
It is often worthwhile to split the file into invoices, unallocated cash, and so on using multiple extractions, and then to age the individual files.

(iii) Exception Tests - Existence and Valuation
• Identify old items (i.e., greater than three months old).
• Identify large balances either in their own right or compared to turnover.
• Select accounts for which no movements have been recorded in a set time.
• Report credit balances.
• Identify unmatched cash or credits.
• Compare balances with credit limits and report exceptions (i.e., accounts with balances in excess of their credit limits or accounts with no credit limits, etc.).
• Test for items with invoice dates or numbers outside the expected range.
• Identify partial payments of debts.
• Identify invalid transaction types.
• Identify customer addresses that are “care of” or flagged not to be sent out.

(iv) Gaps and Duplicates
• Test for duplicate invoices (both invoice number and customer/ value).
• Use duplicate exception testing for less obvious input errors, such as the same vendor ID assigned to two different vendor names, the same vendor name assigned to two different vendor IDs, payment of the same invoice number and amount to two different vendors, and so on.

(v) Matching and Comparison Tests
• Compare the balance on an account with its turnover.
• Match the sales transactions to the customer master information to identify sales to new or unauthorized customers, and those with exceeded credit limits.
• Compare to Accounts Payable for possible contra accounts.

(vi) Sampling
Select samples (random or specific) for functional testing and confirmation (and produce confirmation letters).

Payroll

6.4 Payroll auditing is an excellent application of IDEA. The main objective is validity and accuracy by testing existence of employee and correctness of pay. There are many regulations and taxes associated with payroll and compliance with these can be checked easily.
Privacy concerns may limit your testing.

(i) Analysis
• Summarize and stratify salaries by department/grade, etc.
• Profile employee ages/years of service to assist in forward planning.
• Analyze costs for special pay, overtime, premiums, etc.
• Summarize payroll distribution for reconciliation to general ledger.
• Summarize and compare costs for special pay, overtime, premium, etc.

(ii) Calculations
• Total gross pay, net pay, deductions and any other value fields.
• Check calculation of gross pay.
• Check calculation of net pay.

(iii) Exception Tests
• Extract all payroll checks where the gross amount exceeds a set amount.

(iv) Reasonableness Checks
• Tax rates
• Pay/grade comparison
• Hours worked
• Overtime claimed
• Sickness taken
• Holiday taken
• Date of birth (under 18, over 60 years of age)
• Identify bonuses and other allowances
• Report activity on records for new or terminated employees
• Find changes in key payroll data, such as, gross pay, hourly rates, salary amounts, exemptions, etc.
• Identify records with missing information (National Insurance number/Social Security number, tax code, employee number etc.).

(v) Gaps and Duplicates
• Duplicate employees (Social Insurance, National Insurance, Social Security numbers, Employee numbers, addresses) on payroll file
• Duplicate bank account details
• Duplicate names and date of birth.

(vi) Matching and Comparing
• Comparison of payroll file at two dates to determine recorded starters and leavers (hires and terminations) and changes in pay, etc., are as expected.
• Join payroll transactions file to payroll master to determine if there are "ghost" employees on the payroll.
• Compare time-card entries and pay to payroll and indicate variances.
• Compare vendor addresses/ phone numbers and employee addresses/ phone numbers to identify conflict-of-interest (e.g., postcodes, phone numbers).
(vii) Sampling
• Most sampling options apply.

Inventory

6.5 The following tests are suggested when analyzing an inventory system. However, the exact tests carried out for a particular client will depend upon the system used and the data available. Common tests include:

(i) Mechanical Accuracy and Valuation
• Total the file, providing sub-totals of the categories of inventory.
• Re-perform any calculations involved in arriving at the final stock quantities and values.
• Re-perform material and labour cost calculations on assembled items.

(ii) Analysis
• Age inventory by date of receipt.
• Compute the number of months each inventory item is held based on either sales or purchases. Produce a summary of this information.
• Stratify balances by value bands.
• Analyze gross profit.
• Analyze price adjustment transactions.

(iii) Exception Tests - Existence and Valuation
• Identify and total inventory held in excess of maximum and minimum inventory levels.
• Identify and total obsolete or damaged inventory (identified as such in the database).
• Identify balances in excess of a reasonable usage period that are probably obsolete.
• Identify items past their shelf life (if a sell by date or bought date is present on the system).
• Identify any items with excessive or negligible selling or cost prices.
• Identify differences arising from physical stock counts.
• Test for movements with dates or reference numbers not in the correct period (cut-off).
• Identify balances that include unusual items (i.e., adjustments).
• Identify work in progress that has been open for an unreasonable period.
• Identify inventory acquired from group companies.

(iv) Gaps and Duplicates
• Test for missing inventory ticket numbers.
• Test for missing transaction numbers.
• Identify duplicate inventory items.
(v) Matching and Comparison Tests
• Compare files at two dates to identify new or deleted inventory lines or to identify significant fluctuations in cost or selling price.
• Compare cost and selling price and identify items where cost exceeds net realizable value.
• Compare holdings and inventory turnover per product between stores.

Computer Security

6.6 General Audit Software gives any user the power to sift through Windows network security event logs to extract the entries that may have a security impact. Functions within the tool can be used to identify deviations from corporate policy, security breaches and inappropriate usage.

(i) System Logs
When auditing system logs, you may wish to:
• List:
  o Accesses outside standard office hours or during holiday/sick leave
  o All users with their normal computers
  o All computers with their normal users
  o Users on unusual computers.
• Identify users, particularly those with supervisory rights, who are logged in for long periods of time.
• Analyze by user - identify those with higher use than might reasonably be expected.
• Summarize by network address to identify.
• Summarize charges by user to determine resource utilization.
• Analyze utilization by period, such as, daily, weekly, and monthly, to show historical trends.

(ii) File Lists
When performing auditing tests in regard to computer security, you may wish to:
• List duplicate names (both software for multiple copies and data where there is a risk of accidental deletion).
• Identify old files.
• Analyze by directory.
• Analyze file sizes by owner.
• Identify last access dates for old files.
• Analyze file type (by file name extension).
• Identify all files without an owner, such as where user accounts have been removed from the system.
• Test for .com, .exe or .bat files in areas where there should not be programs, DOS/Windows systems.
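The system-log tests listed under (i) System Logs can be scripted so that they are repeatable. The following is an added example, not taken from the Guide and not IDEA script: it flags logons outside office hours, at weekends or during leave, users on unusual computers, and long supervisory sessions. The log export, its column names, the leave register and the policy thresholds are all constructed assumptions.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import date, datetime, time, timedelta

# Constructed sample: logon sessions as they might be exported from a security
# event log. The column names are assumptions made for this example.
SAMPLE_LOG = """user,computer,logon,logoff,supervisor
asha,WS-101,2015-01-05 09:02,2015-01-05 17:31,no
asha,WS-101,2015-01-06 09:10,2015-01-06 17:45,no
asha,WS-101,2015-01-07 08:55,2015-01-07 18:02,no
asha,WS-207,2015-01-08 10:15,2015-01-08 11:05,no
ravi,WS-102,2015-01-05 09:30,2015-01-05 18:10,no
ravi,WS-102,2015-01-06 23:40,2015-01-07 00:25,no
ravi,WS-102,2015-01-07 09:20,2015-01-07 17:50,no
ravi,WS-102,2015-01-10 11:00,2015-01-10 12:30,no
meera,SRV-01,2015-01-05 08:30,2015-01-05 16:00,yes
meera,SRV-01,2015-01-06 08:45,2015-01-06 17:15,yes
meera,SRV-01,2015-01-07 08:30,2015-01-08 02:15,yes
"""

# Constructed leave register (user -> dates on approved leave), as HR might supply.
LEAVE = {"asha": {date(2015, 1, 8)}}

# Policy parameters: assumptions, to be replaced by the organization's own policy.
OFFICE_START, OFFICE_END = time(8, 0), time(19, 0)
MAX_SUPERVISOR_SESSION = timedelta(hours=10)
TIME_FORMAT = "%Y-%m-%d %H:%M"


def load_sessions(text):
    """Parse the export into dicts with typed logon, logoff and supervisor fields."""
    sessions = []
    for row in csv.DictReader(io.StringIO(text)):
        sessions.append({
            "user": row["user"],
            "computer": row["computer"],
            "logon": datetime.strptime(row["logon"], TIME_FORMAT),
            "logoff": datetime.strptime(row["logoff"], TIME_FORMAT),
            "supervisor": row["supervisor"].strip().lower() == "yes",
        })
    return sessions


def out_of_policy_logons(sessions, leave=None):
    """Logons while the user is on leave, at weekends, or outside office hours."""
    leave = leave or {}
    findings = []
    for s in sessions:
        start = s["logon"]
        if start.date() in leave.get(s["user"], set()):
            reason = "on leave"
        elif start.weekday() >= 5:  # Saturday = 5, Sunday = 6
            reason = "weekend"
        elif not OFFICE_START <= start.time() <= OFFICE_END:
            reason = "outside office hours"
        else:
            continue
        findings.append((s["user"], s["computer"], start, reason))
    return findings


def normal_computers(sessions):
    """Map each user to the computer they log on to most often."""
    per_user = defaultdict(Counter)
    for s in sessions:
        per_user[s["user"]][s["computer"]] += 1
    return {user: counts.most_common(1)[0][0] for user, counts in per_user.items()}


def unusual_computer_logons(sessions):
    """Sessions on a computer other than the user's normal one."""
    normal = normal_computers(sessions)
    return [(s["user"], s["computer"], s["logon"])
            for s in sessions if s["computer"] != normal[s["user"]]]


def long_supervisor_sessions(sessions, limit=MAX_SUPERVISOR_SESSION):
    """Supervisory accounts that stayed logged in for longer than the limit."""
    return [(s["user"], s["computer"], s["logoff"] - s["logon"])
            for s in sessions
            if s["supervisor"] and s["logoff"] - s["logon"] > limit]


if __name__ == "__main__":
    sessions = load_sessions(SAMPLE_LOG)
    reports = [
        ("Out-of-policy logons", out_of_policy_logons(sessions, LEAVE)),
        ("Users on unusual computers", unusual_computer_logons(sessions)),
        ("Long supervisory sessions", long_supervisor_sessions(sessions)),
    ]
    for label, rows in reports:
        print(label)
        for row in rows:
            print("  ", *row)
```

In the sample, the logon by asha on WS-207 appears in two reports (on leave, and on an unusual computer); exceptions that surface in more than one test are usually the first to follow up.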
(iii) Access Rights
In regard to access rights, you might decide to audit:
• Lists of:
  o Accounts with passwords not set or not required for access
  o Group memberships.
• Accounts with:
  o Short access passwords (less than the recommended six characters)
  o No activity in the last six months
  o Access to key directories
  o Supervisor status
  o Equivalence to users with high level access, such as supervisory equivalence.
• Aging of password changes.

(iv) E-mail Logs
E-mail logs generally contain information such as the sender and recipient address, subject title, date and time of transmission, size of file, service provider, etc. Ensure the organization has a published policy related to employee use of e-mail before undertaking any of these tests. Common tests include:
• Total length of time spent on e-mails (receiving and responding) by organization as a whole, by individuals, by month
• Analyze internal and external e-mails
• Summarize by service providers
• Summarize numbers of e-mails by employee, sort in order
• Isolate, summarize and examine personal e-mails
• Stratify by time and examine any unusual activity e.g., lunchtime, weekends, bank holidays
• Stratify by size of files
• Analyze file attachments, by size, by type
• Analyze incoming e-mails, identify common domain addresses
• Calculate length of time individuals spent on e-mail in given time period, sort in order
• Match with list of employees and extract any e-mails that are sent by invalid employees
• Analyze any dormant accounts
• Identify non-work related e-mails by searching for specific words in the subject title e.g., weekend

(v) Firewalls
Many organizations implement a range of controls, including installing sophisticated firewalls to eliminate the risk of unauthorized access to their networks, especially via the Internet.
Firewall logs record all incoming and outgoing transmissions on a network and it is not unusual to record hundreds of thousands of activities in a single day. IDEA can be used to analyse the logs, identifying trends and exceptional items to follow up. Firewalls generally contain information such as the source and destination IP address, date and time of admission, action by the firewall on receipt of the transmission, the service type and the service port accessed. Common tests include:
• A summary of the type of service being requested or being used
• Identifying the most common IP addresses attempting access to the network
• A summary of actions upon connection, i.e. control, accept or drop
• Analysing trends to determine the most common access times and identifying requests at unusual times
• Extract all dropped transmissions
• Identify potential attacks by looking for a pre-defined sequence of port scans e.g., SATAN, ISS attacks or searches for ports which can be used.

6.7 General Audit Software applications can be used for transaction testing, compliance review, fraud investigation, MIS reporting, advanced statistical forecasting and correlation, and large database reconciliation of electronic data from different industry verticals. Some of the illustrative usage scenarios are mentioned below:

(i) Manufacturing
• Detection of duplicate vendor bill booking and payment.
• Identification of ghost employees in a payroll file.
• Monitoring duplicate round sum journal entries booked on public holidays.
• Related party transaction scrutiny.
• Overtime reconciliation between payroll and departmental data.

(ii) Banking
• Capturing high value transactions on newly opened retail liability accounts.
• Presenting on retail assets having inconsistent credit score grading/classification.
• Monitoring trading on government security investments which are in the ‘Held to Maturity’ category.
• Tracking accounts opened with Prohibited party list.

(iii) Insurance
• Detecting healthcare fraud – same procedure, same third party administrator, same hospital, different procedure cost.
• Capturing repetitive motor claims without related premium increase.
• Displaying insurance undertaken of stolen vehicles.
• Capturing close proximity life insurance claims.

(iv) Retail
• Computing inconsistent discounts offered towards the same retail selling scheme.
• Operational throughput analysis of cashier performance.
• MIS report generation of ‘Top Schemes’, ‘Top Brands’, and ‘Top Cross-Selling Products’.
• Unauthorized system access of departed employee accounts and/or ghost accounts.

Chapter 7
Fraud Detection Using General Audit Softwares – Case Studies

Introduction

7.1 Today the genres of fraud and fraudsters are growing at an unbridled rate, given the availability of abundant complex data from legacy systems, ERPs and bespoke applications. This provides Auditors, Fraud Investigators, Fraud Risk Management Experts and Business Process Owners the opportunity to mine and thereby generate intelligent patterns, trends and red-flag alerts from raw data. Companies need to incorporate a culture, spanning related process and technology, of making the best of Data Analytics in their Fraud Risk Management framework. The evolution of Audit Automation Tools has been remarkable. The advent of new enabling technologies and the surge in corporate scandals have combined to increase the supply, the demand, and the development of enabling technologies for a new system of continuous assurance and measurement. Fraud analytic monitoring based assurance will change the objectives, timing, processes, tools and outcomes of the fraud investigation process definitively.
Given below are practical case studies on the use of CAATs for detecting red flags, patterns, anomalies and alarming trends across industry verticals like ‘Healthcare’, ‘Retail’, ‘Utilities’, ‘Banking’ and ‘Technical Plant Studies’.

Healthcare

Index of Case Studies

7.2 The index of case studies is as follows:
• Excessive procedure billing of same diagnosis, same procedures.
• Identify excessive number of procedures per day or place of service per day / per patient.
• Identification of diagnosis and treatment that was clearly inconsistent with patient age and/ or gender.

Case Studies Explained

7.3 Excessive Procedure Billing of Same Diagnosis, Same Procedures

(i) Objective
To identify instances of excessive medical procedure billing for the same diagnosis and medical procedure.

(ii) Method
In this exercise, the Healthcare Claims transaction file was linked with the master file on the basis of the Diagnosis Code. A computed numeric field was added to arrive at instances where excessive procedural charges had been claimed by the insured, in comparison to the current master charge list. Cases were extracted where the difference exceeded 15% (hypothetical acceptable variance norm across hospitals).

(iii) Functionality Covered
The exercise used the following GAS functionalities:

• Join files
The Healthcare Claims transaction file is opened and chosen as the active database. This file is the primary database. The master file for procedure rates is chosen as the secondary file. The two files are linked together based on the similar field Diagnosis Code. The field is named differently in the primary and secondary files, as Diagnosis Code and Diagnosis Reference Code respectively. The link is still possible as both the fields are character in nature. The option ALL RECORDS IN PRIMARY FILE is used as the joining command.
• Append a computed numeric field
Existing field values cannot be altered in the joined database, which preserves the data integrity of the whole database. However, a computed field of numeric nature is added to the resultant joined database. This computed field will contain the values based on the linked diagnosis code from the master file.

• Use the equation editor to write the criteria in the computed numeric field
A command is entered through the Equation Editor to arrive at the difference in medical procedure charges as per the transaction file and masters captured from the master file. The command can be checked for syntax and validated for field nomenclature and construction.

• Data extraction to filter out the exceptions
Data extraction involves filtration of transactions from the joined file which meet the filtration command criteria. The values in the computed numeric field above are filtered for non-zero cases. Zero values indicate billing of medical procedure charges as per the master table of charges. Non-zero cases represent deviations from the master table of medical procedure rates. Non-zero cases were trapped through the Data Extraction – Equation Editor Facility using the command “Audit Charge <> 0”. Here “<>” refers to NOT EQUAL TO.

Normally billings should proceed as per the master table of rates. However, options are available within the Med-Plus Software for overriding the master charges and applying manual charges on a case to case basis. These manual overrides were specifically investigated for their particulars.

7.4 Identify Excessive Number of Procedures Per Day or Place of Service Per Day / Per Patient

(i) Objective
To identify instances of excessive number of medical procedures conducted per day or place per patient.

(ii) Method
In this exercise, the Healthcare Claims transaction file was used as the basis for the red flag check.
A duplicate check was run on the Insured Name, Policy Number, and Hospitalization Date to identify possible duplicate claims for excessive medical procedures for the same insured patient. This test was further corroborated by a summarization/ consolidation of claims based on the insured name and policy number to generate multiple claim instances in excess of one hospitalization/ medical procedure.

Cases were identified where multiple medical procedures had been conducted on the same insured at the same hospital. The cases were referred by the Team to the expert medical officer, who clearly identified the claims as unrelated and fictitious. For example, a cornea transplant of the eye was followed by a hernia operation, which was medically absurd.

(iii) Functionality Covered
The exercise used the following GAS functionalities:

• Duplicate detection
In the duplicate test, exact vertical matches are detected within the specific field or fields designated. The transactions file was used as the basis for the test. The insured name, policy number, and hospitalization date were selected as the key fields on the basis of which duplicates were to be detected. In the GAS, an auto key field indexing was performed on the insured name, policy number, and hospitalization date to speed up the process of duplicate key detection. The duplicate test revealed a list of vertical matches which were to be investigated.

• Summarization
The GAS had a popular transaction consolidation function called summarization. The advantage of this function was that multi-field summarization was possible, with generation of valuable insightful statistics like MIN, MAX, AVG, VAR, DEVIATION and more. This superior functionality was accompanied by generation of multi-chart and multi-graph utilities in user friendly, color rich formats which could be ported across office applications.
Summarization/ consolidation of claims was performed based on the insured name and policy number to generate a report of multiple claim instances in excess of one hospitalization/ medical procedure. Here the key statistic used was COUNT rather than SUM. Just like in the first stage duplicate test, summarization was also preceded by an auto index facility on the key objective fields to increase the throughput of results.

• Data extraction to filter out the exceptions

Data extraction involves filtration of transactions from the joined file which meet the filtration command criteria. Multiple claim instances in excess of one hospitalization/ medical procedure were trapped through the Data Extraction – Equation Editor Facility using the command “Count > 1”.

These vital cases and potential red-flag indicators were immediately taken up for scrutiny with the Chief Medical Officer at the concerned hospital. Patient health history reports were also studied to provide allowance for multi-health issues and failures on the same day warranting multi-medical procedures.

7.5 Identification of Diagnosis and Treatment that was Clearly Inconsistent with Patient Age and/ or Gender

(i) Objective

To identify diagnosis and treatment that was clearly inconsistent with the patient/ insured age and gender.

(ii) Method

The team set up value bands from the Claim Transaction file. The value bands were set up for 0-20000, 20001-50000, 50001-100000, 100001-200000, and more. The high value bands were designated as “A Class High Risk”. The “A Class High Risk” band corresponded to 10,00,000 to 20,00,000. All the claims in this category were culled into a separate dump within the GAS.

All the claims in the A Class category were examined through the search function for the insured details like, age, gender, past medical history.
Specific instances were observed with the assistance of the ace team medical expert wherein open heart surgeries were conducted for minors even though the medical history suggested otherwise. In one critical high value instance the insured (a male) had claimed large amounts for complex medical procedures normally conducted on elderly women.

(iii) Functionality Covered

The exercise used the following GAS functionalities:

• Stratified random sampling

In Stratified Random Sampling credence is given to distribution of individual transaction values between low, medium and high. Judgment on the interpretation of low, medium and high rests with the GAS user based on consultation with the Medical Expert and past Industry experience of the team members.

The team set up intervals from the Claim Transaction file. The intervals were set up for 0-20000, 20001-50000, 50001-100000, 100001-200000, and more. The high value bands were designated as “A Class High Risk”. The “A Class High Risk” band corresponded to 10,00,000 to 20,00,000. All the claims in this category were culled into a separate dump within the GAS using the random number table within the GAS. The random number table generates a list of random numbers from the “A Class High Risk” interval based on its internal algorithms and generates a separate file of such instances.

• Data search

Data Search is an advanced tool within the GAS which can undertake simple, complex, structured, unstructured, fuzzy, single word or multi word searches quite similar to a web portal search engine. Here with the aid of the medical expert specific key strings and character occurrences were trapped. Suspicious transactions were studied in depth along with the patient case paper file.

Specific instances like, open heart surgeries were conducted for minors even though the medical history suggested otherwise.
In one critical high value instance the insured (a male) had claimed large amounts for complex medical procedures normally conducted on elderly women.

Retail

Index of Case Studies

7.6 The case studies are as follows:

• Reconciliation of Net Sales with Cash Takings, and Card Receipts.
• Inconsistent scheme discount rates offered by Cashiers to different customers against the same Scheme ID.
• Identifying the most efficient Cashier across all the Malls – Operational Throughput.
• Detecting transactions Out of Office hours.

Case Studies Explained

7.7 Point of Sale Systems from the Retail Industry – Malls

Point of Sale Applications deployed in Malls generate comprehensive Sales Reports. These Reports may be conveniently saved in MS-Excel Data formats. This is an alternative to the File Print options.

These Sales Reports contain fields, like:

• Date of Sale
• Time of Sale
• Transaction Number
• Cashier Name
• Cashier ID
• Product Sold
• Quantity
• Rate
• Gross Value
• Taxes
• Scheme Discounts
• Net Value
• Scheme ID
• Scheme Details
• Collections in Cash
• Collections by Card
• Dues.

(i) Data Import

These MS-Excel Data Files, once saved on the workstation containing the GAS or on the Local Area Network in a shared audit data folder, can be accessed through the GAS’s Import Assistant – Excel component.

The process of import is simple and easy to apply, since Excel file Record Definitions are readily recognized by the GAS.

(ii) Data Analysis

(a) Reconciliation of Net Sales with Cash Takings, and Card Receipts.

The fields of reference relevant to the objective being tested are:

• Net Sales
• Cash Collected
• Card Receipts

The process of interrogation followed in GAS is:

• Import the Sales Report for a given period through GAS’s Import Assistant – MS Excel.
• Navigate to the Field Statistics in the Database Toolbar.
• View the numeric control totals for the Net Sales, Cash Collected and Card Receipts fields respectively.
• Normally the Net Sales should be arithmetically balanced by Cash Collections and Card Receipts.
• In the case under review we notice a high percentage of Unpaid Bills, almost 25% of the period’s Net Sales.
• An overview of the Unpaid Bill cases through a Field Summarization reveals that the Due amounts are significantly concentrated on Cashier A and Cashier D.

These cases may be specially looked into by interrogating the concerned Cashiers, to ascertain their motive.

(b) Inconsistent scheme discount rates offered by Cashiers to different customers against the same Scheme ID.

The fields of reference relevant to the objective being tested are:

• Cashier ID
• Scheme ID
• Scheme Discounts
• Gross Value

The process of interrogation followed in GAS is:

• Navigating to Data in the Menu Tool Bar and selecting Field Manipulation.
• In Field Manipulation, appending a computed Virtual Numeric Field Discount % with the Criteria (Scheme Discounts*100 / Gross Value), rounded off to the nearest integer.
• Navigating to Analysis in the Menu Tool Bar and selecting Duplicate Key Exclusion.
• In Duplicate Key Exclusion, we identify different Discount % values for the same Scheme ID.
• We get a list of cases where varying Discount % have been applied for the same Scheme ID.
• Some cases are extremely glaring, with the Discount % being as high as 45% where the Scheme ID warrants a Discount % of 15% only.

These cases may be specially looked into by interrogating the concerned Cashier, to ascertain his motive.
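Tests (a) and (b) above can be reproduced on an exported sales report without the GAS. The following is an added example, not code from the Guide or from any audit software; the column names follow the field list in 7.7, and every row of the sample report is constructed.

```python
"""Retail POS tests (a) and (b) rebuilt outside the GAS. All sample rows are constructed."""
import csv
import io
from collections import defaultdict
from decimal import Decimal, ROUND_HALF_UP

# Constructed sales report; column names follow the field list given on the page.
SALES_CSV = """\
Transaction Number,Cashier ID,Scheme ID,Gross Value,Scheme Discounts,Net Value,Collections in Cash,Collections by Card,Dues
0010001,A,S15,1000.00,150.00,850.00,850.00,0.00,0.00
0010002,B,S15,2000.00,300.00,1700.00,0.00,1700.00,0.00
0010003,A,S15,1000.00,450.00,550.00,0.00,0.00,550.00
0010004,C,S10,500.00,50.00,450.00,450.00,0.00,0.00
0010005,D,S10,800.00,80.00,720.00,0.00,0.00,720.00
0010006,B,S10,600.00,60.00,540.00,240.00,300.00,0.00
0010007,C,S15,400.00,60.00,340.00,300.00,0.00,0.00
"""

MONEY_FIELDS = ("Gross Value", "Scheme Discounts", "Net Value",
                "Collections in Cash", "Collections by Card", "Dues")


def load_sales(text):
    """Parse the report, holding money as Decimal so control totals are exact."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        for field in MONEY_FIELDS:
            rec[field] = Decimal(rec[field])
        rows.append(rec)
    return rows


def reconcile(rows):
    """Test (a): control totals, unpaid share of Net Sales, dues per cashier."""
    totals = {f: sum((r[f] for r in rows), Decimal(0)) for f in MONEY_FIELDS[2:]}
    dues_by_cashier = defaultdict(Decimal)
    unbalanced = []
    for r in rows:
        if r["Dues"]:
            dues_by_cashier[r["Cashier ID"]] += r["Dues"]
        settled = r["Collections in Cash"] + r["Collections by Card"] + r["Dues"]
        if settled != r["Net Value"]:
            # Neither collected nor booked as due: the bill does not balance.
            unbalanced.append(r["Transaction Number"])
    net = totals["Net Value"]
    unpaid_pct = totals["Dues"] * 100 / net if net else Decimal(0)
    return {"totals": totals, "unpaid_pct": unpaid_pct,
            "dues_by_cashier": dict(dues_by_cashier), "unbalanced": unbalanced}


def discount_pct(row):
    """Computed field from test (b): Scheme Discounts * 100 / Gross Value, nearest integer."""
    if row["Gross Value"] == 0:
        return None  # no basis for a rate; skip rather than divide by zero
    pct = row["Scheme Discounts"] * 100 / row["Gross Value"]
    return int(pct.quantize(Decimal("1"), rounding=ROUND_HALF_UP))


def inconsistent_discounts(rows):
    """Test (b): Scheme IDs billed at more than one Discount %, with who applied each rate."""
    by_scheme = defaultdict(lambda: defaultdict(list))
    for r in rows:
        pct = discount_pct(r)
        if pct is not None:
            by_scheme[r["Scheme ID"]][pct].append((r["Transaction Number"], r["Cashier ID"]))
    return {scheme: dict(rates) for scheme, rates in by_scheme.items() if len(rates) > 1}


if __name__ == "__main__":
    sales = load_sales(SALES_CSV)
    result = reconcile(sales)
    print("Unpaid share of Net Sales: %.1f%%" % result["unpaid_pct"])
    print("Dues by cashier:", result["dues_by_cashier"])
    print("Bills that do not balance:", result["unbalanced"])
    for scheme, rates in inconsistent_discounts(sales).items():
        print("Scheme", scheme, "billed at", sorted(rates), "percent:", rates)
```

Besides the dues concentration and the varying rates, the reconciliation lists any bill whose cash, card and dues do not add up to its Net Value, a row-level exception that the control totals alone do not locate.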
(c) Identifying the most efficient Cashier across all the Malls – Operational Throughput

The fields of reference relevant to the objective being tested are:

• Cashier ID
• Cashier Name
• Start Time
• End Time
• Quantity

The process of interrogation followed in GAS is:

• Create a new computed numeric field in the imported Sales File with the difference between the Start Time and the End Time using the criteria ‘@agetime(End Time, Start Time)’. This new field will give us the time taken by each cashier in seconds to scan, bag and bill all the items against that transaction.
• Create another computed numeric field with the criteria ‘Difference in Time/ Quantity’ to arrive at the Time taken to scan each item.
• Now perform a Field Summarization on the Cashier ID and Cashier Name with regard to the numeric field containing the Time taken to scan each unit.
• In the Field Summarization also include additional statistics like, Count and Average along with Min and Max. These statistics will give us the number of scans by a single Cashier in a given period, the minimum time for scan, the maximum time for scan and the average time to scan.
• In the Summarization result, sort the Time to Scan (Average) on a Descending basis.
• The Cashier with the best scan rate appears right on top.

The Management of the Mall Chain can select the Top 10 Cashiers from the above exercise and place them at the front desks on crucial days like, weekends or public holidays. This test is a concrete measure of customer service.

(d) Detecting transactions Out of Office hours

The fields of reference relevant to the objective being tested are:

• Start Time
• End Time
• Cashier ID
• Cashier Name
• Net Sales

The process of interrogation followed in GAS is:

• Perform a Data Extraction on the imported Sales File.
• Build criteria using the function .NOT. @betweenagetime(Start Time, “10:00:00”, “22:00:00”) .OR. .NOT. @betweenagetime(End Time, “10:00:00”, “22:00:00”).
• These criteria will isolate all transactions outside the normal Mall working hours of 10 AM to 10 PM. Here we trap both Start Time and End Time.
• The Direct Extraction function within GAS is very popular on large databases, say upwards of 1 Crore Transactions. The function first sorts the entire database and then runs the equation through the sorted database. Hence the results arrive faster than running an ordinary command on an unsorted database.

The case reveals around 50 transactions out of 1 Lac transactions where the Start Time and End Time are after office hours at 10:30 PM. An explanation from the Mall In charge reveals that these transactions all pertained to Public Holidays, when schemes were launched and working hours were extended by two hours with local administration permission.

(e) Demand Study of New Products introduced into Pilot Mall Outlets across India

Malls introduce certain new products into Pilot outlets to study the Customer Behavioural patterns, spending patterns, loyalty to existing products rather than new substitutes and more.

In this interesting Business Case Study the following fields are considered:

• Transaction Number
• Product Number
• Quantity
• Net Sales

The process of interrogation in IDEA is as follows:

• The Transaction Number contains a combination of the Mall Outlet ID, the financial year and the transaction ticket number. The first 3 digits of the Transaction Number represent the Mall Outlet ID.
• We append a new computed character field with the aim of getting the Mall Outlet ID into this field. This is performed through a criteria/equation @left(Transaction ID, 3). This function extracts the first 3 digits from the Transaction Number and places them in a separate computed field.
• A Field Summarization is performed on the imported Sales file on Mall Outlet ID and Product Number/ Code with respect to Quantity and Net Sales.
• In the Summarization result, a direct extraction is performed on the Pilot Product Malls through the Equation @list(Mall Outlet ID, “003”, “005”…).
• A Top Records Extraction is performed with the Key field being the Mall Outlet ID, and the top 5 products in each of the 10 pilot malls are identified.

A detailed review of the final result broadly confirms the Management’s expectation. All the new products have fared well in the 10 pilot malls save one product which has not been preferred over its long lasting existing competitor.

This exercise has armed the Management with factual historical data from a truly representative sample of Mall Outlets. Now the Management is in a position to slowly and surely roll out the most liked products to the remaining Mall outlets over the next month.

Utilities – Electricity Companies

Index of Case Studies

7.8 The case studies are as follows:

• Recalculation of Revenue Heads.
• Verification of Subsidies provided by the State Government to defray the levy of Full Energy Charges to the Final Customer.
• Monitoring of Faulty Meters.
• Duplicate Tests on Billing Information.

Case Studies Explained

(i) Recalculation of Revenue Heads

Electricity Companies levy a host of charges on both household and industry customers. These charges vary from fixed processing cycle charges like, Meter Rent to variable charges like, Energy Charges. Many times the Company buys power from state private players to meet the power deficit. Charges levied by the private player on the electricity company are passed on to the final consumer. These Additional Supply Charges or Fuel Escalation Charges vary on an average from month-to-month.
The objective, description, rationale and authority to raise these charges are stated in a Power Tariff Manual which is issued in the common interest of operators and customers for transparency. This manual always contains the formula for the calculation of each charge very clearly.

The user can get possession of this manual and identify the charges to be recalculated along with the formulae. Nowadays under the Right to Information Act, these Tariff Manuals are also available on the website of the Energy Major.

The user can then create a new computed numeric field (Virtual Numeric Field) within GAS and replicate the tariff manual formulae in the GAS’s Equation Editor.

Illustration – (Units_Consumed * 0.45) - ASC

ASC (Additional Supply Charges) stands for purchase of power from private players. The rate of 0.45 per unit as seen in the formula above is announced by the State Electricity Regulatory Commission on a month-on-month basis.

In this equation we are recalculating the ASC and arriving at possible differences between the recalculated ASC and the ASC levied by the billing system.

(ii) Verification of Subsidies Provided by the State Government to Defray the Levy of Full Energy Charges to the Final Customer

In many States in India, the energy charges to be recovered by the Electricity Company are distributed between the final customer and the State itself. Here the State steps in and contributes to the Energy charges by way of a State Subsidy. The State Subsidy is invariably a percentage of the Net Billed Amount.

The objective of the test is to ensure that the right amount is being recovered from the State by way of the Subsidy.

The GAS user can accomplish this task easily by creating a new computed numeric field with the formula:

(Net_Amt * 0.40) – Subsidy

Here we assume that the State supports the Energy Bill up to 40%.

Subsidies are normally provided to households and critical industry units.
Hence the GAS user should obtain a listing of the Customer Code Categories that are entitled to the Subsidy and those that have to bear the entire Energy Bill. With this information efforts can be made to identify incorrect Subsidies raised on the State for Customer Categories ineligible for the Subsidy.

The User can make use of the Display or Extraction function in GAS to identify eligible and ineligible Customer Categories.

(iii) Monitoring of Faulty Meters

After power theft, which ranges between 10%-30% in India, faulty meters are the next high-risk prone area for an Energy Major.

Billing Data Files invariably contain a field for Faulty Meters. If the meter is Faulty a flag ‘Y’ appears against the concerned Customer. If the meter is running, the flag ‘N’ appears in the respective field and cell. There is also an additional field available which states the date since when the meter has been faulty and the average units consumed. The average units consumed is updated based on the past usage and history of each user. This field is invariably manually updated by the Billing clerk. In the absence of automatic system generation of average units consumed, this area is ripe for mismanagement of revenues.

With the help of the GAS, the user can link the faulty meters, the average units consumed and the last consumption prior to the meter going faulty through the Visual Connector. The user can then create a new computed numeric field where the average units being billed fall short of the last active consumption reading by say 20% (norms can be decided on a case-to-case basis depending on the Customer Class, Geographical Region and more).

These cases can be taken up for review, discussion and scrutiny with the respective Regional Chief Electricity Engineers.

(iv) Duplicate Tests on Billing Information

The Billing file contains the Customer Number, Meter Number, Bill Number and Receipt Number where the Bill has been duly paid.
As a part of the standard financial and revenue integrity testing, the user can employ the Duplicate Key test within GAS to look for possible duplicates in the combination of the following fields:

• Customer Number
• Meter Number
• Bill Number and
• Receipt Number

This test should normally reveal duplicates. The existence of duplicates could indicate an irregularity which needs to be investigated further or a Billing System application error.

Plant Technical Reviews

Index of Case Studies

7.9 The case studies are as follows:

• Plants experiencing frequent Breakdown Maintenance (BM)
• Plants experiencing Breakdown Maintenance (BM) immediately after Preventive Maintenance (PM) in the same month.
• Plants halted for Breakdown Maintenance (BM) beyond 24 hours.

Case Studies Explained

The Central Maintenance Cell (CMC) of a Manufacturing company was entrusted with breakdown maintenance and preventive maintenance for ten plant centres in the company. An electronic dump containing the following file layout was provided:

| S No | Field Name | Field Type | Description |
|------|------------|------------|-------------|
| 1 | Plant Code | Character | |
| 2 | Plant Description | Character | |
| 3 | Maintenance Code | Character | “BM” for Breakdown Maintenance and “PM” for Plant Maintenance |
| 4 | Description of Maintenance | Character | |
| 5 | Start Date | Date | DD/MM/YYYY |
| 6 | End Date | Date | DD/MM/YYYY |
| 7 | Start Time | Time | HH:MM:SS |
| 8 | End Time | Time | HH:MM:SS |

(i) Plants experiencing frequent Breakdown Maintenance (BM)

Summarize the electronic dump on the Plant Code and Plant Description along with filtered criteria to extract all Maintenance Codes containing "BM". This summarization was performed to arrive at the count of breakdown maintenance instances for each Plant centre.

With the summarization file in place, a Top Records Filter was finally performed to capture the ‘Top 5’ Plant Centres by highest frequency of breakdown maintenance.
Armed with this information, the Head – CMC was able to investigate and diagnose the reasons for high breakdowns on specific Plant centres by looking at the age, usage, history of maintenance, nature of maintenance, plant output quality and allied details.

(ii) Plants experiencing Breakdown Maintenance (BM) immediately after Preventive Maintenance (PM) in the same month

Appended a new field to the electronic dump and captured the month of maintenance against each maintenance transaction activity.

Perform a duplicate (exclusion) test on the Plant Code, Plant Description and Month with the field that must be different being Maintenance Code.

The resultant report provided a listing of plants being halted for “BM” immediately after “PM” in the same month.

With the instances generated, the Head – CMC was able to investigate and diagnose the reasons for sudden breakdowns after preventive maintenance by studying the nature of preventive maintenance undertaken and the quality of maintenance spares used.

(iii) Plants halted for Breakdown Maintenance (BM) beyond 24 hours

Appended a new field to the electronic dump and captured the time taken to complete each maintenance activity by simply arriving at the difference between the ‘Maintenance Start Time’ and ‘Maintenance End Time’.

Applied a filter to list Plants under ‘BM’ for more than 24 hours.

Finally converted the filtered report of ‘Above 24 Hour BM cases’ into a frequency distribution as below:

| Stratum No | Stratum Details | Count | Maintenance Cost |
|------------|-----------------|-------|------------------|
| 1 | 24-48 | 5 | 50000 |
| 2 | 49-72 | 10 | 100000 |
| 3 | 73 & Above | 3 | 250000 |

This frequency distribution allowed the Head – CMC to focus on pain areas in the Plant Maintenance process.

Benford’s Law of Digital Analysis

Evolution of the Law and its Concept

7.10 Frank Benford was a physicist at GE Research Laboratories in the 1920s. He noted that the first parts of the log table books were more worn than the back parts.
The first pages contain logs of numbers with low first digits. The first digit is the left-most digit in a number. Frank Benford collected data from 20 lists of numbers totaling 20,229 observations. He found that the first digit of 1 occurred 31 percent of the time. Using integral calculus, he calculated the expected digit frequencies that are now known as “Benford’s Law”. It took Frank Benford six years to perform his analysis and develop his law of expected digit frequencies.

The Benford’s Law task in IDEA can provide a valuable reasonableness test for large data sets. IDEA only tests items with numbers over 10.00. Number sets with fewer than 4 digits tend to have more skewed distributions and do not conform as well to Benford’s Law. Positive and negative numbers are analyzed separately. This is because abnormal behavior patterns for positive numbers are very different from those for negative numbers.

Application to Data Mining

7.11 The application of Digital Analysis and the Benford Module is also permissible in the framework of Data Mining when certain distinctive facts in a data supply are measured against the personal expectations of the user and interpreted according to them. In this case it is not necessary for the data that is to be analysed to form a Benford Set in a strict sense. In fact, it is permissible under these circumstances to analyse the numerical distribution of the leading digits of each data quantity and to interpret it independent of Benford’s Law.

Assumptions of Benford’s Law

Geometrical series

7.12 The mathematical pre-condition for the examination of a data supply based on Benford’s Law is that the data supply is based on a geometrical series (thus, it is presented as a Benford Set). In reality this condition is rarely met.
Experience shows, however, that data must only partially meet this condition, i.e., the constant increase, percentage-wise, of an element compared to its predecessor must only be met partially. Otherwise, this would mean that no number may occur twice, which is quite improbable in the case of business data supplies. However, the pre-condition is that there is at least a “geometrical tendency”.

Description of the same object

7.13 The data must describe the same phenomenon. Examples are:

• The population of cities
• The surface of lakes
• The height of mountains
• The market value of companies quoted on the NYSE
• The daily sales volume of companies quoted on the Stock Exchange
• The sales figures of companies.

Unlimited data space (non-existence of minima and maxima)

7.14 The data must not be limited by artificial minima or maxima. A limitation to exclusively positive numbers (excluding 0) is permissible as long as the figures to be analyzed do not move within a certain limited range. This applies, for example, to price data (e.g., the price of a case of beer will generally always range between 15 and 20 dollars) or fluctuations in temperature between night and day.

No systematic data structure

7.15 The data must not consist of numbers following a pre-defined system, such as account numbers, telephone numbers, and social security numbers. Such numbers show numerical patterns that refer to the intentions of the producer of the number system rather than to the actual object size represented by the number (e.g., a telephone number starting with 9 does not mean that this person possesses a bigger telephone).

Statistical explanations for the Law

7.16 Basically, data complies best with Benford’s Law if it meets the rules mentioned above, namely that the data consists of large numbers with up to 4 digits and the analysis is based on a sufficiently large data supply.
A large data supply is necessary in order to come as close to the expected numerical frequencies as possible. For example, the expected frequency of the digit 9 in any data supply is 0.0457. If the data supply consists of only 100 numbers, the numbers which have a 9 as their first digit may be 5% of the data supply. Thus, in the case of a small data supply, there may be an over-proportional deviation from Benford’s Law. In large data supplies, the numerical distribution is increasingly closer to the expected frequencies.

7.17 If the data supply has, or just roughly has, the characteristics mentioned above, it can be analyzed based on Benford’s Law. However, the results of the Benford analyses are not interpretable on the basis of Benford’s Law. As stated before, the expected frequencies according to Benford’s Law often represent, in the practical use, nothing more than a type of benchmark for the observed frequencies. Since the observed frequencies will only be compared with the legality discovered by Benford, not interpreted accordingly, it is not necessary that all conditions mentioned above be met. In fact, the analysis results will help the internal auditor interpret the personal expectation of the user, without including the reference value according to Benford in the argumentation. If, for example, the personal expectation of the user is that the starting digit 4 must occur twice as often in the analyzed data than the starting digit 2, the results of the analyzed values must not be compared with the expected frequencies according to Benford but with the individual expectation of the user.

Case Study on Benford’s Law within IDEA

7.18 Following are the steps to run a Benford’s Law analysis on any Accounts Payable database:

(i) From the Analysis menu, select Benford’s Law in IDEA Data Analysis Software.

(ii) In the Benford’s Law dialog box, select AMOUNT as the field to be analysed.
Accept all other default options as displayed in the image below. Click OK to perform the analyses. The Benford First Digit database becomes the active database. Other databases must be opened from the File Explorer.

(iii) To graph the data, select Chart Data from the Data menu. In the Y field’s box, select ACTUAL. In the X axis title box, enter Digit Sequence. In the Y axis title box, enter Count. In the Chart title box, enter AMOUNT – First Digit – Positive Value. Click OK. The Chart Data Results output becomes active.

The first digit graph shows a spike in the digit 7 results.

Technical Notes

The First Digit test is the test of first digit proportions. The first digit of a number is the leftmost digit in the number. Zero can never be a first digit. This is a high level test. Analysts will not usually spot anything unusual unless it is blatant.

This is a test of goodness-of-fit to see if the first digit actual proportions conform to Benford’s Law. The First Digit test is an overall test of reasonableness. The upper and lower bounds are merely guidelines for the auditor. The First Digit graph could show a high level of conformity but the data set could still contain errors or biases.

(iv) Click the Data link in the Properties Window to return to the Benford First Digit database that was created as part of this analysis.

The DIFFERENCE field shows the difference between the expected occurrences of the digits and the actual occurrences of the digits. When the DIFFERENCE field is indexed in ascending order, the digit 7 results show the largest negative difference (positive spike).

This result warrants further investigation as the CFO has indicated that any items in excess of Rs. 80,000.00 require additional approval. This spike could be indicating an abnormal level of items being processed just below the additional approval level – suspect skimming.
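The first digit test and the drill-down below the approval level can be reproduced as follows. This is an added example and not IDEA's implementation: the payables data is constructed (a geometric series, which 7.12 describes as a Benford Set, with extra items placed under 80,000), and the z-statistic with a 1.96 cut-off is an assumption standing in for IDEA's upper and lower bounds, which the Guide does not define.

```python
"""First-digit (Benford) test with a drill-down below an approval limit. Data is constructed."""
import math

# Benford first-digit proportions: P(d) = log10(1 + 1/d)
EXPECTED = {d: math.log10(1 + 1 / d) for d in range(1, 10)}


def first_digit(amount):
    """Leftmost digit of a number whose magnitude is at least 10."""
    return int(str(int(abs(amount)))[0])


def z_statistic(actual, n, p_expected):
    """Z-statistic for one digit with a continuity correction (assumed stand-in
    for IDEA's upper and lower bounds, which the page does not define)."""
    if n == 0:
        return 0.0
    gap = abs(actual / n - p_expected)
    correction = 1 / (2 * n)
    if correction < gap:
        gap -= correction
    return gap / math.sqrt(p_expected * (1 - p_expected) / n)


def first_digit_test(amounts, positive=True, minimum=10.0):
    """Tabulate expected, actual and difference per digit for one sign of the data.

    Positive and negative values are run separately and items under `minimum`
    are left out, as the page describes for IDEA.
    """
    kept = [a for a in amounts if (a > 0) == positive and abs(a) >= minimum]
    n = len(kept)
    actual = {d: 0 for d in range(1, 10)}
    for a in kept:
        actual[first_digit(a)] += 1
    table = []
    for d in range(1, 10):
        expected = EXPECTED[d] * n
        table.append({"digit": d, "expected": expected, "actual": actual[d],
                      "difference": expected - actual[d],  # negative = more than expected
                      "z": z_statistic(actual[d], n, EXPECTED[d])})
    return {"n": n, "table": table}


def spikes(result, z_cutoff=1.96):
    """Digits that occur more often than expected by more than the cut-off."""
    return [row["digit"] for row in result["table"]
            if row["difference"] < 0 and row["z"] > z_cutoff]


def near_limit(amounts, low, limit):
    """Drill-down: items from `low` up to, but not reaching, the approval limit."""
    return sorted(a for a in amounts if low <= a < limit)


def sample_payables():
    """Constructed Accounts Payable amounts: a geometric series from 10 to just
    under 100,000, 60 invoices placed below 80,000, credit notes and small items."""
    base = [round(10 ** (1 + 4 * k / 900), 2) for k in range(900)]
    padded = [70000.0 + 165 * i for i in range(60)]
    credit_notes = [-7250.0, -7100.0, -7900.0]
    small = [4.5, 7.25, 9.99]
    return base + padded + credit_notes + small


if __name__ == "__main__":
    amounts = sample_payables()
    result = first_digit_test(amounts)
    for row in sorted(result["table"], key=lambda r: r["difference"]):
        print("digit %d  expected %6.1f  actual %4d  difference %7.1f  z %5.2f"
              % (row["digit"], row["expected"], row["actual"], row["difference"], row["z"]))
    print("Spiking digits:", spikes(result))
    print("Items from 70,000 to under 80,000:", len(near_limit(amounts, 70000, 80000)))
```

Sorting the table on the difference in ascending order puts the over-represented digit first, which mirrors indexing the DIFFERENCE field in step (iv); the drill-down then returns the individual items to pull for approval review.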
Chapter 8

Documentation of Process of Use of General Audit Softwares

8.1 Data identification and acquisition play a crucial role in the use of General Audit Softwares to facilitate the efficient and effective use of tools and pave the way to guaranteed results and returns from its use.

The stages in Data Identification and Acquisition are:

• Planning the deployment of the Tool
• Objective and Assurances
• Availability of data
• The flow of data in a system
• Identifying the file for interrogation
• Specifying the information required for use in the Tool
• Specifying the format of the data file
• File downloading and conversion
• The Standard requirements for data
• Modes of Data storage and transfer
• Help for Data Identification / Acquisition.

Regulatory Admissions

8.2 The Information Systems Audit and Control Association, U.S.A., has issued an IS Auditing Guideline on ‘Use of Computer Assisted Audit Techniques (CAATs)’, Document G 3. The excerpts of this Guideline on CAATs Planning Steps are as follows:

The major steps to be undertaken by the IS Auditor in preparing for the application of the selected CAATs are:

• Set the audit objectives of the CAATs.
• Determine the accessibility and availability of the organisation’s IS facilities, programs/ system and data.
• Define the procedures to be undertaken (e.g., statistical sampling, recalculation, confirmation, etc.)
• Define output requirements.
• Determine resource requirements, i.e., personnel, CAATs, processing environment (organisation’s IS facilities or audit IS facilities).
• Obtain access to the organisation’s IS facilities, programs/ system, and data, including file definitions.
• Document CAATs to be used, including objectives, high-level flowcharts and run instructions.

The documentation to be built up during the stages of Data Identification and Acquisition has been explained below.
Planning the Deployment of the Tool

8.3 The following are the steps in planning:

• The user needs to select the most appropriate file/ files for CAATs interrogations best suited to the objective on hand for testing.
• The user should make use of flowcharts of the client department’s system to ascertain which files are being used. It is important to select data that is as close to the original data entry process as possible.
• The flow charts and file/ files selected should be documented and kept on record.
• Preferably the objectives along with the file/ files selected should be documented as below:

Illustration from a bank data analysis engagement

| S No | Objective | File | Form | Fields | Source | Owner | Import Method |
|------|-----------|------|------|--------|--------|-------|---------------|
| 1 | Identifying Current accounts where interest has been paid | CASA Interest Dump | Data Dump | Account No, Customer ID, Name, ROI, Product Code, Base Amt, Int Amt | Core Banking System | DBA | IDEA - ODBC |

Objectives and Assurances

8.4 For any type of engagement it is necessary for the user to get to know the function and the practices/ policies in place at the entity to be audited. This knowledge will help the user plan the engagement effectively.

For example, in a Know Your Customer (KYC) Compliance Review, Duplicate Key Exclusion, Extraction, and Sampling play a pivotal role. In order to achieve the stated objectives, a detailed knowledge of the system procedures needs to be obtained. These documents, policy notes and flow charts need to be documented by the user as a part of his engagement evidence. In forensic reviews, the engagement evidence has to be irrefutable, exhaustive and unambiguous.

IDEA has History. The History is the log of operations performed on a file within IDEA. The log cannot be deleted or altered but it can be printed.

Availability of Data

8.5 The user needs to have thorough knowledge of the operating system used by the entity being reviewed.
He/ She needs to have a detailed knowledge of the application system being reviewed to identify the best possible data source and data format for each objective being reviewed. The user needs to engage in a meaningful discussion with the IT personnel of the entity. At times it makes sense to have an intermediary accompany the user. The intermediary should be a member with a good grasp of both audit and IT fundamentals, such as an IT Auditor/ Functional Group Member/ Bank Reports Group Member. This meeting with the IT personnel needs to be undertaken formally with a clear written agenda and with space for the IT personnel’s response. Any format can be followed which is convenient to the user team so long as consistency of the approach document is always maintained.

The Flow of Data in the System
8.6 The user needs to obtain from the entity Accounting Hand Books/ Process Manuals, Operational Process Flow Charts, etc., to have a clear understanding of details such as the transaction files and master files affecting a given lot of transactions. These flow charts need to be documented with the user and clear notes should be placed on the nature of data within the system. The approach document in terms of data identification, transfer, access and import from the auditee application System needs to be charted and buy-in should be obtained from the auditee, System Vendor, Database Administrator (DBA), User Wing and Top Management. This documentation will help the user in the current engagement as well as future cyclical engagements.

Identifying the File for Interrogation
8.7 The user must aim at selecting files which are closer to the raw data or initial input file. The study done by the user in the preceding stage will assist and facilitate in identification of such files. The user may choose to liaise with the Application Vendor or DBA to identify appropriate data files.
This liaison may be done through email, written documents or in person, but never orally. When sending a request through email always insist on a read receipt acknowledgement. The reader will prefer a combined request to piecemeal requests, which can be annoying and time consuming. The user must know, for example, when to use a detailed transaction file, a summarized version of a file, a table directly from the database or a customer master file.

Specifying the Information Required for the CAAT
8.8 Once the right file has been identified, it may contain information not required for the audit. At this stage it is prudent for the user to seek specific fields for his review. This has performance benefits for the user, as the file import is faster with specific fields than with all fields from the file. For example, a Data Table with 40 Million rows and 25 fields will take around x minutes for import within IDEA. The same table with 5-10 relevant fields will get done much faster.

If the information to be sourced is not in the ideal format or key information is missing, it may be necessary to liaise with the IT personnel to arrange some form of file manipulation, such as an embedded audit module or a file manipulation program, to produce the data in a more useful format. This request to IT has to be done in writing. For example, the Balancing Reports of Letter of Credit, Guarantees and Bills – customer wise, type wise, age wise – are complex to generate within IDEA. These reports are ordinarily available in the Bank’s Report Group Suite, such as Business Objects. It is prudent to source the Balancing Reports from Business Objects in such a case.

File Download and Conversion
8.9 Once the data is readied, it may be placed on the User’s PC, or it may be placed on a shared audit folder on the Local Area Network.
If the data is not too large it can be sent through group office mail or even through secondary storage devices like CDs and Pen Drives. Data transfer should always be accompanied by a virus scan. The user upon receiving the data must sanitize the data, i.e., clean the data to make it suitable for an IDEA Import compatible format. For example, MS-Excel files should be cleaned – the first row should reflect the header row, there should be no blanks in the data grid, and there should be no repeating header or footer rows in the data grid. Once the data is finally readied the user can deploy the best technique within the Tool for Data Import. For example, MS-Excel for Excel Files from Business Objects/ SQL, Text for Comma Separated Value Files from Business Objects, Report Reader for Print Files from Crystal reports, ODBC for Data Tables from the ERP or Core Banking System Application Database and more.

8.10 The user may initiate further technical liaison in writing with the IT to improve the file layout – record layout for future. This usually occurs when the entity changes its Enterprise Resource Planning (ERP) or Core Banking System or migrates to a contemporary version of the application.

Who or What can help in Data Identification
8.11 The user needs to identify the right resource from the IT Section and Audit Section for the data analysis project. This identification can be done by seeking assistance from the Reports Group and the Heads of IT and Audit respectively. The criteria for selection, such as knowledge of data, knowledge of file formats, cross sectional knowledge of functions and more, should be documented by the user. These criteria need to be provided to the DBA, IT Head and Audit Head while making the selection.

Specimen Format of a Data Indent – Bank Data Analysis Software Audit
8.12 The following is a specimen format for bank data analysis software audit:

To – Ms. ABC (DBA)
From – PQR (Audit Team Lead)
Date – 15th February, 2012
Subject – Data Request for review of ‘Transactions on Newly Opened Current Saving Accounts (CASA)’

Pursuant to our recent meeting with respect to our planned audit of CASA, using IDEA Data Analysis Software, we would like to arrange for download of the attached data files and fields to the FTP Server set up for this purpose.

This review involves the audit of Transactions on Newly Opened Current Saving Accounts (CASA) in the following entities: Branch A, B, C and D.

We understand your office can provide information for the following areas: ‘Branch Transactions and Customer Account Masters’. Since this is an enterprise-wide review, we will be requesting similar data from Zonal Officers P, Q, R and S.

We request that each of the above entities be forwarded as separate files and that three files be created for each entity, to reflect all transactions captured by the systems for 1st April 2011 to 31st December, 2011.

To meet our planned review objectives and timing, the data must reflect all transactions captured by the system up to and including 31st December, 2011 and for Branches A, B, C and D.

To facilitate our CAAT analysis, the data should be given to us in the form of comma delimited text files and placed in “Data Analysis Audit” on Drive F. Together with the data, please document the file record layouts, including the skip length, if applicable, and record lengths. For each field, document the field name, field start position, field length, data type, and formats of numeric and date items.

We also require documentation of Key control information, including the transaction cut-off date and time, the number of records in the file and control totals of numeric fields where applicable.

This represents our initial data request associated with this audit.
We anticipate that subsequent data requests may be necessary, but we will endeavour to keep these requests to a minimum, in consideration of your time and resources.

We appreciate your assistance with data access, and look forward to working with you during the course of our audit.

Kindly submit the requested electronic data no later than 20th February, 2012.

If you have any questions please do not hesitate to contact me on 123456789.

Specimen Format of a Data Analysis Software Working Paper
8.13 The following is a specimen format of a data analysis software working paper:

CAATs Working Paper Format
(Client Name)
1. Client and Location – ABC Bank Ltd
2. Review Period – As on 01/03/2012
3. Audit Area – High Value Transactions on Newly Opened CASA Accounts
4. Team Leader and Team Members – PQR
5. Audit Checklist Reference – Bank Branch/Concurrent Audit/11-12/Branch Operations
6. Audit Checklist Item Number – 14
7. Audit Objective (List in Detail) – Transactions greater than 1 Lac on newly opened CASA accounts within 6 months of opening.
8. Data Identified and Gathered -
   Nature of Data – Branch Transactions and Customer Account Masters
   Source of Data – Finacle – DBA Ms. ABC
   Format of Data – Comma Text Delimited
   Relevant Fields – CUST ID, ACCOUNT ID, TXN NO, TXN DATE, AC OPEN DATE, DEBIT, CREDIT, CUST NAME, ACCOUNT TYPE, TOTAL TXN VALUE, and PAN NO
9. Input Reconciliation of Data Imported – Record count and numeric total of field ‘TOTAL TXN VALUE’ reconciled between IDEA v8.5 and Comma Text Delimited file and found correct.
10. Tests performed in IDEA – Data – Extractions – Direct Extraction with criteria @age(@date(), AC OPEN DATE)>180 .AND. TOTAL TXN VALUE > 100000
11. Results obtained – YES. Exported to MS-Excel
12. Conclusions and Recommendations – Result file sent to Auditee Mr. Brown on 21.02.2012 by email on his email id brown@abcbank.com
13. Auditee Feedback – Feedback received on 23.02.2012 attesting to and accepting data analytical tool findings. Non-compliances accepted.
14. Learnings – 50 entries out of 5000 entries had blank AC OPEN DATE. This created false positives in the results obtained which were brought to our attention post use of IDEA Software. We have asked the auditee to populate the 50 blank cells with valid account opening dates from the account opening forms and resubmit for fresh data analysis by 24.02.2012.

Chapter 9
Challenges while Implementing Data Analytics

9.1 Embarking on an increased focus on data analysis using technology will likely have obstacles and challenges. The most common obstacles include underestimating the effort required to implement correctly, lack of Senior Management and Audit Committee support, lack of sufficient understanding of the data and what it means, and the need to develop expertise to appropriately evaluate the exceptions and anomalies observed in the analysis. These and other obstacles are best addressed through a well thought out plan that commits sufficient resources and time.

9.2 A few recommendations to ensure that any implementation of a data analysis project is done with maximum benefit and least cost are:
(i) Align your overall data analysis strategy with your risk assessment process, current audit plans and long-term audit goals and objectives.
(ii) Manage your data analysis initiative like a program, focusing on your desired end-state of maturity.
(iii) Develop a uniform set of analytic practices and procedures across assessment functions.
(iv) Assign responsibility for data management, quality assurance and other key roles.
(v) Document and/or comment scripted analytics to record the intent and context of the analysis being automated.
(vi) Review and test analytics being used to ensure the results being generated are accurate and appropriate for the audit step being run.
(vii) Establish a peer review or supervisory review process of analytics performed to safeguard against the reliance on results generated from using incorrect logic or formulas during analysis.
(viii) Standardize procedures and tests in a central and secure repository.
(ix) Safeguard source data from modification/ corruption – either through the type of technology being used to conduct the analysis or by analysing back-up data or mirrored data for audit purposes.
(x) Address the potential impact of the analysis on production systems, either by scheduling analysis at off peak times or by using back-up or mirrored data.
(xi) Educate staff on how to interpret the results of the analysis performed.
(xii) Treat training as a continuous process, measured by on-going growth and continuous development of capabilities.
(xiii) Aim for constant improvement through leveraged use of data analysis software as analytics evolve over time.

Chapter 10
Application of CAATs to Bank Audit

Practical Case Studies on Audit of Term Deposits

Introduction
10.1 Term Deposits are deposits repayable after the expiry of a certain period. They are considered time liabilities of any bank. Term Deposits include fixed deposits, cumulative and recurring deposits, cash certificates, certificates of deposits, annuity deposits, deposits mobilized under various schemes, ordinary staff deposits, foreign currency non-resident deposit accounts, etc. The internal auditor should satisfy himself, through the use of IDEA Data Analysis Software, that controls are in place and working as intended on acceptance of deposits, renewal of deposits, premature closure of deposits, maturity payment of deposits, and interest computation.

10.2 Banks also hold deposits designated in foreign currency e.g., foreign currency non-resident deposits.
The auditor should examine whether internal instructions for reporting acceptance of such deposits to the RBI have been complied with. It should also be examined whether the bank has taken steps to ensure that it does not have to bear any loss arising out of exchange fluctuations between the date of acceptance of deposit and the date of its repayment.

10.3 Term Deposit Master Files normally contain the following fields:
• Term Deposit Account Number
• Deposit Certificate Number
• Deposit Line Number
• Currency Code
• Customer ID
• Customer Name
• Product Code
• Deposit Start Date
• Deposit Value Date
• Tenor
• Maturity Date
• Deposit Rate of Interest (ROI)
• Principal
• Maturity Value
• Deposit Closure Date
• Closure Rate of Interest
• Deposit Status.

Term Deposits Prematurely Closed, Interest Paid at Deposit Rate
10.4 When term deposits are prematurely closed, interest on closure is normally paid at the deposit rate for the period run less penal interest. The penal interest varies from Bank to Bank and Deposit to Deposit. The closure Rate of Interest is a computed field and is normally not available as a native field within the database. The application system vendors should create such a field in the database, which gets populated once a deposit is prematurely withdrawn and is otherwise blank. This computed field is very critical to the process within IDEA.

A term deposit may be renewed more than once, in which case a single term deposit account number will have multiple line entries and records, which are represented by the Deposit Line Number in the database. Depending on the scope of review, the IDEA user may consider all the renewals, i.e. all the line items, or just the last renewal using Top Records Extraction within IDEA.

The IDEA user extracts a list of cases where deposit closure date is before maturity date (i.e. premature closures) and closure Rate of Interest is equal to zero.
This would mean that the bank has paid the deposit holder the deposit ROI rather than the premature closure ROI, which is a clear violation of internal rules. On arriving at a list of exceptions the IDEA user may perform a summarization of interest paid on closure for such violations so as to put a monetary value to the exception.

Term Deposits Closed within 15 days of Opening, Interest Paid
10.5 Where term deposits are prematurely closed before the maturity date and within 15 days of the account opening date, no interest should be paid on such deposits. Here the IDEA user creates a computed field within IDEA to reflect the difference in days between the Deposit Start Date and Deposit Closure Date. This test is conducted line item wise. Furthermore, an extraction is performed within IDEA using Top Records Extraction to cull out latest Term Deposit Accounts where Difference in Days, i.e., the computed field, is less than 15 and Closure Interest is not zero.

In one of the recent Reserve Bank inspections, the inspection team used IDEA to detect substantial interest payments to directors of the private sector bank even though their deposits had been prematurely closed within 15 days of opening. In fact, in a very serious violation of rules, a single director had opened and closed deposits to the tune of 1 million within a single day and interest had been paid on such deposits.

Term Deposits Accepted for a Tenor Greater than 10 Years
10.6 In line with the RBI Guidelines, Banks are not allowed to issue Term Deposits for a term in excess of 10 years. The field “Tenor” in the Term Deposit Master file is maintained in months in this case. The IDEA user is required to perform an extraction on the Term Deposit Master file with the criteria tenor is greater than 120 (i.e. 10 years * 12 Months).
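The extractions described in 10.4 to 10.6, preceded by the input reconciliation and the blank-date handling recorded in the working paper at 8.13, can be expressed outside IDEA as follows. This Python script is an added example and is not IDEA code or part of the Guide; the column names, the closure_interest column and the sample records are constructed assumptions.

```python
import csv
import io
from datetime import datetime
from decimal import Decimal

# Constructed sample extract (not real bank data). Column names are assumptions
# modelled on the Term Deposit Master fields listed in 10.3; closure_interest
# is an assumed column holding the interest amount paid on closure.
SAMPLE_CSV = """\
td_account,line_no,start_date,maturity_date,tenor_months,principal,closure_date,closure_roi,closure_interest,status
TD001,1,2011-04-01,2012-04-01,12,100000,2011-10-01,0,4500,CLOSED
TD002,1,2011-05-10,2012-05-10,12,250000,2011-05-20,6.5,445,CLOSED
TD003,1,2011-06-01,2023-06-01,144,50000,,,,OPEN
TD004,1,2011-07-01,2012-07-01,12,75000,2011-12-01,7.0,2187,CLOSED
TD005,1,,2012-08-01,12,60000,2011-08-05,0,120,CLOSED
TD006,1,2011-09-01,2012-09-01,12,90000,2012-09-01,0,8100,CLOSED
"""

# Control information as the data owner would document it (constructed values).
CONTROL = {"record_count": 6, "principal_total": Decimal("625000")}


def parse_date(text):
    """Return a date, or None when the cell is blank or malformed."""
    try:
        return datetime.strptime(text.strip(), "%Y-%m-%d").date()
    except (ValueError, AttributeError):
        return None


def load_master(csv_text):
    """Read the comma delimited extract into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def reconcile(rows, control):
    """Input reconciliation: record count and control total must both agree."""
    total = sum(Decimal(r["principal"]) for r in rows)
    return (len(rows) == control["record_count"]
            and total == control["principal_total"])


def run_tests(rows):
    """Apply the 10.4, 10.5 and 10.6 extractions line item wise."""
    findings = {
        "quarantined": [],
        "premature_at_deposit_rate": [],
        "closed_within_15_days_interest_paid": [],
        "tenor_over_120_months": [],
    }
    interest_at_risk = Decimal("0")
    for r in rows:
        acct = r["td_account"]
        start = parse_date(r["start_date"])
        maturity = parse_date(r["maturity_date"])
        closed = parse_date(r["closure_date"])
        # Blank or malformed dates would distort the date arithmetic, so such
        # records are set aside for the auditee to correct and are not tested.
        if start is None or maturity is None or (
                r["status"] == "CLOSED" and closed is None):
            findings["quarantined"].append(acct)
            continue
        # 10.6: tenor held in months must not exceed 120 (10 years * 12 months).
        if int(r["tenor_months"]) > 120:
            findings["tenor_over_120_months"].append(acct)
        if closed is None or closed >= maturity:
            continue  # open, or closed on/after maturity: not premature
        # Assumption of this example: a blank closure ROI is treated as zero.
        closure_roi = Decimal(r["closure_roi"] or "0")
        closure_interest = Decimal(r["closure_interest"] or "0")
        # 10.4: premature closure where the closure ROI equals zero.
        if closure_roi == 0:
            findings["premature_at_deposit_rate"].append(acct)
            interest_at_risk += closure_interest
        # 10.5: closed within 15 days of the start date, yet interest was paid.
        if (closed - start).days < 15 and closure_interest != 0:
            findings["closed_within_15_days_interest_paid"].append(acct)
    return findings, interest_at_risk


if __name__ == "__main__":
    master = load_master(SAMPLE_CSV)
    if not reconcile(master, CONTROL):
        raise SystemExit("Import does not reconcile to the control totals")
    results, at_risk = run_tests(master)
    for test, accounts in results.items():
        print(f"{test}: {accounts}")
    print(f"interest paid on 10.4 exceptions: {at_risk}")
```

Record TD005 has a blank start date and is quarantined rather than tested, which is the situation the Learnings entry of the specimen working paper describes for blank AC OPEN DATE cells.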
At times the tenor is maintained in days, in which case a complex equation like the one below will have to be written to cater to day approximations.

    (@age(dat_maturity_date,dat_value_date_date) / 365 > 10 ) .AND. (@day(dat_maturity_date) <> @day(dat_value_date_date)) .AND. (@month(dat_maturity_date) <> @month(dat_value_date_date))

Normally, the banks’ systems are configured to prohibit this non-compliance through Core Banking System Internal Checks. Seldom will you encounter an exception on this control assertion.

Term Deposit Accounts Opened Subsequent to Value Date
10.7 Term Deposits when opened affect two date fields within the system – Deposit Start Date and Deposit Value Date. When a deposit-holder opens a deposit for the first time, the deposit start date and deposit value date will ordinarily be almost the same date. A renewal of a deposit is treated differently. Say the maturity date of the earlier deposit is 30.06.09 and renewal is done on 12.07.09, i.e. within 15 days of the earlier maturity date: the start date of the new deposit will be 01.07.09 but the value date will be 12.07.09, and interest will accrue on the renewed deposit from 01.07.09. On the other hand, say the maturity date of the earlier deposit is 10.06.09 and renewal is done on 12.07.09, i.e. more than 15 days after the earlier maturity date: the start date of the new deposit will be 12.07.09 and the value date will also be 12.07.09, and interest will accrue on the renewed deposit from 12.07.09.

From the above one may notice that the start date will always precede the value date or be equal to the value date, but it should not be greater than the value date. The auditor can test such control point failures by extracting deposit accounts where the value date is earlier than the start date.

Term Deposits where Maturity Proceeds Above Rs. 20,000 are Paid in Cash
10.8 Term Deposits where the maturity amount is greater than Rs. 20,000 must be settled through an account transfer or cheque or pay order but not through cash. Payment in cash is a violation of the Income Tax Act and Rules and normally is a reportable finding in Bank Tax Audits.

The IDEA user must proceed to identify term deposits where the deposit status is closed and closure amount paid is greater than Rs. 20,000/-. Armed with this information, the auditor needs to perform a look up on the Term Deposit Account Ledger through Account Number. Once the file is combined the user must identify general ledger codes in the TD Ledger which represent cash codes for the Bank. Term Deposit maturity payments in cash over Rs. 20,000/- are tantamount to an exception and a statutory compliance violation.

Identifying Irregular Recurring Deposits during the Review Period
10.9 Where a recurring deposit installment is not paid on time and when the number of delayed installment payments is more than 4 in a given period, this RD is treated as irregular. Where a recurring deposit installment is not paid on time and when the number of delayed installment payments is more than 4 in continuation for a given period, this RD is treated as discontinued.

The auditor adds a computed field to the RD INSTALLMENT TRANSACTION FILE where, installment line wise, a flag (e.g. “YES”) is placed in the new computed field if the installment paid date is greater than the maturity date. If the payments are within the maturity date a flag “NO” is placed in the computed cell. This test can be performed through an @IF function within IDEA. The auditor proceeds to sum up the count of “YES” flags in the file against each RD account for a given review period through IDEA’s SUMMARIZATION function. If the count exceeds 4 the auditor extracts such RDs into a separate file called irregular RDs.

Missing Term Deposit Certificates
10.10 The auditor is bound to check serial control on Term Deposit Receipt generation.
Special attention needs to be paid to Lost Receipts, Cancelled Receipts, Duplicate Receipts Generated and Issued and more, since they affect the monetary interest of the Bank directly. The Term Deposit Account Master file contains the Deposit Certificate Number. The IDEA user can run a GAP DETECTION on the above file, on the Deposit Certificate Number field, for OPEN Term Deposits only. Missing certificate numbers need to be taken up for close scrutiny with the Physical Register for Term Deposit Maintenance. For instance, lost TD Receipts can only be secured / administered through a formal process of indemnity by the deposit holder on notarized stamp paper. Through the process of GAP DETECTION the auditor will get an inventory of missing receipts (some lost), for which he can check the record of the indemnity submissions at the Bank.

Practical Case Studies on Revenue Assurance

Introduction
10.11 Section 30 of the Banking Regulation Act, 1949 requires the auditor of a banking company to state whether the profit and loss account shows a true balance of profit and loss for the period covered by such account. Similar provisions exist in the Banking Companies (Acquisition and Transfer of Undertakings) Acts of 1970 and 1980 which are applicable in respect of nationalized banks.

10.12 The profit and loss account as set out in Form B of the Third Schedule to the Act has three broad heads: income, expenditure and appropriations. Interest/ discount on advances/bills and Interest on Deposits form a valuable component of Income. The auditor should, on a test basis, check the rates of interest etc. with sanctions and agreements and the calculation of interest. He should examine with the aid of CAATs whether:
• Interest has been charged on all performing accounts up to the date of the balance sheet. According to the guidelines for income recognition, asset classification etc., issued by the Reserve Bank of India, a bank cannot take to income unrealized interest on any non-performing advance;
• Discount on bills outstanding on the date of the balance sheet has been properly apportioned between the current year and the following year;
• Interest on inter-branch balances has been eliminated in the consolidated profit and loss account of the bank; and
• Any interest subsidy received (or receivable) from the Reserve Bank of India in respect of advances made at concessional rates of interest is correctly computed.

10.13 The CAAT auditor may also co-relate the interest on advances/deposits with the amount of advances/deposits outstanding using advanced statistical functions like Correlation. The following items under Income category can be checked with the aid of CAATs:
• Commission on bills for collection.
• Commission/exchange on remittances and transfers.
• Commission on letters of credit and guarantees.
• Brokerage on securities.
• Earnings on exchange transactions.
• Earnings on sale of investments.
• Earnings on sale of Fixed Assets.

Practical Case Studies – Illustrations

Account Maintenance
10.14 The following are important aspects:

Risk - Non-recovery of Service Charges on non-maintenance of minimum balance in Saving and Current accounts.

Risk Description - Saving and Current accountholders need to mandatorily maintain a minimum quarterly balance in their accounts. The minimum balance to be maintained depends upon the type of account (Saving General, Current etc.), type of customer (Individual, Staff, Pensioner, Corporate Salary Account etc.), cheque book issue status (issued, not issued) and type of branch (urban, rural etc.).
The minimum balance required to be maintained by each account holder is entered in the Core Banking System by the Branch under the field “minimum balance required” in the CASA Master. Since this activity is performed at the Branch level and not the Central IT level, it may be subject to branch errors of commission. Non-maintenance of the required minimum balance attracts a system levied service charge. Once again, this service charge may be waived by the Branch at the account level, with due permission (in case of dormant accounts for instance) or possibly with certain mal-intentions, by applying a flag “N” in the field “SC MIN BAL FLAG” in the CASA Master. The Bank Auditor must verify the accuracy of both the “minimum balance required” and “SC MIN BAL” to be maintained in the CASA Master.

Procedure within IDEA
10.15 The following procedure may be applied:

(i) Open the CASA Master within IDEA.

(ii) SAVING ACCOUNT WITH CHEQUE BOOK AND INCORRECT MIN BALANCE REQUIRED TO BE MAINTAINED - Perform Data - Direct Extraction on the CASA Master by applying the command -

    (@list(product code, "SB GEN") .AND. chequebook issued flag = "Y" .AND. @nomatch(customer type code, "STAFF", "EX STAFF", "PENSIONER") .AND. minimum balance required <> 1000)

This report will provide a list of all Saving accounts (other than NRE) that are not STAFF, EX-STAFF or PENSIONER, that have a cheque book facility and where the minimum balance required to be maintained in the account as per the system is other than Rs. 1000. Rs. 1000 is defined by the Bank Policy.

(iii) SAVING ACCOUNT WITHOUT CHEQUE BOOK AND INCORRECT MIN BALANCE REQUIRED TO BE MAINTAINED - Perform Data - Direct Extraction on the CASA Master by applying the command -

    (@list(product code, "SB GEN") .AND. chequebook issued flag = "N" .AND. @nomatch(customer type code, "STAFF", "EX STAFF", "PENSIONER") .AND. minimum balance required <> 500)
This report will provide a list of all Saving accounts (other than NRE) that are not STAFF, EX-STAFF or PENSIONER, that have no cheque book facility and where the minimum balance required to be maintained in the account as per the system is other than Rs. 500. Rs. 500 is defined by the Bank Policy.

(iv) CURRENT ACCOUNT WITH CHEQUE BOOK AND INCORRECT MIN BALANCE REQUIRED TO BE MAINTAINED - Perform Data - Direct Extraction on the CASA Master by applying the command -

    (@list(product code, "CURRENT") .AND. chequebook issued flag = "Y" .AND. minimum balance required <> 5000)

This report will provide a list of all Current accounts having a cheque book facility and where the minimum balance required to be maintained in the account as per the system is other than Rs. 5000. Rs. 5000/- is defined by the Bank Policy.

(v) CASA ACCOUNTS WHERE MINIMUM BALANCE SERVICE CHARGES NOT RECOVERED - Perform Data – Direct Extraction on the child files generated above at Step 1, 2, 3 and 4 by applying the command –

    SC MIN BAL FLAG = "N"

This report will provide a list of all Saving and Current accounts where the minimum balance required to be maintained is other than the policy and the system is not applying service charges for non-maintenance of minimum balance.

Transaction Maintenance
10.16 The following are important aspects:

Risk - Non-recovery of Folio Charges on Saving accounts.

Risk Description - Folio charges are to be recovered in case of Saving accounts having withdrawals in excess of 50 numbers/lines per half year. The charges per withdrawal in excess of 50 may differ from Bank to Bank and type of Saving account.

Procedure within IDEA
10.17 The following are procedures that may be applied:

(i) Open the CASA Ledger within IDEA.

(ii) SAVING ACCOUNT WITH WITHDRAWALS FOR HALF YEAR - Perform Data - Direct Extraction on the CASA Ledger by applying the command -

    (@isini("SAVING", product name) .AND. @list(tran code, 1001, 6101, 1006, 1013) .AND. @betweendate(tran date, "20080401", "20080930"))

This intermediate report will provide a list of all withdrawals through cash (1001), cheque (6101), debit funds transfer (1006) for all Saving accounts for the half year transaction period April 2008 to September 2008.

(iii) SAVING ACCOUNTS WITH CUMULATIVE WITHDRAWALS FOR HALF YEAR - Perform Analysis - Summarization on the above intermediate report. “Fields to Summarize” to be selected from drop down field list as “account number”. This intermediate report will provide an account wise summary of all withdrawals - cash, cheque, debit funds transfer - for all SAVING accounts for the transaction period April 08 to September 08, along with the number of withdrawals (i.e. entries).

(iv) COMPUTATION OF SERVICE CHARGES - Perform - Data - Field Manipulation - Append - Virtual Numeric field having name “Service Charges” to the intermediate report generated at Step 3 above. Enter the command no_of_recs * 1 in the parameter. This new field will provide Service Charges (Folio Charges) to be recovered from the account holder towards excess withdrawals over 50 entries.

(v) IDENTIFYING SAVING ACCOUNTS WITH WITHDRAWALS IN EXCESS OF 50 - Perform Data - Direct Extraction on the intermediate report generated at Step 4 above by applying the command -

    (no_of_recs > 50)

This final report will provide all SAVINGS accounts where half yearly withdrawals are greater than 50 entries, along with Service Charges to be recovered. These cases can be checked physically with the Statement of Accounts for the relevant Saving accounts in the final report for recovery of folio charges and the accuracy of charges recovered.

Cheque Maintenance
10.18 The following are important aspects:

Risk - Non-recovery of Cheque Book Issue Charges on Saving accounts.

Risk Description - Cheque Book issue charges are to be recovered in case of Saving accounts having cheque leaves issued in excess of 60 numbers per year.
The charges per cheque leaf issued in excess of 60 may differ from Bank to Bank and type of Saving account.

Procedure within IDEA
10.19 The following procedure may be applied:

(i) Open the Cheque Report within IDEA.

(ii) SAVING ACCOUNTS WITH CHEQUES ISSUED DURING ANY YEAR - Perform Data - Direct Extraction on the Cheque Report by applying the command -

    (@isini("SAVING", product name) .AND. @betweendate(cheque issue date, "20080101", "20081231") .AND. cheque leaves > 60 .AND. .NOT. @isini("staff", product name))

This intermediate report will provide a list of all cheque leaves issued in excess of 60 leaves for SAVING NON STAFF accounts in the transaction period of January 2008 to December 2008.

(iii) COMPUTATION OF CHEQUE ISSUE CHARGES - Perform - Data - Field Manipulation - Append - Virtual Numeric field having name “Cheque Issue Charges Savings” to the intermediate report generated at Step 2 above. Enter the command (cheque leaves-60) * 2. This new field will provide Cheque Issue Charges to be recovered from the account holder.

(iv) CHEQUE BOOK ISSUE CHARGES RECOVERED DURING ANY YEAR - Perform Data - Direct Extraction on the CASA Ledger by applying the command -

    (tran descp = "SC For Cheque Book Issue" .AND. @isini("SAVING", product name))

This intermediate report will provide a list of transactions on SAVING accounts where service charges for cheque book delivery have been recovered.

(v) CHEQUE BOOK ISSUE CHARGES NOT RECOVERED DURING ANY YEAR – Perform - File - Join - select the intermediate report generated in Step 2 above as the Primary File. Select the intermediate report generated in Step 4 above as the Secondary File. Click on Match. Match the two files on matching key – “account number” in Primary file and “account number” in Secondary file. Use the Join condition "Records with no Secondary Match".
This final report will provide a list of SAVING accounts where cheque leaves issued in any year are more than 60 (annual free cheque leaves entitlement) and cheque book issue charges have not been recovered.

10.20 The following are important aspects:

Risk - Non-recovery of Cheque Book Issue Charges on Current accounts.

Risk Description - Cheque Book issue charges are to be recovered in case of all cheques issued to Current account holders. The charges per cheque leaf issued may differ from Bank to Bank.

Procedure within IDEA

10.21 The following procedure may be applied:

(i) Open the Cheque Report within IDEA.

(ii) CURRENT ACCOUNTS WITH CHEQUES ISSUED DURING ANY YEAR - Perform Data - Direct Extraction on the Cheque Report by applying the command -

(@isini("CURRENT", product name) .AND. @betweendate(cheque issue date, "20080101", "20081231"))

This intermediate report will provide a list of all cheque leaves issued to CURRENT accounts in the transaction period of January 2008 to December 2008.

(iii) COMPUTATION OF CHEQUE ISSUE CHARGES - Perform - Data - Field Manipulation - Append - Virtual Numeric field having name “Cheque Issue Charges Current” to the intermediate report generated at Step 2 above. Enter the command (cheque leaves) * 2. This new field will provide Cheque Issue Charges to be recovered from the account holder.

(iv) CHEQUE BOOK ISSUE CHARGES RECOVERED DURING ANY YEAR - Perform Data - Direct Extraction on the CASA Ledger by applying the command -

(tran descp = "SC For Cheque Book Issue" .AND. @isini("CURRENT", product name))

This intermediate report will provide a list of transactions on CURRENT accounts where service charges for cheque book delivery have been recovered.

(v) CHEQUE BOOK ISSUE CHARGES NOT RECOVERED DURING ANY YEAR – Perform - File - Join - select the intermediate report generated in Step 2 above as the Primary File.
Select the intermediate report generated in Step 4 above as the Secondary File. Click on Match. Match the two files on matching key – “account number” in Primary file and “account number” in Secondary file. Use the Join condition "Records with no Secondary Match". This final report will provide a list of CURRENT accounts where cheque leaves are issued in any year and cheque book issue charges have not been recovered.

10.22 The following are important aspects:

Risk - Non-recovery of Stop Payment Charges on Cheques Stopped for Payment.

Risk Description - Stop Payment charges are to be recovered in case of all cheques stopped for payment in Savings accounts. Stop Payment charges vary between Banks. Reserve Bank of India has instructed Commercial Banks in India to rationalize and maintain reasonableness in the levy of such charges.

Procedure within IDEA

10.23 The following procedure may be applied:

(i) Open the CASA Ledger within IDEA.

(ii) SAVING ACCOUNTS WITH CHEQUE STOP PAYMENT CHARGES - Perform Data - Direct Extraction on the CASA Ledger by applying the command -

(@isini("stop", tran descp) .AND. @isini("SAVING", product name) .AND. staff flag = "N" .AND. customer type name = "INDIVIDUAL")

This intermediate report will provide a list of all INDIVIDUAL SAVING NON STAFF accounts where the transaction narration contains the word 'STOP'. This report will display a list of all stop payment charges recovered from the customer through the CASA Ledger.

(iii) Open the Stop Cheque Report file within IDEA.

(iv) STOP PAYMENT INSTRUCTIONS ISSUED on SAVINGS ACCOUNTS - Perform Data - Direct Extraction on the Stop Cheque Report by applying the command -

(cheque status flag = "S" .AND. @isini("SAVING", product name) .AND. staff flag = "N" .AND. @betweendate(stop date, "20080101", "20081231"))

This intermediate report will provide a list of all cheque stop payment instructions issued on SAVINGS NON STAFF accounts in the transaction period of January 2008 to December 2008. This query can be modified to any annual review period.

(v) CHEQUE STOP CHARGES NOT RECOVERED DURING ANY YEAR – Perform - File - Join - select the intermediate report generated in Step 4 above as the Primary File. Select the intermediate report generated in Step 2 above as the Secondary File. Click on Match. Match the two files on matching key – “account number” in Primary file and “account number” in Secondary file. Use the Join condition "Records with no Secondary Match". This final report will provide a list of SAVING NON STAFF accounts where stop payment instructions are issued in any year and cheque stop payment charges have not been recovered. This objective can be suitably modified to check stop payment charges for CURRENT, OVERDRAFT, and CASH CREDIT accounts too.

(vi) CHEQUE STOP CHARGES NOT CORRECTLY RECOVERED DURING ANY YEAR – Perform - File - Join - select the intermediate report generated in Step 4 above as the Primary File. Select the intermediate report generated in Step 2 above as the Secondary File. Click on Match. Match the two files on matching key – “account number” in Primary file and “account number” in Secondary file. Use the Join condition "Matches Only". This final report will provide a list of all SAVINGS NON STAFF accounts where stop payment instructions have been issued and stop charges have been recovered. These cases need to be checked physically by the auditor for accuracy of recovery of stop charges.

Temporary Overdraft Interest Charges

10.24 Non recovery of interest on Temporary Overdrafts (TODs) granted to Saving Accounts.
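The two joins of the stop payment procedure in 10.23, written in Python as an added example that is not part of the guide. The sample rows, the product code 201 and the helper names are constructed; the last function goes beyond the text by comparing the number of charge entries with the number of stop instructions per account, which narrows the "Matches Only" list before it is checked physically.

```python
from collections import Counter
from datetime import date


def isini(needle, text):
    """Case-insensitive 'contains' test, standing in for IDEA's @isini."""
    return needle.lower() in text.lower()


def stop_charges(ledger):
    """Step (ii): charge entries on individual, non-staff SAVING accounts."""
    return [r for r in ledger
            if isini("stop", r["tran descp"])
            and isini("SAVING", r["product name"])
            and r["staff flag"] == "N"
            and r["customer type name"] == "INDIVIDUAL"]


def stop_instructions(report, start, end):
    """Step (iv): stop instructions on non-staff SAVING accounts in the period."""
    return [r for r in report
            if r["cheque status flag"] == "S"
            and isini("SAVING", r["product name"])
            and r["staff flag"] == "N"
            and start <= r["stop date"] <= end]


def join_on_account(primary, secondary):
    """Steps (v) and (vi): primary rows without and with a secondary match."""
    keys = {r["account number"] for r in secondary}
    no_match = [r for r in primary if r["account number"] not in keys]
    matches = [r for r in primary if r["account number"] in keys]
    return no_match, matches


def charge_count_shortfall(instructions, charges):
    """Extension: matched accounts with fewer charge entries than instructions."""
    issued = Counter(r["account number"] for r in instructions)
    recovered = Counter(r["account number"] for r in charges)
    return {acct: (n, recovered[acct])
            for acct, n in issued.items() if 0 < recovered[acct] < n}


def report_row(acct, product, staff, stop_date):
    return {"account number": acct, "product name": product,
            "staff flag": staff, "stop date": stop_date,
            "cheque status flag": "S"}


def ledger_row(acct, descp, product="SAVING GENERAL", staff="N"):
    return {"account number": acct, "tran descp": descp,
            "product name": product, "staff flag": staff,
            "customer type name": "INDIVIDUAL"}


# Constructed sample data. Account numbers follow the 12-digit layout given
# in the guide (4 branch, 3 product, 5 account); 201 is a made-up code.
STOP_CHEQUE_REPORT = [
    report_row("000110100001", "SAVING GENERAL", "N", date(2008, 2, 11)),
    report_row("000110100002", "SAVING GENERAL", "N", date(2008, 3, 5)),
    report_row("000110100002", "SAVING GENERAL", "N", date(2008, 9, 19)),
    report_row("000110100003", "SAVING GENERAL", "N", date(2008, 6, 30)),
    report_row("000110100004", "SAVING STAFF", "Y", date(2008, 7, 1)),
    report_row("000110100005", "SAVING GENERAL", "N", date(2007, 12, 30)),
    report_row("000120100006", "CURRENT", "N", date(2008, 5, 2)),
]
CASA_LEDGER = [
    ledger_row("000110100001", "Stop Payment Charges"),
    ledger_row("000110100002", "STOP PAYMENT CHARGES"),
    ledger_row("000110100003", "SC For Cheque Book Issue"),
    ledger_row("000110100004", "Stop Payment Charges", "SAVING STAFF", "Y"),
    ledger_row("000110100005", "Stop Payment Charges"),
]


def run_review():
    """Run steps (ii), (iv), (v), (vi) and the extension on the sample data."""
    charges = stop_charges(CASA_LEDGER)
    instructions = stop_instructions(
        STOP_CHEQUE_REPORT, date(2008, 1, 1), date(2008, 12, 31))
    no_match, matches = join_on_account(instructions, charges)
    return no_match, matches, charge_count_shortfall(instructions, charges)


if __name__ == "__main__":
    not_recovered, recovered, shortfall = run_review()
    print("Charges not recovered:", [r["account number"] for r in not_recovered])
    print("Recovered, check amount:", sorted({r["account number"] for r in recovered}))
    print("Fewer charges than instructions:", shortfall)
```

Because the join key is the account number alone, one recovered charge hides every other stop instruction on the same account; the count comparison surfaces those accounts.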
Introduction

10.25 TODs are granted by the Bank to an account holder when the account holder is short of available balance to meet specific payments on his account. The TOD is granted under the assurance by the account holder that the temporary overdraft would be made good through incoming funds in transit. TODs can be System TODs or Adhoc TODs. An accountholder should normally not be granted multiple TODs until earlier TODs are regularized. TODs which are not regularized within the limit end date should be specially taken up for scrutiny. Consistent delay in regularizations on a few accounts should be dealt with strictly through punitive action.

Method within IDEA

10.26 The following method is recommended:

(i) Open CASA TOD Ledger within IDEA.

(ii) SAVING ACCOUNT TOD INSTANCES GRANTED - Perform Data - Direct Extraction on the CASA TOD Ledger by applying the command -

(product name = "SAVING")

(iii) Open CASA ledger within IDEA.

(iv) INTEREST CHARGED on SAVING ACCOUNT TOD INSTANCES - Perform Data - Direct Extraction on the CASA Ledger by applying the command –

(tran code = 5002 .AND. product code = 101)

Tran code 5002 stands for INTEREST DEBITS and PRODUCT CODE 101 stands for SAVING GENERAL accounts.

(v) ACCOUNT SUMMARY LIST OF SAVING TODs – Perform Analysis - Summarization on the intermediate report generated at Step 2. Select ‘account number’ as Fields to Summarize.

(vi) ACCOUNT SUMMARY LIST OF INTEREST CHARGED ON SAVING TODs - Perform Analysis - Summarization on the intermediate report generated at Step 4. Select ‘account number’ as Fields to Summarize.

(vii) INTEREST NOT CHARGED ON SAVINGS TODs GRANTED – Perform - File - Join - select the intermediate report generated in Step 5 above as the Primary File. Select the intermediate report generated in Step 6 above as the Secondary File. Click on Match. Match the two files on matching key – “account number” in Primary file and “account number” in Secondary file.
Use the Join condition "Records With No Secondary Match".

Practical Case Studies on Compliance Review

Introduction

10.27 The importance of internal control in banks cannot be over-emphasised. Banks deal primarily with cash and readily encashable documents. It is essential that they take every precaution to guard themselves against errors and frauds committed by their constituents or by their own employees. The following are the main principles of internal control in a bank:

(a) Every transaction should be checked and authorized by authorized persons before it actually takes place.

(b) Every transaction should be entered in the books before the next transaction is authorized.

(c) The routine procedure should be such as to prevent and detect errors and frauds in the normal course and before interests of the bank are adversely affected.

(d) There should be regular as well as surprise checks by inspectors and internal auditors who should constantly review the working of all departments.

10.28 The Statement on Standard Auditing Practices (SAP) 1, Basic Principles Governing an Audit¹, issued by the Institute of Chartered Accountants of India, states (paragraphs 19-20):

“The auditor should gain an understanding of the accounting system and related internal controls and should study and evaluate the operation of those internal controls upon which he wishes to rely in determining the nature, timing and extent of other audit procedures. Where the auditor concludes that he can rely on certain internal controls, his substantive procedures would normally be less extensive than would otherwise be required and may also differ as to their nature and timing.”

Internal control evaluation is a key phase in Compliance Audits. In the case of audit of banks, it assumes even greater importance due to the enormous volume of transactions entered into by banks. Evaluation of the design and operation of internal control system enables the auditor of a bank to perform more effective audits. Therefore, the auditor of a bank should study and evaluate the design and operation of internal controls. This would assist him in determining the nature, timing and extent of substantive procedures in various mainstream bank areas, depending upon whether the internal controls are adequate and observed in practice. CAATs facilitate the Internal Control evaluation through deployment of comprehensive analytical routines to detect control failures and missing controls.

¹ Refer SA 200 (Revised), “Overall objectives of the Independent Auditor and the Conduct of an Audit in Accordance with Standards on Auditing”.

Introduction of Current Accounts by an Accountholder other than Current

10.29 In the CASA Account Master file, identify introducer customer number/account number with product type through file join operations and data extraction. If the introducer product type is a current account and the introduced account product type is a current account, these cases serve as a control point deviation.

(i) Cash credited to Non-Resident Saving accounts

In the CASA Ledger, identify cash deposit transaction codes/transaction types for Non-Resident Saving product types through data extraction. The presence of a cash mnemonic in the ledger would prove a control point deviation.

(ii) Non-Resident Saving Accounts where a resident Indian is a joint-holder

In the joint holder account master, filter constituent joint holders for Non-Resident Saving product types where the joint holder is a resident. A resident joint holder would prove a control point deviation resulting in non-compliance with RBI directives.

• Credits to Non-Resident Saving accounts from resident Indian accounts.
• Cash credited to Non Resident Ordinary (NRO) accounts.
(iii) Term Deposit accounts where joint-holders are in excess of 4.

In the “Joint holder account master file”, perform a summarization on the Term Deposit account number with respect to the corresponding joint holder customer number. Where the summarization count for a particular account number exceeds 4, extract these cases into a separate child file for further review.

• Term Deposit accounts where maturity proceeds in excess of Rs. 20,000/- are paid in cash.

(iv) In case of renewal of overdue deposits, whether the system has applied the Rate of Interest (ROI) applicable on the deposit at the time of maturity or at the time of renewal, whichever is lower.

In this control assertion, the ROI applicable on the deposit at the time of maturity is available readily in the “Term Deposit Account Master File”. ROI applicable on renewal is a system computed field. This data is normally not available as a ready field within the Database. This field must be computed through system logic and provided for further analysis. Overdue deposits are Term Deposits where the maturity date is less than the system date by 15 days or more. These instances may be culled out through an extraction within IDEA – the lesser of the two ROIs needs to be selected.

(v) In case of premature closure of Term Deposits, check whether ROI paid is not equal to the ROI for the deposit period run as prevailing on the date of the deposit less penal interest charges.

In this control assertion, the ROI applicable on the deposit at the time of maturity is available readily in the “Term Deposit Account Master File”. ROI applicable on premature withdrawal is a system computed field. This data is normally not available as a ready field within the Database. This field must be computed through system logic and provided for further analysis.
Premature deposits are Term Deposits where the maturity date is greater than the system date and account closure date is before the deposit maturity date. These instances may be culled out through an extraction within IDEA – the lesser of the two ROIs needs to be selected.

(vi) List of Term Deposits where Tax Deducted at Source (TDS) is not deducted in respect of interest payments/accruals above Rs. 10,000/- per annum and where Form 15G/15H has not been submitted.

Firstly, summarize all the interest debits in the “Term Deposit Ledger file” customer number wise through the Summarization function in IDEA. Secondly, extract all customer numbers from the above summarization where the sum of interest debits is greater than Rs. 10,000/- for a given financial year. Thirdly, match the file in stage 2 above with the “Tax Waiver File” i.e. Form 15G/15H submissions. Exclude all Term Deposits where Tax Waiver flag is enabled. Finally, match the resultant file (non waiver cases) with the “TDS Ledger File” using the Join function in IDEA. Records with no Secondary Match will cull out interest debits greater than Rs. 10,000/- per annum for which TDS has not been deducted at all.

• Term Deposits closed prematurely within 15 days of account opening where interest has been paid.

(vii) List of Non Resident – Term Deposit accounts accepted for a tenor in excess of 120 months.

In the “Term Deposit Account Master File” locate Non Resident TD product types where the tenor of the deposit is greater than 120 months through direct extraction within IDEA. Such instances are violations and in non-compliance with RBI directives.

• Non Resident – Term Deposit accounts opened subsequent to the value date.
• Term Deposit accounts which have been renewed from a retrospective date where the overdue period is more than 14 days.

(viii) List of foreign currency accounts opened with balance less than 100.
Filter out CASA accounts from the “CASA Account Master file” where the currency code is not local and the book balance is less than 100 using the extraction command within IDEA.

• Partnership accounts constituted with Hindu Undivided Family (HUF) member constituents.

(ix) Loans having collateral security where insurance has not been taken by the borrower.

Detect missing insurance policy number in the “loan collateral insurance file” for specific loan and loan collaterals using the extraction command in IDEA.

(x) Loans having collateral security where insurance has not been renewed in time by the borrower.

Identify break in insurance policy renewal in the “loan collateral insurance file” for specific loan and loan collaterals using the field manipulation and extraction command in IDEA. Capture the date constant from the renewal date field for the same loan collateral across a period of 5 years. Identify specific instances where the dates do not match using the Duplicate Key Exclusion function within IDEA. These instances should be investigated for breaks in insurance.

(xi) Overdraft/ Cash Credit accounts where ad hoc limits have been granted after expiry of the normal limits.

Firstly identify expired Overdraft Cash Credit (ODCC) normal limits through the “CASA Account Master file” using direct extraction within IDEA. Link the expired ODCC limit cases with the “Temporary Overdraft File” which contains both system and ad hoc temporary overdraft limits. In the linked file, cull out cases where the ad hoc limit issue/start date is greater than the ODCC normal limit expiry date.

A few of the above control assertions are explained in detail below using IDEA Data Analysis Software.

Non Resident Transaction Monitoring

10.30 Credits to Non-Resident Saving accounts from Resident Indian accounts.
Introduction

As per directives issued by the Reserve Bank of India and under the Foreign Exchange Management Act (FEMA), resident / domestic transactions cannot be undertaken on Non-Resident Saving accounts. As a part of compliance review, auditors are bound under law to verify these compliances.

Method within IDEA

10.31 The following method may be applied within IDEA:

(i) Open CASA Non Resident Ledger within IDEA.

(ii) GENERATING THE PAYER PRODUCT CODE – Navigate to Data - Field Manipulation – Append – Virtual Numeric Field. Enter the title as ‘PAYER PRODUCT CODE’ in the Field Manipulation dialog box. An account number contains 12 digits in a Core Banking System. The first 4 digits represent the Branch Code, the next 3 the Product Code and the last 5 the account number. With this information, click on criteria and enter the following equation in the Equation Editor:

@right(@left(payer account number, 7), 3)

This equation will give us a new field with payer product codes.

(iii) IDENTIFYING CREDIT TRANSACTIONS FROM RESIDENT ACCOUNTHOLDERS IN NON RESIDENT SAVING ACCOUNTS – Perform Data - Direct Extraction on the CASA Non Resident Ledger by applying the command –

(product code = 103 .AND. debit credit flag = "C" .AND. payer product code <> "103")

In this equation, 103 represents Non Resident Saving accounts. The extraction will give us a list of credit transactions in the CASA Non Resident Ledger which originate from domestic accounts.

Tax Deducted At Source Compliance

10.32 List Non Resident Ordinary (NRO) accounts where interest is paid but Tax has not been deducted at source.

Introduction

10.33 Tax must be mandatorily deducted at source on NRO account interest payments under the Income Tax Act, 1961. The Auditor is bound under law to verify statutory compliance.

Procedure within IDEA

10.34 The following procedure may be applied:

(i) Open the CASA Ledger within IDEA.
(ii) INTEREST PAYMENTS TO NRO ACCOUNTS - Perform Data - Direct Extraction on the CASA Ledger by applying the command -

(@isini("NRO", product name) .AND. tran code = 5001)

The tran code 5001 represents interest payments to NRO accounts. This intermediate report will provide a list of interest payments to NRO accounts.

(iii) TAX DEDUCTIONS ON INTEREST PAYMENTS TO NRO ACCOUNTS - Perform Data - Direct Extraction on the CASA Ledger by applying the command -

(@isini("NRO", product name) .AND. tran code = 5008)

The tran code 5008 represents TDS deducted on interest payments to NRO accounts. This intermediate report will provide a list of TDS deductions on interest payments to NRO accounts.

(iv) TDS NOT DEDUCTED ON INTEREST PAYMENTS – Perform - File - Join - select the intermediate report generated in Step 2 above as the Primary File. Select the intermediate report generated in Step 3 above as the Secondary File. Click on Match. Match the two files on matching key – “account number” in Primary file and “account number” in Secondary file. Use the Join condition "Records with no Secondary Match". This final report will provide a list of all NRO accounts where interest has been paid but TDS has not been deducted on interest payments.

Practical Case Studies on Asset Classification

Introduction

10.35 In line with the international practices and as per the recommendations made by the Committee on the Financial System chaired by Shri. M. Narasimham, the Reserve Bank of India has introduced, in a phased manner, prudential norms for income recognition, asset classification and provisioning for the advances portfolio of the banks so as to move towards greater consistency and transparency in the published accounts. The policy of income recognition should be objective and based on record of recovery rather than on any subjective considerations.
Likewise, the classification of assets of banks has to be done on the basis of objective criteria which would ensure a uniform and consistent application of the norms. Also, the provisioning should be made on the basis of the classification of assets based on the period for which the asset has remained non-performing and the availability of security and the realisable value thereof.

10.36 As per Para 2.1 of the RBI's master circular dated 01-07-2005, an asset, including a leased asset, becomes non-performing when it ceases to generate income for the bank. A non-performing asset (NPA) is a loan or an advance where:

• interest and/ or installment of principal remain overdue for a period of more than 90 days in respect of a term loan,
• the account remains out of order, in respect of an Overdraft/Cash Credit (OD/CC),
• the bill remains overdue for a period of more than 90 days in the case of bills purchased and discounted,
• a loan granted for short duration crops will be treated as NPA, if the instalment of principal or interest thereon remains overdue for two crop seasons,
• a loan granted for long duration crops will be treated as NPA, if the instalment of principal or interest thereon remains overdue for one crop season.

Internationally income from non-performing assets (NPA) is not recognised on accrual basis but is booked as income only when it is actually received. Therefore, the RBI has made it obligatory for the banks not to charge and take to income account interest on any NPA.

10.37 The Guidelines also deal with appropriations of recovery in NPA Accounts. Interest realised on NPAs is allowed to be taken to income account provided the credits in the accounts towards interest are not out of fresh/ additional credit facilities sanctioned to the borrower concerned. The Guidelines are also flexible in respect of appropriation of recoveries in NPAs towards principal or interest due.
The Guidelines provide that in the absence of a clear agreement between the bank and the borrower for the purpose of appropriation of recoveries in NPAs, the banks may adopt an accounting principle and exercise the right of appropriation of recoveries in a uniform and consistent manner. The guidelines are also flexible in respect of Interest Applications. The RBI has no objection to the banks using their own discretion in debiting interest to an NPA account taking the same to Interest Suspense Account or maintaining only a record of such interest in proforma accounts. Different Banks hence have different policies in this regard. As regards the Reporting of NPAs, Banks are required to furnish a Report on NPAs as on 31st March each year after completion of audit. The NPAs would relate to the bank's global portfolio, including the advances at the foreign branches. The Report should be furnished as per the prescribed format.

Credit Risk Rating

10.38 The following are important aspects with regard to credit risk rating:

(i) Risk - Single borrower having a different asset credit risk grade classification – could the same borrower have multiple loans with credit grade status performing and non-performing? How do we conveniently cull out such cases? How could such a situation occur?

(ii) Risk Description – The same borrower has multiple loans with credit grade status performing and non-performing. Bank Asset Classification is an area meriting special mention and overview in view of the high composition of Non-Performing Assets (NPAs) in the banking channel. The Reserve Bank of India is making concerted efforts to control, regulate and treat high NPA levels in both nationalized and private banks within India.
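One way to cull out such cases outside IDEA, as an added example that is not part of the guide: keep the latest grading per account, then list customers whose accounts carry different current grades. Field names follow the guide's CREDIT_RISK_GRADING file; the rows, account and customer numbers, grade values and helper names are constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import date


def grading(ac_no, cust_no, crr_old, crr_new, crr_date):
    return {"ac_no": ac_no, "cust_no": cust_no, "crr_old": crr_old,
            "crr_new": crr_new, "crr_date": crr_date}


# Constructed grading history (several gradings per account over the years).
GRADINGS = [
    grading("L001", "C10", 1, 1, date(2005, 3, 31)),
    grading("L001", "C10", 1, 1, date(2008, 3, 31)),
    grading("L002", "C10", 1, 1, date(2006, 3, 31)),
    grading("L002", "C10", 1, 50, date(2008, 3, 31)),
    grading("L003", "C20", 1, 50, date(2004, 3, 31)),
    grading("L003", "C20", 50, 1, date(2007, 3, 31)),
    grading("L004", "C30", 1, 1, date(2008, 3, 31)),
    grading("L005", "C30", 1, 1, date(2007, 3, 31)),
    grading("L006", "C40", 1, 1, date(2008, 3, 31)),
    grading("L006", "C40", 1, 60, date(2008, 3, 31)),
]


def current_crr(rows):
    """Latest grading per account: one record per ac_no, newest crr_date.
    When two rows share the newest date, the first one read is kept."""
    latest = {}
    for row in rows:
        kept = latest.get(row["ac_no"])
        if kept is None or row["crr_date"] > kept["crr_date"]:
            latest[row["ac_no"]] = row
    return [latest[ac_no] for ac_no in sorted(latest)]


def same_customer_different_crr(rows):
    """Customers whose rows carry more than one distinct crr_new."""
    by_customer = defaultdict(list)
    for row in rows:
        by_customer[row["cust_no"]].append(row)
    return {cust: sorted((r["ac_no"], r["crr_new"]) for r in group)
            for cust, group in by_customer.items()
            if len({r["crr_new"] for r in group}) > 1}


def ambiguous_latest(rows):
    """Accounts with more than one grading on their newest date, where
    'latest grade' is not well defined and the record needs a manual look."""
    newest = {}
    for row in rows:
        ac_no = row["ac_no"]
        if ac_no not in newest or row["crr_date"] > newest[ac_no]:
            newest[ac_no] = row["crr_date"]
    counts = Counter(r["ac_no"] for r in rows
                     if r["crr_date"] == newest[r["ac_no"]])
    return sorted(ac_no for ac_no, n in counts.items() if n > 1)


if __name__ == "__main__":
    current = current_crr(GRADINGS)
    print("Exceptions on current grades:", same_customer_different_crr(current))
    # Running the same check on the full history over-reports: a customer
    # with one account regraded over time looks like a mixed-grade borrower.
    print("False positives on history:", sorted(same_customer_different_crr(GRADINGS)))
    print("Ambiguous latest grading:", ambiguous_latest(GRADINGS))
```

Reducing the history to the current grade first matters: run on the raw file, the same comparison also reports customers whose single loan was merely regraded over time.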
Procedure within IDEA

10.39 The following procedure may be applied within IDEA:

(i) Open the file CREDIT_RISK_GRADING.

Database Structure for CREDIT_RISK_GRADING File

S No   FIELD NAME   FIELD DESCRIPTION
1      ac no        account number
2      prod cod     product code
3      cust no      customer number
4      crr old      credit grade old
5      crr new      credit grade new
6      crr date     grading date
7      crr descp    grade descp
8      shrt name    short name
9      limit        sanctioned limit
10     book bal     book balance
11     ac open date account open date
12     branch       branch code
13     ac status    account status
14     Prod name    Product Name

(ii) This file contains the credit risk grading awarded to different assets for different borrowers for a period of 9 years.

(iii) We are to review the latest credit risk grading for each borrower for all of his asset accounts. Here we use the TOP RECORDS EXTRACTION function within the Audit Tool.

(iv) Perform Data – Extractions – Top Records Extraction.

(v) In the Top Records Extraction dialog box, enter 1 as the Number of Records to Extract. Click the cursor on KEY and choose field - AC_NO, direction - ascending and field - CRR_DATE, direction – descending.

(vi) Choosing AC_NO ascending and CRR_DATE descending will filter the last credit risk grading performed for each account number and output the result to a separate child file. Name the child file CURRENT CRR.

(vii) The above child file has given us a list of current credit risk gradings for different loan accounts. The loan account numbers will be unique but the customer numbers will not be unique. For instance one customer may avail of a Housing Loan and a Vehicle Loan. Hence a single customer number will have multiple loan account numbers.
(viii) We are interested in identifying cases where a single customer number has multiple loan account numbers and where each loan account number has different credit risk gradings. This is a clear exception and needs to be reported.

(ix) To arrive at the cases stated in (viii) above we use Duplicate Key Exclusion within the Audit Tool.

(x) Perform Analysis – Duplicate Key – Exclusion. This function will be run on the child file CURRENT CRR generated in (vi) above.

(xi) In the Duplicate Key Exclusion dialog box check Fields to Match as CUST_NO and Field that must be different as CRR_NEW. Title the output file as Same Customer Different CRR New.

Analytic Conclusion

10.40 The exceptions sighted in (I) above should be shared with the Branch Manager. The Branch Manager should be advised to correct the disparate credit risk gradings through standardization and unification of risk scores customer number wise and report on action taken immediately.

Upgradation of Asset Classification

10.41 The following aspects are important with respect to upgradation of asset classification:

Risk - Upgradation of asset accounts during the review period - could a branch user initiate movement of credit risk grades/scores from Non-Performing to Performing for specific loans? Would his action warrant investigation? How do we identify such instances in a jiffy?

Risk Description – Branch user initiates movement of credit risk grades/scores from Non-Performing to Performing for specific loans.

Procedure within IDEA

10.42 The following procedure may be applied within IDEA:

(i) Open the file CURRENT_CRR arrived at in the last session under Objective 1.

(ii) Perform Data – Extractions – Direct Extraction. This function will be run on the child file CURRENT CRR.

(iii) Enter the File Name as Upgrading CRR.
Perform Data - Direct Extraction on the Cheque Report by applying the command -

@betweendate(CRR_DATE, "20070313", "20090314") .AND. crr_old > crr_new

This equation will list all loan accounts where the CRR has been changed with upward revision within the review period of 13th March 2007 to 14th March 2009.

(iv) A look up of the child file Upgrading CRR generated below will reveal a list of loan accounts where the CRR OLD has changed from 50 or 60 or 2 (Non Performing) to CRR NEW - 1 (Performing).

Analytic Conclusion

10.43 The list of loan accounts generated in (iv) above needs to be reported to the Branch Manager and scrutinized by his Retail Assets Manager in detail for the grounds and tenability of upgrading the CRR from non-performing to performing.

Practical Case Studies on Non-Performing Assets Provisioning

Introduction

10.44 Non-Performing Asset means an asset or account of borrower, which has been classified by a bank or financial institution as sub-standard, doubtful or loss asset, in accordance with the directions or guidelines relating to asset classification issued by The Reserve Bank of India. Here we take a look at some pedagogical issues:

(i) Thirty Days Past Due – Historical Approach

10.45 An amount due under any credit facility is treated as "past due" when it has not been paid within 30 days from the due date. Due to the improvement in the payment and settlement systems, recovery climate, upgradation of technology in the banking system, etc., it was decided to dispense with 'past due' concept, with effect from March 31, 2001.
Accordingly, as from that date, a Non performing asset (NPA) shall be an advance where:

(i) interest and /or installment of principal remain overdue for a period of more than 180 days in respect of a Term Loan,

(ii) the account remains 'out of order' for a period of more than 180 days, in respect of an overdraft/ cash Credit (OD/CC),

(iii) the bill remains overdue for a period of more than 180 days in the case of bills purchased and discounted,

(iv) interest and/ or installment of principal remains overdue for two harvest seasons but for a period not exceeding two half years in the case of an advance granted for agricultural purpose, and

(v) any amount to be received remains overdue for a period of more than 180 days in respect of other accounts.

Many institutions now try to sell their non-performing assets through companies like KIM-LAR, INC. which helps facilitate the sale of these bundled portfolios. The non-performing assets often include mortgage loans, car loans, credit card debt and installment loans.

(ii) Ninety Days Overdue – Contemporary Approach

10.46 With a view to moving towards international best practices and to ensure greater transparency, it has been decided to adopt the '90 days overdue' norm for identification of NPAs, from the year ending March 31, 2004.
Accordingly, with effect from March 31, 2004, a non-performing asset (NPA) shall be a loan or an advance where:

(i) interest and /or installment of principal remain overdue for a period of more than 90 days in respect of a Term Loan,

(ii) the account remains 'out of order' for a period of more than 90 days, in respect of an overdraft/ Cash Credit (OD/CC),

(iii) the bill remains overdue for a period of more than 90 days in the case of bills purchased and discounted,

(iv) interest and/ or installment of principal remains overdue for two harvest seasons but for a period not exceeding two half years in the case of an advance granted for agricultural purpose, and

(v) any amount to be received remains overdue for a period of more than 90 days in respect of other accounts.

(iii) Out of order - Exemplified

10.47 An account should be treated as 'out of order' if the outstanding balance remains continuously in excess of the sanctioned limit/ drawing power. In case where the outstanding balance in the principal operating account is less than the sanctioned limit/ drawing power, but there are no credits continuously for six months as on the date of balance sheet or credits are not enough to cover the interest debited during the same period, these accounts should be treated as 'out of order'.

Detecting Out of Order Credit Facilities using IDEA Software

Arranging for the Data

10.48 Assuming Cash Credit facilities are going to be taken up for scrutiny, we arrange for the CASA ledger for the audit review period (say 2 years) for a specific branch under off-site surveillance.
The CASA ledger contains the following key fields:
• Post Date
• Value Date
• Transaction Reference
• Transaction Type
• Account Number
• Account Code
• Account Head
• Narration
• Dr Cr Indicator
• Amount
• Account Product Code

The data can be obtained in a report format and conveniently imported into IDEA through IDEA’s Report Reader using Standard Layers, Traps and Field Settings.

Interrogating the Data Imported

10.49 In case where the outstanding balance in the principal operating account is less than the sanctioned limit/drawing power, but there are no credits continuously for six months as on the date of balance sheet or credits are not enough to cover the interest debited during the same period, these accounts should be treated as 'out of order'.

Comparison of Outstanding Balances with Sanctioned Limit/Drawing Power

10.50 The CASA Account Master file as on review date contains the Cash Credit sanctioned limit, last month drawing power and current outstanding balance. Use IDEA’s Equation Editor to identify cases where the account clear balance exceeds the lower of the sanctioned limit/drawing power. As a rule, borrowers who do not submit their stock statements are penalized by extinguishment of drawing power. Here the account clear balance is compared with the sanctioned limit directly for determining Out of Order status.

Reconciliation of Interest Debits with Account Credits

10.51 The following procedure may be followed:
• Filter out all Account Product Codes for Cash Credit facilities.
• Extract all debits to cash credit accounts containing Interest Debit Capitalizations.
• Summarize the above extract account wise and month wise with a numeric total on Interest Debit Capitalizations – Debit Summary.
• Extract all credits to cash credit accounts.
• Summarize the above extract account wise and month wise with a numeric total on all account Credits – Credit Summary.
• Join the Debit Summary with the Credit Summary through the Account Number and with the join condition being “All Records in Both Files”.
• The above join will provide a list of matches and mismatches.
• Mismatches – cash credit facilities having credits with no debits in respect of interest and cash credit facilities having debits in respect of interest with nil credits. The latter case is representative of Out of Order facilities.
• Matches – reflect cash credit facilities having matching account credits and interest debits. Here we filter the matched instances on the criterion debits > credits. These instances represent Out of Order facilities.

Identifying Non-Performing Credit Facilities Based on an Underlying Out of Order Status using IDEA Software

Arranging for the Data

10.52 Non-Performing facilities evolve when an Overdraft/Cash Credit (OD/CC) remains 'out of order' for a period of more than 90 days. Assuming Cash Credit facilities are going to be taken up for scrutiny, we arrange for the CASA ledger for the audit review period (say 2 years) for a specific branch under off-site surveillance.

The CASA ledger contains the following key fields:
• Post Date
• Value Date
• Transaction Reference
• Transaction Type
• Account Number
• Account Code
• Account Head
• Narration
• Dr Cr Indicator
• Amount
• Account Product Code

The data can be obtained in a report format and conveniently imported into IDEA through IDEA’s Report Reader using Standard Layers, Traps and Field Settings.

Interrogating the Data Imported

Revolving Reconciliation of Interest Debits with Account Credits

10.53 The following procedure may be followed:
• Filter out all Account Product Codes for Cash Credit facilities.
• Extract all debits to cash credit accounts containing Interest Debit Capitalizations.
• Summarize the above extract account wise and month wise with a numeric total on Interest Debit Capitalizations – Debit Summary.
• Extract all credits to cash credit accounts.
• Summarize the above extract account wise and month wise with a numeric total on all account Credits – Credit Summary.
• Join the Debit Summary with the Credit Summary through the Account Number and with the join condition being “All Records in Both Files”.
• The above join will provide a list of matches and mismatches.
• Mismatches – cash credit facilities having credits with no debits in respect of interest and cash credit facilities having debits in respect of interest with nil credits. The latter case is representative of Out of Order facilities.
• Matches – reflect cash credit facilities having matching account credits and interest debits. Here we filter the matched instances on the criterion debits > credits. These instances represent Out of Order facilities.
• The summary of Out of Order accounts generated will now be taken as the base to identify continued underlying out of order status for more than 90 days.
• The summary contains the account wise, month wise sum of credits and debits together in a single file, plus cases where the sum of debits is more than the sum of credits.
• These cases can be manually indexed on an ascending basis for the field “month” using the Sort function within IDEA.
• The sorted file can then be manually reviewed to identify continued underlying out of order cash credit facilities.

For example, Cash Credit account CC1 has 5 line items as below. A careful review of the table shows that CC1 moves into the out of order status in March. The account continues to remain out of order till June. Hence CC1 is a non-performing asset.
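The reconciliation and 90-day review described above, run over a constructed ledger that reproduces the two CC1 tables shown next, as an added Python example (not IDEA script and not the Guide's own code). The product code CC01, the transaction types INT/DEP/WDL, the accounts CC2 to CC4 and SB9, and the rule that more than three consecutive out-of-order months stands for "more than 90 days" are assumptions of this example.

```python
from collections import defaultdict

CC_PRODUCT_CODES = {"CC01"}  # assumption: Account Product Code(s) of Cash Credit
INTEREST_TXN_TYPE = "INT"    # assumption: Transaction Type of interest capitalisation
NPA_RUN_MONTHS = 4           # assumption: >3 consecutive months stands for ">90 days"


def _postings(account, product, figures):
    """Expand (month, interest debit, credit) figures into ledger rows."""
    rows = []
    for month, interest, credit in figures:
        if interest:
            rows.append({"post_date": month + "-28", "account": account,
                         "product": product, "txn_type": INTEREST_TXN_TYPE,
                         "drcr": "D", "amount": interest})
        if credit:
            rows.append({"post_date": month + "-15", "account": account,
                         "product": product, "txn_type": "DEP",
                         "drcr": "C", "amount": credit})
    return rows


# Constructed sample ledger (not real data). CC1 carries the figures of the
# first CC1 table on the page; CC2 carries those of the second table.
LEDGER = (
    _postings("CC1", "CC01", [("2014-02", 100, 250), ("2014-03", 125, 90),
                              ("2014-04", 145, 60), ("2014-05", 135, 0),
                              ("2014-06", 165, 35)])
    + _postings("CC2", "CC01", [("2014-02", 100, 250), ("2014-03", 125, 90),
                                ("2014-04", 145, 300), ("2014-05", 135, 75),
                                ("2014-06", 165, 500)])
    + _postings("CC3", "CC01", [("2014-03", 0, 400)])  # credits, no interest debit
    + _postings("CC4", "CC01", [("2014-06", 80, 0)])   # interest debit, nil credits
    + _postings("SB9", "SB01", [("2014-03", 50, 0)])   # not a Cash Credit product
    # A withdrawal is a debit but not an interest capitalisation.
    + [{"post_date": "2014-05-10", "account": "CC1", "product": "CC01",
        "txn_type": "WDL", "drcr": "D", "amount": 900}]
)


def summarise(ledger):
    """Debit Summary joined with Credit Summary, all records of both files.

    The key is account plus month, because both summaries are month wise.
    """
    joined = defaultdict(lambda: {"interest_debit": 0, "credit": 0})
    for row in ledger:
        if row["product"] not in CC_PRODUCT_CODES:
            continue
        key = (row["account"], row["post_date"][:7])
        if row["drcr"] == "C":
            joined[key]["credit"] += row["amount"]
        elif row["txn_type"] == INTEREST_TXN_TYPE:
            joined[key]["interest_debit"] += row["amount"]
    return dict(joined)


def out_of_order_months(joined):
    """Months in which interest debits exceed credits, sorted per account."""
    flagged = defaultdict(list)
    for (account, month), totals in joined.items():
        if totals["interest_debit"] > totals["credit"]:
            flagged[account].append(month)
    return {account: sorted(months) for account, months in flagged.items()}


def longest_run(months):
    """Length of the longest run of consecutive calendar months."""
    best = run = 0
    previous = None
    for month in sorted(months):
        index = int(month[:4]) * 12 + int(month[5:7])
        run = run + 1 if previous is not None and index == previous + 1 else 1
        best = max(best, run)
        previous = index
    return best


def classify(ledger, npa_run_months=NPA_RUN_MONTHS):
    """Return {account: (status, out-of-order months)} for Cash Credit accounts."""
    joined = summarise(ledger)
    flagged = out_of_order_months(joined)
    result = {}
    for account in sorted({acct for acct, _ in joined}):
        months = flagged.get(account, [])
        if longest_run(months) >= npa_run_months:
            status = "NPA"      # continued out-of-order status
        elif months:
            status = "WATCH"    # out-of-order history, no continued default
        else:
            status = "REGULAR"
        result[account] = (status, months)
    return result


if __name__ == "__main__":
    for account, (status, months) in classify(LEDGER).items():
        print(account, status, ", ".join(months))
```
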
Account No   Month   Sum Interest Debit   Sum Credit
CC1          Feb     100                  250
CC1          Mar     125                  90
CC1          Apr     145                  60
CC1          May     135                  0
CC1          Jun     165                  35

Alternatively the following situation is often encountered:

Account No   Month   Sum Interest Debit   Sum Credit
CC1          Feb     100                  250
CC1          Mar     125                  90
CC1          Apr     145                  300
CC1          May     135                  75
CC1          Jun     165                  500

In the table above, CC1 has been out of order in March and May. However there is no continued default for more than 90 days. Hence this account cannot be considered as an active case for Non-Performing Asset provisioning, but since there has been a history of out of order instances, it will form a part of the special watch list for potential conversion into a Non-Performing status.

Conclusion

10.54 In March 2009 RBI issued a notice to banks that stated, "Banks may voluntarily make specific provisions for NPAs at rates which are higher than the rates prescribed under existing regulations. Banks can now head and make additional provisions without the risk of not being able of write back of that provision, when the NPAs turn performing assets." CAATs – IDEA Software can facilitate, simplify and elevate the process of NPA determination and provisioning from a cumbersome manual monitoring function to an automatic continuous monitoring system enabled environment.

Practical Case Studies on Audit of Non-Fund Based and Contingent Liabilities

Introduction

10.55 Contingent Liabilities are of the following types and nature:

(i) Bills for Collection

Bills held by a bank for collection on behalf of its customer are to be shown at the foot of the balance sheet. These bills are generally hundies or bills of exchange accompanied by documents of title to goods. Frequently, no bills of exchange are actually drawn; the bank is asked to present invoices and documents of title with instructions to collect the amount thereof from the party in whose name the invoice has been made.
The documents of title are usually not assigned to the bank when enclosed with the bills for collection. A bank may get bills for collection from –
(a) Its customer, drawn on outstation parties;
(b) Its other branches or other outstation banks or parties, drawn on local parties.

On receipt of the bills drawn on outstation parties, the bank forwards them to its branch or other correspondent at the place where they are to be collected. Such bills are called Outward Bills for Collection. Bills received by the Bank from its outstation branches and agents, etc. are called Inward Bills for Collection.

From a control perspective, it is necessary to see that the customer’s account is credited only after the bill has actually been collected from the drawee either by the bank itself or through its agents, etc. From a revenue perspective the bank’s commission falls due only when the bill has been collected. Therefore, no income should be taken in the bank’s accounts in respect of the bills outstanding on the closing date.

(ii) Liability on account of Forward Exchange Contracts

Traditionally the auditor verifies the outstanding Forward Exchange Contracts through the register maintained by the Bank and with the brokers’ advice notes. In particular, the net “position” of the bank in relation to each foreign currency should be examined to see that the position is generally square and not uncovered by a substantial amount. If it is probable that a loss will be incurred on forward contracts and a reasonable estimate of such loss can be made, the auditor should insist that a provision be made against the same.

(iii) Guarantees given on behalf of constituents

One of the important functions of banks is to issue guarantees on behalf of their customers. A guarantee may be either a specific guarantee (i.e. in respect of a specific transaction) or a continuing guarantee (extending to a series of transactions).
In either case, the banks generally specify a time limit up to which they will be liable unless, of course, the guarantee is renewed for a further period. It is also generally provided that any claim under the guarantee should be made within a specific time after the expiry thereof. All guarantees outstanding as at the date of the balance sheet have to be shown as contingent liabilities of the bank, showing separately the guarantees given on behalf of constituents in India and outside India.

(iv) Letters of Credit

A letter of credit is a document under which a bank agrees to meet the obligations of its customer (such as a bill drawn on the customer) provided certain conditions mentioned in the letter of credit are satisfied. A letter of credit may be clean or documentary. In the latter case, the bills drawn under them are to be accompanied by documents of title of goods. Again, a letter of credit may be ‘revocable’ at banker’s option before the shipment is made or it may be ‘confirmed’ or ‘irrevocable’, in which case it cannot be revoked or cancelled without the consent of all parties.

Letters of credit are opened by the customers to facilitate import or purchase of goods. By means of such letters, the customers use the credibility of the bank in as much as the exporter or the seller relies upon the promise of a reputed bank instead of the customer. A letter may be opened in respect of a single transaction or it may be a revolving credit specifying an amount up to which bills may remain outstanding at any time. Banks issue letters of credit against guarantees obtained from the customer with or without some other security. When the bills drawn under the letter of credit are paid by the bank (through its branch or agent) to the exporter or seller, the amount is recovered from the customer. The amount is either recovered from the customer immediately or is treated as an advance to the party or as bill discounted.
If the bill of exchange is documentary, the documents constitute the security of the bank. The tenor of the bills, the date by which the shipments shall be made and other terms are incorporated in the letter of credit. At the time of accepting a bill, the bank should ensure that all the terms of the letter are complied with.

(v) Other Contingent Liabilities

Arrears of cumulative dividends, bills re-discounted, commitments under underwriting contracts, estimated amounts of contracts remaining to be executed on capital account, etc.

Underwriting involves an agreement by the bank to subscribe for the shares or debentures which remain unsubscribed in a public issue, in consideration of commission. The auditor should examine whether commitments under all outstanding underwriting contracts have been disclosed as contingent liabilities. For this purpose, the auditor should examine the terms and conditions of critical contracts. Suitable sampling techniques within IDEA could be used for the selection.

Rediscounting is generally done with the Reserve Bank of India, Industrial Development Bank of India or other financial institutions or, in the case of foreign bills, with foreign banks. If the drawer dishonors the bill, the rediscounting bank has a right to proceed against the bank as an endorser of the bill. Traditionally the auditor may check this item from the register of bills discounted maintained by the bank. He should satisfy himself that all the bills are properly marked at the time of their maturity and payment.

Case Studies on Contingencies and Non-Fund Based Items using CAATs

10.56 In these case studies we have illustrated the use of IDEA Software on the Core Banking System “Flexcube” (Flexcube Corporate, i.e. FCC). FCC deals with all Non-Fund Based Items, Contingencies and Corporate Loans.
Guarantees

10.57 List of Guarantees issued/closed during a review period

On the CSTB_CONTRACT data table perform an extraction with the criteria:

    @left(product_code, 1) = "G" .AND. (contract_status = "S" .OR. contract_status = "L" .OR. contract_status = "K") .AND. @betweendate(LATEST_EVENT_DATE_DATE, "20070501", "20090430")

This report will display all Guarantees closed within the review period.

Now perform an extraction with the criteria:

    @betweendate(book_date_date, "20070501", "20090430") .AND. @left(product_code, 1) = "G"

This report will display all Guarantees opened within the review period.

(i) User modification regarding Guarantee charges collected (commission and postage, etc.)

On the CFTB_CHARGE_APPLN data table perform an extraction with the criteria:

    @left(association_product, 1) = "G" .AND. computed_charge_amount <> charge_amount

This report will present a list of Guarantees issued for which the system charges collected do not match with the actual charges collected. These cases present a vital finding in terms of revenue assurance. The auditors must investigate these cases with the Bank Functional team on FCC.

(ii) Balancing of Guarantees partywise/agewise/expired guarantees including type of Guarantees

On the Business Objects Report for “Guarantees Balancing” perform an extraction with the criteria:

    maturity_date < @date()

This extraction will give us a derived file of matured guarantees.

On the derived file, perform an Aging function. Field to Use to be taken as AC_OPEN_DT. Amount Field to Total - RUPEE_AMOUNT. Aging Interval by default to be taken in Days. Check the box GENERATE KEY SUMMARY DATABASE. In the KEY box enter CUST_ID, CUST_FULL_NAME, and AC_STATUS. This aging result will depict party wise, age wise analysis for all expired guarantees.

(iii) List of invoked guarantees

On the CSTB_CONTRACT_EVENT_LOG data table perform an extraction with the criteria:

    module = "LC" .AND. event_code = "DEBG"

This extract will provide a list of all devolved Bank Guarantees where a User Defined Event (UDE) has been triggered within the CBS to mark the Guarantee as invoked.

On the LDTB_CONTRACT_MASTER data table perform an extraction with the criteria:

    (PRODUCT = "DIBG" .OR. product = "DFBG") .AND. @betweendate(value_date_date, "20070501", "20090430")

This report will represent a list of all devolved Bank Guarantees which have been converted into a loan.

(iv) Conclusion

After running the above analytical tests within IDEA, the bank auditor should verify the guarantees appearing in the above IDEA Reports with the copies of the letters of guarantee issued by the bank and with the counter-guarantees received from the customers. He should also verify the securities held as margin. If a claim has arisen, the auditor should consider whether a provision is required.

Packing Credit

10.58 Overdue PC/PCFC with overdue period - party wise

On the LDTB_CONTRACT_MASTER data table perform an extraction with the criteria:

    @list(product, "PCFC", "PCRS") .AND. MATURITY_DATE_DATE < "20090414" .AND. CONTRACT_STATUS = "A"

The above criteria will give us a derived file of overdue Packing Credit Accounts.

Now perform an Analysis - Summarization on the derived file with Fields to Summarize on being USER_DEFINED_STATUS. The summarization result will provide a display of all user defined status tags. User defined tags: DBAS = Doubtful, LSAS = Loss Asset, SSAS = Sub Standard, STAS and NORM = Standard Assets. This consolidated view of the derived file will display a list of UDFs with the number of packing credit contracts under each category. Our concern would be the Doubtful, Loss and Sub Standard categories.

The same analysis can be done party wise. Here in the Summarization, Fields to Summarize on should be taken as PARTY_NAME and USER_DEFINED_STATUS. The outcome will present party wise UDFs.
This exercise is even more value based since the auditor can identify specific packing credit contracts having a high count of non-standard asset categorization.

(i) PC closed otherwise than by export proceeds: list of such accounts with details

On the ACVW_ALL_AC_ENTRIES data table perform a Field Manipulation. Append a Virtual Character field with the name ‘PROD CODE’ in ACVW_ALL_AC_ENTRIES. The ‘PROD CODE’ will contain the 7 left most digits of the TRN REF NO. Now JOIN ACVW_ALL_AC_ENTRIES with the LDTB_CONTRACT_MASTER on common field TRN REF NO. On the joined file perform an extraction with the criteria:

    @isini("PC", contract_ref_no) .AND. contract_status = "L" .AND. (amount_tag = "PRINCIPAL_LIQD" .OR. amount_tag = "PRINCIPAL_LCRY") .AND. drcr_ind = "D" .AND. ac_no <> "149016100"

The resultant file will provide a list of packing credit contracts liquidated where the closure is not through export bill proceed realizations.

Bills

10.59 List of bills due for delinking of Bills on any date (export & import separately)

On the Business Objects Report for “Bills Due for Delinking” perform an extraction with the criteria:

    @left(productcode, 2) = "EX"

This will give a balancing report of export bills due for delinking.

On the Business Objects Report for “Bills Due for Delinking” perform an extraction with the criteria:

    @left(productcode, 2) = "MB"

This will give a balancing report of import bills due for delinking.

(i) Bills returned unpaid/unrealized, details subsequently realized by local proceeds, with details of ROI charged

On the ACVW_ALL_AC_ENTRIES data table perform an extraction with the criteria:

    event = "IBDH" .OR. event = "EBDH"

This extract provides a list of all bills dishonored.

On the ACVW_ALL_AC_ENTRIES data table perform an extraction with the criteria:

    event = "IBDR" .OR. event = "EBDR"

This extract provides a list of all bills recovered.
Conclusion

After running the above analytical tests within IDEA, the bank auditor should verify that if the amounts paid on the bills which are drawn against a letter of credit are debited to the customer’s account and remain outstanding, they should be included under advances. The auditor should see that such amounts are allowed to remain outstanding only where the agreement with the customer contains a provision to this effect. In such cases, it should also be seen that the documents of title accompanying the bills are assigned to the bank so as to provide security.

Forward Exchange Contracts

10.60 List of Forward contracts opened/overdue

On the FCT_FX_CONTRACTS data table perform a Field Manipulation. Append a Virtual Date field titled 'SYS DATE' in FCT_FX_CONTRACTS with parameter equation:

    @DaysTOD(@dtodays(@date())-7)

Perform a Direct Extraction on FCT_FX_CONTRACTS with equation criteria:

    n_eop_bal_fcy <> 0 .AND. d_bought_value_date_date < sys_date

These are bought forward contracts which are overdue.

Perform a Direct Extraction on FCT_FX_CONTRACTS with equation criteria:

    n_eop_bal_fcy <> 0 .AND. d_sold_value_date_date < sys_date

These are sold forward contracts which are overdue.

Perform a Direct Extraction on FCT_FX_CONTRACTS with equation criteria:

    @betweendate(d_bought_value_date_date, "20070416", "20090417")

These are bought forward contracts opened during the review period of inspection.

Perform a Direct Extraction on FCT_FX_CONTRACTS with equation criteria:

    @betweendate(d_sold_value_date_date, "20070416", "20090417")

These are sold forward contracts opened during the review period of inspection.

Conclusion

The auditor must verify the outstanding Forward Exchange Contracts through the register maintained by the Bank and with the brokers’ advice notes.
In particular, the net “position” of the bank in relation to each foreign currency should be examined to see that the position is generally square and not uncovered by a substantial amount. If it is probable that a loss will be incurred on forward contracts and a reasonable estimate of such loss can be made, the auditor should insist that a provision be made against the same.

Chapter 11
Continuous Auditing with IDEA

Introduction

11.1 Organizations are producing more data than ever before, creating an environment where users of financial information require assurance that the data contained in any report is accurate, complete, and relevant to their needs. As data proliferates, management functions are becoming more dependent upon executive information systems, balanced scorecards and dashboard-level decision tools. Therefore, monitoring outputs and auditing controls surrounding the systems used to create those outputs is an important organizational priority. Traditional audits conducted in annual (or less frequent) cycles cannot provide the level of assurance management needs in these areas, so the potential for continuous auditing to provide more effective monitoring of the control environment and the resultant output more than justifies the cost and effort.

11.2 Under the COSO Guidance on Monitoring Internal Control Systems, 2009, periodical, one-time and ad hoc review of controls is not effective, as controls can fail, deteriorate or become irrelevant during the intermittent period, resulting in fraud, abuse, wastage and non-compliance. Continuous auditing allows the user to monitor the functioning of the controls during the intermittent periods referred to as blind-spots. Many are looking at continuous auditing as a software application or tool that can help internal auditors meet this challenge while surviving the critical professional staffing shortage that is prevalent today.
Continuous auditing is not a tool, but rather a process that brings together fundamental practices all auditors follow, including planning, risk assessments, control assessments and use of technology to perform much of the audit work. It should bridge the gap between audit reports submitted under traditional assurance services and continuing evidence that the issues identified (for those critical controls) have been rectified.

Nearly 9 in 10 rated continuous monitoring and auditing software applications the most important technology to internal audit over the next five years. [Use] is expected to increase from 39% to 89% within the period.

“In years to come, experts predict, many companies will use information technology to become a “real-time enterprise” – an organization that is able to react instantaneously to changes in its business entire. And as firms wire themselves up and connect to their business partners, they make the economy more and more real-time, slowly but surely creating not much a ‘new’ but a ‘now’ economy.” – The Economist, February 1, 2002.

11.3 If your audit function is struggling with a decision on how to best implement continuous auditing to benefit your organization, consider audits currently in progress or recently completed, and align the scope and objectives of future audits with management's strategic, operational, financial, compliance and competitive analysis levels. By making use of this information and incorporating it into the control and risk assessments that require more frequent monitoring, internal auditors can easily move into continuous auditing - without reinventing your staff or charter, while ensuring that the most critical controls receive attention at a frequency reflected by your risk assessment.
This chapter outlines a strategic approach to implementing continuous auditing in your organization.

Continuous Auditing

11.4 The Global Technology Audit Guide (GTAG) 3: Continuous Auditing: Implications for Assurance, Monitoring and Risk Assessment, released by the Institute of Internal Auditors, defines the term Continuous Auditing as follows: “Continuous auditing is any method used by auditors to perform audit-related activities on a more continuous or continual basis. It is the continuum of activities ranging from continuous controls assessment to continuous risk assessment – all activities on the control-risk continuum. Technology plays a key role in automating the identification of exceptions and/or anomalies, analysis of patterns within digits of key numeric fields, analysis of trends, detailed transaction analysis against cut-offs and thresholds, testing of controls and the comparison of the process or system over time and/or other similar entities.”

11.5 In 1999, the Canadian Institute of Chartered Accountants (CICA) defined continuous auditing as follows: “a methodology that enables independent auditors to provide written assurance on a subject matter using a series of auditors’ reports issued simultaneously with, or a short period of time after, the occurrence of events underlying the subject matter…”

* PricewaterhouseCoopers – “Internal Audit 2012

This definition is broad and covers both internal and external audit. By focusing on the basic requirement that audit reports (opinions for external auditors and findings and conclusions for internal auditors) be supported by evidential matter about the subject matter, it becomes clear that continuous or continuing procedures must be performed if reports are to be issued with or shortly after the audit period ends.
Even when the report is only needed annually, a continuous audit approach can help identify and correct errors before the period ends, which results in a stronger control environment.

11.6 The following case study illustrates how a three-year cycle for an audit of expense reports became the starting point for development of a continuous auditing approach that reduces risk and improves controls overall. In the past, the auditors had tested expense reports by randomly selecting a few individuals and reviewing the expense reports, then examining larger charge outs to travel expense categories. While exceptions were found, there was no adverse conclusion and the area was assigned for review again in three years. During that time, the company experienced substantial growth.

For the current year, internal auditors used data analysis software to summarize travel and entertainment expense details for 60 cost centres, noting which cost centres had higher instances of exceptions or anomalies in multiple test areas. Test areas included such things as late personal expense reports (date entered was more than 30 days after date of travel or expenditure), high charge outs to miscellaneous travel expenses, high airfare, high bonus, duplicate payments, etc. The auditors found that one third of the cost centres with the highest instances of exceptions and anomalies were related to marketing. They identified three individuals who were submitting expenses from actual receipts and credit card statements, and uncovered several instances of inappropriate purchases charged to travel-miscellaneous, and a scheme where multiple parties dining together were claiming the same meals for reimbursement.

11.7 Going forward, internal auditors created scripts from the data analysis tests that had been used in order to provide for unattended monthly reports of marketing travel expenses so that this high-risk area could be monitored for possible continuing fraud and abuse.
The risk ranking (see figure below) allowed the auditors to select which cost centres to audit more frequently.

The symbols illustrated in this IDEA Software database are editable multistate fields that have underlying numerical values representing risk assignments based on the results of each test. Total risk is a cross-footing of the columns (not all columns are displayed). The database was then indexed in descending order by total risk.

This example of continuous auditing is quite strategic in nature — more like a data driven analysis process used by internal auditing functions to determine where internal audit resources will be deployed over the next audit plan cycle. Most internal audit functions plan for a year in advance, but the cycles will continue to shorten as internal auditing functions bring more processes into the data driven model. (See Appendix A for other examples of continuous auditing.)

Continuous auditing today is maturing and evolving into a process to be used by chief auditing leaders to determine when and where to deploy internal auditing resources. It enables them to learn what issues and patterns exist or could exist that would cause internal audit to change future audit plans. Recognizing that improvements will drive increasingly higher maturity levels, internal audit leaders see continuous auditing not as a place but a path.

Difference in Continuous Auditing and Continuous Monitoring

11.8 In the last five years, automated risk management solutions have entered the market place under the name “continuous monitoring”. The mission of these systems is primarily to provide assistance to companies interested in meeting compliance with regulations such as Sarbanes Oxley.
The marketing press associated with these systems almost always includes the potential to provide a future stepping stone to venturing into Enterprise-wide Risk Management (ERM). Recent acquisitions of enterprise-level ad-hoc reporting tools by major information systems companies indicate a continuing increase in the need for management to put into place automated mechanisms for monitoring the controls within a system.

“Continuous Monitoring uses control automation to reduce fraud and improve financial governance, typically resulting in a substantial return on investment. It improves the reliability of the controls, and it improves the management oversight, policy enforcement and operational efficiency for critical financial processes, often producing hard-dollar savings.” – Gartner CCM Magic Quadrant 2010.

“Automated control monitoring…can enhance the effectiveness, efficiency and timeliness of monitoring specific controls.” - 2009 COSO Guidance on Monitoring Internal Control Systems.

11.9 Internal auditors have played an important role in working with management to evaluate these systems. In many cases, audit routines (including the data analysis tools used) designed by internal audit have been passed over to the applicable business unit so that management can begin to monitor the areas themselves without having to invest in more costly continuous monitoring applications. Auditors should be aware that when this happens, their independence could be affected in subsequent periods if the routines are simply placed in service or if they continue to be involved in the disposition of matters. A solution to this problem would be to share tools and knowledge gained with the IT and business unit functions. Empowering them to perform self-audits using data analysis techniques moves audit processes into control activities. Everyone wins, but the auditor should be careful to remain independent of this activity once it is transferred.
Confusion about independence and ownership of these control activities can be avoided by understanding the key differences between continuous auditing and continuous monitoring:

“Continuous monitoring is a feedback mechanism, primarily used by management, to ensure that systems operate and transactions are processed as prescribed…Continuous auditing is the collection of audit evidence, by an auditor, on systems and transactions, on a continuous basis through a period…monitoring systems [can] provide the evidence to be collected and assessed…”*

The case referenced provides an example of continuous auditing where the auditor might extract details of unusual or large adjusting journal entries on a daily basis, then validate the reasons for the entries and document his findings. Management benefits by having this information and being able to correct errors before the reporting requirement. Audit benefits by gaining earlier knowledge of what is happening in the company, which will improve the audit planning and risk assessment process. If the daily extraction report is part of a continuous monitoring program, the review and response activity should belong to management. Audit evidence will then become a review of management's response to the anomalies identified by the continuous monitoring system.

Benefits of Continuous Auditing and Continuous Monitoring

11.10 Continuous auditing can enable an enterprise to:
• Improve risk and control assurance, usually in the same or less time than previous approaches.
• Reduce costs, including internal audit costs and costs associated with unaddressed control deficiencies.
• Increase the level of risk mitigation for business risks.
• Achieve a more robust, more effective auditing process.
• Expand internal audit coverage with minimal (or no) incremental cost.
• Shorten audit cycle time.
• Identify control issues in real time.
* Handscombe, “Continuous Auditing From a Practical Perspective,” Information Systems Control Journal, Volume 2, 2007.

Continuous monitoring can enable an enterprise to:
• Increase value through improved financial and operating controls.
• Accelerate reporting to support more rapid decision making and business improvement.
• Detect exceptions in real time to enable real-time responses.
• Reduce – and ultimately minimize – on-going compliance costs.
• Replace manual preventive controls with automated detective controls.
• Establish a more automated, robust, risk-based control environment with lower manpower costs.
• Heighten a competitive advantage and increase value to stakeholders.

Five Steps to Implementing Continuous Auditing

11.11 Setting a strategy should involve defining your vision for the future, and a self-assessment of where you are now and what time, talent and other resources will be needed to get there. Deeply embedded in the strategy must be the decision to empower the internal auditing function with data analysis software. The chief audit executive (CAE) must be involved at the very beginning for any continuous auditing program to be successful. The following activities should have already been completed before the CAE embarks on a path to implement continuous auditing:
• Develop and implement a risk-based methodology that focuses on setting audit priorities based on probability of occurrence and impact of the risks.
• Create a perpetual inventory of all current and future business information systems. Learn how to monitor the integrity and reliability of information coming from these systems.
• Document data life cycles for each system
• Know what can go wrong
• Identify the red flags that management uses to identify potential problems
• Be alert for changes in the red flags
• Build programs that identify the red flags
• Follow through on investigating all identified red flags
• Develop a close working relationship with the IT department.
• Increase management participation in engagement planning and engagement wrap-up processes. Communicate your plan to revise the focus of audit to incorporate continuous auditing.

Auditors who participated in Sarbanes Oxley or similar legislative compliance initiatives will quickly recognize that most of this work already exists in the documentation. Appendix B reviews continuous auditing maturity levels you may use for benchmarking your audit function.

11.12 After completing a self-assessment and determining the internal audit function's readiness to move towards continuous auditing, the following five steps will lead to successful implementation:

(i) Assess risks and controls (What to test and why)
Evaluate each area on the basis of management's tone and commitment to monitoring its controls, whether continuously or periodically. If the area represents a high risk and controls are not being monitored continuously, you have identified a gap that would be a good candidate for continuous auditing. You should document the audit objectives and reasoning for selection as a continuous audit technique. If management has implemented effective monitoring, but their system produces many “false positives” or provides indications that exceptions are not being cleared on a timely basis, you might offer consulting services to help management further analyse the alerts generated by the monitoring system.

(ii) Determine data available and arrange for transfer to an independent platform (Whether the tests can be data driven)
Ideally, the systems have already been documented and data has been obtained during prior audits where data analysis was used in the audit. IT departments frequently resist requests for data because they interrupt the workflow processes. Communicating to them the benefits of establishing automatic transfers to reduce future periodic requests should help you get past this potential roadblock. For example, an automatic extract of all journal entries that are not system generated could be transferred to an audit data warehouse on a daily basis. An independent platform can be a server or high capacity workstation.

(iii) Develop audit program steps and test routines using scripts or assistance (initially) from IT, taking into consideration the frequency for running automated tests (How the tests will achieve the audit objectives)
For continuous auditing in an area where data analysis has already been used, a script can very easily be developed from the history file of past audits. For new areas, the tests can be recorded as they are performed within the software. In the journal entry example above, the routine to develop might include extraction of large value entries and creation of a population of all entries over a given time period, with trend analysis and time series analysis being performed on the monthly or quarterly data. In order to provide timely reports to management, determine how and when audit results will be communicated. If possible, build alerts into the reporting process.

(iv) Apply a continuous improvement process to the tests (How the results can be most effective)
For each test, you should analyse anomalies, and adjust parameters and criteria to eliminate false positive results.
This will be an iterative process, and is the primary reason tools such as IDEA are more effective than out-of-the-box solutions. For example, a continuous auditing process initially used by a large energy company's internal audit department that was passed on to accounts payable became more and more sophisticated as the users learned from their system what conditions most often resulted in duplicate payments.

(v) Practice continuous planning (How to build on successes)
Monitor the change processes within internal auditing to be sure continuous auditing activities stay on track and the maximum benefits are obtained. Use successes in marketing internal auditing services to other areas. This and previous steps can be accomplished within the context of conducting this year's audit plan. As each planned audit is completed, it should be assessed for inclusion in your continuous auditing activities. Your internal auditors will benefit by learning more about each system or process they review, and their use of technology will continue to improve.

Conclusion

11.13 Today, management and internal audit find themselves working on the same problem but on opposite sides of the fence. If management controls and monitoring processes do not stop errors and fraud, then the auditing routines must. Going forward, management will be evaluated on sustainability of compliance and competitiveness. Internal audit will be evaluated based on the ability to tailor its activities to the areas of highest risk and opportunities to add the most value. As new ways of looking at the data from information systems are developed and perfected, the processes will be transferred to that function's leadership. Continuous auditing will eventually lead to continuous reporting. In the Information Age, this is essential as investors and creditors also demand timely financial information for their decision making.
Some companies have gone so far as to embed the analysis directly into the production system. In real-time mode, alerts are immediately generated to notify internal auditing and management that a transaction with certain characteristics has entered the production environment.

11.14 CAEs can achieve and maintain their status as strategic leaders amid the grind of management roll-call meetings, budget and planning activities, SOX and other regulatory compliance deadlines, and staffing and resource issues by implementing continuous auditing as the best path to enterprise wide risk management implementation. Continuous Monitoring through CAATs enables decision making for business users, by empowering them with comprehensive relevant Enterprise Business Intelligence, across technology platforms. This is greatly accentuated by the understanding of the underlying business process by the business user. With CAATs, users can jumpstart their Analytic journey, and enjoy improved margins, better customer retention, process efficiency and effectiveness thereby impacting the top-line and bottom-line performance of their business positively.

* Deloitte — optimizing the role of internal audit in the Sarbanes-Oxley Era (Second Edition, page 10).

11.15 In culmination CAATs:
• Help accelerate your organisation’s analytic maturity, taking you one step closer to achieving excellence.
• Create such business benefits by delivering enhanced usability speaking and thinking, anticipating the evolving needs of decision makers, and ensuring a faster adoption rate amongst users.
• Through simple screen guided analytics, empower every decision maker in every role in your organization and take the load off the IT Reports Group, by being easily extendable and maintainable.
• Reduce the latency, cost and project management challenges within reasonable tolerance levels associated with a traditional BI deployment, and enjoy unparalleled Speed to Benefits.
• Transform business intelligence from being a 'Decision Support System' to a 'Decision Making System'.

Appendix A
Continuous Auditing in Practice

Many approaches to continuous auditing involve using audit specific data analysis tools such as IDEA Software to audit databases. Responses to a recent informal interview of internal auditors regarding the use of continuous auditing in their organizations resulted in the following examples already in operation:
• Continuous auditing can aid in the streamlining of audit efforts. For example, focusing on revenues and expenses depends on a key driver. Data from operations and finance are then combined to come up with ratios. These ratios are a) reviewed from month to month and b) cross-checked against price catalogues. Identified anomalies result in inquiries to the appropriate functions in operations and/or detailed tests.
• Monitoring of purchasing card usage provides early detection of errors and improper purchases. For example, the internal auditor receives transaction data from the bank monthly, using data analysis techniques to identify potential misuse. When misuse is identified, the auditor can demonstrate to management through the data analysis that the risk of misuse is higher than expected.
• Human Resources data anomalies and payroll trends, patterns, relationships in hours and rupees can be monitored. Out of balance conditions between subsidiary ledgers and general ledger control account balances, along with the monitoring of key master file fields against company standards allow the monitoring of changes in business units included in financial statement consolidation.
• Continuous auditing can involve obtaining data outputs from critical processes several times per year, resulting in ‘traffic light’ overviews, substantiated with key operational and financial data, limited review work and interviews.
• Key indicators such as those related to financial and operational measures, and regression models (net revenue and earnings (usually EBITDA)) can be monitored. Quarterly, the information is downloaded into the profile; outliers are highlighted in RED based on formulas, and staff members follow-up on outliers with emails, with phone calls and review of other documentation used to resolve the outliers.
• Continuous auditing in lending might include having retail loans disbursed at the branch submitted to a central location within 2 days for checking completeness of documentation, adherence to policy and procedures and recovery of income.

Appendix B
Continuous Auditing Maturity Levels

HIGH
Enterprise Risk Management: Build data analysis across the Enterprise – road to continuous ERM
Repetitive Continuous Audits: Improve data analysis in areas audit knows best. at impact & frequency of certain patterns.
What if - Fraud: Apply lessons learned to seek out gaps in monitoring. Assist in Fraud cases.
Risk Assessment: Using data to set audit resource priorities. CAAT’s & Store Audits.
LOW
Data Challenged: May use and seek out reports and lists to improve audits. Primary tool is spreadsheets. May look for justification to improve data analysis skills and tools.
Priority – Sustainable Internal Audit Resources: Internal Audit function stabilizing and interested in best practices and continuous Improvement.
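
The journal-entry routine outlined in steps (ii) to (iv) of paragraph 11.12, as an added example in Python; it is not code from this Guide or from IDEA. The column names, the SYSTEM source flag, the threshold and the trend factor are assumptions, and the extract is constructed sample data.

```python
"""Daily journal-entry test: manual entries only, large-value extraction, monthly trend."""
import csv
import io
from collections import defaultdict
from decimal import Decimal, InvalidOperation
from statistics import median

# Constructed sample of a daily extract landed on the independent audit platform.
# Column names and the SYSTEM/MANUAL source flag are assumptions.
SAMPLE_EXTRACT = """\
entry_id,posting_date,source,account,amount,posted_by
JE-0001,2014-10-31,MANUAL,6100,18000.00,akumar
JE-0002,2014-11-28,MANUAL,6100,21000.00,akumar
JE-0003,2014-12-31,MANUAL,6100,19500.00,rshah
JE-0004,2015-01-05,SYSTEM,4000,910000.00,batch
JE-0005,2015-01-12,MANUAL,6100,22000.00,rshah
JE-0006,2015-01-30,MANUAL,1200,-480000.00,akumar
JE-0007,2015-01-31,MANUAL,6100,bad-amount,rshah
"""


def load_manual_entries(csv_text):
    """Return (entries, rejected_ids). System-generated rows are out of scope;
    rows with an unreadable amount are reported rather than silently dropped,
    so the tested population can be reconciled to the extract."""
    entries, rejected = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["source"].strip().upper() == "SYSTEM":
            continue
        try:
            row["amount"] = Decimal(row["amount"])
        except InvalidOperation:
            rejected.append(row["entry_id"])
            continue
        entries.append(row)
    return entries, rejected


def large_value_entries(entries, threshold):
    """Ids of entries whose absolute amount reaches the threshold (debit or credit)."""
    return [e["entry_id"] for e in entries if abs(e["amount"]) >= threshold]


def monthly_totals(entries):
    """Population of all manual entries, totalled by posting month (YYYY-MM)."""
    totals = defaultdict(Decimal)
    for e in entries:
        totals[e["posting_date"][:7]] += abs(e["amount"])
    return dict(sorted(totals.items()))


def trend_breaks(totals, factor):
    """Months whose total exceeds factor x the median of all earlier months."""
    months = list(totals)
    flagged = []
    for i in range(1, len(months)):  # the first month has no baseline
        baseline = median(totals[m] for m in months[:i])
        if baseline and totals[months[i]] > Decimal(str(factor)) * baseline:
            flagged.append(months[i])
    return flagged


def run_daily_test(csv_text, threshold, factor):
    """One run of the routine; threshold and factor are the parameters to tune
    when earlier runs produced false positives (step iv)."""
    entries, rejected = load_manual_entries(csv_text)
    totals = monthly_totals(entries)
    return {
        "large_value": large_value_entries(entries, threshold),
        "trend_breaks": trend_breaks(totals, factor),
        "rejected_rows": rejected,
    }


if __name__ == "__main__":
    print(run_daily_test(SAMPLE_EXTRACT, threshold=100000, factor=3))
```

Lowering the threshold from 100000 to 20000 on the same extract raises the large-value list from one entry to three, which is the kind of parameter adjustment step (iv) describes.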
Chapter 12
Continuous Monitoring with Big Data Using Caseware Monitor

“Detect, correct and protect – immediate results for long-term peace-of-mind”

About

12.1 CaseWare™ Monitor is a sophisticated risk and controls monitoring solution that allows business, risk and control professionals as well as auditors to quickly and confidently monitor any automated system. Our solution manages risks and controls across the enterprise by continuously monitoring business activities. This ensures that executives and other key decision makers are given the opportunity to maximize every possible advantage in monitoring risk and making better business decisions to boost profitability. CaseWare™ Monitor can be applied to any business process, regardless of the underlying system or platform, across the entire organization.

Overview

CaseWare™ Monitor Framework Concept

Enterprise-wide Controls Portal

12.2 The use of effective internal controls systems, when implemented properly, is good business, as it provides assurance that financial information is correct, businesses are operating efficiently and assets are safeguarded. Addressing breakdowns in internal controls in a timely and efficient manner allows businesses to improve their profitability. Being able to determine the state of internal controls across the enterprise through a single portal is one key component of Monitor's value proposition. Controls at remote locations can be examined centrally, including actions being taken to mitigate risks. The solution is designed to meet the requirements of any business ranging from small businesses to Fortune 500 companies with diverse global operations across multiple languages.

12.3 CaseWare™ Monitor provides a single controls portal that enables all stakeholders within any organization to independently monitor controls across multiple businesses and systems.
By providing a collaborative framework, our technologies detect breakdowns in internal controls and allow users to solve the underlying problems and prevent negative impacts on the company.

Source – Caseware Monitor framework from Caseware RCM Inc., Canada

Open Design, Universal Application

12.4 Consider a group of companies with global operations in telecommunications, manufacturing, banking and insurance. These are diverse businesses with their own controls and compliance needs, requiring a monitoring framework that is universally applicable. CaseWare™ Monitor is perfectly suited to access and monitor data from telecom switches, ERPs, custom-made applications, and core banking and insurance applications. Regardless of the databases being used, the solution can monitor all these business processes and effectively improve compliance and controls.

12.5 While CaseWare™ Monitor has pre-built solutions for many business processes and industries, its open design allows customers to build customized controls using established scripting tools such as IDEA®, ACL™, Arbutus and SQL Scripts. With these scripting tools and the framework approach, customers can monitor any control in any business process. This approach allows the customer to focus on scripting the basic logic and having the framework handle everything else. For example, to monitor the creation of overtime claims in excess of the number of work hours in the period, the script writer can apply a simple logic of OvertimeClaim > HoursInPeriod. The remaining stages of the process are handled by CaseWare™ Monitor including:
• when and how often the data is to be monitored.
• who is to be notified.
• how they are to be notified (e-mail, SMS, dashboards, etc.).
• the risk level associated with the control exception.
• who is responsible for resolving the issue and the turnaround time.
• who the exception is to be escalated to, if unresolved.

Solutions

12.6 CaseWare™ Monitor solutions are built around a continuous controls monitoring framework with predefined business rules. With a comprehensive suite of tests and the ability to monitor business processes regardless of the underlying data sources, platforms, or locations, CaseWare™ Monitor offers an effective solution to enable Continuous Controls Monitoring throughout the entire organization. The Solutions offer:
• standardized rules for specific business processes.
• monitoring of ERPs such as Oracle™ and SAP™.
• faster and more efficient implementations.

Anti-Money Laundering

12.7 The focus of CaseWare™ Monitor AML is to assist institutions in meeting compliance requirements in an effective and efficient manner by automating regulatory reporting and monitoring financial transactions and customer information. The ability to assign responsibility for anomalies detected and maintain accurate records of all actions taken is key in allowing institutions to take all reasonable steps and exercise the necessary due diligence to avoid committing an offense.

Retail and Distribution

12.8 Effective loss prevention continues to be an essential activity for the Retail Industry. The constantly changing nature of retail shrinkage can only be contested through a greater understanding of the business activities within an organization's internal control environment. In a recent KPMG Fraud Survey Report, inadequate oversight and lack of clarity regarding ownership of controls are cited as key factors leading to ineffective fraud prevention. Examples include individuals being temporarily assigned 'super' user rights that are not revoked at the correct time, or exception reports going to stakeholders that cannot take action to remediate issues before they become material to the organization.
Through a single portal coupled with built-in workflow and notification, all stakeholders and key decision makers can independently monitor processes across varying businesses and systems. This collaborative framework helps users across multiple departments such as loss prevention, procurement, finance, operations, and audit, to detect and correct errors and abuses before they become detrimental.

Health Insurance Fraud

12.9 The health insurance industry suffers tremendous losses globally and the resulting impact is higher premiums. For example, in the U.S. alone health insurance fraud was estimated to cost $68 billion. (National Health Care Anti-Fraud Association, 2008) The methods being used by many health insurers lack the sophistication to stay ahead of the threat. CaseWare™ Monitor Health Insurance Fraud Monitoring employs a combination of business rules and predictive analytics to detect fraudulent claims. CaseWare™ Monitor integrates seamlessly requiring no changes to existing business systems in the organization. All claims are examined against business rules in addition to advanced analytics to detect anomalies. Every $2 million invested in fighting health-care fraud returns $17.3 million in recoveries, court-ordered judgments, plus bogus claims that weren't paid and other anti-fraud savings. (National Health Care Anti-Fraud Association, 2008)

Loan Portfolio

12.10 The focus of the solution is to automate the definition of governance, risk and controls within the financial institution's lending process. The financial institution is allowed to define the control environment from loan origination to servicing and portfolio management. Once completed, the monitoring framework examines all electronic activity to detect control breaches and alert the relevant persons automatically.

Order to Cash

12.11 CaseWare™ Monitor O2C enables all Order to Cash processes to be monitored, regardless of the underlying systems, data sources, platforms or locations. Results from these disparate sources are consolidated and presented in CaseWare™ Monitor O2C for use by any authorized users, regardless of location. Continuous monitoring solutions provide an organization with an independent point of observation over its O2C business processes. It enables identification of control breaches, fraud and money leakage, while ensuring data quality and providing feedback on key performance metrics across the entire process. An independent point of observation is important in continuous monitoring because solutions that are embedded tend to only provide insight into that system. CaseWare™ Monitor however enables all aspects of the O2C process to be monitored holistically and provides assurance that the interfaces between systems are working correctly.

Purchase to Payment

12.12 CaseWare™ Monitor for P2P suite of tests is comprehensive and covers the full lifecycle of P2P. The suite includes tests and reports for Segregation of Duties, Master Data Monitoring, Exception Reporting and Metrics & Performance Monitoring. Using CaseWare™ Monitor, all facets of the P2P process, from Requisitioning through to Payment, can be monitored, providing insight into specific issues as well as the overall health of procurement controls. Notifications and workflow management are built into the CaseWare™ Monitor framework ensuring that issues receive proper attention and their resolution managed.

Payroll

12.13 According to the Association of Certified Fraud Examiners (ACFE), companies lose 7% of their annual revenues to occupational fraud. The focus of the CaseWare™ Monitor Payroll solution is to define and automate tests for the controls within the organization's payroll processes.
CaseWare™ Monitor Payroll Solution is compatible with any source of data, including ERP and bespoke applications. By continuously monitoring the systems and applying a comprehensive resolution workflow, the audit and compliance process becomes independent and auditable. A key feature of payroll controls monitoring in CaseWare™ Monitor is the ability to detect erroneous, suspicious and fraudulent activities before payments are made. This provides organizations with a valuable window of time to investigate exceptions to prevent losses due to error or fraud. This solution is deployed to all the relevant stakeholders, assigning them fraud mitigation tasks and ensuring that they are addressed in a timely manner.

Revenue Assurance for Utilities

12.14 Utility companies generally face mounting difficulties in safeguarding their revenues. In times of increasing data volume and complex systems, finding methods to detect revenue leakage and implementing an infrastructure to address it is challenging. With the CaseWare™ Monitor framework approach there are no "blind spots" because there is a virtual consolidation of the systems to create a single view of the business. The focus of the solution is to automate the monitoring of the company's service and billing processes. Detecting anomalies and alerting the relevant persons will prevent and/or minimize revenue leakage. Most errors that result in revenue losses occur in advance of the actual loss. For example, a customer whose account is incorrectly rated will not result in a loss until billing is done but if detected early, the loss is preventable.

Segregation of Duties

12.15 The CaseWare™ Monitor SoD solution enables Segregation of Duties to be monitored holistically, ensuring that user authorities are properly compartmentalized regardless of the business application, and as a secondary benefit, provides assurance that interfaces between different systems and business operations are working correctly.

Key Benefits

12.16 The following are key benefits:
• early detection of SoD issues
• simple regulatory compliance reporting
• enhanced view of potential SoD violations
• reduction in the risk of fraud through SoD violations
• historical record of SoD exceptions and remediation
• common portal for Segregation of Duties across the enterprise
• greater transparency and effectiveness in the protection of information

Taxation

12.17 Our Tax Monitoring solution is compatible with any source of data, including ERP and bespoke applications. By continuously monitoring the systems and applying a comprehensive resolution workflow, the compliance process becomes independent and auditable. This solution is deployed to all the relevant stakeholders, assigning them issues to be dealt with and ensuring that they are addressed in a timely manner.

Continuous Auditing

12.18 CaseWare™ Monitor enables Continuous Auditing of the entire business regardless of underlying systems, data sources, platforms or locations. CaseWare™ Monitor analyzes 100% of the applicable data and presents a consolidated view of these disparate sources. Internal Audit (IA) is allowed to define the control environment by utilizing a monitoring framework, and alerts are sent once control breaches occur. The solution allows auditing to become more independent and repeatable. IA can now automate scripts to have more frequent testing of controls, and, with the issue management workflow and distribution, can always know the status of internal controls.

Windows Security Logs

12.19 In most Windows environments, audit logs are underutilized. They are often examined only for investigation purposes and usually after an incident. However, Windows logs, when properly configured and efficiently monitored, have tremendous value. System logging generates a vast amount of data from varying sources. As a result, the process of consolidating, inspecting and analyzing them may be tedious and inefficient. The challenges are compounded by inadequate configuration resulting in logs being full, overwritten, incomplete and useless. Our solution focuses on automating analysis, reporting, alerts and issues management within the organization's Windows logging environment. The resulting logs are collated to a centralized CaseWare™ Monitor server for analysis and interrogation. Once completed, CaseWare™ Monitor utilizes a monitoring framework that examines all electronic activities to detect reportable events and alert the relevant individuals.

Features

12.20 CaseWare™ Monitor examines transactions and data within business processes to detect exceptions based on business rules and parameters. Once detected, CaseWare™ Monitor can alert the relevant users using a variety of contact options such as e-mails and text messaging. All alerts and reports are managed within a comprehensive workflow solution. The workflow is distributed across the enterprise to engage all stakeholders in achieving internal control and compliance objectives.

Issue Management Workflow

Detecting compliance and control breaches is only part of the core objective. The resolution of issues and the associated improvements in the control environment are critical to realizing the value of continuous monitoring. Anyone attempting to monitor business process controls manually can attest to the challenges. CaseWare™ Monitor boasts impressive functionality to manage issues.
This includes:
• ability to automate the execution of tests via schedules
• selecting users/groups to be alerted for information purposes only
• setting up an escalation process
• controlling whether or not the assigned user can close the issue
• performing all of the above based on conditions

The conditional management of issues is a powerful feature that allows the customer to determine different treatment of exceptions based on predefined criteria. For example, all exceptions for Branch A get routed to Manager A and Branch B to Manager B, and so on. In another instance, exceptions above US$50,000 get routed to the CFO’s attention. Once results are assigned, users can:
• review/close
• reassign
• comment
• export reports to portable formats
• view history of activities

Exemptions

12.21 CaseWare™ Monitor allows for the exemption of specific records as a way of reducing false-positives. Applications that detect issues and allocate work must provide for the reduction of false-positives or the user may become overburdened. Specific records in a report can be exempted or a condition can be applied to exempt them. For example, inactive employees in a report on employees with missing demographics could be exempted by using the condition "Employee Status = INACTIVE". Exemptions are reversible and can be viewed at any time. This functionality can also be used to extend the business rules used to generate reports without amending scripts.

Review Process

12.22 Issues can be reviewed by the user to whom they were assigned. He or she has the option to make comments on actions taken and may attach screenshots, spreadsheets, and other documents, to evidence work done. Reassigning the issue to another user allows the Manager or Supervisor to manually allocate work to others. All issues reassigned are kept on the assigner's dashboard until they are closed by the assignee.
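
The rule, exemption, routing and escalation behaviour described in paragraphs 12.5, 12.20 and 12.21, as an added example in plain Python; it is not CaseWare™ Monitor code or its scripting interface. The field names, the two-day turnaround, the default queue and the escalation contact are assumptions, and the records are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, List

# Constructed sample records; every field name here is an assumption.
RECORDS = [
    {"id": "E01", "branch": "A", "status": "ACTIVE", "overtime_claim": 60,
     "hours_in_period": 40, "value_usd": 900, "date_of_birth": "1980-02-01"},
    {"id": "E02", "branch": "B", "status": "ACTIVE", "overtime_claim": 10,
     "hours_in_period": 40, "value_usd": 150, "date_of_birth": ""},
    {"id": "E03", "branch": "B", "status": "INACTIVE", "overtime_claim": 0,
     "hours_in_period": 40, "value_usd": 0, "date_of_birth": ""},
    {"id": "E04", "branch": "B", "status": "ACTIVE", "overtime_claim": 200,
     "hours_in_period": 160, "value_usd": 75000, "date_of_birth": "1975-07-09"},
]


@dataclass
class Rule:
    name: str
    test: Callable[[dict], bool]
    # Exemptions are named predicates kept beside the rule: deleting one
    # reverses it, and exempted records are returned so they stay reviewable.
    exemptions: Dict[str, Callable[[dict], bool]] = field(default_factory=dict)

    def evaluate(self, records):
        exceptions, exempted = [], []
        for rec in records:
            if not self.test(rec):
                continue
            if any(pred(rec) for pred in self.exemptions.values()):
                exempted.append(rec)
            else:
                exceptions.append(rec)
        return exceptions, exempted


def overtime_rule():
    # The page's basic logic: OvertimeClaim > HoursInPeriod.
    return Rule("Overtime exceeds hours in period",
                lambda r: r["overtime_claim"] > r["hours_in_period"])


def demographics_rule():
    # The page's exemption condition: Employee Status = INACTIVE.
    return Rule("Missing demographics",
                lambda r: not r["date_of_birth"],
                {"inactive employees": lambda r: r["status"] == "INACTIVE"})


# Conditional routing, first match wins: high value to the CFO, the rest by branch.
ROUTES = [
    (lambda r: r["value_usd"] > 50_000, "CFO"),
    (lambda r: r["branch"] == "A", "Manager A"),
    (lambda r: r["branch"] == "B", "Manager B"),
]


@dataclass
class Issue:
    rule: str
    record_id: str
    assignee: str
    due: datetime
    escalate_to: str
    closed: bool = False
    history: List[str] = field(default_factory=list)


def route(record, default="Controls queue"):
    return next((who for cond, who in ROUTES if cond(record)), default)


def open_issues(rule, records, now, turnaround=timedelta(days=2),
                escalate_to="Financial Controller"):
    """Assign every non-exempt exception to an owner with a due time."""
    exceptions, _ = rule.evaluate(records)
    issues = []
    for rec in exceptions:
        who = route(rec)
        issues.append(Issue(rule.name, rec["id"], who, now + turnaround,
                            escalate_to, history=[f"assigned to {who}"]))
    return issues


def escalate_overdue(issues, now):
    """Reassign open issues past their due time and record it in the history."""
    moved = []
    for issue in issues:
        if issue.closed or now <= issue.due or issue.assignee == issue.escalate_to:
            continue
        issue.history.append(f"escalated from {issue.assignee} to {issue.escalate_to}")
        issue.assignee = issue.escalate_to
        moved.append(issue)
    return moved
```

Because exempted records are returned rather than discarded, a reviewer can list what each exemption is hiding before deciding to keep it.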
Chapter 13
Conclusion

13.1 In today’s economic environment many companies are striving to reduce costs. Together with new audit standards this provides audit departments with an opportunity to make use of data analysis and make the credo “do more with less” a potential reality. Data analysis also can be an enabling technology that assists audit departments in fulfilling their responsibilities to evaluate and improve the governance, risk management, and control processes as part of the assurance function and seek to deliver timely value to the enterprise by distributing, tracking and escalating potential issues for better organizational insight and control. In culmination the reader must introspect and act upon the following immediately:
• Understand why data analysis is significant to your organization.
• Know how to provide assurance more efficiently with the use of data analysis technology.
• Be familiar with the challenges and risks that you will face when implementing data analysis technology within your department.
• Know how to incorporate data analysis at your organization through adequate planning and appropriate resource structures.
• Recognize opportunities, trends and advantages of making use of data analysis technology.

Chapter 14
Case Studies – Using MS Excel for CAAT, Data Analysis and MIS Reporting

Case Study

14.1 The following are some case studies on using MS Excel for CAAT, Data Analysis and MIS Reporting:

Case Study 1: Compute 7th of next month
Application area: Computing due dates of statutory payments based on invoice dates. Used to check whether payment has been made on or before due date.
Solution: =EOMONTH(start_date, months)
Example: =EOMONTH(A7,0) with “0” as parameter helps compute end of Current Month [first picture]. Adding 7 after the end of this formula helps jump the resulting date 7 days ahead [second picture].

Case Study 2: Compute 90 days vs. 3.0 months from Invoice Date
Application area: Computing exact due dates for debtors, tender cut-off date, project deadline
Solution: =EDATE(start_date, months)
Example: Adding “90” to the Invoice Date will compute due dates based on days. The resulting due date may be different from the due date based on 3.0 months calculation as shown in the second picture.

Case Study 3: Compute Days from given list of Dates. E.g. Sunday, Monday etc.
Application area:
• Derive day (e.g. Saturday, Sunday) to analyse sales data (day-wise sales trend), locating ghost employees if their date-of-join falls on Sunday, ensuring deadline dates do not fall on a Sunday
• Representing dates in “dd/mm/yyyy” format as required while uploading dates during e-filing of VAT returns
Solution: =TEXT(value, format_text)
Example:

“format_text”    Resulting Output
dddd             Wednesday
ddd              Wed
dd               15
mmmm             June
mmm              Jun
mm               6
yyyy             2011
yyy              2011
yy               11
dd/mm/yyyy       15/07/2011

Case Study 4: Cleaning dates from ERP downloaded “DD.MM.YYYY” format into Excel acceptable “MM/DD/YYYY” format
Application area: Pre-requisite step before applying date-based Sorting, Filtering and applying Date formulas such as =EDATE(), EOMONTH(), TEXT() etc.
Solution: Text-to-Columns
Example: Applying date based formulas on dates stored in DD.MM.YYYY format will result in errors as Excel reads date in MM/DD/YYYY format. Sort, Filter, Pivot Table and other such techniques will not work correctly unless the date is corrected as per Excel Standards i.e. MM/DD/YYYY format.
Step 1: Select affected dates
Step 2: DATA tab -> TEXT TO COLUMNS
Step 3: TEXT TO COLUMNS (Step 1 of 3) -> Delimited
Step 4: TEXT TO COLUMNS (Step 2 of 3) -> Turn-off all checkboxes [e.g. Tab, Comma etc.]
849 Compendium of Generic Internal Audit Guides Step 5: TEXT TO COLUMNS (Step 3 of 3) -> “Date” drop-down list -> DMY -> “Finish” button Step 6: Result: Internally, all dates turn into MM/DD/YYYY [refer cell A6]. Although, the skin (presentation) can be modified to DD-MMM-YY as shown in the subsequent step. 850 Data Analytics and Continuous Controls Monitoring Step 7: Select cells -> Right-click -> “Format Cells” -> “Date” option -> Choose appropriate format for display-presentation of dates 851 Compendium of Generic Internal Audit Guides 852 Data Analytics and Continuous Controls Monitoring Case Study 5: Adding Subtotal at the end of every Category of item Application area: Documentation of Inventory items by Category, Fixed Asset items by Asset Class Solution: SUBTOTAL Example: Step 1: Sort the Data Set as per the Column (e.g. Asset Class Description) based on which the Subtotal is needed 853 Compendium of Generic Internal Audit Guides Step 2: After Sorting, select the entire data set. Go to DATA tab -> SUBTOTAL Step 3: “At each change in:” – Asset Class Description | “Use function:” – Sum | “Add Subtotal to:” – Acquisition Value, Acc. Depn., Current Bk. Val. Step 4: The Subtotal adds an extra row with Subtotals at the end of every category of “Asset Class Description” 854 Data Analytics and Continuous Controls Monitoring Case Study 6: Cleaning database – Deleting the errors Application area: Final Documentation & Reporting Solution: Go To (Special) – Formulas with errors Example: Step 1: Select data -> Press together to activate “Go To” box -> Choose “Special” button from the “Go To” box 855 Compendium of Generic Internal Audit Guides Step 2: Choose “Formulas” with “Errors” Step 3: The above mechanism helps select all the cells with errors simultaneously. Pressing key will help delete the errors in one go. 
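The date tests of Case Studies 1 to 4, reproduced outside Excel as an added Python example (it is not part of the Guide): it reads ERP dates in DD.MM.YYYY with an explicit day-first order, rebuilds =EOMONTH and =EDATE, and flags late statutory payments and Sunday joining dates. The sample rows, the function names and the rule that unparseable rows are set aside for manual review are assumptions made for this illustration.

```python
import calendar
from datetime import date, datetime, timedelta


def parse_erp_date(text):
    """Case Study 4: read an ERP date exported as DD.MM.YYYY, day first.

    The field order is stated, never guessed, so 03.04.2014 is 3 April 2014.
    Any other layout, or an impossible date, raises ValueError.
    """
    return datetime.strptime(text.strip(), "%d.%m.%Y").date()


def edate(start, months):
    """Same day of the month `months` later, clamped to month end (=EDATE)."""
    index = start.year * 12 + (start.month - 1) + months
    year, month_zero = divmod(index, 12)
    month = month_zero + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def eomonth(start, months):
    """Last day of the month `months` away from `start` (=EOMONTH)."""
    shifted = edate(start.replace(day=1), months)
    last_day = calendar.monthrange(shifted.year, shifted.month)[1]
    return shifted.replace(day=last_day)


def statutory_due_date(invoice_date):
    """Case Study 1: =EOMONTH(A7,0)+7, the 7th of the following month."""
    return eomonth(invoice_date, 0) + timedelta(days=7)


def days_vs_months_gap(invoice_date):
    """Case Study 2: days by which 'invoice + 90' differs from =EDATE(invoice,3)."""
    return ((invoice_date + timedelta(days=90)) - edate(invoice_date, 3)).days


def review_payments(rows):
    """Return (late, rejected) for rows of (invoice no, invoice date, paid date).

    late     -> (invoice no, due date, days overdue) for payments after the due date
    rejected -> invoice numbers whose dates could not be read as DD.MM.YYYY
    """
    late, rejected = [], []
    for number, invoice_text, paid_text in rows:
        try:
            invoice = parse_erp_date(invoice_text)
            paid = parse_erp_date(paid_text)
        except ValueError:
            rejected.append(number)  # assumption: route to manual review
            continue
        due = statutory_due_date(invoice)
        if paid > due:
            late.append((number, due, (paid - due).days))
    return late, rejected


def sunday_joiners(rows):
    """Case Study 3: employee ids whose date of joining falls on a Sunday."""
    return [emp for emp, joined in rows if parse_erp_date(joined).weekday() == 6]


# Constructed sample data, not taken from the Guide.
SAMPLE_INVOICES = [
    ("INV-001", "15.06.2011", "07.07.2011"),  # paid on the due date
    ("INV-002", "30.11.2013", "09.12.2013"),  # paid two days late
    ("INV-003", "31.12.2013", "07.01.2014"),  # due date rolls into next year
    ("INV-004", "13/06/2011", "01.07.2011"),  # wrong separator
    ("INV-005", "31.02.2014", "05.03.2014"),  # impossible date
]
SAMPLE_JOINERS = [("E-101", "15.06.2011"), ("E-102", "19.06.2011")]

if __name__ == "__main__":
    late, rejected = review_payments(SAMPLE_INVOICES)
    for number, due, overdue in late:
        print(f"{number}: due {due:%d/%m/%Y}, paid {overdue} day(s) late")
    print("Unreadable dates, review manually:", ", ".join(rejected))
    print("Joined on a Sunday:", ", ".join(sunday_joiners(SAMPLE_JOINERS)))
    print("90 days vs 3 months for 15.06.2011:",
          days_vs_months_gap(date(2011, 6, 15)), "day(s)")
```

Rejecting rows that do not match the stated layout keeps a day-first date from being silently read as month-first, which is the failure Case Study 4 corrects with Text-to-Columns.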
Case Study 7: Filling up Blank cells with appropriate date pieces to enable use of Filter & Pivot table
Application area: Preparing ERP downloaded raw data file (e.g. Vendor Master, Transaction files) for further analysis
Solution: Go To (Special) – Blanks
Example:
Step 1: Choose affected range of columns/cells
Step 2: Press together to activate “Go To” box -> Choose “Special” button from the “Go To” box
Step 3: Choose “Blanks”
Step 4: Write formula in the first selected cell keeping the "Blank" range selected -> Press together to fill the formulas in the entire region of "Blank" range selected

Case Study 8: Debtors Ageing
Application area: Preparing ERP downloaded raw data file (e.g. Vendor Master, Transaction files) for further analysis
Solution: VLOOKUP(lookup_value, table_array, col_index_num, range_lookup) with range_lookup as
Example:
Step 1: Write =VLOOKUP() and choose lookup_value
Step 2: Choose table_array i.e. “reference table” on the right as shown, press to lock the range ($)
Step 3: Choose col_index_num as 2 since “Age Bracket” values are in the second column of the “Reference table”
Step 4: Choose range_lookup as since the “Reference table” refers to data in “greater than or equal to” format in the first column and is sorted in ascending order
Step 5: Drag the formula so written to subsequent cells downwards to pull the “Ageing Bracket” value based on “Days due for”

Case Study 9: Finding Instances of Duplicates
Application area: Finding how many times a particular Invoice No. / Voucher No. may have been duplicated
Solution: COUNTIFS(criteria_range1, criteria1, criteria_range2, criteria2 …)
Example:
Step 1: Write =COUNTIFS() and choose criteria_range1 as illustrated.
Step 2: Press to lock the selected range ($)
Step 3: Choose criteria1 as the Invoice No.
Step 4: Copy the formula and paste it into subsequent cells as shown.

Case Study 10: Removing Duplicate Names to arrive at unique list
Application area: Preparing a list of vendor names, client names, product names
Solution: Remove Duplicates
Example: Eliminating duplicate names will help us arrive at a list that has unique names
Step 1: After choosing the data set, DATA tab -> “Remove Duplicates"
Step 2: Continue with the resulting dialog box, keeping “Vendor Names” ticked.
Step 3: “Remove Duplicates” keeps the first instance of the unique name and deletes the duplicates occurring thereafter.

Case Study 11: Pivot Table - I
Application area: Multi-dimensional Data Analysis on Columnar data sets. E.g. Fixed Asset Register, Sales, Purchase, Goods Dispatch, Employee Master, Payroll
Solution: Pivot Table - Basic
Example: Given below is a snapshot of a data set of employees of a company with details of date of join, name, salary, department, performance rating and age.
Step 1: Choose entire data set and then INSERT Tab -> “Pivot Table”
Step 2: “Create Pivot table” reconfirms selection of data range. Press OK.
Step 3: A Pivot table shell template is created (left)
Step 4: Right-click on the report area and choose “Pivot Table options”
Step 5: Go to “Display” tab and activate the setting as mentioned – “Classic Pivot Table Layout”
Explanation: “Row Fields”, “Column Fields”, “Page Fields” and “Data Items” (left) are template areas that show where the fields from the field list (top right) will subsequently be dragged and dropped to form the Pivot Table report.
Explanation: “Row Fields”, “Column Fields”, “Page Fields” and “Data Items” (left) are represented by “Row Labels”, “Column labels”, “Report Filter” and “Values” (bottom right), respectively. The “Data Items” or “values” area represents the region where all mathematical computations are performed – Sum, Count, Average etc.
Step 8: Select “Division” and drag/place it under “Row Fields” (left) or “Row Labels” (bottom-right)
Step 9: Select “Salary” and drag/place it under “Data items” (left) or “Values” (bottom-right).
Automatically, the “action area” will compute “Sum of Salary”
Step 10: To calculate “Head Count” or “Count” of “Salary”, double-click on the heading “Sum of Salary” as marked
Step 11: As a result of the double-click, the “Value Field Settings” box gets activated and from the “Summarize by” tab, one can choose “Count”
Explanation: Resulting output data suggests “Count of Salary” indicating a total of 417 employees
Step 12: Based on the headcount (absolute numbers), if % is to be computed, double-click to open the “Value Field Settings” box and from the “Show Values as” tab, one can choose “% of Total”
Explanation: As a result, the total workforce headcount is displayed in % format

Case Study 12: Pivot Table – II
Application area: Creating Pools – Debtor Ageing, Salary Pools,
Solution: Pivot Table – Advanced (Grouping)
Example: Based on the previously generated Pivot Table report template.
Step 1: Select and Drag “Age” from “Pivot Table Field List” (top-right) to “Row Labels” (bottom-right) to get the ages listed vertically as shown.
Step 2: Right-click on the heading “Age” and choose “Group” from the resulting options box.
Step 3: Keeping the preferred Interval as “10”, press OK.
Resulting Output:
Step 4: Keeping the preferred Interval as “10”, press OK.
Step 5: Select and Drag “Division” from “Pivot Table Field List” (top-right) to “Column Labels” (bottom-right) to get division-wise age-bracket wise template report
Step 4: Select and Drag “Name” from “Pivot Table Field List” (top-right) to “Values” (bottom-right) to get age-bracket division-wise headcount of employees

Case Study 13: Pivot Table - III
Application area: Creating date-wise reports for stock in hand, purchases, sales, transactions, date of joining, date of payment disbursements
Solution: Pivot Table – Grouping
Example: Based on the previously generated Pivot Table report template.
Step 1: Select and Drag “DoJ” from “Pivot Table Field List” (top-right) to “Row Labels” (bottom-right) to get the dates listed vertically as shown.
Step 2: Right-click on the heading “DoJ” and choose “Group” from the resulting options box.
Step 3: Choose “Months” and “Years” and press “OK” button.
Resulting Output:
Step 4: Select and Drag “Name” from “Pivot Table Field List” (top-right) to “Values” (bottom-right) to get year-wise month-wise report on employee joining.
Note: This Dates - Grouping strategy shall only work if the date is as per Excel format. E.g. dates in DMY format - 22/7/2009 is not accepted as date by Excel (unless default “Region & Language” settings under “Control Panel” have been changed). To rectify the DMY format to Excel accepted MDY format, refer to Case Study 4.

Case Study 14: Pivot Table - IV
Application area: Creating Pools – Debtor Ageing, Salary Pools, Fixed Asset – High value vs. Low Value
Solution: Pivot Table – Advanced (Grouping)
Example: Based on the previously generated Pivot Table report template
Step 1: Select and Drag “Salary” from “Pivot Table Field List” (top-right) to “Row Labels” (bottom-right) to get Salaries listed vertically
Step 2: Right-click on the heading “Salary” and choose “Group” from the resulting options box.
Step 3: After changing the “Starting at” value to zero, and keeping the preferred Interval as “100,000”, press OK.
Resulting Output:
Step 4: Select and Drag “Name” from “Pivot Table Field List” (top-right) to “Values” (bottom-right) to get salary-bracket wise headcount of employees
Step 5: Select and Drag “Division” from “Pivot Table Field List” (top-right) to “Column Labels” (bottom-right) to get division-wise salary-bracket wise headcount of employees
Note: Any number (invoice amount, salary, account balance etc.) or date based field can be grouped in a Pivot Table if it is placed under “Row Fields” or “Column Fields”

Case Study 15: Developing Logical Statements (“IF”)
Application area: Logical decision making, Data analysis
Solution: IF(logical_test, value_if_true, value_if_false)
Example: To find the list of suppliers whose amount due is less than Rs. 1.0 lac.
Step 1: Insert “=IF(” formula. The starting parameter – “logical_test” refers to a user defined question whose answer can be True or False (Yes or No).
Step 2: The next parameter “value_if_true” refers to the message or action that shall be displayed or activated, respectively, if the question’s answer is True/Yes. Any non-numeric message (e.g. Check, Yes, No etc.) should be enclosed in a pair of double quotes (“ ”).
Step 3: The next parameter “value_if_false” refers to the message or action that shall be displayed or activated, respectively, if the question’s answer is False/No.
Resulting Output:

G-8 TECHNICAL GUIDE ON SOCIAL AUDIT

Foreword

Social audit is a way of measuring, understanding, reporting and ultimately improving an organization’s social and ethical performance. Social audit helps to narrow gaps between vision/ goal and reality, between efficiency and effectiveness and so creates an impact upon governance. The success of the process of social audit lies in its potential to make certain aspects of organizational activity more transparent to external stakeholders, who may then be empowered to hold management accountable for their actions insofar as they are affected by them. Current social reporting initiatives are, therefore, to be judged on the basis of whether they offer more emancipatory alternatives that may improve the situation in terms of delivering greater levels of organisational accountability.

Chartered accountants can play a vital role in the social reporting framework by ensuring the effectiveness of the social audit program in non-corporate as well as corporate sector, which in turn would contribute positively to the society at large. The Internal Audit Standards Board of the Institute has taken the first step in this direction by issuing this “Technical Guide on Social Audit” that deals comprehensively with Social Audit as an efficient tool for promoting accountability and the related concepts and practices in detail.

I would like to congratulate CA. Rajkumar S. Adukia, Chairman, Internal Audit Standards Board, CA. Naveen N.D. Gupta, Vice-Chairman, Internal Audit Standards Board and other members of the Board for bringing out this remarkable publication on this emerging concept of social significance.
I am sure that the members and other interested readers would utilise this publication and would surely take a lead in this emerging area.

November 19, 2010, New Delhi
CA. Amarjit Chopra, President, ICAI

Preface

Increased transparency and pressure to extend the boundaries of responsibility are highlighting the importance of clear organizational policies to protect reputation and gain competitive advantage. Social audit is based on the need of organizations to create a balance in the way they plan and measure their commercial and non commercial operations, and to prove that there is consistency between what an organization says it will do and what it actually does. Social Audit redefines the meaning of viability from the narrow financial profit and loss account to a broader set of values and examines the procedure and performance of an organization’s social and commercial actions in relation to its stated objectives and its external and internal position. Organizations that apply Social Audit adopt responsibility for issues broader than profitability and accept that today’s organizations have to operate with considerable care.

To support any mechanism, organizations, governments, tax authorities, market regulators and stakeholders need to rely on credible information flows if they are to operate effectively. The mechanism of social audit is, thus, dependent on the support provided by reporting and assurance. Chartered accountants have a role to play by providing assurance to this mechanism through the assurance process. This leads to the need for our members to maintain and expand their knowledge base in this emerging area. Considering the above, the Board has decided to bring out this “Technical Guide on Social Audit”.
This publication covers in detail the concept of social auditing, need for social auditing, various contexts of social auditing, regulatory and voluntary codes for social audit, framework for social auditing, role of chartered accountants in social audit, data for social auditing and operationalizing social auditing in India. It also includes sample social audit questionnaires with respect to MGNREGA and a government educational programme. Appendix I illustrates indicators of social development which have been defined under the Millennium Development Goals. Appendix II lists social indicators issued by the OECD and Appendix III includes various standards that have been introduced to serve the purpose of social accounting/ reporting.

At this juncture, I am grateful to CA. Rajib Basu for sharing his experience and knowledge with us and preparing the draft of the Guide. I also wish to thank CA. Amarjit Chopra, President and CA. G. Ramaswamy, Vice President for their continuous support and encouragement to the initiatives of the Board. I must also thank my colleagues from the Council at the Internal Audit Standards Board, viz., CA. Naveen N. D. Gupta, CA. Nilesh S. Vikamsey, CA. Atul C. Bheda, CA. K. Raghu, CA. J. Venkateswarlu, CA. Abhijit Bandyopadhyay, CA. Ravindra Holani, CA. Charanjot Singh Nanda, Ms Usha Sankar, Shri Prithvi Haldea and Shri Sidharth Birla for their vision and support. I also wish to place on record my gratitude for the co-opted members on the Board, viz., CA. Sushil Gupta, CA. Smita Satish Gune, CA. Nagesh Dinkar Pinge, CA. Sumant Chadha and CA. Deepak Wadhawan as also special invitees on the Board for their devotion in terms of time as well as views and opinions to the cause of the professional development. I also appreciate efforts put in by CA. Jyoti Singh, Secretary, Internal Audit Standards Board and her team of officers, viz., CA. Arti Aggarwal and CA. Gurpreet Singh, Senior Executive Officers, for their inputs in giving final shape to the publication.

I am confident that this publication would help the members to be well-equipped in this emerging area and take a lead.

December 20, 2010, Mumbai
CA. Rajkumar S. Adukia, Chairman, Internal Audit Standards Board

Contents
Chapter 1 Concept of Social Auditing
Chapter 2 Need for Social Auditing
Chapter 3 Various Contexts of Social Auditing
Chapter 4 Regulatory and Voluntary Codes for Social Audit
Chapter 5 Frame Work for Social Audit
Chapter 6 Role of Chartered Accountants in Social Audit
Chapter 7 Data for Social Auditing
Chapter 8 Operationalising Social Auditing in India
Chapter 9 Sample Social Audit Questionnaire
Appendix I Indicators of Social Development Defined under the Millennium Development Goals
Appendix II Social Indicators Issued by the Organisation for Economic Co-operation and Development (OECD)
Appendix III Standards for Social Accounting/ Reporting

Chapter 1
Concept of Social Auditing

Definition of Social Auditing
1.1 The term “Social Auditing” has been defined as a process that allows any organization to assess its social impact and ethical performance vis-à-vis its stated vision, mission and goals. It helps the organization to set up measurement criteria for its social impact, account for its social performance, report on that performance and draw up action plans to improve that performance.
The “organization” being discussed here could be a corporate body, government agency or any other agency whose actions or decisions have a “social” consequence. The scope of social auditing is not merely restricted to corporate decisions or actions that have a “social focus”.

1.2 Some other definitions of “Social Auditing” provided by some well known social organizations are as under:

“Social Auditing is a process that enables an organization to assess and demonstrate its social, economic, and environmental benefits and limitations. It is a way of measuring the extent to which an organization lives up to the shared values and objectives it has committed itself to. Social auditing provides an assessment of the impact of an organization’s non-financial objectives through systematically and regularly monitoring its performance and the views of its stakeholders.”1

“Social Audit is an independent evaluation of the performance of an organization as it relates to the attainment of its social goals. It is an instrument of social accountability of an organization. In other words, Social Audit may be defined as an in-depth scrutiny and analysis of the working of any public utility vis-à-vis its social relevance.”2

1 Caledonia Centre for Social Development, United Kingdom.

Characteristics and Principles of Social Auditing
1.3 From the above definitions, it could be deduced that social audits have the following characteristics:
· Audit of non-financial impact of the activities/ policies of an organization;
· Audit in respect of the achievement of social objectives;
· Audit carried out from the point of view of various social stakeholders (not merely owners) who can influence or are affected by the activities of the organization; and
· Allows comparability of organizations over time and between stakeholder groups.

1.4 In the past, there have been substantial efforts to define common themes in social audit.
From the experience of all those involved, a good social audit carries all the following characteristics3:
(i) Improved social performance - This is the overarching principle, and this refers to the continuous improvement in performance by the organization relative to the chosen social objectives as a result of social audit.
(ii) Multiple stakeholder perspective - It is important for all groups affected or who affect the organization to be included in the process of social audit.
(iii) Comparability - The process should allow for comparison with other organizations, over time and between stakeholder groups.
(iv) Comprehensiveness - The process should be designed to collect all relevant materials and areas of concern should not be left out simply because the organization would not like the result.
(v) Regularity of coverage - To facilitate comparability and to demonstrate a commitment to the process, it should be regular, with a frequency of once every two years.
(vi) Independent verification - Verification by independent auditors gives the process credibility.
(vii) Transparent reporting - The result (or a synopsis) of the social audit should be published so that the stakeholders can see the results, and this will accordingly encourage openness.

2 Centre for Good Governance – Andhra Pradesh.
3 Euro Coop General Assembly, Op. cit., May 1999, pp. 4-5. (Note: Principles 1 to 7 are common to all social audit models.)

Differences between Social Auditing, Operational Auditing and Financial Auditing
1.5 The following are the major differences between Financial Auditing, Operational Auditing and Social Auditing:

Financial Auditing
· It involves audit of financial statements and transactions.
· Coverage of non-financial matters limited only to those aspects that provide additional information to stakeholders of the business who are mainly interested in the financial status of the entity.
· Financial Audit is done keeping in mind the objective of issuing an opinion on the state of financial affairs.
· It deals mainly with study of financial data.

Operational Auditing
· It involves measuring the operations and processes of any entity against established operational standards and suggesting ways and means to improve adherence to standards.
· It might also involve suggestions for resetting the operational standards based on the experiences of the entity with respect to its environment.
· Operational Auditing is done basically to report on operational inefficiencies.
· It deals with the study of operational parameters of the organization.

Social Auditing
· It looks at the impact caused on the society by the organization.
· It takes an “outside-in” approach of looking at the organization, dealing more with how the non-financial stakeholders view the business rather than how the managers/ owners of the organization plan it to be.
· It deals with the study of social impact parameters, most of which can be gathered from outside the organization which is being audited.

Agencies for Conducting Social Audits
1.6 In India, due to lack of mandatory Auditing Standards in the sphere of Social Audit, there are no pre-qualifications that can be imposed on agencies that can act as Social Auditors, unlike the spheres of financial audits and other forms of auditing. Consequently, there are no accreditation standards, qualification norms or eligibility criteria that can be applied to select agencies that can act as Social Auditors in specific circumstances.

1.7 Nevertheless, there needs to be adherence to the basic auditing principles by whosoever acts as a Social Audit agency. Adherence to basic auditing principles can be achieved by demonstrating a set of characteristics that the Social Auditor should possess.
Some of these are given below:
(i) Independence and fairness - The Social Auditor should have no stake in the outcome of the audit and should be totally independent of the management of the organization being audited.
(ii) Objectivity - The Social Auditor should be able to understand the relevance of the various types of data available to him and should be able to assess and interpret the data on some objective basis and avoid subjective judgment.
(iii) Inquisitiveness coupled with a healthy skepticism - Social Auditing is more an art than a science. It requires someone unwilling to accept things at face value and capable of digging deeper to uncover what lies beneath the surface.
(iv) Ability to understand programs in their wider social context - Social performance must be understood within the context of diverse stakeholders and a diverse set of perceptions, values, objectives, etc. An effective Social Auditor must be both willing and able to consider a variety of sources and perspectives to paint a more comprehensive portrait of social performance.
(v) Expertise in social auditing - The Social Auditor should be someone who possesses the right set of competencies required in conducting the various stages of social audits. He should be one who possesses appropriate training and experience.

1.8 There are various agencies engaged in the conduct of Social Audits in various scenarios. These could be independent agencies, accounting firms, or other types of organizations (including accredited agencies that fulfill certain qualification criteria) that demonstrate the above characteristics. On a broad scale, the Social Auditing system can be thought of as being composed of some key players that have their own roles. The Social Auditor should be independent of each of the other players and should have equal access to each of them, for effective discharge of his role.
[Figure: The Social Audit System: Key Players (Organisation, Social Auditor, Implementing Agencies, Stockholders)]

The other important consideration for selecting any agency as a Social Auditor is the ability of the agency to scale up to the requirements of the Social Audit engagement either singly or through a consortium4.

1.9 The Centre for Good Governance established by the Andhra Pradesh Government has envisaged Social Audit to be done at two levels. The first level is the Organizational Level and the second is at the Civil Society level.
(i) At the Organizational Level, Social Auditing system has two components namely, Internal and External:
· The Internal component deals with the creation and maintenance of an independent information system that is able to generate, capture and record data for measuring the social impact of the organization (of the nature of Social Accounting).
· The External component relates to the independent assessment by an independent Social Auditor of the information system and the information generated therefrom.
(ii) At the Community or the Civil Society Level, a Social Audit can be carried out by gathering independent data from stakeholders on community values, social benefits, social capital and quality of department/ programme interface with people. This is matched with outcomes of Social Audit carried out at the organization/ department level. Based on the analysis, the programme or its activities are oriented towards community/ society’s expectations. The Audit at the Civil Society level tends to be intensive and as such there is need to have trained hands at that level.

4 The National Consortium on NREGA is a loosely federated collective of Civil Society Organizations (CSOs) that have come together to try and make NREGA a success. The Consortium seeks to move beyond the more traditional civil society role of acting as a watchdog for NREGA.
911 Compendium of Generic Internal Audit Guides Chapter 2 Need for Social Auditing 2.1 Social Auditing has emanated from the need for making the organizations more responsible to people and communities and a method to communicate the non-economic impact of organizations, both good and bad, to the stakeholders and the society at large. The fact that some organizations’ business decisions and activities have deep impact on the community and the lives of the people needs to be recognized and accounted for on the grounds of social responsibility of the organization. In recent years, the scope of the social audit has been expanding to include greater integration of the social accounting processes, which involve a detailed preparation and accounting of social accounts, targets, and milestones. Factors Leading to the Demand for Social Auditing 2.2 Several factors have lead to the demand for Social Auditing in recent times. Some of these are enumerated below: · Reports by media on the negative impact of corporate bodies and other institutions on the community, people and environment. · Increased awareness of consumers and consumer organizations on the impact of their consumption pattern on the corresponding actions of businesses and governments. · Broadening of the concept of “stakeholders of organizations” with the understanding that an organization affects far more people than that was earlier envisaged. 912 Technical Guide on Social Audit Objectives of Social Auditing 2.3 The broad objectives of any Social Audit engagement are as follows: · Assessing the physical and financial gaps between needs and resources available to meet targeted social objectives. · Creating awareness among beneficiaries and providers of social and productive services. · Increasing efficacy and effectiveness of development programmes. · Scrutiny of various policy decisions, keeping in view stakeholder’s interests and priorities, particularly of marginal sections of the society. 
· Estimation of the opportunity cost for stakeholders of not getting timely access to public services.

The specific objectives of Social Audit engagements will, however, depend upon the context of audit.

Benefits of Social Auditing

2.4 There are several benefits that Social Audit can bring to an organization. Some of them are as follows:
· Enhanced credibility: Social Audit enhances the credibility of an organization with its stakeholders. For a corporate enterprise it could mean enhancement of the brand image which could result in higher equity with stakeholders. In case of a positive report from the Social Audit, the value added to the owners’ financial capital could far outweigh the auditing cost incurred.
· Helps in policy decision: Based on the Social Audit findings, the policymakers of the organization could re-strategize for course corrections to ensure that its social impact is as intended.
· Positive support from stakeholders: Organizations that emerge with a positive Social Impact through their objectives and actions tend to have a higher sustainability as they enjoy the support of the social environment in which they operate.
· Increased social focus – tool for risk management: Organizations can better manage their risks, as they can enhance their social focus by covering any adverse social impacts highlighted in a social audit report.

Chapter 3
Various Contexts of Social Auditing

Government Programmes

3.1 The Central and the State Government agencies institute several programmes from time to time under their development initiatives. These programmes need Monitoring and Evaluation systems to ensure that the resources that have been allocated are used in the right manner to yield the desired results5.
CAG’s Audit and Social Audit6

3.2 Comptroller and Auditor General of India (CAG) has conducted performance audits of most of the key socio-economic programmes of the Government of India e.g., National Rural Employment Guarantee Scheme (NREGS), National Rural Health Mission (NRHM), Sarva Shiksha Abhiyan (SSA), Mid-day Meals Scheme, Accelerated Rural Water Supply Programme (ARWSP), and Pradhan Mantri Gram Sadak Yojana (PMGSY). CAG’s audits have also covered several niche areas of public interest like, Consumer Protection Act, Waste Management, Police Modernization Scheme, etc. CAG’s audit of Government departments, offices, and agencies in the States, dealing with implementation of Government schemes, also touches upon the performance of schemes or their components at various levels of the audit process. CAG’s performance audit procedures have some connotations of Social Auditing. However, the CAG audit procedures are designed more from the point of view of the Government and the taxpayers and not from the point of view of the beneficiaries of the Government schemes. Social Audit system seeks to fill this void.

5 One of the key objectives of the first phase of the project undertaken to Support to Operationalization of the National Rural Employment Guarantee Act is building capacity for M&E systems including Social Audit.
6 Report of the Task Group on Social Audit: The Office of the Comptroller and Auditor General of India, 2010.

3.3 The Task Group on Social Audit formed by the CAG of India envisages Social Audit initiatives at two levels. Firstly, Social Audits carried out by Gram Sabhas/ Panchayats or local level Vigilance and Monitoring Committees as stipulated by the Government in the guidelines of various social sector programmes, and secondly those carried out by civil society groups.
In both these types, the Social Auditors are in a position to obtain direct feedback from beneficiaries on a large scale through Gram Sabha meetings, Jan Sunwais, Sammelans and other oral evidence gathering methods to ascertain the outputs of social sector programmes and pinpoint grass root level failures. The Government of India has embedded social audit in one form or the other (like, village level monitoring committees/vigilance committees) in almost all the flagship social sector programmes like NREGS, ARWSP, NRHM, MDM, etc.

3.4 There have been suggestions with respect to Social Audit from the CAG’s office for:
· Social Audit findings to be used as inputs in the risk assessment to be conducted for CAG audit.
· Including a summary of Social Audit reports in CAG’s Performance Audit reports.
· Capacity building of Social Auditors.
· Uniformity of Social Audit procedures (i.e., standards) across the various development programmes undertaken by the Central Government.

Social Auditing in Corporate Sector

3.5 The concept of social auditing for corporates emerged from the view that there was a moral case for businesses, in addition to reporting on their use of shareholders’ funds, to account for their impact on social and natural environments. While accounting instruments already existed for reporting financial performance, there was not any accounting for non-costable impacts, and it was this that gave rise to modern social and environmental accounting. However, there have been several instances of stocks of companies taking a beating at bourses due to adverse social issues reported despite having put up very satisfactory financial performance.

3.6 On a global scale, the relationship between social performance and shareholders’ values is gaining wider acceptance as the voice and influence of shareholders increases.
The shareholders of publicly traded companies, particularly the institutional investors of pension and insurance companies, are becoming more concerned about the social impact of the companies in which they invest. These shareholders, who act as financial intermediaries in the economic system, are actively investing in ‘best-in-the-industry’ companies for their handling of social issues. The success and growth of ‘green’ funds supports this view. In the United Kingdom’s pensions market, draft government legislation requires all pension funds to disclose the extent to which ethical and social considerations have been taken into account in investment strategies. There are significant efforts underway among companies, as well as investors, to establish methodologies to improve reporting of social and environmental performance. Shareholders, who currently form opinions based largely on historical financial evidence, may soon demand data verified by major auditing firms using accepted standards as evidence of continued social performance of the companies in which they invest.

3.7 Due to the larger interaction of the Indian and Global economies and the growing propensity of global investments to look towards India, it will not be long before the Indian corporates feel the urge to adopt similar standards as their global counterparts to reflect their “social” performance in their Annual reports. As such, companies, particularly those that are publicly traded or intend to be so in the near future, need to have a clear roadmap to move towards proactive accounting and reporting on their social performance.
3.8 In summary, the key drivers for Social Accounting and Reporting, particularly on the environmental aspects, are as follows:
· There is a growing belief that social and environmental issues represent a source of risk in terms of unforeseen (or foreseen) liabilities, reputational damage, or similar risks.
· The ethical performance of a business, such as its social and environmental impact, is increasingly becoming a factor in decisions to engage with these businesses in their resource and product markets. This means, for example, that some consumers will not buy from companies with unfavourable ethical reputations (i.e., in product markets) and, in resource markets, potential employees may use ethical performance as a criterion in their choice of potential employer.
· An increasing number of investors are using social and environmental performance as a key criterion for their investment decisions.

Roadmap for Indian Corporates to Move towards Social Accounting and Social Auditing

3.9 The adoption of standards is the first step towards institutionalization of Social Accounting. Irrespective of regulatory requirements, Indian corporates have a clear case to adopt voluntary Accounting and Reporting Standards on Social Performance to enhance their equity in the investor community. Indian corporates belonging to similar industries (that tend to have similar Social and Environmental impacts) can adopt common standards in these areas so that it is efficient and effective for Social Auditors to assess their performance using those standards.

3.10 The corporate sector also has a specific role to play in the demand side of Social Auditing.
When standards of Social Accounting and Reporting are adopted, the next step becomes the independent assessment of performance with respect to the desired social impact – this will require the deployment of independent audit following accepted auditing methodologies and standards. The results of independent audit will communicate to the investors/ potential investors on the social equity of their investment and that will ultimately be reflected in the stock price of the equity which could vary significantly from the price that would be fetched by the stock if measured only on the basis of financial performance.

Corporate Social Responsibility

3.11 It is well established that the scope of Social Audit is not limited to the audit of impact of corporate decisions and actions that are designed to have a “social” impact (e.g., Corporate Social Responsibility Programmes). The concept encompasses audit of all activities of a business that have a direct or an indirect social impact whether or not specifically designed to be so.

3.12 There are several reporting standards followed across the globe for measuring the social impact of corporate actions in the normal course of business so far as those are linked with its social responsibility. Some of the well accepted Corporate Social Reporting Standards are given below:

(i) Global Reporting Initiative (GRI) G3 Guidelines7
There are various sector supplements that have been issued by the above body for reporting on various industry sectors like, Financial Services, Metal and Mining, NGO sector, etc.

(ii) Social Accountability International - SA 8000
Social Accountability 8000 (SA 8000) has been developed by Social Accountability International (SAI). SA 8000 is promoted as a voluntary, universal standard for companies interested in auditing and certifying labour practices in their facilities and those of their suppliers and vendors. It is designed for independent third party certification.
7 http://www.globalreporting.org/ReportingFramework/G3Guidelines.

SA 8000 is based on the principles of international human rights norms as described in International Labour Organisation Conventions, the United Nations Convention on the Rights of the Child and the Universal Declaration of Human Rights. It measures the performance of companies in eight key areas: child labour, forced labour, health and safety, free association and collective bargaining, discrimination, disciplinary practices, working hours and compensation. SA 8000 also provides for a social accountability management system to demonstrate ongoing conformance with the standard.

(iii) AA 1000 - Standard for Ethical Performance
Accountability 10008 (AA 1000) is the work of The Institute for Social and Ethical Accountability (ISEA). ISEA (also known as AccountAbility) is an international membership organisation, based in the UK. It was formed to encourage ethical behaviour in business and non-profit organisations. AA 1000 is promoted as a standard for measuring and reporting of ethical behaviour in business. It provides a framework that organisations can use to understand and improve their ethical performance. It aims to assist an organisation in the definition of goals and targets, the measurement of progress made against these targets, the auditing and reporting of performance and in the establishment of feedback mechanisms.

(iv) Triple Bottom Line Reporting9 (TBL)
Triple bottom line accounting means expanding the traditional reporting framework to take into account ecological and social performance, in addition to financial performance. The triple bottom line is made up of “social, economic and environmental”. The phrase “people, planet, profit” was coined for Shell by Sustainability.

8 http://www.accountability.org.uk.
There are various options available for corporates considering TBL reporting, namely:
· Include environmental and social information in Annual report
· Separate environment report or community report
· Separate environment and social report
· Combined environment and social report
· Full TBL report.

Millennium Development Goals

3.13 The Millennium Development Goals (MDGs) are international development goals that all 192 United Nations member states and at least 23 international organizations have agreed to achieve by the year 2015. There are 8 MDGs with 21 targets (defined to make these goals measurable). These targets in turn have one or more indicators that can be used to measure progress against the MDGs. These indicators (Refer Appendix I) can also serve the purpose of Social Accounting and Auditing as detailed in the later chapters. Apart from the financial audits carried out by the CAG of India in respect of projects instituted by government agencies to support Millennium Development Goals, there is a need for carrying out Social Audits to complement the financial audits10.

9 For some examples of TBL reports, refer:
• http://www.camelotgroup.co.uk/crreport2008/docs/Corporate_Responibility_Review_2008.pdf
• http://telstra.com.au/abouttelstra/corporate-citizenship/reporting-and-performance/gri-index/
• http://www.bp.com/liveassets/bp_internet/globalbp/STAGING/global_assets/e_s_assets/e_s_assets_2009/downloads_pdfs/bp_sustainability_review_2009.pdf.
10 An example of how Social Audit process can support MDGs, refer http://ridanepal.org, for a report on - Improving Local Service Delivery for the MDGs in Asia: Education Sector in Nepal.

Chapter 4
Regulatory and Voluntary Codes for Social Audit

4.1 There are no specific regulatory requirements for Social Audits to be done as a mandatory measure for every organization to assess its direct or indirect impact on society.
This is true internationally. However, in various countries, including India, there are several regulations or government policies that apply to various corporate bodies, government and civil society organizations, to monitor the implementation of which, audit in the nature of Social Audit may be felt necessary from time to time. The policies and regulations referred to here are those that govern/ define the social impact of the objectives and activities of an organization. For example, a Social Audit can be taken up by a consumer protection group to assess the impact caused by a drug manufacturer on consumers due to violation of certain manufacturing norms that are regulated. Another such engagement could be done to check whether an organization, in its process of production, has adhered to the internationally/ nationally applicable Human Rights Code and assess the impact of any violation of the same.

International Scenario

4.2 In leading countries across the world, Social Audit is generally not backed by regulatory mandate. This may be because the appraisers of performance of corporate or government departments have not realized the need for focusing on the social aspect of their performance. A secondary study conducted for the purpose of this guide reveals that Social Audit is largely taken up by Civil Society organizations that follow their own standards and train their own auditors to conduct social audits under mandates from auditee organisations. Certain examples of endeavors to institutionalise Social Audit system have been noted below.

4.3 In Brazil, the idea of publishing a Social Audit report by corporates gained substance in June 1997 when Betinho, the founder of Ibase, launched the campaign to make the concept of Social Audit known. IBASE launched the Ibase/ Betinho Social Audit Stamp which is offered to the companies that publish their Social Audit results according to the model recommended by the institution.
Ibase has made the quantitative indicators simple to follow, which has induced a large number of corporations to adopt their model as a standard for Social Audit.

4.4 In the United Kingdom, Social Audit Network is set up as a not-for-profit company limited by guarantee based in the UK with an international membership including associate members based in Australia, India and mainland Europe. They provide training programmes for members of public who wish to function as accredited Social Auditors. Sedex is another such non-profit organization in the UK started by a group of UK retailers and their first tier suppliers. These businesses recognised a need to collaborate and drive convergence in social audit standards and ethical self-assessment questionnaires. Companies from all over the world have joined Sedex (www.sedex.org.uk) to become members under various categories for having their supply chain monitored for compliance with some identified social indicators. Sedex in turn registers professional Audit Agencies as part of its Associate Auditor group for conducting Social Audit for its members and issuing reports.

4.5 There are several voluntary non-profit organizations that have been set up and have defined some Social Accountability and Auditing standards for assessing the social impact of organizations in specific areas. Some such organizations are11:
· Social Accountability International
· The Business Social Compliance Initiative (BSCI)
· The International Social and Environmental Accreditation and Labelling Alliance (ISEAL)
· The International Textile, Garment and Leather Workers’ Federation
· Joint Initiative on Corporate Accountability and Workers’ Rights (Jo-In)
· Inter Action Alliance
· The International Organization for Standardization (ISO)
· Transparency International
· The MFA Forum
· Cotton Made In Africa (CmiA).
Indian Scenario

4.6 A study was commissioned by the Planning Commission12 in 2005 on the assessment of the then status of Social Audit in respect of the Panchayati Raj Institution (PRI) and for making recommendations to make Social Audit a viable instrument for sustainable programme delivery. This study brought to light several deficiencies in India in the area of Social Audit. Observations have been made by the Central Employment Guarantee Council in its 11th meeting stating that the social audit process in respect of the Mahatma Gandhi NREGA scheme was not effective; in response, it has been recommended that Social Audit should be “viewed as a tool for corrective measures and not as a punitive measure”.

11 Details of these organizations, their purpose and their Social Accountability and Audit Standards may be found in the web.
12 This study was conducted by Vision Foundation and the report was submitted in 2005.

Legislative Support Available to Social Audit

4.7 The 73rd amendment to the Indian Constitution, which empowered the Gram Sabhas to conduct Social Audits in addition to their other functions, is by far the only legislative reference to the concept of Social Audit. Right to Information Act, 2005, is also a key pillar of support for Social Audit system in India. This was enacted by the Parliament of India “to provide for setting out the practical regime of right to information for citizens”. The Act applies to all the States and the Union Territories of India, except the State of Jammu and Kashmir. Under the provisions of the Act, any citizen (excluding the citizens within J&K) may request information from a “public authority” (a body of Government or “instrumentality of State”) which is required to reply expeditiously or within thirty days.
The Act also requires every public authority to computerise its records for wide dissemination and to proactively publish certain categories of information so that the citizens need minimum recourse to request for information formally.

4.8 Section 17 of National Rural Employment Guarantee Act, 2005 provides for regular ‘Social Audits’ so as to ensure transparency and accountability in the Scheme. It is the responsibility of the State Government to conduct the Social Audit. The State Governments will conduct the Social Audit according to the pre-designed “Schedule of Social Audit”. The State Governments should ensure that the agencies for conducting Social Audits are trained. The Draft NREGA Transparency and Public Accountability Rules13 lay down detailed guidance for conduct of Social Audits.

13 http://nrega.nic.in/circular/draft_transparency_rules.pdf.

4.9 Apart from these, other social sector programmes also have laid down provisions for such audits. For example, the Ministry of Housing and Urban Poverty Alleviation, GOI, has laid down Social Audit Methodology and Operational Guidelines for BSUP & IHSDP Schemes under JnNURM. From time to time State Governments appoint agencies to conduct Social Audits of other development programmes.14

4.10 In terms of creating an institutional basis for Social Audit, the initiatives of the Department of Panchayat and Rural Development, Government of Andhra Pradesh, can be seen as a good example in India. The Government has been instrumental in establishing an independent Social Audit Society for carrying out the Social Auditing of NREGS in the State. This Society is called “Society for Social Audit, Accountability and Transparency” (SSAAT) and is responsible for the training as well as facilitating Social Audits, ensuring methods of transparency and accountability within the Scheme.
Rule 10 of the Social Audit Rules specifies that “the costs of establishing and running a Social Audit Cell and conduct of Social Audits shall be met from the administrative costs allowed for NREGS”. The Government has decided to earmark 0.5% of the total NREGA funds for conduct of social auditing of NREGS. Commissioner Rural Development has been authorized to release to the Society requisite funds from Social Audit Fund on quarterly basis, to ensure smooth conduct of social auditing of NREGS in all the villages at least once in 6 months.

4.11 So far as the corporate scenario in India is concerned, it is largely voluntary action that has driven large Indian corporations to publish details of their Social Accountability as part of their Annual reports. Companies like ITC Ltd and Unilever are some of the examples. Aditya Birla group discloses in its portal its plans and monitors its social projects. It stresses on the fact that its projects are planned after a participatory need assessment of the communities around the plants. Each project has milestones and measurable targets. The group, along with internal performance assessment mechanisms, has its projects audited by reputed external agencies, who measure it on qualitative and quantitative parameters, helping it gauge the effectiveness of the project. This is another example of a self initiated Social Audit framework demonstrated by a large Indian corporate group. However, the fact remains that unless the investors appreciate and react to the Social performance of the corporates, not much headway can be made in the area of Social Accounting and Audits apart from those that originate from voluntary action.

14 Andhra Pradesh Government engaged M V Foundation, a voluntary organization working on issues of child labour and children’s right to education, to conduct Social Audit of Mid-Day Meal Scheme in Andhra Pradesh.
At the same time Social Accounting and Reporting standards need to be developed/adopted so that the social performance of corporates can be measured on a standard and consistent basis.

Chapter 5
Framework for Social Auditing

Need for a Framework

5.1 There is a need for an overall framework that could be followed to ensure that the social auditor follows a uniform structured approach for any such engagement. A framework for social audit will not vary too much from that of external or internal audits but there are certain differences to address the unique nature of such engagements. As mentioned earlier, the objectives of social audit engagements may vary from case to case. However, it is important to be clear about, and be driven by, the objectives of the engagement, and then follow a structured approach to achieve those objectives.

5.2 The Social Auditing Framework has certain key elements that are depicted below:

[Figure: Social Auditing Framework. Elements: Social Organisation and its Objectives, Stakeholders, Social Accounting, Social Audit Process]

All the above elements are to be considered for the Social Audit Framework to deliver value to the society.

Social Organisation and its Objectives

5.3 The first element of the framework is the organization to be audited and its objectives. The word “organization” is used here in a broad sense and could include a wide variety of entities like, large government departments, corporate body, NGO, funded development projects, etc. In summary, “organization” in this context could mean any entity that has a measurable non-financial impact on its stakeholders.

5.4 It is very important to understand the organisation that is to be subjected to a social audit. At times there may be various objectives that the organization is trying to achieve. Not all of those objectives may have a “social angle” to them, but they may end up having a social impact.
For example, a large corporate may have a two fold revenue growth as its primary objective which, typically, does not have a direct social angle. In achieving this objective the corporate may have to institute projects that may have an environmental ramification. This is where the social angle comes in and the corporate attracts various indirect stakeholders that are linked to this social angle. As another example, the same corporate may have another explicit objective of contributing a certain percentage of its profits towards the development of education infrastructure in the local area in which it has its business units. This has a direct social angle and, thus, creates direct stakeholders.

Stakeholders

5.5 Stakeholders are the next important element in the framework. The various types of stakeholders that an organisation can have are:
· Primary stakeholders are those who are ultimately affected, either positively or negatively, by an organization’s actions.
· Secondary stakeholders are the ‘intermediaries’, i.e., persons or organizations who are indirectly affected by an organization’s actions.
· Key stakeholders have significant influence upon or importance within an organization and can also belong to the first two groups.

It is essential to identify the stakeholders who influence and are influenced by the social angle of the organisation’s objectives. We can use various popular models for identifying stakeholders and this exercise is called Stakeholder’s Analysis/ Stakeholder Mapping15. The degree and nature of communication that the social auditors should have with the stakeholders at various stages of the audit process varies with respect to the type of stakeholders being dealt with.
5.6 For a simple stakeholder mapping exercise, the following “Importance Influence Model” can be used:

| Potential Influence of Stakeholder | Potential Importance of Stakeholder: High | Potential Importance of Stakeholder: Low |
|---|---|---|
| High | High Influence + High Importance. Manage Closely – Most critical stakeholder group: collaborate with closely. | High Influence + Low Importance. Keep Satisfied – Stakeholder group critical for decision and opinion formulation, brokering: mitigating impacts. |
| Low | Low Influence + High Importance. Keep Informed – Important stakeholder group, in need of empowerment. | Low Influence + Low Importance. Monitor (minimal effort) – Least priority stakeholder group may need to be monitored or ignored. |

Once the stakeholder mapping model is chosen, the various stakeholders should be classified into the classification grid to understand the type of communication strategy that should be followed with each of those during a social audit engagement.

15 There are several models that can be used for stakeholder mapping. For details, reference can be made to the web:
· Influence-interest grid (Imperial College London)
· Power-impact grid (Office of Government Commerce UK 2003)
· Mendelow’s power-interest grid.
5.7 An illustration of stakeholder mapping for a Microfinance programme could be as given below:

| Stakeholder Group | Areas of Impact | Influence | Importance |
|---|---|---|---|
| Beneficiaries | Policies and procedures, Wealth creation, Access to better living standards | High | High |
| Lenders, depositors | Business survival, growth potential, ability to repay, financial management, public image | Low | High |
| Government | Tax revenues, legal compliance, employment, employment practices, environment | Low | High |
| Local community | Environmental impact, products or services, contribution to community projects and activities | High | Low |
| General public | Business standards and practices, environmental impact, social contribution (assistance to disadvantaged groups, cultural support, social services related to organizational activities) | Low | Low |

Social Accounting

5.8 Social accounting (also known as social and environmental accounting, corporate social reporting, corporate social responsibility reporting, non-financial reporting, or sustainability accounting) is the process of communicating the social and environmental effects of organizations’ economic actions to particular interest groups within society and to society at large.16

5.9 Several models of social accounting and reporting have been tried out in a number of countries but a single standardised model is yet to shape up. Where social accounting (at least in the nature of metrics to measure the incremental benefits against the costs incurred) does not exist, the social auditor should look for indicators that provide a measure of social cost and social benefits of an organization’s activities. In this context, one may refer to the OECD Social Indicators17 that may serve as a good guidance as it provides some metrics that could be used for measuring impact created by organizations on various aspects of social life.
5.10 Typically, corporate bodies in co-operation with their stakeholders, set out certain relevant topics for the purpose of preparing their Corporate Social Responsibility report cards. For each of these topics certain relevant metrics are developed by the corporate on which reporting and comparison of performance can be done year on year.

Social Audit Process

5.11 The final element of the Social Audit Framework is the Audit Process. Given the basic nature of social audit, which is always drawn from the context in which it is set up, the process for such audit engagements can be defined only at a high level. Like any other auditing engagement, we can broadly divide the audit into the following stages, namely:
· Audit planning
· Execution/ fieldwork
· Reporting to stakeholders

Under each of these stages there will be broad level of activities that the auditor needs to perform to achieve the objectives of the audit engagement. As such, the auditor should first list the objectives of the engagement so that the later steps are aligned with it.

16 R.H. Gray, D.L. Owen & K.T. Maunders, Corporate Social Reporting: Accounting and Accountability.
17 http://www.oecd.org/document/24/0,3343,en_2649_34637_2671576_1_1_1_1,00.html#data.

5.12 Unlike other forms of audits (e.g., Financial Statement Audits, Internal Control Audits, Audit of Operational Performance, etc.) where there can be well established objectives, the objectives of social audit engagements may vary. This is primarily because the type of entity being audited and the nature of its direct and indirect social impact may vary widely. For example, the objectives of social audit of the CSR programme of a corporate and that of a civil society organisation18 will be quite different and the metrics used will also vary.
5.13 The various stages of a typical social audit process are explained in detail in the following paragraphs:

Audit Planning

5.14 The Audit Planning phase would, generally, involve the following broad activities:

Understand Organisation → Understand Social Impact of Organisation → Map Stakeholders → Define Metrics

Understand Organisation

5.15 This essentially involves gaining an understanding of the entity and its primary objectives. This can be done by reading the charter/ memorandum of inception of the entity. The auditor would need to list down the primary and the secondary objectives of the organization/ entity being audited.

[18] OECD definition of Civil Society Organisation: The multitude of associations around which society voluntarily organizes itself and which represent a wide range of interests and ties. These can include community-based organisations, indigenous peoples’ organisations and non-government organisations.

The organization/ entity here could be:
· Government departments
· Civil Society organizations
· Local bodies
· Corporate bodies
· Any specific development project undertaken by any of the above.

Understand Social Impact of the Organisation

5.16 After the objectives are understood, the various direct and indirect social impacts of the entity need to be envisaged and documented. This is a very critical step in the entire auditing process as this has a direct bearing on the later stages in the planning phase. There are various established methodologies for assessing the various components of social impact.
5.17 A more straightforward way of determining the various areas where the organization has social impact is to consider the following:
· Areas that are directly identified from the organizational objectives;
· Sources of key inputs to the entity’s processes (e.g., raw materials, labour etc.);
· Source of land;
· Facilities that support the main processes of the entity; and
· End use and end users of key outputs and other outputs of the organization.

Map Stakeholders

5.18 As referred to in the earlier section, stakeholders are a key element of the social audit framework. Therefore, it is important for the social auditor to understand who the stakeholders of the organization are, in respect of the various social impacts that it creates. Once the social auditor identifies the areas of social impact, the identification of primary and secondary stakeholders becomes structured. Certain key questions to be asked by the auditor in this context include:
· Who are the suppliers of the factors of production/ key inputs to the organisation?
· Who are the key people involved in the process of production or service delivery?
· Who are the buyers/ users of the key outputs of the organisation?
· Where are the inputs and the outputs in terms of the geographical location?
· Who are those other groups who can have interest/ influence on the objectives of the organization?

5.19 The auditor will come up with a list of cross section of public, civil society organization, government agencies, shareholders of corporate bodies, environmental agencies/ advocates, land owners, providers of capital, etc., on whom the organization has a direct or indirect social impact. These become the potential stakeholders in relation to the audit engagement. A social audit engagement is, generally, aimed at providing information to a finite number and a definitive group of stakeholders. These groups need to be identified at the planning stage.
5.20 Once the stakeholder groups are identified for the purpose of the engagement, the auditor then needs to define the information requirement of the stakeholders. By definition, the information requested from the social auditor is of non-financial type. However, those should be such that can be measured qualitatively and/or quantitatively. The information requirement of the various stakeholder groups can be defined by following steps:
· Discussions with the stakeholder groups.
· Review of the stated social objectives of the organization and the measures adopted by it to monitor those objectives.
· The areas where impact is caused on the stakeholder groups/ the influence that the stakeholders intend to have on the organisation.

Define Metrics

5.21 A well accepted management principle states, “that which can be measured, can be managed effectively”. This principle also holds good for social auditing engagements. Stakeholders’ information requirement needs to be translated into metrics. These form the basis of reporting for the auditor and help the auditor to plan the later stages of the audit effectively.

5.22 For defining metrics, the following need to be considered:
· Key ratios that provide measures of Social Indicators[19] (Refer Appendix II for some indicative Social Indicators).
· Definition of measurement scale/ rating scales that can be used for comparing indicators. This approach should be applied in cases where the indicators are purely qualitative (e.g., measuring the degree of difficulty faced by a particular stakeholder group to access the intended benefits of a programme).
· Benchmark measures defined by the organisation itself for various aspects of social impact intended to be created through its activities (e.g., a corporate in tele-media business may have one of the desired social impact of its business as “creating socially responsible programming”. This is very difficult to measure in absolute terms and therefore the corporate has to define a benchmark measure for itself to report on its performance in this respect).

[19] Reference may be made to OECD Social Indicators that are published from time to time defining standard measures for various aspects of social life.

Fieldwork

5.23 A simple fieldwork process can be followed for any Social Audit Engagement. These are elaborated below:

Define Data Requirement → Collect Data → Analyse Data and Interpret Results → Discuss and Finalise Action Plan

Define Data Requirement

5.24 Data required for social auditing is determined by the social accounting framework followed by the organisation or any metrics developed by it. Data required for measuring metrics may often be available in qualitative form. In such cases data tends to be categorical type of data and can be measured using either the nominal or the ordinal scale. These aspects have been described in detail in the following sections.

Collect Data

5.25 The social auditor may himself need to collect data with or without a Social Accounting system in place. There are typically two standard types of data, namely, Primary and Secondary.

Primary Data

Primary data is obtained by the auditor from first hand sources. These sources are typically the stakeholders of the organization which is involved in the particular social impact creating activities. There are various methods of primary data collection namely, individual interviews, questionnaires, focus group interviews, surveys, etc. Some of these methods are described in detail in Chapter 6. Sampling techniques may be required to determine the elements of population from where primary data needs to be collected. Various considerations for using sampling technique for social audits have been discussed in detail in the next Chapter.
Secondary Data

Secondary data is obtained from sources that already have a repository of information. Typically, secondary data can be accessed from Social Accounting system of the organization being audited, government sources[20] and International Development organisation[21]. A source of basic secondary data is also the various records that the organization maintains as a part of the requirement of various programmes it undertakes. For example, in the social audit of an important Government Initiative like, Sarva Siksha Abhiyan certain very basic but important secondary data is required to be maintained. The implementers of this programme are required to maintain information about all the children up to the age of 14 years – enrolled or never enrolled, out-of-school or within the system, studying in private sector schools or schools of autonomous bodies/ government. Accordingly, a detailed assessment of educational needs has to be carried out. Although a major portion of information could be available with schools/ government departments, it is essential to conduct household surveys and micro planning in every habitation – rural or urban, to track the status of each child. The programme provides for various formats for maintaining data.

The data collected from primary and secondary sources, has to be presented suitably, if required, to meet the requirements of the metrics that have been identified by the auditor at the planning stage.

[20] In India Central Statistical Organisation under the Ministry of Statistics and Programme Implementation provides official statistical data on various aspects of the economy. Information regarding social indicators is available from UN agencies, research journals, periodicals, Census of India, NSSO database, Economic Survey of India, State Human Development Reports, State Statistical Abstracts, publications of the concerned Government departments.
[21] Example: United Nations Research Institute for Social Development.

Analyse Data and Interpret Results

5.26 Data gathered above needs to be analysed to reach audit conclusions. The aim of the data analysis is, generally, to benchmark with expectation set by the organization and ensure comparability of its performance with peer organization, where relevant, in respect of the desired social objectives and the actual social impact. The application of appropriate methods of analysis is essential to interpret the data meaningfully. Simple statistical measures like, Analysis of Variance, Regression techniques, Measures of central tendency can be used.

5.27 The results of data analysis need to be interpreted after comparison with expected outcome or benchmark data. In the study of outcomes, the auditor needs to build a theory, also called a hypothesis, of the effects of organizational outputs on the community, given the various factors that co-exist within it. The theory gives focus and accounts for all the forces that caused a certain phenomenon to occur, as it guides the direction of the study, limits what shall be studied and provides a framework for organizing the conclusions that will come out. One possible way is to put comparatives for each area of concern being measured, and comparatives of the organization’s targets. Another is the use of multiple indicators of the same area of concern or variables and multiple measures of each indicator. One more method is studying the convergence of all findings or finding the causes of the findings.

Discuss and Finalise Action Plan

5.28 The analysis of data and its interpretation needs to be discussed in an exit conference. The exit conference is, typically, held at the field level with people who are able to validate the data and the analysis made of it.
At this stage, the social auditor should be able to benchmark the value of the organization’s social impact to that which was desired by the organization. For example, let us take the case of a NGO’s programme for providing free education for the adults of a community to make them capable of imparting basic education to their children. The desired social impact for the NGO would be an increase in the number of school going children in the families from which the beneficiaries of their programme come. Going with the hypothesis that this programme will increase the registration and attendance in local schools, the primary metrics that could be adopted to measure this objective are the number of new registrations in the local schools and the frequency of attendance of existing students. Accordingly, when data is collected through primary and secondary sources and these indicators are measured, the hypothesis needs to be validated.

5.29 In case it is seen that the data is showing reverse trends as compared to what was hypothesized, then the results need to be discussed and a cause for the reverse trend needs to be found out by the auditor after discussions with representatives of various stakeholder groups. Additional information or data may be available from these discussions which the auditor may need to validate to draw final conclusions. A tentative action plan needs to be ideated and discussed with the stakeholders’ representatives.

Reporting

5.30 The Social Audit report should address the aspects of the organisations’ social impact that the stakeholders will be interested in. A three stage reporting process should be followed to ensure that the issues that are identified are discussed with the right stakeholders, issued at the right level and followed up for monitoring the action taken.
Draft Report → Final Report → Follow up Report

Draft Report

5.31 A Draft Report is, typically, a fact sheet that is issued to the various people who have been interviewed to ascertain the factual accuracy of the issues pointed out in the fact sheet. Typically, this exercise is done with the leads of the various stakeholder groups who are able to provide views on behalf of their groups. Based on the interactions and agreed facts, the auditor should finalise the report after doing any further procedures that may be required, at the Draft Report stage.

Final Report

5.32 Final Report formats may vary according to the type of social audit. For example, if the social auditor is vetting the assertions made by a corporate body in its Sustainability Reporting, one could follow the reporting guideline that has been specified by the Reporting Standards that the corporate adopts for its reporting purposes. For example, the G3 Guidelines for GRI Sustainability Reporting Framework are given below:

Part 1 – Reporting Principles and Guidance
· Principles to define report content: materiality, stakeholder inclusiveness, sustainability context, and completeness.
· Principles to define report quality: balance, comparability, accuracy, timeliness, reliability, and clarity.
· Guidance on how to set the report boundary.

Part 2 – Standard Disclosures
· Strategy and Profile
· Management Approach
· Performance Indicators

As a result, the final Social Audit Report will have to be suited to the above corporate reporting standards. Similarly, for corporates following other reporting standards like, AA1000, SA8000, etc, the Social Audit report format should be suited to provide independent view on reporting.
5.33 In case of Government programmes like, NREGS, the format of the Social Audit and Action Taken Report has been specified by the NREGA.[22] Where no such reporting format needs to be followed by the auditor, the format of the report needs to be decided. In such cases, the final Audit Report needs to have certain essential parts namely:
(i) Background of the engagement
(ii) Scope, Objectives, Approach
- Objectives of the audit
- Steps followed
- Stakeholders identified
- Stakeholders’ objectives
- Limitations
(iii) Executive Summary
(iv) Data Collection Sources
· Primary data
· Secondary data
(v) Social accounting approach followed and key indicators used
(vi) Organisations’ view of social impact (based on organizations reporting, if any)
(vii) Views of stakeholders on social impact
- Data Analysis
- Interpretation
(viii) Overall conclusions and recommendations.

[22] Refer nrega.nic.in/circular/so_audit_Nagaur.pdf for a sample report in the stated format.

Follow up Report

Often referred to as the Action Taken Report (ATR), the Follow up Report is used to track the implementation status of the issues identified by Social Audit. The NREGA mandates an Action Taken report to be filed with the NREGS Authorities. The Follow up Report should clearly state the following:
(i) Objective and Methodology adopted for follow up;
(ii) Stakeholders interviewed;
(iii) Data analysis and interpretation; and
(iv) Overall conclusion on the status of implementation of earlier recommendations.

Chapter 6
Role of Chartered Accountants in Social Audit

6.1 A social auditor should possess certain specific characteristics. Some of them are as follows:
(i) Unbiasedness and Independence: The social auditor should have no stake in the outcome of the audit and should be totally independent of the management.
(ii) Expertise and knowledge: The social auditor should be someone who specializes in conducting social audits with appropriate training and experience.
(iii) Inquisitiveness and professional skepticism: Social Auditing requires someone unwilling to accept things at face value and capable of drilling down deeper to uncover issues that are deeper than what appears prima facie.
(iv) Ability to understand impact of programs/ corporate actions in their wider social context: Social performance must be understood within the context of diverse stakeholders and a diverse set of perceptions, values, objectives, etc. An effective social auditor must be both willing and able to consider a variety of sources and perspectives for developing an understanding of social performance.
(v) Adherence to Standards: Social auditors should be able to follow certain standards in their audit process and standards on reporting so that the users of social audit reports are able to rely on the information contained in those reports.

6.2 Given the above characteristics, chartered accountants are one of the groups of professionals that are able to fulfill the requirements of Social Auditors. By professional training in auditing and being sworn to ethical standards, a chartered accountant possesses the required acumen and independent mindset to deliver Social Audits in India. As of date, there is no regulatory mandate for chartered accountants to act as social auditors or for any other professional body for that matter. However, creation of appropriate institutional mechanism for training and capacity building will be one of the key deciding factors for pre-eminence in this very critical and emerging area of professional service.
6.3 The essential requisites for CAs to be able to be the first choice as independent social auditors are to be able to train themselves in two specific aspects namely:
· Social Auditing and Reporting standards
· Mapping stakeholders and Social Indicators

While training on Social Auditing and Reporting Standards is a generic requirement, mapping of stakeholders and identification of Social Indicators that can be used for the purpose of social audit will vary from engagement to engagement. Chartered accountants could rely on established Social Indicators that have been formulated by agencies like, United Nations, World Bank, Investment Commission of India, OECD and several others. The indicators that are relevant for a particular engagement may need to be identified specifically by the auditor after discussion with the various stakeholder groups who need to be interviewed at the planning phase.

6.4 There is definitely a case for chartered accountants to collaborate with practitioners of social science for complex social audit projects to add greater value to the users of social audit reports. On the supply side, chartered accountants’ firms have the option of consortiums to build capacity and methodologies, specifically, targeted for social audits. Specific training modules and certification/ accreditation system could be introduced to induce confidence in the minds of the users of social audit services about the quality standards being followed for audit engagements.

On the demand side there is a need to push for regulatory mandate for social audit for public utility projects undertaken by Government Social Sector expenditure projects in the lines of MGNREGA.
Certain such projects where Social Audit could be looked at are as follows:
· Rajiv Gandhi Grameen Vidyutikaran Yojana
· Sarva Siksha Abhiyan
· Pradhan Mantri Gram Sadak Yojana
· Pradhan Mantri Gramodaya Yojana
· Swarnjayanti Gram Swarozgar Yojana
· Swarna Jayanti Shahari Rozgar Yojana
· Bharat Nirman (specific programmes under the same).

Chapter 7
Data for Social Auditing

Social Accounting

7.1 A Social Accounting framework should cater to a large extent to the need of secondary data that may be needed for the purpose of social audit. Social Accounting systems that are used by the organizations comprise of procedures that help the organization generate, record and process data that is systematically classified and helps in measuring the social impact of its activities.

7.2 Social Accounting format may vary with the organisation whereas the basic objective remains the same. Often the Social Balance Sheet may be in the form of a statement showing social capital, along with the social costs and benefits. Research and literature can be found on the topic of social accounting, including attempts to define methodologies for organisations to carry out their own social accounting. However, there are many unanswered questions and discussion points which need to be addressed. The area of social accounting is not as ‘clear cut’ as other strands of accounting and one key difference is that it needs to account for both organisational and social value[23].

7.3 One of the emerging approaches to address the need for independence in social accounting is the concept of Shadow Accounting[24]. Shadow accounting is a system whereby non-organisational entities create accounts of the organisation’s actions and impact using information provided by the organisation in its existing reports and information that is publicly available and may or may not be provided by the organisation.

[23] The Association of Chartered Certified Accountants.
[24] For some examples refer http://www.st-andrews.ac.uk/~csearweb/aptopractice/silentacc.html.

Several Corporate Social Reporting initiatives and standards have been issued internationally. An illustrative list of these initiatives and standards is provided in Appendix III.

Determining Data Required to Measure Impact

7.4 For determining data that is required for measuring Social Impact, as discussed earlier, the following aspects need to be determined upfront:
· Organization’s desired social objectives
· Organization’s potential social impact
· Stakeholders that affect and are affected by the organization’s various activities.

Once the above are determined the sources of Secondary data and Primary data can be mapped.

7.5 Secondary data may be of two types:
· Classified data
· Data in public domain – available from the internet, other public information agencies (either free or on payment of specified fees). The RTI Act could be of use to the social auditor to obtain data from any public authority.

The source of Classified data could be the following:
· the Organisation that is being audited
· Research organisations that have gathered and analysed data for specific research purposes

The sources of Primary data should be determined by the auditor at the audit planning stage (refer Chapter 5 for details).

Techniques for Gathering Primary Data

7.6 There are several techniques of gathering primary data as aforesaid. The most effective techniques are interviews and surveys through questionnaires. Collecting data is time consuming and expensive, even for relatively small amount of data. Hence, it is highly unlikely that a complete population will be investigated. Considering time and cost elements, the amount of data collected will be limited and also the number of people or organizations contacted will be small in number.
Therefore, the quality of data and the interpretation made from it will largely depend on the appropriateness of the sampling techniques used. The two key points that need to be considered here by the social auditor are:
· Sample size
· Sampling units.

7.7 To ensure reliability, accuracy and validity of the information gathered from the surveys/ interviews, the sampling methodology has to be tailored to the specificity of the stakeholder being surveyed. In general, there are two general classifications of sampling methodologies: the probability sampling, where the researchers use a random selection of elements to reduce or eliminate sampling bias; and the non-probability sampling, where the researchers have choices which groups or persons to include in the samples.

7.8 Determination of sample sizes is a complete subject matter in statistics. For the purpose of this guide we have looked at some simple methods. To determine the number of respondents to the social audit survey, even before the survey is done and be within acceptable margins of error, we may use the following formula:

Sample size = Population size (total count) / [1 + Population size × (Desired margin of error)²]

The lower the desired margin of error, higher the sample size.

After determining the sample size, the sampling units need to be determined. For this purpose, the social auditor could choose from the various well known sampling methods both probabilistic or non-probabilistic that are available, namely:

(i) Probabilistic Sampling Methods
· Simple Random: Samples are drawn using a random number table, where everyone in the population has an equal chance of being included.
· Systematic: Every ‘n’th element is sampled beginning at a random start of 1.
· Cluster: Sub-division of the population into clusters or areas, and randomly choosing a number of areas which are then studied.
· Stratified: Sub-division of the population into homogeneous substrata, and randomly choose elements from within the chosen strata, beginning at a random start of 1.

(ii) Non-Probabilistic Sampling Methods
· Judgemental: The researchers handpick the samples to conform to some criteria, i.e., all land-losers that are affected due to a project.
· Quota: The researchers study certain characteristics and dimensions of the population, and draw samples based on that to represent the whole population.
· Snowball: This method uses referrals, e.g., from one interviewee to another through the referral of the former.

7.9 Once we know the number of respondents to be interviewed or sampled for the purpose of gathering primary data, we need to structure questionnaires/ checklists to solicit the data we need to gather. Questionnaires may vary with the group of respondents that are to be interviewed or surveyed. The questions should be easy to comprehend and answers to the questions should be measurable. The questions are often termed as the variables in a questionnaire and the responses to the variables are termed as indicators. The indicators can either be quantitative or qualitative in nature.

Methods of Analysis of Data

7.10 Once the interview/ survey results are tabulated the same need to be analysed with reference to metrics defined at the planning stage. The data gathered already may either be in the form of metrics or may need to be further analysed.

7.11 Simple statistical techniques that can be used for analyzing data are as follows:
· Measures of central tendency
· Dispersion
· Correlation

The above and several other analyses, as required by the social auditor to meet the requirements of the social indicators/ metrics can be performed using spreadsheets. Complex statistical packages may not be required unless the data structure is complex and very voluminous.
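The sample size formula and the probabilistic selection methods of paragraph 7.8, worked through as an added example that is not part of the guide. The population of 1,200 respondents, the stratum names and sizes, proportional allocation across strata, and the random start inside the first interval for the systematic draw are assumptions made for the illustration.

```python
import math
import random


def sample_size(population, margin_of_error):
    """Paragraph 7.8: population / (1 + population * margin_of_error**2), rounded up."""
    if population <= 0:
        raise ValueError("population must be a positive count")
    if not 0 < margin_of_error < 1:
        raise ValueError("margin_of_error is a fraction, e.g. 0.05 for 5%")
    n = population / (1 + population * margin_of_error ** 2)
    # Strip floating-point noise, then round up to whole respondents.
    return min(population, math.ceil(round(n, 9)))


def simple_random_sample(units, n, rng):
    """Every unit has an equal chance of selection; drawn without replacement."""
    return rng.sample(units, n)


def systematic_sample(units, n, rng):
    """Every k-th unit, from a random start inside the first interval (assumption)."""
    k = len(units) // n
    if k < 1:
        raise ValueError("sample size exceeds population")
    start = rng.randrange(k)
    return [units[start + i * k] for i in range(n)]


def proportional_allocation(stratum_sizes, n):
    """Split n across strata in proportion to their size (largest-remainder rounding)."""
    total = sum(stratum_sizes.values())
    quotas = {name: n * size / total for name, size in stratum_sizes.items()}
    alloc = {name: int(q) for name, q in quotas.items()}
    shortfall = n - sum(alloc.values())
    by_remainder = sorted(quotas, key=lambda s: quotas[s] - alloc[s], reverse=True)
    for name in by_remainder[:shortfall]:
        alloc[name] += 1
    return alloc


def stratified_sample(strata, n, rng):
    """Random draw inside each stratum, sized by proportional allocation."""
    alloc = proportional_allocation({k: len(v) for k, v in strata.items()}, n)
    return {name: rng.sample(units, alloc[name]) for name, units in strata.items()}


# Constructed sampling frame: respondent IDs grouped by stakeholder group.
STRATA = {
    "beneficiaries": [f"B{i:04d}" for i in range(900)],
    "lenders_depositors": [f"L{i:04d}" for i in range(180)],
    "local_community": [f"C{i:04d}" for i in range(120)],
}
POPULATION = [unit for units in STRATA.values() for unit in units]

if __name__ == "__main__":
    rng = random.Random(2015)  # fixed seed so the selection can be re-performed
    for e in (0.10, 0.05, 0.03):
        print(f"margin of error {e:.0%}: sample size {sample_size(len(POPULATION), e)}")
    n = sample_size(len(POPULATION), 0.05)
    print("simple random, first 5:", simple_random_sample(POPULATION, n, rng)[:5])
    print("systematic, first 5:", systematic_sample(POPULATION, n, rng)[:5])
    sizes = {name: len(units) for name, units in STRATA.items()}
    print("stratified allocation:", proportional_allocation(sizes, n))
```

Recording the seed alongside the sampling frame lets a reviewer re-perform the selection and confirm that the respondents were not hand-picked.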
Chapter 8
Operationalising Social Auditing in India

Challenges in Implementation in India

8.1 The lack of Indian Social Audit Standards is one of the biggest roadblocks in India for successful implementation of social audit. Social Accounting framework does not exist in India. This makes it difficult for the social auditor to access data and often the definition of data required to measure the social impact has to be done by the auditor himself. The OECD Social Indicators can serve as a good guidance that can be used for Social Accounting.

8.2 The next challenge in the way of institutionalizing social auditing in India is the lack of data. This problem, generally, takes a bigger proportion when it comes to Welfare Programmes instituted by the Government/ Government agencies. The information system created to support these programmes mainly generates data that shows the receipts and expenditures associated with those programmes but rarely can measure the impact it creates on the sections of society to which those are aimed.

“Perhaps the most serious difficulty faced by the social auditor is the absence of a well conceived information system as a part and parcel of a social welfare programme. Government agencies which design programmes often commit the error of relying on traditional government systems of information such as government accounts and government methods of reporting for conveying a picture of how a programme is progressing.”[25]

[25] Social Audit and Its Relevance to Audit of Public Utilities: M. Parthasarathy.

8.3 The problem though is not as acute when it comes to availability of data in respect of CSR programmes of corporate bodies. In those cases the challenge remains, so far as that data relates to the measurement of some aspect of public life, being of similar nature as in above case.
So far as the data relates to the kind the corporate is able to generate through its own information system, availability is not of concern.

The other important lacuna in the system, as is anywhere else in the world, is the lack of regulatory demand for social audits. Social audits are largely voluntary. Coupled with the other constraints, social audit costs can also be quite prohibitive at times if social accounting and data capturing process becomes complex.

Essential Criteria for Success

8.4 The most essential criteria for success of social auditing system in India can be enumerated after considering the demand and the supply side of it.

(i) Demand Side

The demand side of social auditing deals with the following:
· Need for social audits from various affected sections of the Indian society;
· Regulations in India that have direct social impact and necessitate independent monitoring;
· Social responsibility programmes of corporate bodies;
· Government programmes that have direct social impact; and
· Civil society organizations that exist for creating defined social benefit.

The criteria essential for the success of social auditing in the above areas are:
· Establishment of the need for social auditing in the organisation charter; and
· Creation and empowerment of Social Audit Committees for organizations.

(ii) Supply Side

The supply side deals with the following:
· Social Accounting and Auditing Standards;
· Social auditing agencies that are trained in Auditing standards and methodologies; and
· Key social indicators.
The essential criteria for success of social auditing in India on the supply side are: · Creating/ adopting a set of Social Accounting and Auditing Standards; · Developing Social Auditing framework and training social auditors to implement those; Creating a database of benchmark Social indicators that could serve as a tool in helping social auditors to analyze facts gathered during the social audit engagement. 954 Chapter 9 Technical Guide on Social Audit Sample Social Audit Questionnaire Social Audit checklists vary depending on the nature of the engagement and the type of organization being audited. As discussed earlier, focus and approach of the Social Audit for a corporate could be quite different from that for a development programme being undertaken by a Government department. Sample Social Audit guidelines for following are given: · Mahatma Gandhi National Rural Employment Guarantee Act (MGNREGA) Scheme (Refer Proforma A, B and C) · A Government Educational Programme MGNREGA Scheme The sample Social Audit Reports has been provided by the NREGA. Some of the instruments/ formats as described by the NREGA that would be useful in Social Audit can be seen in Proforma A, B and C. 955 Compendium of Generic Internal Audit Guides Proforma (A) Specimen Social Audit Report (Village Schedule) Padyatra Group No…………………… Date: ……….. Village:……………Panchayat:………… Panchayat Samiti:………… 1. Approximate number of people in the meeting:………………… Registration 2. Have people in this village registered under the NREGA……………............................Y/N 3. How many people have applied but not been registered ……… 4. How many have complained about irregularities in the registration process................................................................. who are the people (indicate names) 5. What action has been taken on each complaint......................... Job Card 6. Have job cards been issued in the village. ………………Y/N Which month were they issued …………………………………… 7. 
How many have registered, but have not received job cards …………………………….…
8. How many have filed complaints regarding job cards …………
9. What action has been taken on these complaints …………...…
Application for work
10. How many people have applied but not got work yet …………
11. How many have applied for work and got receipts? …………
12. If people have not given written applications, and not received receipts, what are the reasons
(a) Application forms not available
(b) Cannot write
(c) Panchayat did not accept the application
(d) Panchayat did not give a receipt
13. How many people applied for work who
(a) Got work in 15 days
(b) Got work after 15 days
(c) Have not yet got work
14. Has anyone applied for unemployment allowance……………… name & details
Payment
15. In how many days was payment made …………………………
16. How many people got payment after 15 days ………………….. how many people got payment after 30 days……………………
17. Was some part of the wages paid as advance ……………Y/N If yes, at what rate…………………………………………
18. Was payment made at a public place ……………………...Y/N If not, then where was the payment made?………………………
19. Was payment made in the day ……………………………...Y/N
20. At the time of payment –
(a) Was the payment made on the muster roll?
(b) Was the muster roll read out?
(c) Was the Muster roll displayed at the time of payment?
(d) Paid without the muster roll
21. How far is the work-site from the village………………………….
22. Was the work identified in the Gram Sabha ………………Y/N
23. Is there a monitoring committee set up for the works at the village level……………
24. Do people in the village think that the work is useful..............Y/N
25. Is there any complaint in respect of the NREGA -: Corruption Irregularities other…………………………….
Give details
Name of person filling the schedule
Signature

Proforma (B)
Specimen Social Audit Report (Work-Site)

Padyatra Group No....................... Date: ..................
Name of work.............Panchayat.............Panchayat Samiti.............
Agency executing the work …………. Sanctioned Amount……………………
Muster roll numbers of the muster rolls at the work-site ……………..
1. No. of workers on the work-site……………………………………
2. Is there a board displaying the details of the work..............Y/N
If yes, which of the following is displayed
(a) sanctioned amount
(b) amount of the work/task assigned to each worker
(c) number of workers on the M.R.
(d) number of workers present
(e) estimated worker days
(f) materials needed
(g) material received on the day, specify date
(h) description of the sanctioned work and specifications
3. Do workers know of the sanctioned amount and the usefulness (?) of the work
4. Is the muster roll available at the work-site?
5. Has the Monitoring Committee checked the muster roll ............. Y/N
6. Has the Village Monitoring Committee evaluated the quality and usefulness of the work …………………………….Y/N If yes, describe the details
7. If it is a “pucca” work, is there a Material Register maintained on the work site……………………………………………. Y/N
8. Is attendance taken on the muster roll or in a note book/ register? specify
9. Is there an anganwadi or creche at the work-site?
10. Is there provision for shade/water/medicines at the work-site?
11. Are Job Cards of workers available at the work-site?
12. Have details of work been entered in the Job Card?
13. Who keeps the Job Cards?
Questions that should be asked during discussions with workers on the work-site
14. Was the task measured and given before work started...........Y/N
15. If there are groups of workers per task, what is the size of the group?
16. Is task given on an individual or group basis?
17.
Is the task measured daily and the worker informed about the quantum of measurement?
18. Does the junior engineer measure the work at the end of each work period (Pakhwada) in front of the workers?
19. Is there a fixed time for workers to be present at the work-site?
20. How many times is the attendance taken in a day ……………… when is it taken?
21. Is the lift and lead taken into consideration at the time of fixing the task?
Suggestions of activities for the Padyatra Group at the work-site
22. Check the muster roll, read out muster roll, how many workers are entered on the muster roll. How many workers are present at the work-site?
23. Is the muster roll available for checking by all workers at the work-site?
24. No. of women / men workers at the work-site men ……………… women …………………
25. Are there any complaints of workers regarding conditions at the work-site?
26. Is the work being done through a Contractor?
27. Are machine/s being used at the work-site or have they been used? If yes, please describe for what purpose
Name of person filling the schedule
Signature

Proforma (C)
Specimen Social Audit Report (Panchayat Office)

Padyatra Group No…………………… Date: ………..
Panchayat…………… Panchayat Samiti...................
Name of Sarpanch………… Name of Panchayat Secretary...............................
1. Does the Panchayat office have a board displaying the details of work under the NREGA? ……………………………………
If yes, then is the following information entered
(a) Name of the work
(b) Sanctioned amount – labour/materials
(c) Expenditure – labour/materials
(d) State of work – completed/incomplete
2. Is there a shelf of projects for NREGA works prepared by the Gram Sabha, including a list of works in order of priority, available in the Panchayat office?
(a) Has this list of works been displayed?
(b) How many of the on-going works sanctioned have been taken from the shelf of projects approved by the Gram Sabha?
(c) In how many of these works have work orders been issued?
(d) Has the order of priorities in the shelf of projects been followed in the issuing of work orders?
3. How many works have started and how many labour are working on each work-site?
4. Are copies of muster rolls displayed at the Panchayat Bhavan for public scrutiny? …………………………….Y / N
5. Is there a Complaint Box or register available at the Panchayat Office? ..…Y/N ……………..If yes, then how many complaints have been received? What action has been taken on them?
6. Is the list of Job Cards issued available for public scrutiny? Y/N ………………………………..
7. What is the method for receiving applications from workers?
8. Is the Panchayat Secretary available at the Panchayat office at a fixed time every day? …………………………… Y/N
9. How many people are employed by the Panchayat office to look after the NREGA?
10. Is the process of registration and issue of Job Cards open at all times? …………………………………….Y/N
11. Is the Perspective Plan or the sanctioned list of works approved by the Gram Sabha, open for public scrutiny at the Gram Panchayat?
12. What are the suggestions of the Sarpanch, Panchayat Secretary and the Ward Panchs regarding the NREGA?
Name of person filling the schedule
Signature

Government Educational Programme - Sample Questionnaire 26

Sample Questionnaire for Students of Residential Schools and Colleges under Educational Support Programmes of a Social Welfare Department of a Government is Given Below:

My name is ………………………..

No. General Information
1. Name of the village Code
2. Name of the mandal Code
3. Name of the district Code
4. Name of the Institution Address and contact person
5. Type of Institution
    Government 1
    Government Aided 2
6. Hostel/College
    Boys 1
    Girls 2
7.
Type of the college
    Intermediate 1
    Degree 2
8. Age
    Age Code
    Up to 20 1
    21 – 25 years 2
    26 – 30 years 3
    Above 30 years 4
9. Class and subject (specify)
    Inter 1st year 1
    Inter 2nd year 2
    Degree I year 3
    Degree II year 4
    Degree III year 5
    Engineering/Medicine 6
    Any other (specify) 7

26 Social Audit: A Toolkit A Guide for Performance Improvement and Outcome Measurement.

No. Questions Responses Code Column numbers
10. What is the type of scholarship received?
    Non-residential 1
    Residential 2
    Any other (specify) 3
11. Since how long have you been receiving the scholarship?
    Record actual number of years:
    Since this academic year; 1
    1 to 3 years; 2
    4 to 7 years; 3
    8 to 10 years; 4
    Above 10 years. 5
12. What is the amount of scholarship received?
    Actual (in ) Record as mentioned
    Up to 100 per month 1
    101 to 250 2
    251 to 500 3
    Above 501 4
13. Can you give the break-up of scholarship amount? (State actual amount received)
    Fees
    Accommodation
    Food
    Purchase of books
    Expense toward study tours
    Expenses for typing thesis
    Any other (specify) …… ………………
14. Have you received any grant under the Integrated Book Bank Scheme? (In case of professional courses)
    Yes 1
    No 2
15. If Yes, how much did you receive?
    As mentioned
    Up to 1500 1
    1501 to 3000 2
    3001 to 4500 3
    4501 to 6000 4
    Above 6001 5
16. How has the scholarship benefited you in your education?
    Helped in continuing higher studies 1
    Payment of college fees 2
    Payment of examination fees 3
    Payment of books and study materials 4
    Hostel accommodation 5
    Other incidental expenditures 6
    Any other reasons (specify)
17. In your opinion to what extent has the scholarship contributed to improving your performance?
    To a great extent 1
    To some extent 2
    Cannot say 3
    Not contributed at all 4
18.
What are your views on scholarships provided to Scheduled Caste students?
    Necessary for poor students 1
    Scholarship amount is insufficient. 2
    It should be awarded based on merit 3
19. Is such a scholarship enabling you to achieve long-term career goals?
    Yes 1
    No 2
20. If yes, how is it helping in achievement? (Record verbatim)
21. Do you think scholarships for Backward Classes motivate students from these communities to pursue their studies?
    Yes 1
    No 2
Education and other activities
22. How often do you have examinations in your college?
    Once in a week 1
    Once in a month 2
    Once in a year 3
    Never 4
23. Does the examination evaluate the student based on the performance providing a measure to improve?
    Yes 1
    No 2
24. Have you achieved any rank/grade in class?
    Yes 1
    No 2
25. If yes, what is your current rank in class?
    First rank 1
    Within top three ranks 2
    Within the top ten ranks 3
    Between 11th rank up to 25th rank 4
    Above 26th rank 5
    No rank (arrears) 6
26. Have you any other (scholastic) achievements during this year (for instance, University rank/ State rank)?
    Please specify:
27. Is the progress monitored on a continuous basis?
    Yes 1
    No 2
28. Are you given feedback on your performance in the examinations?
    Yes, always 1
    Yes, sometimes 2
    No, never 3
29. If yes, state how?
30. Do teachers/tutors take special interest and coach students on difficult topics?
    Yes, always 1
    Yes, sometimes 2
    No, never 3
    Do teachers complete the syllabus on time and give sufficient time for revision?
    Yes 1
    No 2
31. How many hours on an average is the duration of class for each subject?
    Less than half-an-hour 1
    Half-an-hour to one hour 2
    More than one hour 3
32. With the current teaching approach, are you confident you can succeed in the final examinations?
    Very confident 1
    Confident 2
    Not confident 3
33.
Do you participate in any games or sports?
    Yes 1
    No 2
34. Have you participated in any sports and games events conducted in your college?
    Yes 1
    No 2
35. What has been your achievement in the events you participated?
    Sport / Achievement (e.g., district, state level)
    Cricket
    Volleyball
    Basketball
    Kabaddi
    Kho Kho
    Others (Specify)
36. What is your achievement in other extra-curricular activities?
    Activity / Achievements (e.g., Inter-collegiate prize)
    Essay
    Elocution
    Debate
    Quiz
    Singing
    Any Other
37. In the above said activities, at what level did you represent?
    Mandal level 1
    District level 2
    State level 3
    National level 4
38. What has been your achievement in the competitive exams?
    Competitive exam appeared………………..
    Rank achieved…………
39. What is your perception of the overall quality of education imparted in colleges?
    Excellent 1
    Good 2
    Average 3
    Bad 4
    Very bad 5
40. How do you rate the quality of teaching at the college?
    Excellent 1
    Good 2
    Average 3
    Bad 4
    Very bad 5
Hostel facility
41. Since when have you been availing hostel facility?
    Record as stated……… (in number of years)
    Last 1 year 1
    1 to 3 years 2
    4 to 6 years 3
    7 to 10 years 4
    Above 10 years 5
42. From which standard did you start availing the hostel facility?
    Record as stated……….
    I to V standard 1
    VI to X standard 2
    Intermediate I year 3
    Intermediate II year 4
    Degree I year 5
    Degree II year 6
    Degree III year 7
    Other professional course 8
    Others (specify)………… 9
43. How has the hostel facility helped you?
    Helped in pursuing higher studies 1
    Helped in reducing burden on the family 2
    Others (specify)……….. 3
44. What are the facilities provided at the hostel
    Accommodation 1
    Study facilities 2
    Mess facility 3
    Television 4
    Others (specify)………… 5
45. What is your opinion on the facilities provided in the hostel?
    Adequate Inadequate
    Accommodation 1 2
    Study facilities 1 2
    Mess facility 1 2
    Television 1 2
    Others (specify)……………
    (Circle the appropriate one)
46. What is the quality of basic amenities such as drinking water, electricity, and sanitation?
    Very Good 1
    Good 2
    Average 3
    Bad 4
    Very Bad 5
47. What is the extent of satisfaction with the facilities provided to you in the hostel?
    Very satisfactory 1
    Satisfactory 2
    Unsatisfactory 3
    Very unsatisfactory 4
48. What are the distractions that affect the youth studying in college/staying in hostels?
    Record verbatim .…………………………
    (Probe for causes such as ‘peer pressure to roam around’, ‘watching movies’, ‘habits like smoking and alcoholism’)
49. Any other comments

Sample Questionnaire for Parents of the Beneficiaries of Social Welfare Hostels under Educational Support Programmes of Social Welfare Department of a Government:

My name is …………………………………………

Profile of student (to be filled in by interviewer) Responses Code
1. Name of the village
2. Name of the mandal
3. Name of the district
4. Name and address of the school in which the student is studying?
5. Type of the hostel in which the student is studying?
    Boys 1
    Girls 2
    Co-education 3
6. Name of the respondent: son’s/daughter’s name:

No. Questions Responses Code
Hostel facility (For parents whose children are in hostel)
7. For how many years (name of the child: ...........) has been availing hostel facility provided by Social Welfare department?
    Record as stated…………. (in number of years)
8. From which class onwards did (name of the child) start availing the hostel facility? (Record class)
    Record as stated :
09. Currently (name of the child) is in which standard?
10.
What were the reasons for putting (name of the child) in hostel? (Circle the appropriate one)
    Agree Disagree
    We could not afford educational expenses 1 2
    Child had to travel long distance to school 1 2
    There are no schools in close vicinity 1 2
    Being at home, child had to contribute towards work to earn money 1 2
    Any other (Specify) 1 2
11. In your opinion have those reasons been addressed adequately after putting the child in hostel (Probe how and why?)
12. Do you ask (name of the child:......) about amenities received at the hostel?
    Yes 1
    No 2
    What is your opinion of the facilities provided to (name of the child:............) in the hostel? (Circle the appropriate one)
    Excellent Good Average Poor
    Accommodation 1 2 3 4
    Education 1 2 3 4
    Food 1 2 3 4
    Sports 1 2 3 4
13. What is the reason for this opinion?
    Accommodation
    Education
    Food
    Sports
14. How often do you visit the hostel to see (name of the child)?
    Once in a week 1
    Once in a month 2
    Once in three months 3
    Once in six months 4
    Once in a year 5
    Never visited 6
15. When you visit the hostel do you interact with any staff in the hostel?
    Yes 1
    No 2
16. If yes, with whom and for what purpose?
17. Do you receive any feedback on your child’s performance in the examinations?
    Yes 1
    No 2
18. Has he/she achieved any rank/grade in class?
    Yes 1
    No 2
    Do not know 3
19. In your opinion has (name of the child’s) the performance in studies improved after hostel admission?
20. What, according to you, are the reasons for this?
21. How in your opinion has hostel facility helped (name of the child: .......................................)?
    Agree Disagree
    Gives him/her more time for study 1 2
    Reduces travel time to reach education facility 1 2
    A better environment for study 1 2
    Opportunity to interact with people from other backgrounds 1 2
    Any other (Specify)
22.
Does (name of the child:...........................) like staying in the hostel? Why? (state reason/s)
    Yes 1
    No 2
    Cannot say 3
23. Now I would like to understand from you what could be the benefits of the hostel facility received from government has helped (name of the child) and your family.
24. How has staying in the hostel benefited (name of the child)?
    Agree Disagree
    To continue studies 1 2
    Avail good infrastructure facilities 1 2
    Improve his/her performance 1 2
    Increased opportunities for overall development 1 2
    In achieving his/her ambition in life 1 2
    Others (specify) 1 2
    Cannot say 1 2
25. What do you feel is the treatment given to hostel students by staff members at the hostel?
    Agree Disagree
    Hostel staff is very warm and cordial 1 2
    Hostel staff takes good care of students 1 2
    Hostel staff provides for needs of all children 1 2
    Hostel staff is indifferent towards children 1 2
    Hostel staff discriminate students on basis of their caste 1 2
    Cannot say 1 2
    Any other (Specify)
26. For negative statements of indifference and discrimination probe further to learn their direct or indirect experiences.
    Record verbatim :
27. Does (name of the child) share his/her experience of stay in the hostel?
    Yes 1
    No 2
28. What has (name of the child) shared about other students’ interaction with him/her? Has (name of the child) mentioned any of the following regarding hostel amenities?
    Agree Disagree
    Other students are friendly with him/her 1 2
    Other students help him/her in studies 1 2
    Other students look down upon him/her 1 2
    Other students create disturbance in studies 1 2
    Cannot say 1 2
    Any other (Specify)
29. Do you think that if (name of the child ............................................)
    Agree Disagree
    Hostel amenities take care of all his/her basic needs 1 2
did not get hostel facility, he/she would have …
    Hostel food is very good 1 2
    He/she likes hostel staff 1 2
    He/she prefers to stay in hostel rather than at home 1 2
    Hostel stay and amenities let him/her concentrate on studies 1 2
    Cannot say 1 2
    Any other (Specify)
30. On a long-term perspective, what do you think are the benefits of scholarships to SC students and the community?
    Agree Disagree
    Discontinued studies 1 2
    Taken up wage labour/ farming/etc 1 2
    Would have wasted childhood 1 2
    Cannot say 1 2
    Any other (specify)
31. On a long-term perspective, what do you think are the benefits of scholarships to SC students and the community?
    Agree Disagree
    Improves overall living standard of the family 1 2
    SC community gets opportunity to join the mainstream society 1 2
    Increases awareness about scholarship facilities through achievements of students who have received scholarships 1 2
    Increases confidence of students to face challenges in the society 1 2
    Empowers SC community with equal opportunities and exposures through education
    Any other (Specify)
32. In your opinion, have hostel facilities provided to students over last 20-30 years contributed to the upliftment of SC community?
    Agree Disagree
    1 2
33. If yes, How? If No, Why?

Appendix I
Indicators of Social Development Defined under the Millennium Development Goals

Several indicators of social development have been defined under the Millennium Development Goals. These indicators can also be used for Social Audit, as appropriate, to measure the social impact of organizations.
Goal 1: Eradicate Extreme Poverty and Hunger
Target 1.A: Halve, between 1990 and 2015, the proportion of people whose income is less than one dollar a day
1.1 Proportion of population below $1 (PPP) per day
1.2 Poverty gap ratio
1.3 Share of poorest quintile in national consumption
Target 1.B: Achieve full and productive employment and decent work for all, including women and young people
1.4 Growth rate of GDP per person employed
1.5 Employment-to-population ratio
1.6 Proportion of employed people living below $1 (PPP) per day
1.7 Proportion of own-account and contributing family workers in total employment
Target 1.C: Halve, between 1990 and 2015, the proportion of people who suffer from hunger
1.8 Prevalence of underweight children under-five years of age
1.9 Proportion of population below minimum level of dietary energy consumption

Goal 2: Achieve Universal Primary Education
Target 2.A: Ensure that, by 2015, children everywhere, boys and girls alike, will be able to complete a full course of primary schooling
2.1 Net enrolment ratio in primary education
2.2 Proportion of pupils starting grade 1 who reach last grade of primary
2.3 Literacy rate of 15-24 year-olds, women and men

Goal 3: Promote Gender Equality and Empower Women
Target 3.A: Eliminate gender disparity in primary and secondary education, preferably by 2005, and in all levels of education no later than 2015
3.1 Ratios of girls to boys in primary, secondary and tertiary education
3.2 Share of women in wage employment in the non-agricultural sector
3.3 Proportion of seats held by women in national parliament

Goal 4: Reduce Child Mortality
Target 4.A: Reduce by two-thirds, between 1990 and 2015, the under-five mortality rate
4.1 Under-five mortality rate
4.2 Infant mortality rate
4.3 Proportion of 1 year-old children immunised against measles

Goal 5: Improve Maternal Health
Target 5.A: Reduce by three quarters, between 1990
and 2015, the maternal mortality ratio
5.1 Maternal mortality ratio
5.2 Proportion of births attended by skilled health personnel
Target 5.B: Achieve, by 2015, universal access to reproductive health
5.3 Contraceptive prevalence rate
5.4 Adolescent birth rate
5.5 Antenatal care coverage (at least one visit and at least four visits)
5.6 Unmet need for family planning

Goal 6: Combat HIV/AIDS, Malaria and Other Diseases
Target 6.A: Have halted by 2015 and begun to reverse the spread of HIV/AIDS
6.1 HIV prevalence among population aged 15–24 years
6.2 Condom use at last high-risk sex
6.3 Proportion of population aged 15–24 years with comprehensive correct knowledge of HIV/AIDS
6.4 Ratio of school attendance of orphans to school attendance of non-orphans aged 10-14 years
Target 6.B: Achieve, by 2010, universal access to treatment for HIV/AIDS for all those who need it
6.5 Proportion of population with advanced HIV infection with access to antiretroviral drugs
Target 6.C: Have halted by 2015 and begun to reverse the incidence of malaria and other major diseases
6.6 Incidence and death rates associated with malaria
6.7 Proportion of children under 5 sleeping under insecticide-treated bed nets
6.8 Proportion of children under 5 with fever who are treated with appropriate anti-malarial drugs
6.9 Incidence, prevalence and death rates associated with tuberculosis
6.10 Proportion of tuberculosis cases detected and cured under directly observed treatment short course

Goal 7: Ensure Environmental Sustainability
Target 7.A: Integrate the principles of sustainable development into country policies and programmes and reverse the loss of environmental resources
Target 7.B: Reduce biodiversity loss, achieving, by 2010, a significant reduction in the rate of loss
7.1 Proportion of land area covered by forest
7.2 CO2 emissions, total, per capita and per $1 GDP (PPP)
7.3 Consumption of ozone-depleting
substances
7.4 Proportion of fish stocks within safe biological limits
7.5 Proportion of total water resources used
7.6 Proportion of terrestrial and marine areas protected
7.7 Proportion of species threatened with extinction
Target 7.C: Halve, by 2015, the proportion of people without sustainable access to safe drinking water and basic sanitation
7.8 Proportion of population using an improved water source
7.9 Proportion of population using an improved sanitation facility
Target 7.D: By 2020, to have achieved a significant improvement in the lives of at least 100 million slum dwellers
7.10 Proportion of urban population living in slums

Goal 8: Develop a Global Partnership for Development
Target 8.A: Develop further an open, rule-based, predictable, non-discriminatory trading and financial system
Includes a commitment to good governance, development and poverty reduction – both nationally and internationally
Target 8.B: Address the special needs of the least developed countries
Includes tariff and quota free access for the least developed countries’ exports; enhanced programme of debt relief for heavily indebted poor countries (HIPC) and cancellation of official bilateral debt; and more generous ODA for countries committed to poverty reduction
Target 8.C: Address the special needs of landlocked developing countries and small island developing States through the Programme of Action for the Sustainable Development of Small Island Developing States and the outcome of the twenty-second special session of the General Assembly
Target 8.D: Deal comprehensively with the debt problems of developing countries through national and international measures in order to make debt sustainable in the long term

Some of the indicators listed below are monitored separately for the least developed countries (LDCs), Africa, landlocked developing countries and small island developing States.
Official Development Assistance (ODA):
8.1 Net ODA, total and to the least developed countries, as percentage of OECD/DAC donors’ gross national income
8.2 Proportion of total bilateral, sector-allocable ODA of OECD/DAC donors to basic social services (basic education, primary health care, nutrition, safe water and sanitation)
8.3 Proportion of bilateral official development assistance of OECD/DAC donors that is untied
8.4 ODA received in landlocked developing countries as a proportion of their gross national incomes
8.5 ODA received in small island developing States as a proportion of their gross national incomes
Market Access:
8.6 Proportion of total developed country imports (by value and excluding arms) from developing countries and least developed countries, admitted free of duty
8.7 Average tariffs imposed by developed countries on agricultural products and textiles and clothing from developing countries
8.8 Agricultural support estimate for OECD countries as a percentage of their gross domestic product
8.9 Proportion of ODA provided to help build trade capacity
Debt Sustainability:
8.10 Total number of countries that have reached their HIPC decision points and number that have reached their HIPC completion points (cumulative)
8.11 Debt relief committed under HIPC and MDRI initiatives
8.12 Debt service as a percentage of exports of goods and services
Target 8.E: In co-operation with pharmaceutical companies, provide access to affordable, essential drugs in developing countries
8.13 Proportion of population with access to affordable essential drugs on a sustainable basis
Target 8.F: In co-operation with the private sector, make available the benefits of new technologies, especially information and communications
8.14 Telephone lines per 100 population
8.15 Cellular subscribers per 100 population
8.16 Internet users per 100 population

Appendix II
Social Indicators Issued by the
Organisation for Economic Co-operation and Development (OECD) 27

Social Indicators:
1. Headline Social Indicators
2. Measuring Leisure in OECD Countries
3. Interpreting OECD Social Indicators
4. General Context Indicators
· Net national income per capita
· Fertility rates
· Migration
· Marriage and divorce
5. Self-sufficiency Indicators
· Employment
· Unemployment
· Childcare
· Student performance
· Not in employment, education or training
· Age of labour force exit
· Spending on education
6. Equity Indicators:
· Income inequality
· Poverty
· Poverty among children
· Adequacy of benefits of last resort
· Public social spending
· Total social spending
7. Health Indicators
· Life expectancy
· Perceived health status
· Infant health
· Obesity
· Height
· Mental health
· Long-term care recipients
· Health care expenditure
8. Social Cohesion Indicators
· Life satisfaction
· Work satisfaction
· Crime victimisation
· Suicides
· Bullying
· Risky behavior

27 Refer http://www.oecd.org/document/24/0,3343,en_2649_34637_2671576_1_1_1_1,00.html for details.

Appendix III
Standards for Social Accounting/ Reporting

Various Standards that have been introduced to serve the purpose of Social Accounting/ Reporting are as follows:

Initiatives/ Standards | Organisation
Universal Declaration of Human Rights | United Nations (UN)
United Nations Environment Programme
Core Conventions on Labour Standards (Conventions No. 29, 87, 98, 100, 105, 111, 138, 182) | International Labour Organisation (ILO)
Conventions No.
107 and 169 on Indigenous Peoples
Declaration on Fundamental Principles and Rights at Work
Tripartite Declaration of Principles concerning Multinational Enterprises and Social Policy
Guidelines on Occupational Safety and Health Management Systems
Corporate Social Responsibility. An IOE Approach | International Organisation of Employers
The Role of Business within Society. Position Paper
Green Paper on Promoting a European Framework for Corporate Social Responsibility | European Union (EU)
Eco-Management and Audit Scheme (EMAS)
Ethical Conduct Resolutions
European Convention on Human Rights
Eco – Label Scheme
Guidelines for Multinational Enterprises | Organisation for Economic Cooperation and Development (OECD)
Convention on Combating Bribery of Foreign Public Officials in International Business Transactions
Business Charter for Sustainable Development | International Chamber of Commerce
Business in Society: Making a Positive and Responsible Contribution
Rules of Conduct to Combat Extortion and Bribery
Principles of Business | CAUX Roundtable
Exploring Pathways to a Sustainable Enterprise: Sustainable Development Planner | Global Environment Management Initiatives (GEMI)
Sustainability Tool
Designing a CSR Structure | Business for Social Responsibility
Consumer Charter for Global Business | Consumer International
Global Reporting Initiative (GRI) Sustainability Reporting Guidelines | Global Reporting Initiatives
Accountability 1000 (standard series) | Institute of Social and Ethical Accountability
ISO 14000 Management System Standards | Internal Standards Organisation
Social Accountability 8000 | Social Accountability International
The Business Principles for Countering Bribery | Social Accountability International and Transparency International
Sunshine Standards for Corporate Reporting to Stakeholders | The Stakeholder Alliance

G-9
TECHNICAL GUIDE ON INTERNAL AUDIT OF TENDERING PROCESS

Foreword

A proper tendering process is one of the building blocks of a sound governance system. Procedure for the acceptance of tenders and awarding of contracts, in government or private organizations, must be transparent, fair and open. Tendering and procurement processes must be robust and fair to all the parties involved, such as contractors, consultants, and purchasers and they must also meet the expected standards for good practice. Further, E-Tendering and E-Procurement are some of the technology-borne issues that introduce new layers of complexity in the tendering process.

Chartered accountants are well equipped to play a meaningful role in this area by helping the organizations to promote fair and open competition for their business while minimizing exposure to fraud and collusion. Considering this, the Internal Audit Standards Board is issuing “Technical Guide on Internal Audit of Tendering Process” to help the members to play an important role in this area. The objective of the tender audit is to assess the present controls of the organization over the tendering process and assist in developing a transparent and effective tender process.

I congratulate CA. Rajkumar S. Adukia, Chairman, Internal Audit Standards Board, CA. Rajendra Kumar P., Vice Chairman, Internal Audit Standards Board and other members of the Board for bringing out this “Technical Guide on Internal Audit of Tendering Process” as tender is an important document of business processes. This comprehensive publication would surely help the members to understand the entire spectrum of operational, conceptual and practical issues related to internal audit of Tendering process.

I am sure that this Technical Guide would be an informative and useful publication for the members.

May 11, 2012
New Delhi
CA. Jaydeep Narendra Shah
President, ICAI

Preface

Establishing an objective and unbiased approach based on which an equitable and fair decision can be reached is ultimately the goal of an efficient and effective tendering process. This requires a well chartered approach and high standard of ethics throughout the tendering process, thus resulting in efficient, economical and effective use of public and human resources. Cultivating openness, accountability and responsiveness is the aim of Internal Audit of Tendering Process. Access to information which is timely, accessible, accurate and transparent ensures social evils like corruption, collusion and all other forms of criminality are mitigated. This is possible with the help of an effective internal control system in place, which requires frequent monitoring in the form of Internal Audit procedures.

Tender audit is a mechanism to ensure that the existing process is in line with the documented process and adequate controls exist to prevent and detect fraud and errors in the tendering process. Success of any project relies on making the right decision during tendering processes. The need for tender audit has grown with high value orders involving both capital and revenue purchases. Chartered accountants with their multi-faceted knowledge are well equipped to conduct the internal audit of tendering processes which are in a growing trend both in terms of complexity and volume.

Having understood the need for a well chartered audit plan, the Internal Audit Standards Board of ICAI is issuing this publication “Technical Guide on Internal Audit of Tendering Process”, to provide extensive knowledge to the members on the laid down practices and procedures followed by large departments, agencies and other organizations in the tendering process.
While the methodology and procedure may differ in different situations, the guiding philosophy of tendering is to obtain materials/ services of the desired quality and quantity at the most suitable technical specifications, commercial terms, affordable risk and competitive rates within a given time frame and in a transparent manner. This Guide covers types of tender, stages of tender, e-tendering, risk based internal audit, pitfalls in tender and detailed audit checklist of tendering process. It contains important Central Vigilance Commission Guidelines. This Guide does not cover tender process from vendor end, process of auctions, special audits and investigations.

At this juncture, I am grateful to CA. P. R. Roy for sharing his experience and knowledge with us in this area and CA. Monark Shah for preparing the draft of the Technical Guide. I would also like to thank CA. Guru Prasad M. for reviewing the draft.

I also wish to thank CA. Jaydeep N. Shah, President, ICAI and CA. Subodh Kumar Agrawal, Vice President, ICAI for their continuous support and encouragement to the initiatives of the Board. I must also thank our colleagues from the Council at the Internal Audit Standards Board, viz., CA. Rajendra Kumar P., CA. Amarjit Chopra, CA. Shiwaji B. Zaware, CA. Ravi Holani, CA. Anuj Goyal, CA. Nilesh S. Vikamsey, CA. Atul C. Bheda, CA. Charanjot Singh Nanda, CA. Pankaj Tyagee, CA. G. Ramaswamy, CA. J. Venkateswarlu, CA. Abhijit Bandyopadhyay, CA. S. Santhanakrishnan, Shri Prithvi Haldea, Smt. Usha Narayanan, Shri Gautam Guha, Ms. Revathi Bedi, Shri Manoj Kumar, Shri Sidharth Birla for their vision and support. I also wish to place on record my gratitude for the co-opted members on the Board viz., CA. Porus Doctor, CA. Masani Hormuzd Bhadur, CA. Ghia Tarun Jamnadas, CA. Deepjee A Singhal, CA. Nitin Alshi, CA. Narendra Aneja and CA.
Guru Prasad M for their invaluable guidance and also their dedication and support to various initiatives of the Board. I also wish to express my thanks to CA. Jyoti Singh, Secretary, Internal Audit Standards Board and CA. Harsh Kumar, Executive Officer for giving final shape to the Guide.

I firmly believe that this publication would serve as basic guide for the members and other readers interested in the subject.

May 14, 2012
Mumbai
CA. Rajkumar S. Adukia
Chairman
Internal Audit Standards Board

Abbreviations

BG: Bank Guarantee
CAG: Comptroller Auditor General of India
CVC: Central Vigilance Commission
EMD: Earnest Money Deposit
EOQ: Economic Order Quantity
HOD: Head of Department
IEM: Independent External Monitors
IP: Integrity Pact
IT: Information Technology
LOI: Letter of Intent
NOC: No Objection Certificate
OEM: Original Equipment Manufacturer
PO: Purchase Order
PSU: Public Sector Units
RFP: Request for Proposal
RFQ: Request for Quote
TCC: Tender Consideration Committee
TOC: Tender Opening Committee

Contents

Abbreviations
Introduction
Chapter 1 General Aspects
Chapter 2 Tendering – A Form of Procurement
Chapter 3 Types of Tender
Chapter 4 Stages of Tendering Process
Chapter 5 E-Tendering
Chapter 6 About Internal Audit
Chapter 7 Risk Based Internal Audit
Chapter 8 Internal Audit Checklist
Chapter 9 Pitfalls in Tendering Process
Appendices
Appendix 1
Appendix 2

Introduction

1. Indian economy shed its policy of protectionism and opened up in the nineties to integrate with the global economy. To scale up, it became essential to invest staggering amounts of resources in infrastructure, energy, health and defense. The IT revolution that took the world by storm around this time helped in deepening and broadening the understanding of world affairs while at the same time, accentuating the process of governance, transparency and accountability.

2. The sense of urgency to hasten the process of inclusive growth has led to the need to understand, appreciate and leverage the process of tendering to ensure optimal deployment of resources and timely implementation of plans and projects.

3. To corroborate this approach, the relevant portion of an address by the first CAG of India Shri V. Narahari Rao delivered at ICAI HQ way back on April 5, 1954 is quoted: “Accounting is becoming more and more intricate with the advance of modern technique in industry. After all, accounts follow facts… an accountant must have a very good inkling - a very comprehensive idea of what he is looking into…. He has to know a great deal in each sphere of activity. He has to be a jack of all trades. He has got to know something of everything.” (Source: Front cover, The Chartered Accountant Journal, Volume 60 | No. 5 | November 2011)

4.
Chartered Accountants are increasingly joining industry and those who are in practice are increasingly asked to provide advisory services, expert opinion and undertake auditing assignments of business processes ever growing in complexity and volume. Keeping in mind these requirements, this Technical Guide is meant to enhance the capability of Chartered Accountants in evaluating and reporting while undertaking internal audit assignments from the perspective of a business process analyst. This Technical Guide is prepared on the basis of the laid down practices and procedures followed by large departments, agencies and public sector undertakings in India.

5. Tendering methodology and procedure may differ from place to place, situation to situation, country to country, but the basic concept of tendering is to source materials and/or services of the desired quality and quantity at the most suitable technical specifications, commercial terms, affordable risk and competitive rates within a given time frame and in a transparent manner. A proper tendering process is one of the building blocks of a sound governance system. Tendering is not only the source of procurement by government departments but also for private companies at large.

6. Objectives of tender audit are as follows:
(i) Assessing the present controls of the organization over the tendering process.
(ii) A documented process.
(iii) Existing process is in line with the documented process.
(iv) Identifying cost saving measures and effective utilization of resources.
(v) Prevention and detection of frauds and errors.

7. This Guide is meant for awarding works and purchase contracts to the bidder. The lowest bidder (L1) is awarded the contract. However, in case of disposals, the process is reverse and the contract is awarded to the highest bidder (H1). Any service provider can be termed as a vendor whether providing service or supplying materials.
Hence vendor covers the entire gamut of service providers in this guide.

8. The purpose of this Guide is to provide members guidance regarding conduct of audit of tender process.
(i) This Guide should be read with other standards which elaborate other aspects relating to conduct of audit and reporting.
(ii) Tenders are very common for sourcing vendors for routine orders. The need for tender audit arises since the value of orders is large involving both capital and revenue purchase and due to inherent risk of wastage and fraud.
(iii) The Guide covers various aspects about tender – general aspects, types, stages and audit procedures.
(iv) At the end of each chapter, relevant extracts of CVC guidelines1 have been given for reference.

1 It may be noted that CVC guidelines apply primarily to enterprises covered under CVC Act, 2003. Its reference is drawn to make document more inclusive and also to serve as benchmark for better practices.

9. This technical guide does not cover following aspects:
(i) Tender process from vendor end;
(ii) Auctions;
(iii) Special audits; and
(iv) Investigations.

Chapter 1
General Aspects

Meaning

1.1 The word ‘Tender’ comes from the Latin word tendre which means to offer. Historically, when merchant ships arrived at a port of call, they would post a notice describing the goods they wished to buy or sell. This notice was delivered ahead of the ship by a tender—a small boat—and hence, the process is known as tendering.

1.2 Purchase/ Procurement is the acquisition of goods or services. It is favorable that the goods/ services are appropriate and that they are procured at the best possible cost to meet the needs of the purchaser in terms of quality and quantity, time, and location. Corporations and public bodies often define processes intended to promote fair and open competition for their business while minimizing exposure to fraud and collusion.
Definition

1.3 Legal definition of a Tender:
(i) to present to another person an unconditional offer to enter into a contract.
(ii) to present payment to another.
(iii) delivery, except that the recipient has the choice not to accept the tender. However, the act of tender completes the responsibility of the person making the tender.

A formal offer, as:
a. Law An offer of money or service in payment of an obligation.
b. A written offer to contract goods or services at a specified cost or rate; a bid.
2. Something, especially money, offered in payment.

Tender Function –
a: an act or instance of tendering
b: an unconditional offer of payment or performance (as in discharge of an obligation) that is coupled with a manifestation of willingness and ability to follow through (as by producing a check).

Details are given under legal principles in this chapter.

Party to Float Tender

1.4 In India, any individual, partnership firm, Limited liability partnership, corporate or a legal entity competent to contract can float a tender for goods and services from manufacturers/ service providers/ suppliers who should also be competent to contract and respond to tender invitation. Floating a tender and/ or responding to a tender does not per se amount to an offer and acceptance.

Purpose of Tendering

1.5 A tender is floated to ensure that the process of sourcing materials, services, etc. is conducted in a more transparent manner and value for money is obtained. The main criteria of a tendering process are as follows:
(i) A structured approach ensuring transparency and fair play
(ii) Value for money
(iii) Accountability.

1.6 The guiding philosophy of tendering process is same all over the world notwithstanding differences in methodology and nomenclature. This Guide is meant to explain the tendering process followed in India.
Keeping in mind the extensive level of computerization, in certain government departments, armed forces and business houses, the records, registers, etc. may be in softcopy format.

Advantages and Weaknesses of Tendering

1.7 The advantages of tendering include:
(i) Transparency;
(ii) Better negotiations/ better price;
(iii) An audit trail;
(iv) Compliance with the organization’s policy;
(v) Fairness to all parties;
(vi) The encouragement of competition;
(vii) The production of a written quotation, along with relevant supporting information, against a prescribed need;
(viii) An easier comparison of offers.

1.8 The weaknesses of tendering include:
(i) It can be bureaucratic.
(ii) It may provide a barrier for SMEs.
(iii) It can be a triumph of process over substance.
(iv) It can inhibit flair, creativity and innovation.
(v) It can be expensive for all parties e.g., the time and resource in preparation and evaluation of tenders.
(vi) It can inhibit negotiation.
(vii) Prices submitted are often inflated to allow room for negotiation.
(viii) Formation of cartels defeats the benefits of tendering.

Pre-Requisites for Tendering

1.9 A good specification is the only important factor in achieving value for money. It is vital when inviting tenders. Purchasing and supply management ensure the existence of an appropriate specification. Generally, the specification should be about output or outcome.

1.10 There are various elements that could comprise an invitation to tender (ITT) document such as:
(i) A covering letter providing instructions, e.g., labels to be used, return date, contact names and numbers etc., with some background to the requirement and also a statement that reads along the lines of "we are not bound to accept any, or the lowest tender".
(ii) In case of a limited tender, an acknowledgement form - to be returned stating whether or not the supplier is intending to submit a tender.
(iii) A cost, price and delivery schedule - to be completed with the price and corresponding costs component e.g., information to assist whole life costing along with the expected delivery or lead time.
(iv) A quality schedule - declaring which quality standards are met by the supplier.
(v) A Guarantee/ parent company guarantee/ performance bond to be completed as appropriate.
(vi) A list of information required on the supplier's company profile, certificates pertaining to registration with various statutory bodies.
(vii) A request for the supplier's company accounts for the last three years.
(viii) List of satisfied customers along with at least one reference.

Legal Principles Governing Tendering

1.11 A tender when accepted by both parties becomes a contract.

Contract

A contract is any agreement enforceable by law. The proposal or offer when accepted is a promise; a promise and every set of promises forming the consideration for each other is an agreement; and an agreement, if made with free consent of parties competent to contract, for a lawful consideration and with a lawful object, is a contract.

Proposal or Offer

When one person signifies to another his willingness to do or to abstain from doing anything, with a view to obtaining the assent of the other to such act or abstinence, he is said to make a proposal or offer. In a sale or purchase by tender, the tender signed by the bidders is the proposal. The invitation to tender and instructions to vendors do not constitute a proposal.

Offer versus Invitation to Treat

It is important to distinguish between an offer and an invitation to treat which, taken alone, will not lead to a contract. An invitation to treat is no more than an invitation to others to make an offer and cannot be accepted to make a contract.
In context of procurement, the issue of tender advertisements and requests for tender (RFTs) is usually considered an invitation to treat, and a tender is usually an offer. Although the tender invitation or RFT may be a mere invitation to treat, provisions in relevant codes of practice could result in the courts finding that a tender gives rise to a binding obligation of good faith and fair dealing in running the procurement process (requiring the inviter, for example, to give equal opportunity to vendors and evaluate the tenders as described in the RFT documents).

Acceptance of the Proposal

When the person to whom the proposal is made signifies his assent thereto, the proposal is said to be accepted. A proposal when accepted becomes a promise. Accepting an offer creates contractual relations between the parties. The acceptance is the act that completes the formation of the contract. Before acceptance, there is usually only a revocable offer that binds neither party. After acceptance, a contract is formed which binds both parties. The acceptance must be absolute and unconditional, and must indicate willingness to contract on the exact terms put by the proposer. An acceptance that seeks to add or vary some terms of the offer is, in law, no acceptance at all. In this case, the purported acceptance is treated as a counter offer, which can be accepted by the proposer.

Consideration

Contracts bargain move from the promisee contract where both for the other. Consideration is defined as “something of value given or promised in return for something of value given or promised.” Consideration cannot be:
(i) A mere moral obligation;
(ii) Past consideration;
(iii) Illusory; or
(iv) The performance or promise to perform either a public duty already imposed by law on the promisor or a duty already imposed on the promisor by an existing contract between the same promisor and promisee.
The consideration may not be adequate but must be sufficient. Where a standing offer agreement, such as a State Contracts Control Board (SCCB) period panel contract for goods and services, is created following a procurement process, there is usually no consideration paid by the inviter to the vendor. Instead, the standing offer agreement is made binding by putting it into the form of a deed.

Agreement

An agreement is a contract, enforceable by law when the following conditions are satisfied.
(a) Competency of the parties
(b) Freedom of consent of both parties
(c) Lawfulness of consideration
(d) Lawfulness of object
(e) Time is essence of contract and time elapsed
A defect affecting any of these renders a contract unenforceable.

Withdrawal of an Offer or Proposal

A vendor firm, who is the proposer, may withdraw its offer at any time before its acceptance, even though the firm might have offered to keep the offer open for a specified period. It is equally open to the bidder to revise or modify his offer before its acceptance. Such withdrawal, revision or modification must reach the accepting authority before the date and time of opening tender. No legal obligations arise out of such withdrawal or revision or modification of the offer. However, where a vendor agrees to keep his offer open for a specified period for a consideration, such offers cannot be withdrawn before the expiry of the specified date. This would be so where earnest money is deposited by the vendor in consideration of his being supplied the subsidiary contract and withdrawal of offer by the vendor before the specified period would entitle the purchaser to forfeit the earnest money.

Competency of Parties

1.12 Under law, any person who has attained majority and is of sound mind or not debarred by law to which he is subject, may enter into contracts.
It, therefore, follows that minors and persons of unsound mind cannot enter into contracts nor can an insolvent person do so.

1.13 Categories of persons and bodies who are parties to the contract may be broadly sub-divided under the following heads:

(a) Individuals: Individuals tender either in their own name or in the name and style of their business. If the tender is signed by any person other than the concerned individual, the authority of the person signing the tender on behalf of another must be verified and a proper power of attorney authorizing such person should be insisted on. In case a tender is submitted in a business name and if it is a concern of an individual, the constitution of the business and the capacity of the individual must appear on the face of the contract and the tender signed by the individual himself as proprietor or by his duly authorized attorney.

(b) Partnership: A partnership firm is an association of two or more individuals formed for the purpose of doing business jointly under a business name. It should be noted that a partnership is not a legal entity by itself, apart from the individuals constituting it. A partner has the implied authority to bind the firm in a contract coming in the purview of the usual business of the firm. The implied authority of a partner, however, does not extend to enter into arbitration agreement on behalf of the firm. While entering into a contract with a partnership firm, care should be taken to verify the existence of consent of all the partners to the arbitration agreement.

(c) Limited Companies: Companies are associations of individuals registered under Companies Act in which the liability of the members comprising the association is limited to the extent of the shares held by them in such companies.
The company, after its incorporation or registration, is an artificial legal person who has an existence quite distinct and separate from the members or shareholders comprising the same. A company is not empowered to enter into a contract for purposes not covered by its memorandum of association; any such agreement in excess of power entered into by the company is void and cannot be enforced. Therefore, in cases of doubt, the company must be asked to provide its memorandum for verification or the position may be verified by an inspection of the memorandum from the office of the Registrar of Companies before entering into a contract. Normally, any one of the Directors of the company is empowered to represent the company. Where tenders are signed by persons other than Directors or authorized Managing Agents, it may be necessary to examine that the person signing the tender is authorized by the company to enter into contracts on its behalf.

(d) Corporations other than Limited Companies: Associations of individuals incorporated under statutes, such as Trade Union Act, Cooperative Societies Act and Societies Registration Act are also artificial persons in the eye of law and are entitled to enter into such contracts as are authorized by their memorandum of association. If any contract has to be entered into with any one of such corporations or associations, the capacity of such associations to enter into contract should be verified and also the authority of the person representing the Association.

(e) Joint Venture (JV)/ Consortiums: Joint ventures and consortiums are generally engaged in large tenders; a JV/ consortium agreement should be obtained. For tenders submitted as Joint Venture/ Consortium, the turnover and working capital of each of the partners of the Joint Venture/ Consortium is added to determine the Bidder's minimum average annual turnover.
All the Partners of the Joint Venture/ Consortium are liable jointly and severally for the execution of the contract in accordance with the contract terms and a copy of the contract entered into by the Joint Venture/ Consortium Partners having such a provision is submitted with the Bid during the subsequent tendering. A firm/ company is entitled to form only one joint venture/ consortium under a tender.

Communication of an Offer or Proposal

1.14 The communication of a proposal is complete when it comes to the knowledge of the person to whom it is made. A time is, generally, provided in the tender forms for submission of the tender. Purchaser is not bound to accept a tender which is received beyond that time.

Communication of Acceptance

1.15 A date is invariably fixed in tender forms up to which tenders are open for acceptance. A proposal or offer stands revoked by the lapse of time prescribed in such offer for its acceptance. If, therefore, it is not possible to decide a tender within the period of validity of the offer as originally made, the consent of the vendor firm should be obtained to keep the offer open for further period or periods. Communication of an acceptance is complete as against the proposer, where it is put in the course of transmission to him, so as to be out of the power of the acceptor, and it is complete as against the acceptor when it comes to the knowledge of the proposer. The medium of communication in government contracts is, generally, by post and the acceptance is, therefore, complete as soon as it is posted. So that there might be no possibility of a dispute regarding the date of communication of acceptance, it should be sent to the correct address by some authentic foolproof mode like registered post acknowledgement due, etc. Lately, however, e-tendering is being made mandatory for government departments, agencies, PSUs, etc.
Discharge of Contracts

1.16 A contract is discharged and parties are normally freed from the obligation of a contract by due performance of the terms of the contract. A contract may also be discharged:

(a) By mutual agreement: If neither party has performed the contract, no consideration is required for the release. If a party has performed a part of the contract and has undergone expenses in arranging to fulfill the contract, it is necessary for the parties to agree to a reasonable value of the work done as consideration for the value.

(b) By breach: In case a party to a contract breaks some stipulation in the contract which goes to the root of transaction, or destroys the foundation of the contract or prevents substantial performance of the contract, it discharges the innocent party to proceed further with the performance and entitles him to a right of action for damages and to enforce the remedies for such breach as provided in the contract itself. A breach of contract may, however, be waived.

(c) By refusal of a party to perform: On a promisor’s refusal to perform the contract or repudiation thereof even before the arrival of the time for performance, the promisee may at his option treat the repudiation as an immediate breach putting an end to the contract for the future. In such a case, the promisee has a right of immediate action for damages.

(d) In a contract where there are reciprocal promises: If one party to the contract prevents the other party from performing the contract, the contract may be put to an end at the instance of the party so prevented and the contract is thereby discharged.

CVC Guidelines

1.17 As per CVC Guidelines circulated vide letter No. 8 (1) (h)/ 98 (1) dated 18.11.98, it has been brought out that “the tenders are generally a major source of corruption. In order to avoid corruption, a more transparent and effective system must be introduced.
As post tender negotiations are the main source of corruption, post tender negotiations are banned with immediate effect except in the case of negotiations with L-1 (i.e. Lowest Bidder)”. CVC has also issued guidelines on adoption of Integrity Pact (IP) which are given in Appendix 1.

1.18 Efforts should be initiated to bring transparency and fairness in the tendering process by the organization. This will enable the prospective vendors to formulate competitive tenders with confidence. The following are some important measures to achieve it and secure best value for money:

(a) The text of the tender document should be user-friendly, self-contained, comprehensive, unambiguous, and relevant. The use of terminology used in common parlance in the industry should be preferred.

(b) The specifications of the required goods should be framed giving sufficient details in such a manner that it is neither too elaborately restrictive as to deter potential vendors or increase the cost of purchase nor too vague to leave scope for sub-standard supply. The specifications must meet the essential requirements of the user department. Efforts should also be made to use standard specifications, which are widely used in the industry.

(c) The tender document should clearly mention the eligibility criteria to be met by the vendors, such as, minimum level of experience, past performance, technical capability, manufacturing facilities, financial position, ownership or any legal restriction, etc.

(d) Restrictions relating to qualifications in taking part in tender should conform to policies and be judiciously chosen so as not to suppress competition amongst potential vendors.
(e) The procedure for preparing and submitting the tenders; deadline for submission of tenders; date, time and place of opening of tenders; requirement of earnest money and performance security; parameters for determining responsiveness of tenders; evaluating and ranking of tenders and criteria for acceptance of tender and conclusion of contract should be incorporated in the tender enquiry in clear terms.
(f) Tenders should be evaluated in terms of the criteria incorporated in the tender document, based on which tenders have been received. Any new condition, which was not incorporated in the tender document, should not be brought into consideration while evaluating the tenders.
(g) Sufficient time should be allowed to the vendors to prepare and submit their tenders.
(h) Suitable provisions should be kept in the tender document allowing the vendors reasonable opportunity to question the tender conditions, tendering process, and/ or rejection of its tender and the settlement of disputes, if any, emanating from the resultant contract.
(i) It should be made clear in the tender document that vendors are not permitted to alter or modify their tenders after expiry of the deadline for receipt of tender till the date of validity of tenders and if they do so, their earnest money will be forfeited.
(j) Negotiations with the vendors must be severely discouraged. However, in exceptional circumstances, where price negotiations are considered unavoidable, the same may be resorted to, but only with the lowest evaluated responsive bidder (L1), and that too with the approval of the competent authority, after duly recording the reasons for such action.
(k) The name of the successful vendor to whom the contract is awarded should be appropriately notified by the purchase organization for the information of general public, including display at notice board, periodical bulletins, website, etc.

Chapter 2
Tendering – A Form of Procurement

2.1 Procurement (purchase) is the most essential part for any entity, both manufacturing and service concerns. It deals with acquisition of goods/ services. It is favorable that the goods/ services are appropriate and that they are procured at the best possible cost to meet the needs of the purchaser in terms of quality and quantity, time, and location. Enterprises define processes intended to promote fair and open competition for their business while minimizing exposure to fraud and collusion.

2.2 Every company should make its procurement plan. A procurement plan refers to the planned approach of cost-effectively purchasing a company's required supplies, taking into consideration several elements and factors, such as, the timeline for procurement, the funding and budget, the projected risks and opportunities, among others.

2.3 Planning for the most effective procurement systems should include looking for suppliers not only on the basis of which would give the cheapest and most inexpensive deals, but also the supplier that would be most reliable and would offer the best quality within a reasonable price range on a sustainable basis.

2.4 Procurement can be broadly divided into the following types:
[Figure: Procurement divided into Procurement of services, Procurement of labour, Procurement of material and Others; the figure also shows Vendor Management, Scrap Sales, and Maintenance & admin.]

2.5 Depending on the nature of the required goods, the quantity and value involved and the period of supply and frequency of purchase, the organization decides the appropriate mode of purchase. Various ways of procuring are common in organizations:
(i) Purchase without a purchase order. It is, generally, followed for petty purchases, where procurement value does not exceed a certain predefined limit. The purchase order could be generated in system for regularization. Normally, quotes are not called and negotiated.
Orders may be awarded based on previous order and negotiations, if any, may be oral in nature. Materials required on urgency basis (though not petty in value) can also be categorized under this head. However, care needs to be taken to check the repetitiveness of such purchases.
(ii) Purchase with purchase order. This process starts with receipt of requisition, calling of quotes, raising purchase order and ends with receiving materials. Based on the amount involved, quotes are called from a number of persons and negotiations are done. There is a trail of communication with the vendor available. Govt. departments/ agencies, railways, armed forces, PSUs have laid down delegation of authority (DOA) guidelines and Purchase Orders (POs) are placed following such DOAs only through a tendering process. It is also called traditional purchase process since it might not involve any system intervention.
(iii) Rate contracts. Rate contracts are entered where the quantum of purchase is small and it is a routine purchase. Normally, they are entered for a fixed period of one year and negotiated annually. At times, discounts are linked to the quantum of purchase; this needs to be taken care of, especially in rate contracts.
(iv) Tenders. Tender is followed normally for high value items, though not necessarily, and can be routine or not. The costs and time involved in the tender process must also be considered while selecting it as the method of purchase.

2.6 Following table illustrates the criteria that may be adopted by an enterprise to decide the means of procurement:

Frequency of purchase | Price of goods/services procured: Low price & quantum | Medium price | High price
Routine | Purchase without PO, Rate contracts | PO purchase | Tender
Non routine | PO purchase | PO purchase | PO purchase, Tender

What quantum of price constitutes low, medium and high is to be decided by the enterprise depending on its size and nature of industry.

2.7 At many organizations, there are monetary limits, and the demand for goods should not be divided into smaller quantities for making piecemeal purchases for the sole purpose of avoiding the necessity of obtaining the sanction of higher authority required with reference to the estimated value of the total demand.

2.8 Timing of procurement is of utmost importance. It is essential that tenders are finalized and contracts are awarded in a time bound manner within original validity of the tender, without seeking further extension of validity, to prevent cost overruns. Organizations should fix a reasonable time for the bids to remain valid while issuing tender enquiries, keeping in view the complexity of the tender, time required for processing the tender and seeking the approval of the Competent Authority, etc., and to ensure the finalization of tender within the stipulated original validity.

2.9 Delays which are not due to unforeseen circumstances should be viewed seriously and prompt action should be initiated against those found responsible for non-performance. Cases requiring extension of validity should be rare and in the exceptional situations where the validity period is sought to be extended, it should be imperative to bring on record in real time, valid and logical grounds, justifying extension of the said validity.

CVC Guidelines

2.10 CVC has issued guidelines in its circular no. 007/CRD/008 dated 15/2/2008 regarding measures to curb the menace of counterfeit and refurbished IT Products. The relevant extract of the said circular is as follows:

All buyers should insist on a signed undertaking from some authority of the system OEM that would certify that all the components/parts/ assembly/ software used in the Desktops and Servers like Hard disk, Monitors, Memory etc.
were original/ new components/ parts/ assembly/ software, and that no refurbished/ duplicate/ second hand components/ parts/ assembly/ software were being used or would be used, so that the buying organizations are not cheated and get the original equipment as ordered by them. Also one could ask for ‘Factory Sealed Boxes’ with System OEM seal to ensure that the contents have not been changed en route.

Following advisory checkpoints it is hoped shall help identify the fraudulent practices that have come to notice and help guard against spurious and refurbished/ duplicate/ second hand components/ parts/ assembly/ software being received by purchasers and consignees who receive such goods and may not have much technical knowledge.

1. CPU. Buyers are cautioned against buying IT Hardware with remarked CPUs that are freely/ readily available in the market today. Entry Level processors get Remarked/ Over clocked and sold as high end processors. These CPUs come disguised as higher clock speed processors (e.g. a Celeron CPU can be remarked as a P4 CPU) while their real clock speed may be lower. Since Operating System is loaded from CD bundled with Motherboard, the CD contains image of configured OS. Hence information as seen in ‘My Computer’ – ‘System Properties’ shall give deceptive information. In other words, a Celeron CPU remarked as a P4 CPU, shall be seen as a P4 CPU only. Buyers should therefore, use various tools/ utilities like the ‘CPU-Z’ Utility or the ‘sSpecNo.’ for ascertaining the real parameters of the CPU. Utilities like CPU-Z (approx. 1.3 MB size) are available free on the web.

2. Hard Disk. IT Hardware with refurbished Hard Disks that are actually 2nd hand/repaired hard disks are readily available at low cost. In hard disk drives, the factory repaired hard disk drives, which are mainly used in the warranty replacements are substituted in the new machines.
Same is the case observed with floppy drive and Optical disk drives many times. Most of the competent hard disk makers use a sticker on such hard disks sold by them that clearly distinguishes such hard disks from the fresh ones. There is no border or Refurbished label on genuine new HDD. In addition to this, buyers may also use HDTUNE_210 Utility. This utility shall return Hard Disk Manufacturers’ Serial no. and Date of manufacturing of the Hard Disk. These parameters can be used to cross-verify with the hard disk vendor. Various Hard Disk vendors also put a date code on the hard disk. A mismatch between this date and the one returned by HDTUNE_210 Utility can also be viewed as tampering with the actual information of the hard disk.

3. Monitors. IT Hardware with refurbished Monitors that are actually 2nd hand/repaired monitors are given a “new look” by changing the body, with internal components remaining “old/ repaired”. These CRT monitors are usually discarded from developed countries like US and Europe. There are also B Grade (New but Low Quality) CRT Monitors used in place of new monitors. Many times these can be distinguished by opening the cabinet body and noticing that the label on the tube does not carry various certifications and there are scratch marks on the tube. While ‘Genuine’ Picture Tubes have all mandatory Certifications, ‘Counterfeit’ Picture Tubes would not have these certifications. Certification gives an assurance of Reliability. In ‘B’ Grade LCD Monitors, panels used are B grade in which the number of spots may be higher, response time & brightness of lower specs than what is stated. Above monitors are all available at low cost. The “Signed Undertaking” as suggested shall serve as a deterrent and as a safeguard to ensure that bidders are not fleecing them by supplying such monitors.

4. Operating System.
Purchasers should check the IT Hardware supplied (randomly selected IT Hardware) for Certificate of Authenticity (COA) pasted on the PC for product serial number and OEM’s/ Supplier’s name to be printed on it. In Operating systems, pirated OS software with fake Certificates of Authenticity is used by some suppliers to cut costs. They look as good as the real ones. In PCs, counterfeiters buy legitimate software and copy the box design and packaging. Using sophisticated and expensive copiers, many copies of illegal CDs are created in a day. Purchasers should guard against buying IT Hardware with pirated copies of Operating Systems. Such Operating Systems, though available at low prices, do not have the updated patches and security features that help safeguarding the PC and also improve its lifespan. Purchasers, therefore, may use the standard testing procedures (randomly on randomly selected IT Hardware) available on the following URL for ascertaining the authenticity of the operating system installed on their PC: http://www.microsoft.com/resources/howtotell/ww/windows/default.mspx. Microsoft provides an inbuilt tool to diagnose the “Genuineness of its Operating System”. One could go to ‘My Documents’, and ‘Help’, from where one shall get step by step instructions to find out whether the Windows installed is genuine. http://www.microsoft.com/resources/howtotell/ww/windows/default.mspx

5. Mechanical Keyboards. Fake mechanical keyboards that are partially mechanical, with only the key plunger being that of a real mechanical keyboard and rest of the keyboard features remaining the same as those of membrane keyboard are being passed on as true mechanical keyboards. While these keyboards are available at low prices, they do not offer the robustness and long key-stroke life expected of a real mechanical keyboard.
Real Mechanical Keyboards are expected to have Keystroke life of 50 Million as against 10 million for Membrane and Semi-Mechanical Keyboards. In case of bulk orders, it is recommended to physically examine a few keyboards for their construct to ascertain the genuineness of their being real mechanical keyboards.

6. Low Quality Memory Module. Memory chips are remarked or downgraded wafers are plastic packed under unknown brands or remarked with names of well-known brands. Such memory modules have lower performance levels. It is better to go in for proven reputed brands available in the market.

7. Fraudulently Marked SMPS. In power supplies, wrong marking of the wattage is done. The power supplies do not carry all required certifications. While ‘Genuine’ Power supplies carry all mandatory certifications, in counterfeit Power supplies these certifications shall be found missing. Further, short circuit & over voltage protection circuitry could be missing in counterfeit Power Supply to reduce cost.

8. Counterfeited Consumables. Counterfeited consumables such as printer cartridges etc. are used which are refilled with ink of poor quality leading to poor performance and clogging, smudging in printers etc. It is advisable to buy such consumables from OEM authorized suppliers or distributors to ensure quality and longevity of the printer equipment.

Chapter 3
Types of Tender

Types of Tender

3.1 Taking into account various factors like technical complexities, availability/ suitability of services/ materials/ products, monetary implications, gestation period, validity period of contracts, distribution of risk, urgency of completion, economy and overall cost of operation etc., the type of tender to be floated is decided. Depending on the nature, complexity, value and scope, a tender may be a single bid, two-bid or even a multi-bid tender.
Respondents are screened for eligibility through evaluation of credential and/ or technical bids. Thereafter, financial bids are opened.

3.2 Though nomenclature may vary from industry to industry, tenders may broadly be classified as:
(i) Global Tender
(ii) Public Tender, Deemed Public Tender
(iii) Limited, CAPEX/ Regional/ Zonal Tender
(iv) Single Tender or Tender on Nomination Basis
(v) Lump sum Turnkey Tender
(vi) Tender on LOT system
(vii) Tender on Percentage Basis
(viii) E-Tender
(ix) International Competitive Bidding (ICB)/ National Competitive Bidding (NCB)
(x) Request for Proposal (RFP)/ Expression of Interest
(xi) Request for Quote (RFQ)
(xii) Corrigendum
(xiii) Addendum
(xiv) Open Bid

Global Tender

3.3 A global tender is usually floated when:
(a) The technology/ service/ product/ material is not available in the country or it makes economic sense to import rather than produce indigenously.
(b) There are different technology platforms that can be evaluated against the requirements.
(c) There is a potential of technology transfer.
(d) The scale of procurement justifies the cost of tendering in terms of expenditure, social/ political/ economical/ security exigencies.

3.4 Such tenders are subject to import and other relevant policies of the government in force. Though most likely an open tender, a global tender in specific circumstances may be limited in nature as well. The tender notice covers all such conditionality and pre-requisites.

Public Tender (PT), Deemed Public Tender

3.5 The terminology means that it is a tender open to public for participation subject to the terms and conditions of the tender. The term “public” encompasses individuals and enterprises alike. In Open Tender anyone can participate. The participant has to ensure that they fulfill the minimum pre-qualification criteria specified in the tender document to qualify.
If they do not meet the pre-qualification criteria, their bid will be rejected and they will lose the document fees they have paid. It is necessary that Open Tender is advertised in newspaper. The Lowest Bidder (L1), generally, wins the contract.

3.6 Depending on the requirements, a public tender may be a single bid, a two-bid or even a multi-bid tender. For purchasing capital equipment, high value plant, machinery, etc. of complex and technical nature, tender enquiry document, complete in all respects, may be issued as usual. However, the vendors should be asked to bifurcate their quotation in two parts. Such tender notices usually specify eligibility parameters.

3.7 Sometimes from earlier experience, an enterprise may have adequate data on entities capable of execution. In such cases, instead of floating a fresh public tender, an enterprise may ask for quotations from empanelled entities. It is usually done to economize on expenses and time while at the same time ensuring transparency, quality and implementation. Enterprises that resort to deemed public tenders usually have a sound tendering system and procedure in place to take care of charges of favoritism and other legal implications.

Limited Tender (LT), CAPEX/ Regional/ Zonal Tender

3.8 Where there is no time or need to float a public tender or it is not proper to float a single tender and at the same time the enterprise has a pool of tested material/ service providers, a limited tender is called. A deemed public tender is usually floated as a sequel to a PT; it is not to be confused with an LT. An LT is floated for repetitive jobs not involving high technological requirements, usually not of a huge monetary implication but requiring the vendors to have requisite experience of working with/ for the enterprise. An LT may also be floated to vendors short-listed and empanelled. Enterprises should have approved policies and procedures for calling an LT.
A minimum number of vendors are usually prescribed for floating an LT. Care needs to be exercised to prevent impersonation in LTs.

3.9 A variant of an LT may be in the form of a CAPEX/ Regional/ Zonal tender. Nomenclature may vary from industry to industry or in enterprises in the same industry. It may be necessary to roll out projects/ facilities involving standard design, technology etc., in different regions/ zones, etc. Capital budgets are usually centrally controlled, allocated and monitored. Job/ material requirements are standardized, vendors/ service providers are short-listed through an internal process of due diligence. Work schedules, departmental estimates are also standardized. In such cases, instead of going through a PT, short-listed vendors are asked to submit their quotes which are evaluated against departmental estimates.

3.10 For the sake of transparency, an enterprise should have a laid down procedure for short-listing of vendors, exclusion from or inclusion in such lists.

Single Tender (ST) or Tender on Nomination Basis

3.11 Obtaining quotation by issuing single tender enquiry to a selected source amounts to purchase without generating competition. Therefore, this mode of purchase should be resorted to only in unavoidable situations. Single Tender, whenever possible, should be avoided. However, in cases of emergencies, proprietary/ specialized jobs, absence of other vendors for specialized job/ specific material, jobs of small value/ field offices, locations, etc. a single tender is floated. Concurring and approving authority should be careful with the justification while concurring and/ or approving. Proprietary Article Certificate needs to be collected while purchasing on single tender basis. Purchase through STI may be adopted when:
(i) It is in the knowledge of the user department that only a particular firm is the manufacturer of the required goods.
The reason for arriving at this conclusion is to be recorded and approval of the competent authority obtained.
(ii) In a case of emergency, the required goods are necessarily to be purchased from a particular source subject to the reason for such decision being recorded and approval of the competent authority obtained.
(iii) For standardization of machinery or components or spare parts to be compatible to the existing sets of machinery/ equipment (on the advice of a competent technical expert and approved by the competent authority), the required goods are to be purchased only from a selected firm.

Lump Sum Turnkey Tender (LSTT)

3.12 Large projects, like, construction of dams, highways, airports, etc. involve a long gestation period, synergy of intricate technologies, huge capital expenditure over a period of time while guarding against time and cost overruns. Established service providers with requisite expertise, resources and market standing are invited together to participate in such tenders for execution and delivery on a turnkey basis. LSTKs are usually global or public tenders. In exceptional cases, it may be an LT too. This is a way of outsourcing the different components of deliverables in giant projects. The major service provider chosen at the end of the selection process awards sub-contracts, co-ordinates all activities, delivers and gets compensated as per the terms and conditions of the contract.

Tender on LOT System

3.13 In some cases, such as, large transportation, building, material procurement contracts, job may have to be awarded to more than one vendor at a time. Geographical spread, capacity constraint, spreading of risk, QC facilities, etc. may be some of the reasons for award of jobs on lot basis. Entities awarding such tenders have their own internal procedures and control system for awarding such tenders.

Tender on Percentage Basis

3.14 At times, tenders on unit rate basis for a number of items are to be floated. Tenders are evaluated by comparing the total of quoted amounts with departmental estimate. These tenders may be PT or LT. Experience tells that at times rates quoted by vendors may differ significantly. It may so happen that the overall lowest bidder might quote unusually high rates against certain items. In such case, acceptance of such bids becomes tricky, open to audit comments or even vigilance reports.

3.15 To avoid such situation, rates are furnished in the tender on the basis of departmental estimates. Vendors are required to quote in percentage plus or minus with respect to the estimates. Abnormal variations are avoided. Chances of change in status of vendors due to change in quantity of any item become less. It makes preparation of comparative statements, work orders, revision, if any, required easier.

E-Tender

3.16 Purchase of goods through electronic mode of interface with vendors and IT enabled management of the entire procurement process (notice inviting tenders, supply of tender documents, receipt of bids, evaluation of bids, award of contract, and execution of contract through systematic enforcement of its various clauses and tracking of claims, counter-claims and payments) is gradually gaining popularity. It helps to cut down transaction costs and improve efficiency and transparency.

3.17 The internal auditor should ensure that the IT platform is secure, addressing concerns like encryption/ decryption of bids, digital signatures, secure payment gateways, date/ time stamp for activities, access control, etc. The system should be secure, capable of maintaining complete confidentiality at appropriate stages of the bidding process.
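
One way an auditor could test the controls named in paragraph 3.17 against a platform's activity log, given here as an added example that is not part of this Guide or of any e-tendering product. The log layout, event names (SUBMIT, DECRYPT), user names, dates and bid contents are all constructed assumptions.

```python
"""Audit replay of an e-tender activity log (all sample data is constructed)."""
import hashlib
from datetime import datetime

# Constructed tender parameters: closing time for bids and scheduled opening.
CLOSING = datetime.fromisoformat("2015-01-20T15:00:00+05:30")
OPENING = datetime.fromisoformat("2015-01-20T15:30:00+05:30")
# Hypothetical user ids allowed to decrypt bids (access-control list).
AUTHORISED_OPENERS = {"committee_member_1", "committee_member_2"}


def digest(blob: bytes) -> str:
    """SHA-256 of the encrypted bid envelope as held by the platform."""
    return hashlib.sha256(blob).hexdigest()


def event(ts, kind, vendor, user, blob):
    """Build one log record; the timestamp is the platform's date/time stamp."""
    return {"ts": datetime.fromisoformat(ts), "kind": kind,
            "vendor": vendor, "user": user, "sha256": digest(blob)}


# Constructed log: A is decrypted early by a clerk, B's envelope differs at
# opening from what was submitted, C arrives after closing and is still opened.
SAMPLE_LOG = [
    event("2015-01-20T14:10:00+05:30", "SUBMIT", "VENDOR-A", "vendor_a", b"sealed bid A"),
    event("2015-01-20T14:50:00+05:30", "SUBMIT", "VENDOR-B", "vendor_b", b"sealed bid B"),
    event("2015-01-20T14:55:00+05:30", "DECRYPT", "VENDOR-A", "purchase_clerk", b"sealed bid A"),
    event("2015-01-20T15:04:00+05:30", "SUBMIT", "VENDOR-C", "vendor_c", b"sealed bid C"),
    event("2015-01-20T15:31:00+05:30", "DECRYPT", "VENDOR-A", "committee_member_1", b"sealed bid A"),
    event("2015-01-20T15:32:00+05:30", "DECRYPT", "VENDOR-B", "committee_member_2", b"sealed bid B, revised"),
    event("2015-01-20T15:33:00+05:30", "DECRYPT", "VENDOR-C", "committee_member_1", b"sealed bid C"),
]


def audit(log, closing, opening, authorised):
    """Replay the log in time order and return (vendor, finding) tuples."""
    findings = []
    on_time = {}  # vendor -> hash of the last envelope received by closing
    for e in sorted(log, key=lambda rec: rec["ts"]):
        vendor = e["vendor"]
        if e["kind"] == "SUBMIT":
            if e["ts"] > closing:
                # A late bid or a post-deadline alteration must not replace
                # the envelope on record.
                findings.append((vendor, "SUBMITTED_AFTER_CLOSING"))
            else:
                on_time[vendor] = e["sha256"]
        elif e["kind"] == "DECRYPT":
            if e["ts"] < opening:
                # Confidentiality broken before the bid-opening stage.
                findings.append((vendor, "DECRYPTED_BEFORE_OPENING"))
            if e["user"] not in authorised:
                findings.append((vendor, "DECRYPTED_BY_UNAUTHORISED_USER"))
            if vendor not in on_time:
                findings.append((vendor, "OPENED_WITHOUT_TIMELY_SUBMISSION"))
            elif e["sha256"] != on_time[vendor]:
                # Envelope read at opening is not the one received on time.
                findings.append((vendor, "ENVELOPE_CHANGED_AFTER_SUBMISSION"))
    return findings


if __name__ == "__main__":
    for vendor, finding in audit(SAMPLE_LOG, CLOSING, OPENING, AUTHORISED_OPENERS):
        print(vendor, finding)
```

The replay is only as reliable as the log itself, so the auditor should separately confirm who can write to or edit the activity log and where its timestamps come from.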

3.18 However, since not all the tendering firms have the facility of transmitting their quotations through e-mail, companies allow the receipt of quotations through hard copies as well as by e-mail. The closing date and time for receipt of tenders should be identical for both types of tenders.

3.19 It is, however, to be kept in mind that the entity floating a tender and awarding a tender remains liable and responsible as the principal employer. Hence, scrutiny of the legalities in tenders is crucial and an internal auditor should be aware of his responsibilities in this regard.

International Competitive Bidding (ICB)/ National Competitive Bidding (NCB)

3.20 International Competitive Bidding (ICB) is a bidding in which companies from outside India can also participate. National Competitive Bidding (NCB) restricts the right to participate to Indian bidders only.

Request for Proposal/ Expression of Interest

3.21 In Request for Proposal (RFP), a company is supposed to submit only the Technical proposal. Indicative price bid can also be invited, if so required by Buyers. Once the RFP round is over, RFQ or Request for Quote can be invited from shortlisted Bidders.

3.22 Another purpose of RFQ is to understand the current technology available in the market. For example, if a new power plant is to be built, the government can float an RFP stating that it wants to build a 1000 MW power plant, and different bidders will submit their responses stating that they can build either a Thermal, Nuclear, Solar, Fuel or Coal based plant. On the basis of the responses from different bidders, the buyer will select one of the technologies and then float a fresh tender or just invite bids from pre-qualified bidders.

Request for Quote

3.23 In RFQ, a company has to submit their best offer and on the basis of this decision, the contract is awarded.
For example, if someone wants to buy 1 Window AC, only RFQ is floated because no Technical pre-qualification is required as it is a standard product.

Corrigendum

3.24 If any change/ correction is to be made in Tender Notice or Tender Document, the same can be made by issuance of corrigendum. Please note that Corrigendum can only be issued before the due date and time of tender submission expires. Against a tender, any number of corrigenda can be issued. Corrigendum is issued after pre-bid meeting to post clarifications.

Addendum

3.25 If any new content is to be incorporated in Tender Document, the same is done by means of issuance of Addendum. However, in many Tenders, it is also done by issuing a corrigendum notice.

Open Bid

3.26 All the tendering vendors would be invited to the e-commerce website at the same time to post the bid, wherein no vendor will know the bids of other vendors because of technology. The system itself throws out the specifications as to which tender is chosen based on the price and other parameters.

Chapter 4
Stages of Tendering Process

4.1 The Tendering Process covers the following steps:
(i) Preparation of tender documents
(ii) Floating a tender
(iii) Issue of tender documents
(iv) Pre-bid conference
(v) Receipt of bids Tender Quotations
(vi) Scaling and making of tender
(vii) Opening and tabulating bids
(viii) Evaluation of price
(ix) Lack of competition
(x) Rejection of Tender
(xi) Scrutiny of tender documents and attachments
(xii) Awarding a Work Order (WO) or a Purchase Order (PO)
(xiii) Securities and Collaterals, Staggered payments and Liquidated Damages
(xiv) Final Settlement

Pre-Tender Process

4.2 One of the most important parts of pre-tender process is appointment of selection team. Selection team should consist of independent members from diverse fields concerning the decision. Tendering method is finalized at this stage.
All specifications concerning the decision are finalized and key selection criteria are also decided. As part of the preparation work, and before any tender is advertised, the procuring department requires a realistic estimate of the cost expected to be incurred and should also check whether the same is within budgeted limits. Decision-making criteria need to be documented and must be clear, justifiable and objective (with a written record), with no room for discretion at any time, especially in the evaluation and comparison of the bids.

Preparation of Tender Documents

4.3 A tender involves expenditure. Now-a-days many of the techno-commercial enterprises are run on RDBMS platforms, like, SAP. Budgetary provision and cash outlay become a pre-requisite to enable a tendering process through the system to be taken forward. Tenders for items of capital nature are usually large and require sanction in capital budget and adequate provision for cash outlay for the period starting with floating of a tender to conclusion of procurement and final settlement. Tenders for items of revenue nature need revenue budget approvals and cash outlay for the relevant revenue time frame.

4.4 A tender document is the basic document in the tendering process, defining all the requirements, rights and liabilities, legalities, deliverables, time limit, damages and payment process, etc. Utmost care is to be taken in preparation of tender documents. A tender may comprise of:
(i) An administrative section: An administrative section may inter alia include:
(a) the exclusion criteria
(b) the eligibility criteria again based on
• compliance of the statutory requirements and production of documentary evidence.
• the technical and/or professional capacity criteria.
• the financial, economic capacity criteria.
(c) An instruction that all the pages of tender document should be read and understood and require to be signed and stamped to that effect.
(d) No white ink is to be used, any correction is to be neatly struck off, clearly re-written and countersigned. A notification that tenders must be submitted within the time and date specified. Any tender submitted late or in an open envelope will be rejected.
(ii) A technical section: A technical section contains:
(a) The technical specifications of the work to be done.
(b) The technical specification of the materials to be procured.
(c) Documentary proof of the technical capability to deliver.
(iii) A financial section: The financial section specifies:
(a) The financial implication and structure of the tender.
(b) Payment schedules.
(c) Clauses relating to damages and penalties.
(d) Documentary proof required to establish financial capacity.

4.5 A draft tender document should, therefore, be scrutinized by concerned functions and vetted by legal department or counsel. A tender once floated, responded and the offer accepted becomes a contractual obligation between both the parties. Issuing a corrigendum after floating a tender is a sloppy business practice, better avoided.

4.6 A tender document could consist of the following:
(i) Index of contents with page numbers. There may be different chapters but all the pages should be serially numbered.
(ii) Notification/ letter inviting the tender.
(iii) List of pre-qualification criteria.
(iv) Format of letter requesting issue of tender documents.
(v) General conditions of work/ service/ purchase requirements.
(vi) Requirement and format of collaterals, like, security deposit (SD), earnest money deposit (EMD), bank guarantee (BG), etc.
(vii) Work schedule, purchase schedule.
(viii) Technical specifications.
(ix) Time schedule.
(x) Clauses related to liquidated damages for delay, defect, non-performance, etc.
(xi) General and/ or special instruction to the respondent.
(xii) Agreed terms and conditions (usually in a questionnaire form).
(xiii) Price/ billing/ payment schedule format.
(xiv) Any other special conditions.
(xv) List of Board of Directors or web address link.
(xvi) A format of declaration by a vendor that he had read and understood the tender requirements and conditions.
(This is an indicative, not an exhaustive list)

4.7 Government departments, PSUs and other corporates usually have printed tender documents/ booklets that have been finalized after collective consultation, bear approval of the competent authority and have been standardized. Any deviation in content and tendering methodology introduced by the related function should be concurred by finance and vetted by the legal department or counsel. A tender to be floated should have the approval of the HOD of the related function.

4.8 Concept notes, observations, replies, concurrence and approval must be serially numbered. Each page of the concept note should be signed by the initiator. If a file has separate sections or volumes, these are also to be numbered separately and serially with appropriate prefixes/ suffixes as required. A top sheet called the movement sheet traces the journey of the file. A repeat order proposal should come as a part of the original order.

Floating a Tender

4.9 A notice inviting tenders (NIT) needs to be published in leading daily newspapers, put on the web or given to potential respondents. Depending on the type of tender, the notice may take different forms. For example, in case of petty office jobs, a notice may be pasted on the office notice board. For a single tender, the vendor can be called and handed over the tender papers.

4.10 For a Limited Tender, documents can be sent by registered post to empanelled vendors. Tender papers are to be sent to all nominated vendors through the same medium and at the same time.
A register or list is maintained. If tender documents are physically handed over, then a signed and stamped acknowledgement is to be taken. A list of authorized signatories of empanelled vendors is required to be maintained. If sent by registered post/ courier, postal/ courier receipts with date and time are usually pasted against the name and address of each addressee. In other words, irrefutable documentary evidence of dispatch of tender documents to each vendor with the same time allowance is to be maintained.

4.11 In case of a Public Tender, advertisement has to be given in at least two widely circulated daily newspapers, one of which should be in English and the other should be in the local language. In case of an all India Public Tender, advertisements are given in all major newspapers covering the country. Nowadays, tenders are posted on the department or company website. The process of e-tendering is different from tendering through tender papers. Each and every respondent must be, in a visible and documented manner, given equal opportunity to participate.

4.12 A tender notice should specify the following particulars:
(i) Description of the work to be awarded or the material to be procured.
(ii) Cost of tender papers payable either in cash or by an account payee banker’s cheque/ demand draft.
(iii) Place, date, time of selling tender papers.
(iv) Place, date, time for submission of tender papers.
(v) Amount of earnest money to be deposited along with tender papers.
(vi) Pre-qualification criteria, if any.
(vii) List of other documents to be submitted with tender papers. Usually, photocopies of the documents are asked for along with originals to verify at the time of opening of tenders.
(viii) Office/ authority to whom tender is to be submitted.
(ix) An instruction that the tender papers along with attachments/ enclosures are to be submitted in a sealed envelope clearly superscribed with tender name, number and date, time of opening of tender. Envelopes are either supplied with tender papers or the size, type, etc. of envelopes are specified. Technical and price bids may be required to be submitted in different sealed envelopes and all such envelopes are to be put in another sealed envelope.
(x) Tender notice usually contains a provision of a right to reject any tender or any part thereof so received without assigning any reason. However, except in case of petty tenders, such a disclaimer may not lend any meaningful protection from complaints from unsuccessful vendors. With the introduction of RTI, in particular, it is very much inadvisable to modify, withdraw or scrap tenders once floated and more so after submission.
(This is an indicative, not an exhaustive list)

Tendering Process

4.13 Here the decision is taken about the advertising date, tender validity period, closing, venue, date and time. The tender is advertised and tenders are received. Controls need to be evaluated on the process of receipt of tenders at the designated office location.

Issue of Tender Documents

4.14 Tender documents are, generally, issued against a tender fee to be deposited by vendors desirous of participating in a tender either in cash or by an account payee banker’s cheque/ demand draft. A cash receipt is to be issued to the payer. A register must be maintained by the department concerned listing out the details of the prospective vendors that have been issued tender papers. Some companies exempt Government departments, agencies, PSUs and small scale industries registered with NSIC from tender fees.

Pre-bid conference

4.15 In case of large and complicated tenders, a pre-bid conference may be held.
For Limited Tenders and Single Tenders, holding a pre-bid conference may not be difficult as the details of empanelled vendors are known and they can be called. In case of global tenders, however, it is not easy. So, wherever a need for a pre-bid conference is felt, details of venue, date, time, etc. must be specifically mentioned in the tender documents. Some of the benefits of such a pre-bid conference are as follows:
(i) All techno-commercial issues can be discussed and clarified.
(ii) If there is a possibility that vendors may come up with counter conditions on commercial or technical matters, or both, a pre-bid conference helps in sorting out the issues and putting in disclaimer clauses in the bid documents to the effect that any counter condition or deviation will render a quotation to be summarily rejected.
(iii) Sometimes the entity floating a tender may be aware of its requirements but may not be fully knowledgeable about different and emerging technologies. In such a scenario, it may not be possible to specifically or comprehensively define the technicalities, which may leave a scope of ambiguity. It may also be possible that the vendors are more knowledgeable about the emerging or state of the art technologies and processes, which may differ from one to another. In such a scenario, it is always advisable to hold a pre-bid conference. On one hand, the entity floating the tender may get a better insight into the technologies best suited for its purpose and may introduce suitable amendments in the tender documents with unanimous agreement in writing of the participants in such a meeting; on the other, such an interactive exercise helps in creating a level playing field for all the participants.
(iv) A reasonable time interval is to be allowed between the last date of sale of tender documents and the pre-bid conference.
(v) Minutes of the conference are to be prepared and got signed by all participants with date and time.
(vi) If necessary, revised date and time of submission and opening of tenders are to be decided and intimated in writing to all participants under acknowledgement.
(vii) Vendors absent from such a conference are to be notified in writing or through mail on similar lines.
(viii) All vendors are to be categorically advised that except for the deviations, etc. agreed to in the conference no other deviations will be allowed; otherwise bids will get summarily rejected.
(ix) No discussion on NIT qualifying clauses is to be held in a pre-bid conference.

Receipt of Tender Quotations

4.16 The Notice Inviting Tender (NIT) must specify the place, date and time limit for the quotations to be submitted. In case of e-tendering, the place is substituted by an email address. However, in case of e-tendering, a specified number of hard copies of quotations and supporting papers are also required to be submitted. There should be no confusion in receipt of quotations so that nobody can complain of partiality or obstruction.

4.17 A locked and sealed box or trunk with a hatch/ aperture for dropping tenders is kept at a prominent place in the office of the designated officer. If tender papers are too bulky, a separate room with suitably restricted access may be arranged. The empty box/ trunk/ room should be inspected before it is put to use. It is to be clearly marked with the details of the tender concerned. A double locking system requiring simultaneous use of two keys should be used. The keys to the box are kept in a closed and sealed cover with the designated officer till the opening time.

4.18 Tender papers received by post within the notified time limit should be immediately acknowledged, the date and time of receipt recorded and the tender papers dropped in the tender box.
The opening/ aperture in the tender box/ room is to be immediately sealed/ closed once the notified time limit is over.

4.19 To avoid confusion and counter claims, tender boxes, tender rooms and tender dropping and opening processes are monitored through CCTVs in certain organizations. The video recordings are preserved till conclusion of the tendering process and completion of the project.

4.20 It is the responsibility of the concerned department to build up a tender file starting with departmental/ Head Office/ Corporate Office approval, as the case may be, advertisements in newspapers, proof of dispatch of tender documents, receipt of bids and all other related papers and correspondence.

4.21 There should not be more than ½ an hour time gap between the time limit of submission of tender papers and opening of the tender. A tender opening committee (TOC) is nominated to oversee the tender opening process. A tender box should be inspected by TOC to ensure that the seal/ lock is intact before opening it.

4.22 In case the designated tender opening day happens to be a closed day, the tender should be opened at the same place and time on the next working day. If possible, a notice/ mail to this effect may be given to concerned vendors. Such postponements need to be brought to the notice of the competent authority and approved by them. A tender is to be opened in the presence of all the respondents.

Sealing and Marking of Tenders

4.23 The tender document is to indicate the total number of tender sets (e.g., in duplicate or in triplicate, etc.) required to be submitted. The vendor is to seal the original and each copy of the tender in separate envelopes, duly marking the same as “original”, “duplicate” and so on and also putting the address of the purchase office and the tender reference number on the envelopes. Further, the sentence “NOT TO BE OPENED before (due date and time of tender opening)” is also to be put on these envelopes.
The inner envelopes are then to be put in a bigger outer envelope, which will also be duly sealed, marked, etc. as above. If the outer envelope is not sealed and marked properly as above, the purchaser will not assume any responsibility for its misplacement, premature opening, late opening, etc. All the above instructions are to be suitably incorporated in the tender documents.

Evaluation Stage

4.24 Here, tenders are assessed for conformance with tender requirements, and late or non-conforming tenders are rejected. Key selection criteria and agreed weights are applied to conforming tenders to identify the best value tender as the preferred tender.

Opening and Tabulating Bids

4.25 In government departments and PSUs, by practice, a tender opening committee (TOC) is nominated to open the tenders submitted within the stipulated date and time. Time and date of opening a tender, unless already extended with due notification to all concerned and with approval of the competent authority, must be maintained without any exception to avoid complications. Any deviation for any reason whatsoever must be got approved by the competent authority and notified to all concerned. TOC usually comprises an officer from function and one officer from finance.

4.26 Function and responsibility of a TOC may, generally, be described as below:
(i) To be physically present during the time of closing of the tender to ensure that all tenders submitted within the time limit have been dropped in the tender box and no tender received thereafter was allowed to be dropped in the tender box.
(ii) Any tender envelope received after the time limit should be clearly marked as either “Late” or “Delayed” and the time and date of receipt should be written on the envelope and tender register. Those tenders that have been posted/ dispatched before the time limit but received after the time limit are called “delayed” tenders.
Tenders posted/ dispatched and consequently received after the time limit are called “late” tenders. A TOC should acknowledge receipt of such delayed/ late tenders and record the time and date in the tender register, but cannot allow such tenders to participate.
(iii) Once submission of tenders is closed, TOC must check the lock and opening/ aperture of the tender box/ room to satisfy itself that those are intact and not tampered with, and record it in the tender register. Any suspicious circumstances must be immediately noted and reported, and tender opening is postponed for further instruction from the competent authority.
(iv) To verify from the tender register that quotations have been received only from vendors who purchased tender documents.
(v) The seals of the covers are to be checked for any sign of tampering. Once satisfied, one by one the covers are to be slit open keeping the seals intact. Unsealed covers are liable to be rejected forthwith.
(vi) The covers are marked with serial numbers. For example, if 10 quotations have been received, the covers are to be marked as 1/10, 2/10 and so on. All the covers must be signed by each member of TOC with date and time. Covers are to be retained with respective tender papers.
(vii) Each page of a tender must be marked with the same serial number as on its cover and jointly signed with date and time by TOC.
(viii) In case of a two or multiple bid tender, TOC is to fill out the technical particulars in the tender evaluation sheet first.
(ix) TOC should record whether all the prescribed attachments have been received.
(x) Wherever necessary, TOC is to verify the credentials with the originals, like PAN card, NOC from department of environment, explosives, registration with commercial tax authorities, regional provident fund commissioner, trade license, etc.
(xi) Security deposit should be immediately entered in the cash book and deposited in bank; a cash receipt is to be prepared and given to the vendor. In case of EMD, it can be either encashed or the instruments can be held till award of tender and then returned to unsuccessful vendors. Records are to be generated and maintained at each stage.
(xii) After selection of technically eligible parties in a two or multi-bid tender, or at the time of opening in a single bid tender, the rates quoted against each work order or purchase order item are to be filled in the tender evaluation sheet.
(xiii) TOC is to note and/ or authenticate any difference in rates quoted in words and figures, over-writing, cutting, use of white fluid, missing signature, submission of security deposit, earnest money deposit, etc. in the tender papers.
(xiv) TOC should note and record that each bidder has given a declaration that it has not been put on the holiday list.
(xv) Total quoted amount in each tender is to be countersigned by all members of TOC.
(xvi) For each tender, TOC is to populate the evaluation sheet with rates quoted against each item and the total quoted. Each page of the evaluation sheet is to be signed by members of TOC with date and time. In case of a separate price bid cover, it may not be possible for TOC to fill up the rates. But that fact is to be noted by TOC.
(xvii) In case of two or multi-bid tenders, TOC is to note that the covers of the subsequent bids are not opened. After technical evaluation, when the subsequent covers are to be opened, the same procedure is to be followed.
(xviii) Safe custody of tender papers is the responsibility of TOC till the entire bunch is handed over to the Tender Consideration Committee (TCC).
(xix) TOC certification of compliance with tender opening and eligibility criteria is of crucial importance.
Hence, TOC must pay attention to minute details, record the findings faithfully without any bias, maintain confidentiality, and hand over tender papers/ documents received to TCC and receive acknowledgement.

Evaluation of Price

4.27 The broad guidelines for judging the reasonableness of price are as under:
(i) Last purchase price of same (or, in its absence, similar) goods.
(ii) Current market price of same (or, in its absence, similar) goods.
(iii) Price of raw materials, which go into the production of the goods.
(iv) Receipt of competitive offers from different sources.
(v) Quantity involved.
(vi) Terms of delivery.
(vii) Period of delivery.
(viii) Cost analysis (material cost, production cost, over-heads, profit margin).

NB: Price paid in an emergency purchase or purchase price of goods offered by a firm through ‘distress sale’ (i.e., when the firm clears its excess stock at throw away prices to avoid further inventory carrying cost, etc.) are not accurate guidelines for future use.

Lack of Competition

4.28 Sometimes, the purchase organization may not receive a sufficient number of tenders. A situation may also arise where, after analyzing the tenders, the purchase organization ends up with one responsive vendor. In such situations, the purchase organization is first to check whether, while floating/ issuing the tender enquiry, all necessary requirements, like standard tender enquiry conditions, industry friendly specification, wide publicity, sufficient time for formulation of tenders, etc. were fulfilled. If not, the tender is to be re-issued/ re-floated after rectifying the deficiencies. However, if after scrutiny it is found that all such aspects were fully taken care of and in spite of that the purchaser ends up with one responsive tender only, then the contract may be placed on that vendor provided the quoted price is reasonable. CVC in its Circular no.
4/3/07 has explained the position on negotiations of contract with L1. It has emphasized that post tender negotiations should be avoided. However, negotiations may be done in case of some exceptional situations relating to procurement of proprietary items, items with limited sources of supply, or evidence of cartel formation. Such reasons for negotiations should be documented. In case of unreasonable rates, re-tendering may be conducted, but since re-tendering will take more time, procurement might be done for the bare minimum quantity for continuing the operations. Delay in decision making may occur due to negotiation or re-tendering. Hence, the competent authority should exercise due diligence while choosing the alternative.

Rejection of Tenders

4.29 In the NIT (Notice Inviting Tender), eligibility criteria are specified. Non-compliance can make a tender invalid and liable to be rejected without assigning further reasons. A tender may be rejected in the following situations:
(i) It stipulates its own conditions.
(ii) The validity period of the bid is less than or differs from that in the tender form.
(iii) It does not disclose the constitution of the organization. The names, address of offices, directors, partners, etc. are not adequately disclosed.
(iv) Tender forms are not properly filled. Tender documents, attachments, etc. are not signed on each page or are not certified as required.
(v) Bidder does not provide evidence of adequate facilities or does not propose to make available sufficient resources.
(vi) Bidder does not attach acceptable proof of past experience and performance.
(vii) Bidder does not attach self-certified copies of eligibility certificates like PAN card, valid income tax clearance certificate, sales tax/ VAT/ excise duty/ custom duty registration details, and registration, deposit details with regional PF commissioner, etc.
4.30 A tender is invalid and is rejected outright when:
(i) Minimum qualification criteria are not met.
(ii) EMD is not deposited before the closing date and time of the tender. In case of two bid tenders, EMD is to be submitted with the technical or commercial bid.
(iii) Tender is submitted late.
(iv) Bidder is holiday listed or has been blacklisted. This situation can only arise if holiday listing or black listing is done after purchase of tender papers.
(v) Price bid is incomplete.

4.31 Care is to be taken that no valid tender gets rejected. Justification of rejection of any tender is to be placed on record but is not to be communicated to the invalid bidder. If any fraud or forgery is committed, EMD can be forfeited. If a vendor backs out after award of tender or fails to start work within the stipulated time without justification, EMD can be forfeited.

Scrutiny of Tender Documents and Attachments

4.32 A Tender Consideration Committee (TCC) is constituted to scrutinize tender documents and put up a proposal to the competent authority for award of a work order (WO) or a purchase order (PO). A TCC is usually constituted with members from the concerned function, engineering or material and finance department.

4.33 In their first sitting at the appointed place, date and time, TCC deliberate and decide on the course of action for finalization of proceedings. The member from the engineering or material department ensures that none of the bidders is either on the black list or holiday list. TCC may proceed in the following manner:
(i) Check that the tender evaluation sheet has been completely filled up and verified by all members of TOC together.
(ii) Compare the tender papers of individual bidders with the entries made in the evaluation sheet.
(iii) Scrutinize the enclosures and attachments that are required to be submitted with the bid papers. For example, if security deposit is to be received, a valid cash receipt should be attached.
Any bank guarantee received should conform to the format and requirement of the organization. BGs should be received directly from the issuing bank.
(iv) In case of a two-bid or multi-bid tender, TCC should check that the comparative statement relating to the technical bid has been cleared by the concerned function, like engineering department, materials department, systems department, etc.
(v) Similarly, the price bid comparative statement should be signed by the related function and checked by the finance department.
(vi) Completeness and correctness of the comparative statements need to be ascertained by TCC.
(vii) TCC should study and evaluate the experience, technical competence, capacity and financial status of the bidders with reference to evidences produced, submissions made, etc.
(viii) If felt necessary, TCC may also inspect the facilities of a vendor, cross refer the credentials submitted with the issuing authorities, and examine financial statements, order book, comfort letters from customers of a vendor regarding satisfactory performance, etc.
(ix) Ask for clarification from, or conduct discussion with, vendors with due notice to others to establish facts.
(x) Conduct inter/ intra-departmental meetings and seek clarifications wherever felt necessary in one go without causing any delay in the tendering calendar.
(xi) Opaque, piecemeal and intermittent approach to clarification is to be avoided.
(xii) Information contrary to the claims and submissions can render a tender liable to be rejected.
(xiii) Normally, negotiation on tenders by TCC members is not allowed unless TCC has been given prior approval by the competent authority in writing to conduct price negotiations with the L-1 bidder. No upward price negotiation or post-tender negotiation is allowed.
(xiv) Once tenders are opened, no voluntary/ subsequent rebate/ discount/ reduction in price or quantity discount is to be accepted from any bidder.
In case the concerned vendor refuses to withdraw such offers, that bid is to be summarily rejected.
(xv) If any unforeseen or unusual circumstances make it necessary to revise price bids, TCC should insist on approval from the competent authority to consider such revision.
(xvi) Then all the bidders should be simultaneously asked to submit revised price bids. Such deliberations need to be recorded in minutes of the TCC meeting. No separate correspondence is to be made.
(xvii) Such cases are very rare and are not usually entertained by TCC. In case it becomes unavoidable, TCC must establish through records and papers that the sanctity of a price bid has not been compromised by seeking revised price bids.
(xviii) No new condition from a vendor is to be permitted during negotiation.
(xix) Vendors are not to be allowed any time to withdraw any counter conditions. All techno-commercial terms need to be deliberated and settled during the pre-price bid opening conference.
(xx) TCC members are required to prepare and jointly sign the minutes of a meeting on the same day. TCC members are collectively responsible for any recommendations made. So, difference of opinion, if any, must clearly be specified and written down in the proceedings of the meeting.
(xxi) TCC recommendations are crucial for the competent authority to accord approval for finalization of a tender. Price variations beyond a certain percentage should be critically evaluated by TCC in line with organization policy.
(xxii) If there is a laid down policy that accommodates deviations from estimates to a certain limit, TCC may abide by such policies.
(xxiii) If deviations are on the higher side, then TCC, with intimation to all concerned and preferably with approval from the competent authority, may go for price negotiations.
(xxiv) If the L-1 bid is lower than the acceptable percentage or it appears to be unworkable, TCC may call for clarification from the bidder and insist on indemnity from the bidder to the effect that in case of non-performance the tender can be executed through other vendors at the risk and cost of the defaulting L-1.

Note: An organization may, in certain circumstances, engage consultants for floating and finalization of tenders. Usually, a panel of consultants is prepared by the following process:
(i) Advertisements are given in newspapers for pre-qualification offers from consultants satisfying the technical, financial and experience qualification parameters.
(ii) Empowered committee is to scrutinize offers received, prepare a panel and put it up for approval of the competent authority.
(iii) For specific assignments, LT may be invited from such empanelled consultants.
(iv) Assignment is awarded in line with laid down policy and procedure.
(v) Security deposit and liquidated damage clauses are to be included in the consultancy contract.
(vi) Apart from technical qualification, a consultant is also required to comply with all statutory registrations and requirements.

4.34 In such cases, the contract with the consultant is to be studied to understand the scope and calendar of work, areas of representation and responsibility, fee structure, payout schedule, any clause for damage, etc. After appropriate discussion and understanding, the assignment is to be formally awarded to the consultant. The procedural checklist for tendering through a consultant is as follows:
(i) Consultant prepares the tender enquiry and all tender documents with necessary supporting papers like work schedule, technical details, rate analysis, drawings, etc. and submits them to the concerned department for correction, amendment, vetting and approval.
(ii) After approval, consultant will invite PT or LT as advised and in line with the policies and procedures of the organization.
(iii) Tenders would, however, be received in the tender box or email address of the organization.
(iv) Consultant will arrange opening of tenders. Authorized representatives of the organization will open the bids in presence of bidders and consultants.
(v) Consultant scrutinizes tender papers, attachments and enclosures, evaluates technical bids and, if required, calls the bidders to make all the bids at par. He/she will build a comprehensive tender file, prepare a comparative statement of technical bids and submit the final recommendation with complete technical and legal justification for opening of price bids.
(vi) Recommendation will be reviewed and considered by the client organization and clearance is given to the consultant for arranging opening of price bids.
(vii) Consultant ensures that all eligible bidders are duly notified of the place, date and time of opening of price bids.
(viii) Price bids will be opened by the client’s designated officers from the related function and finance with the help of the consultant in presence of eligible parties.
(ix) Consultant prepares a comparative statement of price bids with recommendations and submits it to the client for scrutiny. Any price negotiation is to be done by the client organization and not the consultant.
(x) With the approval of the client, consultant will prepare the detailed work/ purchase schedule/ order and draft LOI and ask for the clearance of the client.
(xi) Client will scrutinize the LOI and work/ purchase schedule/ order and award the tender.

Finalisation of a Tender

4.35 Before expiry of the tender validity period, the purchase organization shall notify the successful vendor in writing, by a suitable foolproof method, that its tender (briefly indicating therein relevant details, like quantity, specification of the goods ordered, prices, etc.) has been accepted.
In the same communication, the successful vendor is to be instructed to furnish the required Performance Security within a specified period (generally 21 days).

4.36 Promptly after the above notification, the purchase organization is also to issue the contract to the successful vendor asking therein, inter alia, to send its unconditional acceptance of the contract within fifteen days. It should also be made known to the successful vendor that, in case it does not furnish the required performance security or does not accept the contract within the stipulated target dates, such non-compliance will constitute sufficient ground for forfeiture of its EMD and processing the case for further action against it (the successful bidder).

4.37 Tenders are finalized on the basis of TCC recommendations and approval of the competent authority. An LOI (letter of intent) is issued to the successful bidder with the offer. Once the bidder accepts the offer, it becomes a binding contract.

Awarding a Work Order (WO) or a Purchase Order (PO)

(i) A WO or a PO is the most important document in the tendering process. A note is initiated for approval of the competent authority to issue a WO/PO. All the pages of the note and subsequent observations, noting, concurrence and approval must be serially numbered. A WO/PO not only specifies the terms of engagement of a vendor but also defines the contractual rights and obligations of both the parties. A WO also contains the names of the personnel who will supervise the project and their authority and responsibility. Business establishments usually have standard agreement forms. Two sets of duly signed WO and agreement form are given to the selected vendor. The original copies are retained. The duplicate copies are signed by the vendor as an acknowledgement of receipt and understanding and are returned.
(ii) Before work commences, it is important to ascertain that the site is physically and legally clear and all required permissions and clearances have been taken by the vendor. Non-compliance may lead to cancellation of tender.
(iii) Sometimes it is the responsibility of the organization to get a clear title to land and hand it over to the contractor for the work. In a hurry or under pressure to meet deadlines, organizations do not pay due attention to a clear title of land or NOC to start work. Internal audit should verify title deeds of land or premises and NOCs received. A lot of subsequent problems can be avoided if due attention is paid in time.
(iv) Registers of WOs and POs need to be created and maintained. In SAP there is a provision for creating WO/PO to monitor progress and payment and exercise budgetary/cash outlay control. It is important that no work starts or no purchase is made without a valid WO/PO. Small work/purchase may, however, be directly charged to revenue. Undue repetition of such expenditure should raise a red flag.
(v) SAP operates on separate modules like finance (FICO), materials (MM), operations (OPS), supply and distribution (S&D), human resources (HR), etc. All the modules are interlinked. In case payments against purchases are not routed through the MM module and payment is made directly against invoices through the FICO module, physical and book balance of store items will not tally. There will be open goods received (GR) and investment request (IR) items. Moreover, it will not be possible to monitor re-order level (ROP), re-order quantity (ROQ), purchase requisitions (PR), etc.
(vi) Each WO or PO should be serially numbered. In SAP the serial is auto-generated. The online WO/PO register may be formatted as below:

Header:
• WO/PO number, date, amount, place, description of work/purchase, capital/revenue, approval reference, approving authority, target date.
• Name and designation of supervisor.
• Details of co-lateral like SD/EMD/BG, etc.

Table:
• Serial number of entry
• Running bill number, date, amount
• Supervisor’s work completion confirmation
• Adjustment of SD
• Other deductions like TDS (for service component), etc.
• Payment voucher reference
• Signature of paying authority.

Securities, Co-laterals, Staggered Payments and Liquidated Damages

4.38 Security and co-lateral are usually in the form of earnest money deposit (EMD), security deposit (SD) or bank guarantee (BG).

4.39 Earnest money deposit (EMD) is an amount that is to be deposited by vendors at the time of submitting quotations as a token of their earnestness to abide by the terms and conditions of the tender and undertake the work, if nominated on the basis of their quotation. Amount of EMD is determined by the estimated cost of the works/purchase. Certain categories of vendors are usually exempted from EMDs.
(i) Original equipment manufacturers (OEMs), sole distributors, sole selling agents, authorized dealers, sole importer, etc.
(ii) PSUs/SMEs registered with NSIC, etc.
(iii) Consultants providing architectural, taxation, legal services, etc.
For tenders for services of consultants, CVC has given guidelines for selection of consultants in Circular no. 08/06/11, which private enterprises may also adopt and which is annexed in Appendix 2.

4.40 EMD is refundable to a bidder as and when the bid fails to be selected after opening the technical bid or after the price bid. Refund should be made promptly without waiting for a request from the unsuccessful bidder. Utmost care, however, is to be taken at the time of refund.
(i) Firstly, the original cash receipt is to be taken in hand. If it is claimed that the original cash receipt has been lost, the party is to be asked to furnish an indemnity bond in the prescribed format.
(ii) Secondly, the bank statement should be referred to, to ensure that the bank account was credited with the EMD amount in due course.
(iii) Thirdly, payment is to be released only to the credit of the bank account whose particulars have been furnished. Due care should be exercised in case of NEFT/RTGS payments.
Accounts department must ensure that there is no outstanding liability against the EMD. The refund should either appear as a debit in bank statement or appear in the list of cheques issued but not presented. While auditing EMDs, look into the ageing of EMDs and ask for the reason of delay in refund.

4.41 A Security Deposit (SD) is asked from the successful bidder. In complex, large amount tenders, work may be awarded to more than one bidder. All such bidders are required to deposit SD for satisfactory performance of contractual obligations and as a security against defect liability for a mutually agreed period after date of work completion. As such there is no upper limit for SD, but it is usually a percentage of value of work actually done and not on the value of the WO/PO.

4.42 SD is accepted by banker’s cheque/DD or by way of deductions from running bills. Needless to say, a proper cash receipt is to be issued when SD is received against banker’s cheque/DD. Receipt of initial security deposit and/or deduction of SD from running bills are to be recorded in the WO/PO register. SD received/deducted is to appear as an outstanding liability with ageing analysis in the SD schedule. Separate SD schedules for works and purchases are prepared. In case of a BG, the entire amount gets locked up, but in case of SD, the vendor either pays a percentage of the work done or, in case of running bills, continues to get paid for the major portion of his bills. Thus the financial burden on the contractor is reasonable. In a computerized system, like SAP, correct vendor and financial coding at every step is very crucial.

4.43 SD becomes refundable on expiry of defect liability period. As in case of EMD, due care is to be taken at the time of refund.
In case of acquisitions and mergers, books of accounts get merged. Mapping of balances either from legacy systems or from the books of merged entities is to be done very carefully. In case EMD/SD balances appear without vendor codes, these are to be segregated into a sub-ledger, and a memorandum account with whatever pointers are available, like vendor’s name/address/date, etc., is to be maintained. Any refund from such an account must be done after identification of the payer, receipt of indemnity bond and with approval of competent authority. Ageing of SD is to be audited carefully to detect any non-performance, lapses, etc.

4.44 Bank Guarantee (BG) is another type of co-lateral that can be got executed by the vendor or contractor. In many cases, material, like steel plates or cement, is issued to contractors. Sometimes, mobilization advances are given to contractors so that they can commence work. In such cases, BG is taken to cover the cost of materials issued or mobilization advance given. (CVC circular)

4.45 Given the instances of banking irregularities, certain precautions need to be taken while accepting BGs like:
(i) BG from only a scheduled bank is to be accepted. In a computerized system bank details of vendors are uploaded. Whenever it is seen that a vendor wishes to furnish a BG from another bank, reasons thereof should be sought and recorded.
(ii) In no case is a BG to be received directly from the contractor.
(iii) The concerned bank branch should directly send the BG.
(iv) As a precautionary measure, a confirmation from the bank that the BG had indeed been issued by that branch is to be taken.
(v) BG should be in the format prescribed and must contain a clause that on demand the bank would allow the BG to be encashed without any demur.
(vi) A BG is to remain valid till the work is completed and till expiry of defect liability period.
(vii) A composite BG covers both SD amount and mobilization advance. Once mobilization advance is recovered, the value of the BG, on request of contractor, can be reduced to cover the SD amount only.
(viii) Arranging a BG is the responsibility of the functional department. Custody of BGs should be with the finance department, preferably with cash section. A BG is a dormant co-lateral in the sense that it does not entail an inflow of cash and does not impact the books. But at the same time it is essential to acknowledge the latent asset and liability against a BG in hand. SAP has designated contra codes for BGs in hand.
(ix) BGs in hand should be reviewed on a monthly basis by cash section, and BGs that need to be renewed should be handed back to function under acknowledgment at least one month before the date of expiry.
(x) Like cash in hand, BGs in hand should also be verified at required intervals like quarterly, half-yearly and annual closing.
(xi) Cash section should maintain a BG register in the system. BG register should include the following details.
(a) Serial number
(b) Name and vendor code of contractor
(c) WO/PO reference and a brief description.
(d) Name and branch of bank issuing the BG.
(e) Purpose, amount and validity of the BG.
(f) Date of receipt of BG.
(g) Date of confirmation received from issuing bank, as received from function
(h) Date and acknowledgment of return of BG to function for either re-validation or surrender.
(i) Date and reason of en-cashing a BG.

Post Tendering Process

4.46 Since at the time of audit the entire process is completed for some tenders, completed tenders could be evaluated. While vouching for the process, the internal auditor could also look at the propriety perspective of internal audit. Variations in the terms of tender could be studied. At times, there are clauses in the awarding document requesting bank guarantees, performance guarantees.
Internal Auditor should check whether the post selection requirements were complied with. Adequate checks and controls need to be in place to check for compliance with the post selection requirements. Also, the vendors not complying with the same could be considered for being blocked and placed on a negative list of vendors who should not be awarded contracts.

General

4.47 No response to tenders: In case there is no response to the tender, or when the tenders submitted have been collusive, or not in conformity with the requirements in the tender, then the contract may be considered for re-tendering, while awarding the minimum requirement to the existing vendor on condition that the requirements of the initial (previous) tender are not substantially modified in the contract awarded.

4.48 Foreign currency Tenders: For tender comparison purpose, quotations in foreign currencies must be converted into Indian rupees. The conversion may be based on the selling rate of the relevant currency quoted by the RBI on the tender closing date. In order to avoid vendors putting in an unreasonable amount of allowance in their quotations to cover exchange risks for the contract period, departments may allow vendors to quote in foreign currencies.

4.49 Marking system for tendering: As a general rule, buyer shall award contracts to vendors complying with the tender specifications, terms and conditions as specified and who are fully capable of undertaking the contracts and whose price quotations, whether for goods or services, are the lowest tenders. However, there are occasions where the quality of the goods or services to be provided is of such importance that separate assessments of the technical and price aspects, with pre-determined relative weighting attached to particular features, would result in a better value-for-money.
Circumstances in which procuring departments may consider adopting a marking scheme include, but are not confined to, the following:
(a) Procurement of high-value, complex equipment where there is rapid technological advancement or products with specific requirements such as improved recyclability, greater durability and less energy consumption; and
(b) Service contracts which are high-value or involve complex requirements or which are sensitive and call for a high degree of specialization, reliability or co-ordination.
When a marking scheme is used to assess the tenders, departments shall award contracts to vendors who obtain the highest overall score.

4.50 Dispute redressal mechanism and jurisdiction: The tender document and contract should specify the dispute redressal mechanism to be adopted for the contract and, in case of a legal dispute arising out of the tender/contract, which area shall have jurisdiction. If arbitration is followed, the contract should specify the mode of selection of the arbitrator. In case of a sole arbitrator, the contract should mention that the decision of the sole arbitrator on the matter in dispute shall be final and binding on both parties. Reference to the Arbitration and Conciliation Act 1996 may also be drawn.

Cancellation of a Contract

4.51 Cancellation means termination of the entire agreement by the act of parties/law. Generally, the contract specifies the conditions on which the contract shall stand cancelled and also the rights and responsibilities of both the parties in case of a cancellation. This clause is required to prevent any unwanted litigations. It is advisable to have a written mutual cancellation agreement. It formalizes the cancellation of contract and safeguards the interests of the parties.

Holiday Listing of an Empanelled Party

4.52 The legal meaning of terms like “holiday listing”, “black listing”, “banning”, “removal from approved panel” is the same.
A party may be a bidder, licensor, vendor, sub-vendor, contractor, sub-contractor, consultant or sub-consultant.

4.53 Putting a party on holiday list is a rather unusual step taken under circumstances that mark that party as an undesirable business associate. Reasons for such a strong measure may be:
(i) Repeated failure of contractual obligations, breach of contract, and abandonment of contract.
(ii) Refusal to accept LOA, WO or PO in a properly conducted tender.
(iii) Nominated as L1 after price bid, but thereafter raises or withdraws the bid within the validity period of the tender.
(iv) Repeated failure to repay loans, advances and other dues.
(v) Bankruptcy, dissolution of partnership, winding up while within contract period.
(vi) Failure to deliver in time, in proper quantity, specification, quality, etc.; defective, faulty work.
(vii) Submission of fake, forged, false documents, certificates.
(viii) Malpractices, like fraud, pilferage, corrupt practices, bribery, violent activities, inciting unrest, etc., not necessarily confined to the contractual context.
(ix) Unauthorized access to and/or passing on of official/confidential documents, information, trademarks, patents, etc.
(x) Deliberate violation or evasion of the law of the land.
(xi) In case of PSUs, if the concerned administrative ministry puts a party on holiday list, the order becomes applicable in the said PSUs.

4.54 The list of reasons is illustrative, not exhaustive. Holiday listing, however, should be done judiciously. Usually an empowered committee consisting of representatives from related function, finance and legal departments is formed to look into the circumstances. To give the party a fair opportunity, a show cause notice with the approval of competent authority is issued and a reasonable time is allowed for a reply and representation.
The committee studies the reply and considers the representation by the party, deliberates on the imperatives and overall effect of putting a party on holiday list and submits its recommendation, including the period for which the party should remain on holiday list.

4.55 Effects of holiday listing are as follows:
(i) No enquiry, bid, tender is to be issued to a party already on holiday list.
(ii) If put on holiday list during a tendering process then no further interaction; if technical bid has been opened, both the opened technical bid and unopened price bid papers along with EMD, BG, etc. are to be returned under acknowledgement.
(iii) In case price bid has been opened, it will not be considered and all papers and co-laterals are to be returned under acknowledgement. This practice is to be followed even when the party is L1.
(iv) In emergent cases, however, exceptions may be made with approval of competent authority; it is better avoided.
(v) All concerned departments, locations, divisions, affiliates are to be notified.
Delisting from holiday list comes into effect on expiry of the holiday period. Review of holiday period is technically possible but is not advisable. After expiry of the holiday period, the party usually requests re-listing. Otherwise, the concerned party may also be notified.

Chapter 5
E-Tendering

5.1 Internet provides a platform for the collaborative procurement of goods, works and services using electronic methods at every stage of the procurement process. Automating the procurement process using electronic tools/techniques and enabling opportunities to suppliers fully supports the objective of non‐discrimination, fair and open competition.
Agencies world over face threats to their online e-procurement platforms and the same are addressed by employing a combination of security features and security best practices which result in reduced threat of data loss, leakage or manipulation.

5.2 E-tendering is a process of carrying out the entire tendering cycle online with efficiency and economy. The process followed under e-tender is the same as for a conventional tender, except that it involves working in an IT environment.

5.3 All the steps involved, starting from inviting the tenders till the decision of selection of vendor, will be carried out on the system. Monetary limits are defined by organizations; if the expected tender size exceeds the amount, then E-tendering would be essential.

5.4 In E-tendering, digital signature plays a vital role. Tender notice will be approved and authorized for publishing by digital signature certificate by the approving authority as per delegation of powers. Digital Signature has the same legal recognition and validity as handwritten signature. Digital signature also ensures that no alterations are made to the data once the document has been digitally signed.

5.5 Several roles would be created in the system, viz., publisher, admin, bid opener, evaluator, auditor, etc. It should be ensured that adequate rights are assigned to these profiles. This ensures that tampering/editing by an unauthorized person is not possible.

5.6 Bidders intending to participate have to register with a valid mail id and by attaching a digital signature. Under E-tendering, generally, application fees are paid at the time of submission of tender. It has to be ensured that fees have been received for all the bidders participating.

5.7 Under E-tendering, submission of BG is, generally, made by sending the scan copies of the BG along with the tender document or physically
sending the document to the purchaser. However, where a scan copy has been sent, the physical document shall be presented on the designated date, failing which the vendor shall not be allowed to take part in future tenders.

Benefits of E-tendering

5.8 Benefits to company floating the tender are as follows:
(i) Completely Automated Process.
(ii) Shortens Procurement Cycle.
(iii) Standardized purchasing processes across the organization.
(iv) Economical and Environment Friendly.
(v) Greater Transparency.
(vi) System aided Evaluation process.
(vii) Minimize Human errors.
Benefits to vendors are as follows:
(i) Anytime and Anywhere Bidding.
(ii) Fair participation for vendors.
(iii) No dependence on Newspaper.
(iv) Reduced administrative hassles.
(v) Economical – saving on Traveling cost.
(vi) Reduces efforts and cost of bidding.
(vii) No tenders can be missed because of distance.

Challenges in E-tendering

5.9 Challenges in E-tendering are as under:
(i) Detecting whether document is tampered or not.
(ii) Identifying a person in the faceless world of Internet.
(iii) Insufficiently skilled staff.
(iv) Document Secrecy.
(v) Bidding should not be allowed after due date and time.
(vi) Bids cannot be opened before due date and time.
(vii) Bids can only be opened by authorized officers.

5.10 At times companies outsource management or infrastructure related facilities to outside companies. Data security risks that arise need to be adequately addressed. SLA monitoring shall ensure that the system is adhering to the agreed upon service related.

CVC Guidelines

5.11 Assuming that management issues are taken care of, the following aspects of infrastructure and application are essential to have a fairly secure procurement. Security of an E-tender system is essentially an amalgamated output of security of infrastructure, application and management, given in detail in CVC circular no. 29/909, an extract of which is given as under.
(A) Security Infrastructure Level:
(i) Issues - Best Practices to achieve security considerations.
(ii) Perimeter Defense - Deployment of routers, Firewalls, IPS/IDS, Remote Access and network segmentation.
(iii) Authentication - Network authentication through deployment of password policy for accessing the network resources, to minimize unauthorized access to the e-procurement system at system level.
(iv) Monitoring - Deployment of logging at OS/network level and monitoring the same.
(v) Secure configuration of network host - The security of individual servers & workstations is a critical factor in the defense of any environment, especially when remote access is allowed. Workstations should have safeguards in place to resist common attacks.
(vi) System patching - As vulnerabilities of the system are discovered almost regularly and the system vendors are also releasing the patches, it is expected that the hosts are patched with the latest security updates released by the vendors.
(vii) Control of malware - Suitable control like anti-virus, anti-spyware, etc. should be deployed on the host associated with e-procurement system. However, option for running the services at non-privileged user profile may be looked for. Otherwise, suitable operating system which is immune to virus, Trojan and malware may be deployed.
(viii) Structured cabling - The availability of the network services is critically dependent on the quality of interconnection between the hosts through structured cabling, including termination and marking. It is expected the e-procurement system has implemented structured cabling and other controls related with network and interconnection.

(B) Security at Application Level: Security during Design
(i) Issues - Best Practices to achieve security considerations.
(ii) Authentication - The authentication mechanism of the e-procurement application should ensure that the credentials are submitted on pages that are served under SSL.
(iii) Access Control - The application shall enforce proper access control model to ensure that the parameter available to the user cannot be used for launching any attack.
(iv) Session management - The design should ensure that the session tokens are adequately protected from guessing during an authenticated session.
(v) Error handling - The design should ensure that the application does not present user error messages to the outside world which can be used for attacking the application.
(vi) Input validation - The application may accept input at multiple points from external sources, such as users, client applications, and data feeds. It should perform validation checks of the syntactic and semantic validity of the input. It should also check that input data does not violate limitations of underlying or dependent components, particularly string length and character set. All user-supplied fields should be validated at the server side.
(vii) Application logging and monitoring - Logging should be enabled across all applications in the environment. Log file data is important for incident and trend analysis as well as for auditing purposes. The application should log failed and successful authentication attempts, changes to application data including user accounts, severe application errors, and failed and successful access to resources. When writing log data, the application should avoid writing sensitive data to log files.

(C) Security during Application Deployment and Use
(i) Issues - Best Practices to achieve security considerations.
(ii) Availability Clustering. Load balancing - Depending on the number of expected hits and access, the options for clustering of servers and load balancing of the web application shall be implemented.
(iii) Application and data recovery - Suitable management procedure shall be deployed for regular backup of application and data. The regularity of data backup shall be commensurate with the nature of transaction/business translated into the e-procurement system.
(iv) Integrity of Application - Control of source code. Configuration management - Suitable management control shall be implemented on availability of updated source code and its deployment. Strict configuration control is recommended to ensure that the latest software is in the production system.

(D) Security in Data Storage and Communication
(i) Issues - Best Practices to achieve security considerations.
(ii) Encryption for data storage - Sensitive data should be encrypted or hashed in the database and file system. The application should differentiate between data that is sensitive to disclosure and must be encrypted, data that is sensitive only to tampering and for which a keyed hash value (HMAC) must be generated, and data that can be irreversibly transformed (hashed) without loss of functionality (such as passwords). The application should store keys used for decryption separately from the encrypted data. Examples of widely accepted strong ciphers are 3DES, AES, RSA, RC4 and Blowfish. Use 128-bit keys (1024 bits for RSA) at a minimum.

(E) Data Transfer Security
(i) Sensitive data should be encrypted prior to transmission to other components. Verify that intermediate components that handle the data in clear-text form, prior to transmission or subsequent to receipt, do not present an undue threat to the data. The application should take advantage of authentication features available within the transport security mechanism. Specially, encryption methodology like SSL must be deployed while communicating with the payment gateway over public network.
(ii) Access control - Applications should enforce an authorization mechanism that provides access to sensitive data and functionality only to suitably permitted users or clients. Role-based access controls should be enforced at the database level as well as at the application interface. This will protect the database in the event that the client application is exploited. Authorization checks should require prior successful authentication to have occurred. All attempts to obtain access without proper authorization should be logged. Conduct regular testing of key applications that process sensitive data and of the interfaces available to users from the Internet. Include both “black box” and “informed” testing against the application. Determine if users can gain access to data from other accounts.

5.12 Some of the other good practices for implementers of E-procurement to achieve security considerations are as follows:
(i) Common unified platform for all departments: A single platform to be used by all departments across a State/Department/Organization reduces the threat to security of data. With a centralized implementation, wherein the procurement data is preferably hosted and maintained by the State/Department/Organization itself, concerns of security and ownership of data are well addressed. A common platform further facilitates demand aggregation of common items across State/Department/Organization, and results in economies of scale.
(ii) Public Key Infrastructure (PKI) Implementation: This is one of the most critical security features that are required to be implemented in order to establish non-repudiation and to ensure the security of the online system. Under the system, participating contractors and suppliers, as well as the departmental users, are issued a Digital Signature Certificate (DSC) by a licensed Certification Authority.
(iii) Third Party Audit: It is recommended that the implemented solution be audited by a competent third party at least once a year.
Through the above mentioned steps, the complete security of the system and the transacted data can be ensured and may be communicated to all concerned agencies.

5.13 Guidelines/Procedure to be followed in introduction of E-procurement Solution (Source: GNCTD Guidelines):

1. Notice inviting Tender (NIT)/Tender documents: The Notice Inviting Tenders (NIT) and Tender documents, etc., shall be in the Standard formats as applicable to conventional Tenders and will be finalized/approved by the officers competent as in the case of conventional Tenders.

2. Publication of NIT: The officers competent to publish NIT in case of conventional Tenders will host the NIT in the http://delhi.govtprocurement.com. Simultaneously, a notification should also be published in the leading newspapers, as per existing rules, in the following format:
Name of the Department: .......................
Name of the work: .......................
Estimated cost: Rs. .......................
Date of release of tender through e-procurement solution:
Last date/Time for receipt of tenders through e-procurement solution:

3. Registration of Contractors: The contractor will register with the department. Department will charge an annual enrollment fee from each vendor willing to participate in e-Tender of department.

4. Digital Certificate: Digital Certificate is required for issuance, opening, evaluation, etc. of the Bids.

5. Formation of Evaluation Committee: If required, an evaluation committee can be formed to evaluate the bids as done in the conventional tenders.

6. Payment of cost of Tender Documents: The collection of cost of Tender documents is dispensed with, as there is no physical supply of tender documents and also to have absolute anonymity of the bidders participating in e-procurement solution.
7. Submission of Bids: The bidders who are desirous of participating in 'e' procurement shall submit their Technical bids, price bids, etc., in the standard formats prescribed in the Tender documents, displayed at http://delhi.govtprocurement.com. The bidders should upload the scanned copies of all the relevant certificates, documents, etc., in the http://delhi.govtprocurement.com in support of their Technical bids. The bidder shall sign on all the statements, documents, certificates uploaded by him, owning responsibility for their correctness/authenticity.

8. Payment of Bid Security (Earnest Money Deposit): The EMD shall be in the form of DD/BG from a bank, as per the guideline. Photocopy of the DD/BG is to be scanned and uploaded along with the Bid, and the original DD/BG shall be sent to the concerned Dept. so as to reach before the date of closing of the Bids. Failure to furnish the original DD/BG before the closing of the bid will entail rejection of bid and blacklisting.

9. Technical Bids/Price Bids Opening: Technical bids will be opened online by the concerned officer/officers at the time and date as specified in the tender documents. All the Statements, documents, certificates, DD/BG, etc., uploaded by the Bidder will be verified and downloaded, for technical evaluation. The clarifications, particulars, if any, required from the bidders, will be obtained either online or in the conventional method by addressing the bidders. The technical bids will be evaluated against the specified parameters/criteria, same as in the case of conventional tenders, and the technically qualified bidders will be identified. The result of Technical bid evaluation will be displayed on the http://delhi.govtprocurement.com which can be seen by all the bidders who participated in the Tenders.
Similarly, at the specified date and time, the price bids of all the technically qualified bidders will be opened online by the concerned officer/officers and the result will be displayed on the http://delhi.govtprocurement.com which can be seen by all the bidders who participated in the Tenders. Till the technical bids are opened, the identity of the bidders who participated in the tenders is to be kept confidential. Similarly, till the price bids are opened, the bid offers are to be kept confidential.

10. Processing of Tenders: The concerned officer/officers will evaluate and process the tenders as done in the conventional tenders and will communicate the decision to the bidder online.

11. Payment of Performance Guarantee: The bidder will submit the Performance Guarantee as done in Conventional Tenders.

12. Participation of Bidders at the time of Opening of Bids: Bidders have two options to participate in tendering process at the time of opening of Bids:
(i) Bidders can come at the place of opening of bids (electronically) as done in the conventional tender process.
(ii) Bidders can track the process online.

13. Financial Rules for E-procurement: The e-procure system would be applicable for purchase of goods, outsourcing of services and execution of work as prescribed in GFRs/PWD manual.

14. Signing of Agreement: After the award of the contract, an agreement may be signed as done in Conventional tenders.
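The time and qualification gates in steps 8 and 9 above can be tested over the complete audit trail of an e-procurement system instead of a sample. The Python sketch below is an added example, not part of the GNCTD guidelines or of any e-procurement product; the event names, the row layout and every sample row are constructed assumptions.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"

# Constructed schedule for one tender (key names are assumptions).
TENDER = {
    "bid_closing": "2015-03-10 15:00",
    "technical_opening": "2015-03-10 16:00",
    "price_opening": "2015-03-17 11:00",
}

# Constructed audit-trail rows: (timestamp, action, bidder).
EVENTS = [
    ("2015-03-08 11:20", "SUBMIT_BID", "B1"),
    ("2015-03-09 10:00", "EMD_ORIGINAL_RECEIVED", "B1"),
    ("2015-03-09 17:45", "SUBMIT_BID", "B2"),
    ("2015-03-10 14:10", "OPEN_TECHNICAL", "B2"),         # before opening time
    ("2015-03-10 14:30", "SUBMIT_BID", "B3"),
    ("2015-03-10 14:50", "EMD_ORIGINAL_RECEIVED", "B3"),
    ("2015-03-10 15:20", "SUBMIT_BID", "B4"),             # after closing
    ("2015-03-10 16:05", "OPEN_TECHNICAL", "B1"),
    ("2015-03-10 16:06", "OPEN_TECHNICAL", "B3"),
    ("2015-03-11 09:30", "EMD_ORIGINAL_RECEIVED", "B2"),  # after closing
    ("2015-03-12 12:00", "TECH_QUALIFIED", "B1"),
    ("2015-03-12 12:00", "TECH_QUALIFIED", "B2"),
    ("2015-03-16 18:00", "OPEN_PRICE", "B1"),             # before price opening
    ("2015-03-17 11:05", "OPEN_PRICE", "B2"),
    ("2015-03-17 11:06", "OPEN_PRICE", "B3"),             # never qualified
]


def review(events, tender):
    """Return (finding_code, bidder) pairs in chronological order."""
    t = {k: datetime.strptime(v, FMT) for k, v in tender.items()}
    rows = sorted(
        ((datetime.strptime(ts, FMT), action, bidder) for ts, action, bidder in events),
        key=lambda r: r[0],  # stable sort: equal timestamps keep their log order
    )
    emd_on_time, qualified, findings = set(), set(), []
    for when, action, bidder in rows:
        if action == "SUBMIT_BID":
            # Bids are received only up to the notified last date/time.
            if when > t["bid_closing"]:
                findings.append(("LATE_BID", bidder))
        elif action == "EMD_ORIGINAL_RECEIVED":
            # Step 8: the original DD/BG must reach before closing of the bids.
            if when < t["bid_closing"]:
                emd_on_time.add(bidder)
        elif action == "OPEN_TECHNICAL":
            # Step 9: technical bids are opened at the specified time, not earlier.
            if when < t["technical_opening"]:
                findings.append(("EARLY_TECH_OPEN", bidder))
        elif action == "TECH_QUALIFIED":
            qualified.add(bidder)
            # Step 8: a bid without a timely original EMD should have been rejected.
            if bidder not in emd_on_time:
                findings.append(("QUALIFIED_WITHOUT_EMD", bidder))
        elif action == "OPEN_PRICE":
            # Step 9: price bids stay confidential until the specified time...
            if when < t["price_opening"]:
                findings.append(("EARLY_PRICE_OPEN", bidder))
            # ...and only technically qualified bidders' price bids are opened.
            if bidder not in qualified:
                findings.append(("PRICE_OPEN_UNQUALIFIED", bidder))
    return findings


if __name__ == "__main__":
    for code, bidder in review(EVENTS, TENDER):
        print(f"{code:24} {bidder}")
```

Each finding is a lead for follow-up against the tender file, not a conclusion; the rules cover only what steps 8 and 9 state.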
Chapter 6
About Internal Audit

6.1 Preface to the Standards on Internal Audit, issued by the Institute of Chartered Accountants of India defines the term Internal Audit as follows:

“Internal Audit is an independent management function, which involves a continuous and critical appraisal of the functioning of an entity with a view to suggest improvements thereto and add value to and strengthen the overall governance mechanism of the entity, including the entity’s strategic risk management and internal control system.”

6.2 The abovementioned definition highlights the following facets of an internal audit:
(i) Internal auditor should be independent of the activities they audit. The internal audit function is, generally, considered independent when it can carry out its work freely and objectively. Independence permits internal auditors to render impartial and unbiased judgment essential to the proper conduct of audits.
(ii) Internal audit is a management function, thus, it has the high-level objective of serving management’s needs through constructive recommendations in areas such as, internal control, risk, utilization of resources, compliance with laws, management information system, etc.
(iii) Internal auditor’s role should be a dynamic one, continually changing to meet the needs of the organization. There is often a need to change audit plans as circumstances warrant. These changes may include coverage of new areas, assistance to management in solving problems, and the development of new internal audit techniques.
(iv) An effective internal audit function plays a key role in assisting the board to discharge its governance responsibilities. Thus, it contributes in accomplishment of objectives and goals of the organization through ethical and effective governance.
(v) Risk management enables management to effectively deal with risk, associated uncertainty and enhancing the capacity to build value to the entity or enterprise and its stakeholders.
Internal auditor plays an important role in providing assurance to management on the effectiveness of risk management.
(vi) Internal audit function constitutes a separate component of internal control with the objective of determining whether other internal controls are well designed and properly operated. Thus, the examination and appraisal of controls are normally components, either directly or indirectly, of every type of internal auditing assignment.

Factors Contributing to the Evolution of Internal Audit

6.3 General Guidelines on Internal Audit, issued by the Institute of Chartered Accountants of India, describes the factors contributing to the evolution of Internal Audit in India, which are as follows:

(i) Increased Size and Complexity of Businesses
Increased size and business spread dilutes direct management oversight on various functions, necessitating the need for a full time, independent and dedicated team to review and appraise operations.

(ii) Enhanced Compliance Requirements
Increase in the geographical spread of the businesses has also led to crossing of political frontiers by businesses in a bid to tap global capital. This has thrown up compliance with the laws of the home country as well as the laws of that land as a critical factor for existence of businesses abroad.

(iii) Focus on Risk Management and Internal Controls to Manage Them
Internal auditors can carry out their job in a more focused manner by directing their efforts in the areas where there is a greater risk, thereby enhancing the overall efficiency of the process and adding greater value with the same set of resources.

(iv) Stringent Norms Mandated by Regulators to Protect Investors
The regulators are coming up in a big way to protect the interests of the investors. The focus of the latest regulations being ethical conduct of business, enhanced corporate governance and financial reporting requirements, etc.
(v) Unconventional Business Models
Businesses today use unconventional models and practices, for example, outsourcing of non-core areas, such as accounting.

(vi) Intensive Use of Information Technology
Information technology (IT) is invariably embedded in all spheres of activities of a modern business enterprise today, from data processing to resource planning to online sales and e-commerce. Use of IT has, however, increased the threat of data thefts or losses on account of systems failure or hacking/espionage, as well as the need to comply with the cyber laws, etc.

(vii) An Increasingly Competitive Environment
Whereas deregulation and globalization have melted the political as well as other barriers to entry in the markets for goods and services, free flow of capital, technology and know-how among the countries as well as strong infrastructure has helped in bringing down the costs of production and better access to the existing and potential consumers. This in turn, has lured more and more players in the existing markets, thereby, stiffening the competition.

Methodology for Internal Audit

Standards on Internal Audit

6.4 The Institute of Chartered Accountants of India has till date issued seventeen Standards on Internal Audit (SIAs), which aim to codify the best practices in the area of internal audit and also serve to provide a benchmark of the performance of the internal audit services. While formulating SIAs, the Board takes into consideration the applicable laws, customs, usages, business environment and generally accepted internal auditing practices in India.
The list of Standards on Internal Audit (SIAs) is given below:

SIA 1 Planning an Internal Audit
SIA 2 Basic Principles Governing Internal Audit
SIA 3 Documentation
SIA 4 Reporting
SIA 5 Sampling
SIA 6 Analytical Procedures
SIA 7 Quality Assurance in Internal Audit
SIA 8 Terms of Internal Audit Engagement
SIA 9 Communication with Management
SIA 10 Internal Audit Evidence
SIA 11 Consideration of Fraud in an Internal Audit
SIA 12 Internal Control Evaluation
SIA 13 Enterprise Risk Management
SIA 14 Internal Audit in an Information Technology Environment
SIA 15 Knowledge of the Entity and its Environment
SIA 16 Using the Work of an Expert
SIA 17 Consideration of Laws and Regulations in an Internal Audit

Some important aspects on internal audit have been discussed in the following paragraphs:

Planning an Internal Audit

6.5 The internal audit plan should be comprehensive enough to ensure that it helps in achieving the above overall objectives of an internal audit. The internal audit plan should, generally, also be consistent with the goals and objectives of the internal audit function as listed out in the internal audit charter as well as the goals and objectives of the organization. Internal audit plan should cover areas such as:
(i) Obtaining the knowledge of the legal and regulatory framework within which the entity operates.
(ii) Obtaining the knowledge of the entity’s accounting and internal control systems and policies.
(iii) Determining the effectiveness of the internal control procedures adopted by the entity.
(iv) Determining the nature, timing and extent of procedures to be performed.
(v) Identifying the activities warranting special focus based on the materiality and criticality of such activities, and their overall effect on operations of the entity.
(vi) Identifying and allocating staff to the different activities to be undertaken.
(vii) Setting the time budget for each of the activities.
(viii) Identifying the reporting responsibilities.

The internal auditor may refer to Standard on Internal Audit (SIA) 1, Planning an Internal Audit for guidance in this regard.

Terms of Internal Audit Engagement

6.6 The client is expected to formally communicate the appointment to the internal auditor. Upon receiving the communication, the internal auditor should send an engagement letter, preferably before the commencement of engagement so as to avoid any misunderstandings. The internal auditor and the client/auditee should record the terms of engagement in the letter or other suitable form of contract and it shall also confirm objective and scope of internal audit with the client. The engagement letter should, generally, include reference to the following aspects:
(i) Objective of the internal audit;
(ii) Management’s responsibilities;
(iii) Scope of internal audit (including reference to the applicable legislation, regulation and various pronouncements of ICAI);
(iv) Access to records, documents and information required in connection with the internal audit;
(v) Expectation to receive management’s written confirmation in respect to representation made in connection with the audit;
(vi) Basis on which fees shall be computed and the billing arrangements thereof.

Any changes in the terms of the appointment should be communicated in written form. Moreover, the internal audit may be on a continuous basis, monthly, quarterly or even annual. It is important for the internal auditor to ensure that the periodicity of the internal audit is sufficient in the light of overall business condition. The Internal Auditor may refer to Standard on Internal Audit (SIA) 8, Terms of Internal Audit Engagement that establishes Standards and provides guidance in respect of terms of engagement of the internal audit activity whether carried out in house or by an external agency.
Knowledge of the Business

6.7 Prior to commencement of internal audit assignment, the internal auditor should have or obtain the knowledge of the business. The internal auditor should acquire sufficient knowledge to enable him to identify and understand the events, transactions and practices that can have significant effect on the internal audit process. Such knowledge shall be helpful to the internal auditor in assessing the inherent risk and control risk and in determining the nature, timing and extent of the internal audit procedures. Knowledge of the business assists the internal auditor in:
(i) Assessing the risk and identifying the problems;
(ii) Planning and performing the internal audit effectively and efficiently;
(iii) Evaluating audit evidence; and
(iv) Providing better service to the client.

The internal auditor should prepare the flow of events, transactions, processes and practices within the organization. This will help him in gaining better understanding of the process and the existence of the internal controls. The internal auditor may refer to Standard on Internal Audit (SIA) 15, Knowledge of the Entity and its Environment for detailed guidance on what constitutes knowledge of an entity’s business, its importance to various phases of an internal audit engagement and the techniques to be adopted by the internal auditor in acquiring such knowledge about the client and its environment.

Audit Planning, Materiality and Sampling

6.8 After acquiring the knowledge of business and various laws and regulations applicable to the tendering process, the internal auditor should plan out the internal audit activity. Planning helps in achieving the objectives of internal audit function.
Adequate planning ensures that:
(i) Appropriate attention is devoted to significant areas of audit
(ii) Potential problems are identified
(iii) Skills and time of the staff are appropriately utilized
(iv) Work is carried out in accordance with the applicable pronouncements of ICAI
(v) Work is carried out in conformity with the applicable laws and regulations.

6.9 In preparing an internal audit program, an internal auditor should obtain an understanding of the accounting and internal control system prevalent within the entity and exercise preliminary judgment regarding the critical areas to be considered during the internal audit. It also helps the internal auditor in determining the audit materiality, nature and extent of audit procedures to be adopted. While designing an audit sample the internal auditor should consider the specific audit objectives, materiality, population from which the internal auditor wishes to select the sample, area of audit significance and the sample size. The guidance regarding sampling has been provided in Standard on Internal Audit (SIA) 5, Sampling.

Internal Control

6.10 Internal controls are a system consisting of specific policies and procedures designed to provide management with reasonable assurance that the goals and objectives it believes important to the entity will be met. “Internal Control System” means all the policies and procedures (internal controls) adopted by the management of an entity to assist in achieving management’s objective of ensuring, as far as practicable, the orderly and efficient conduct of its business, including adherence to management policies, the safeguarding of assets, the prevention and detection of fraud and error, the accuracy and completeness of the accounting records, and the timely preparation of reliable financial information.
The internal audit function constitutes a separate component of internal control with the objective of determining whether other internal controls are well designed and properly operated.

6.11 Internal control system consists of following inter-related components:
(i) Control (Or Operating) Environment
(ii) Risk Assessment
(iii) Control Objectivity Setting
(iv) Event Identification
(v) Control Activities
(vi) Information and Communication
(vii) Monitoring
(viii) Risk Response.

6.12 The system of internal control must be under continuous supervision by management to determine that it is functioning as prescribed and is modified, as appropriate, for changes in environment. The internal control system extends beyond those matters which relate directly to the functions of the accounting system.

6.13 The internal auditor should obtain an understanding of the significant processes and internal control systems sufficient to plan the internal audit engagement and develop an effective internal audit approach. The internal auditor should use professional judgment to assess and evaluate the maturity of the entity’s internal control. The auditor should obtain an understanding of the control environment sufficient to assess management’s attitudes, awareness and actions regarding internal controls and their importance in the entity.

6.14 The internal auditor should examine the continued effectiveness of the internal control system through evaluation and make recommendations, if any, for improving that effectiveness. The importance of internal controls in a tendering process need not be over-emphasized. Internal audit plays a major role in determining the effectiveness of internal controls and highlights areas for improvement. The Internal auditor may also refer to Standard on Internal Audit (SIA) 12, Internal Control Evaluation for a detailed guidance on internal control.
Consideration of Fraud in an Internal Audit

6.15 The primary responsibility for prevention and detection of frauds is that of the management of the entity. The internal auditor should, however, help the management fulfill its responsibilities relating to fraud prevention and detection. The internal auditor should obtain an understanding of the various aspects of the control environment and evaluate the same as to the operating effectiveness. The internal auditor should specifically evaluate the policies and procedures established by the management to identify and assess the risk of frauds, including the possibility of fraudulent financial reporting and misappropriation of assets. The internal auditor should assess the operating effectiveness of the policies and procedures established by the management to enable to make timely and effective decisions and discharge their responsibilities efficiently. The internal auditor should assess whether the controls implemented by the management to ensure that the risks identified are responded to as per the policy or the specific decision of the management, as the case may be, are in fact working effectively and whether they are effective in prevention or timely detection and correction of the frauds or breach of internal controls. The internal auditor should evaluate the mechanism in place for supervision and assessment of the internal controls to identify instances of any actual or possible breaches therein and to take corrective action on a timely basis. The Standard on Internal Audit (SIA) 11, Consideration of Fraud in an Internal Audit covers this aspect.
Internal Audit in an Information Technology Environment

6.16 Computer Information System (CIS) environment exists when one or more computer(s) of any type or size is (are) involved in the processing of financial information, including quantitative data and the significance in relation to the audit, whether those computers are operated by the entity or third party.

6.17 The overall objective and scope of internal audit does not change in a CIS environment. However, the use of computer changes the processing, storage, retrieval and communication of financial information and may affect the accounting and internal control systems employed by the entity. Moreover, the risks involved in an internal audit may too undergo a change. The internal auditor should have sufficient knowledge of the CIS environment to plan, direct, supervise, control and review the work performed.

6.18 The data in an entity operating in CIS environment is, generally, voluminous. The CIS automatically generates material transactions or entries and exchanges transactions automatically with other organizations as in electronic data interface (EDI) systems. Source documents, computer files and other evidential matter exist only for short period and in machine readable form. The use of the Computer Assisted Audit Technique (CAAT) shall increase the efficiency in the performance and enable the internal auditor to economically apply certain procedures to the entire population or accounts transaction.

6.19 The internal auditor should understand the CIS Environment in designing audit procedures to reduce the audit risk to an acceptable low level. The internal auditor should also document the audit plan, the nature, the timing and the extent of audit procedures performed and the conclusions drawn from the evidence obtained which may be in the electronic form.
The internal auditor should ensure that such electronic evidence is adequately and safely stored and is retrievable in its entirety, as and when required.

6.20 The internal auditor may refer to Standard on Internal Audit (SIA) 14, Internal Audit in an Information Technology Environment for guidance on procedures to be followed when an audit is conducted in a computer information systems (CIS) environment.

Overview of Compliance

6.21 Compliance means ensuring conformity and adherence to regulatory acts, rules, procedures, laws, regulation, directives and circulars. Standard on Internal Audit (SIA) 17 issued by the ICAI relating to Consideration of Laws and Regulations in an Internal Audit states that when planning and performing audit procedures and in evaluating and reporting the results thereof, the internal auditor should recognize that noncompliance by the entity with laws and regulations may materially affect the financial statements. However, an audit cannot be expected to detect noncompliance with all laws and regulations. Detection of noncompliance, regardless of materiality, requires consideration of the implications for the integrity of management or employees and the possible effect on the other aspects of the audit.

6.22 Non-compliance with laws and regulations could result in financial consequences for the entity such as, fines, litigation, etc. Internal auditor cannot be expected to detect non-compliance with all laws and regulations; however this argument shall not apply to engagements where the internal auditor is specifically engaged to test and report separately on compliance with specific laws and regulations.

6.23 The management is responsible to ensure that the entity’s operations are conducted in accordance with laws and regulations.
The responsibility for prevention and detection of non-compliance shall be that of the management; however the internal auditor should plan and perform the internal audit recognizing that the internal audit may reveal conditions or events that would lead to questioning whether an entity is complying with laws and regulations.

6.24 The term “Non-compliance” refers to acts of omission or commission by the entity being audited, either intentional or unintentional, which are contrary to the prevailing laws and regulations. Such acts include transactions entered into by, or in name of the entity or on its behalf by the management or employees. However, noncompliance does not include personal misconduct (unrelated to the business activity of the entity) by the entity’s management or employees.

Understanding of Laws and Regulations

6.25 Laws and regulations vary considerably in their relation to the financial statements. Some laws or regulations determine the form or content of an entity’s financial statement or the amounts to be recorded or disclosures to be made in financial statements. Other laws or regulations are to be complied with by management or prescribed by the provisions under which the entity is allowed to conduct its business. Non-compliance with laws and regulations could result in financial consequences for the entity such as, fines, litigation, etc. It also has a potential effect on going concern as an entity.

6.26 The internal auditor should plan and perform the audit recognizing that the audit may reveal conditions or events that would lead to questioning whether an entity is complying with laws and regulations. In order to plan the internal audit, the internal auditor should obtain understanding of the legal and regulatory framework applicable to the entity and how the entity is complying with that framework.
6.27 To obtain this understanding, the internal auditor would particularly recognize that non-compliance of some laws and regulations may have a fundamental effect on the operations of the entity and may even cause the entity to cease operation, or call into question the entity’s continuance as going concern. To obtain the understanding of laws and regulations, the internal auditor would ordinarily:
(i) Use the existing knowledge of the entity’s industry and business.
(ii) Inquire with management as to the laws or regulations that may be expected to have a fundamental effect on the operations of the entity.
(iii) Inquire with management concerning the entity’s policies and procedures regarding compliance with laws and regulations.
(iv) Discuss with management the policies or procedures adopted for identifying, evaluating and accounting for litigation claims and assessments.

6.28 After obtaining the understanding, the internal auditor should perform procedures to identify instances of non-compliance with those laws and regulations where non-compliance should be considered while preparing financial statements, specifically:
(i) Inquiring with management as to whether the entity is in compliance with such laws and regulations.
(ii) Inspecting correspondence with the relevant licensing or regulatory authorities.

Significance of Compliance

6.29 The significance of compliance is:

(a) The benefits to the Industry are:
(i) Helps in compliance with legal terms and covenants and thereby reduces penalties and charges
(ii) Increased Internal Control
(iii) Reduction of internal frauds and losses
(iv) More time available for other core activities
(v) Increases efficiency in operations
(vi) Customer satisfaction.

(b) The benefits to the stakeholder are:
(i) Ensures risk containment and safer market place
(ii) Better investor confidence
(iii) Uniform practices
(iv) Better image, hence, better value for the investor.
Chapter 7
Risk Based Internal Audit

7.1 Every organization has certain objectives which it strives to achieve. Organizations nowadays exist in an environment which is very turbulent and constantly changing. This environment can exert risks which could hamper the organization from achieving the objectives. Risk based internal auditing (RBIA) is the methodology which provides assurance that risks are being managed to within the organization’s risk appetite.

7.2 Under the risk based audit approach, firstly, macro level objectives are identified for a particular area or activity in hand. Then risks that may hamper chances to achieve the objectives are identified and documented. Then, the controls that are set taking care of the risks are evaluated by testing the controls.

7.3 The primary objectives of tender procurement are effective and timely supply at reasonable prices and in compliance with laws. There are two elements of risk: likelihood and impact. Depending upon the organization, the risk likelihood and impact may vary accordingly.

7.4 Below mentioned table summarizes the Objectives, Risks and Controls for a particular audit under the risk based audit approach:

Objective: Effective supply

Risk: Not getting the required tender response
Controls: Effective advertisement of tender in dailies/ news-papers/ trade magazines. Adequate time gap between date of advertisement and submission of forms.

Risk: Receiving response from related party vendors
Controls: Adherence to vendor selection norms. Tender form captures details of persons having controlling and governing interest in vendor enterprise. Purchasing products or services from concern in which employees are interested, follow conflict of interest and disclosure policies.

Risk: Not able to supply when required
Controls: Analysis of vendor supply capacity. Reference check. Check on vendor's turnover from financial statements.

Risk: Provides inadequate material/service
Controls: QC checks done at time of receipt of goods. Samples are invited before awarding the tender.

Objective: Reasonable price

Risk: Awarding tender to costly vendor
Controls: Before any tender is advertised, a realistic estimate of the cost is prepared and documented. Review of overall budget, monitoring and reasoning of over shooting documented. Obtained prices/qualities competitive to prices/qualities obtained by other procurement functions/units, comparing obtained or improved value for money. Reasons documented for awarding to other than L1 vendor.

Risk: Payment to vendor without receipt of materials
Controls: Advance payments monitored and reason analysis done for long pending advances. Generation of GRN required to process payment.

Objective: Effective use

Risk: Tendered materials and services not used
Controls: Are purchase orders based on requisitions from authorized signatories. Appropriate Quality check done, certificate of installment/completion received. Order for next batch is given only at reorder level of EOQ. Are materials with Expiry date used on FEFO basis (First Expiry First Out).

Objective: Others

Risk: Compliance risks
Controls: Appropriate controls in place to ensure that procurement complies with relevant legislations.

Risk: Human resource constraints
Controls: Employees have the necessary skills and experience to carry out procurements efficiently. Periodic training conducted for employees.

Risk: Records not available/ Lack of audit trail
Controls: Documented record retention policy adhered and mock audited by departmental/ process head.

Objective: E-tendering

Risk: Basic principles of public procurement compromised
Controls: All statutory, regulatory and contractual requirements are explicitly defined, documented, and kept up to date.

Objective: Efficient IT system

Risk: Spyware & Unauthorized access- Technical vulnerabilities
Controls: Detection, prevention, and recovery controls to protect against malicious code and appropriate user awareness procedures implemented.
Risk: Protection against malicious and mobile code
Controls: Where the use of mobile code is authorized, the configuration shall ensure that the authorized mobile code operates according to a clearly defined security policy, and unauthorized mobile code shall be prevented from executing.

Risk: Inadequate OS Access control
Controls: Access to operating systems shall be controlled by a secure log-on procedure.

The controls mentioned herein are suggestive in nature.

7.5 Suggestive ways to identify whether the documents are real or forged:
(i) Generally, there would be spelling mistakes in commonly used words and spellings.
(ii) They give only a PO Box number for an address, with no street information. If there is also no phone number or email/ website address it could be suspicious.
(iii) Editing or modifications in original document may be seen in different ink or writing.
(iv) Verifying the credentials, such as, PAN No., Service Tax No., Sales Tax No. with its numbering logic and, if possible, with the government database.
(v) In case of physical documents which generally arrive in office in a cover and are folded, if they are without any mark of folding, it could be suspicious, especially, where some pages are folded and some are not.

7.6 Post contract deviations should be closely studied and their impact on overall tender should be evaluated. It should be ensured that major modifications do not wipe out the benefits of tendering process. Such modifications should be avoided and be with approval of seniors along with documented reasons for the same. Strict adherence should be checked for post tendering requirements and deviations in such requirements should, generally, not be accepted.

Chapter 8
Internal Audit Checklist

8.1 A suggestive checklist to help to conduct internal audit is given below. The checklist may be modified depending upon the tendering process at the organization being audited.

General

S.No.  Particulars  Y / N / N/A
1. Adequate records are maintained throughout the procurement process and provide sufficient information to enable an internal audit or independent review.
2. There is a documented policy on decision making regarding tender.
3. Entire process of tendering is adequately and completely documented.
4. Does the policy document stipulate action in case of cancellation of contract.
5. Whether issues arising on previous internal audit adequately resolved.
6. Are issues highlighted by whistle-blower relating to tendering adequately resolved.

Planning the Purchase

S.No.  Particulars  Y / N / N/A
1. Appropriate approval to purchase has been obtained in accordance with the organization's delegation of authority.
2. Advertisement is floated long before the submission date for tenders.
3. Appropriate procedures are in place to ensure that respondents submitting tenders are dealt with fairly and equitably during the tender process.
4. An estimate of the cost of the goods/ services has been developed and funding/ approved budget is available.
5. A Procurement Plan has been developed and the most appropriate procurement methodology has been determined.
6. Market research and consultation has been undertaken.
7. Specifications have been clearly defined.
8. Specifications do not restrict competition, reflect bias to any brand, or act as a barrier to the consideration of any alternatives and address value for money considerations.
9. A tender evaluation and probity plan has been developed.
10. A specific closing time, date and place of lodgment, has been allocated and communicated.
11. An evaluation committee has been established and members are familiar with procurement processes.
12. Procedures are in place to deal with potential conflicts of interest.
13. Confidentiality and conflict of interest documents have been obtained from all members of the Evaluation Committee and details of action taken to manage any conflicts of interest are recorded.
14. Evaluation criteria, weightage (preferably in %) and an evaluation methodology have been defined.
15. Evaluation criteria have been based on the specifications.
16. Impact on environment/ Climate Change is included in the evaluation criteria (wherever applicable).
17. A risk assessment and mitigation plan has been developed.
18. A contract management plan has been put in place.

Documentation

S.No.  Particulars  Y / N / N/A
1. The RFT documentation provides all the information necessary to enable potential suppliers to prepare appropriate submissions. The RFT contains:
(a) a clear description of the goods and/or services to be procured;
(b) all conditions for participation;
(c) details of the evaluation criteria to be used in the assessment of tenders, the evaluation methodology and any weightage to be used in the assessment;
(d) details of the information/ documentary evidence that should be provided by suppliers;
(e) all other relevant terms and conditions of the tender;
(f) details of any applicable government policies and principles;
(g) details of the agency contact information;
(h) details of the specified closing time, date and place of lodgment;
(i) advice on the treatment of delayed/ late tenders;
(j) advice on any pre-tender briefing sessions;
(k) pricing requirements (e.g., price to be exclusive of GST) including, if applicable, any requirements in relation to out-of-pocket expenses;
(l) indication as to whether alternative tenders will be considered.

Inviting Tenders

S.No.  Particulars  Y / N / N/A
1. The tender has been placed on the designated Tender website or adequately advertised as per documented procedure.
2. Copies of the Request for Tender documentation have been sent to identified businesses (in addition to the publication of the notice).
3. Details of businesses issued with the RFT have been recorded.
4. RFT documentation has been made available electronically.
5. Sufficient time has been provided to allow the preparation of tenders.
6. If addenda were issued, they were issued to all suppliers who were issued with the RFT documentation.
7. All potential suppliers to whom addenda were issued were requested to confirm receipt of the addenda.
8. If addenda were issued, sufficient time was provided to allow vendors to amend their tender.
9. Any extension of the time limit for suppliers to respond was applied equally to all suppliers.

Receiving Tenders

S.No.  Particulars  Y / N / N/A
1. Fair and impartial procedures were in place in relation to opening of tenders.
(a) A secure facility for the receipt of tenders has been provided at the designated tender submission location.
(b) The tender documentation was not opened until after the notified closing time of the tender.
(c) Tenders were opened in the presence of at least three officers, including two senior officers of the Agency.
(d) All tenders received were clearly identified and recorded.
(e) The vendors signed all tender forms and tender schedule pages in the appropriate manner as required in the RFT.
2. The procedures for any delayed/ late tenders have been followed.
3 Check done to ensure fees for    application form is received from all vendors participating. 4 Where potential suppliers have    been provided with an opportunity to correct unintentional errors of form between the opening of submissions and any decision, the same opportunity was provided to all participating potential suppliers. 5 Vendors were advised that    their submissions were received. 6 Information provided by    persons submitting tenders is treated as confidential. 7 Documents have been    secured. Evaluating Tenders S.No. Particulars Y N N/A 1 Tenders are fairly and    equitably evaluated in a manner that is consistent with the Government’s procurement principles. 1084 Technical Guide on Internal Audit of Tendering Process S.No. Particulars Y N N/A 2 Mandatory tender schedules    have been submitted by vendors and checked for compliance. 3 The evaluation criteria,    weightage, and methodology as set out in the tender documents have been used to evaluate the tenders. 4 The recommended vendor is    an acceptable legal entity. 5 The recommended vendor has    complied with the conditions of tender. 6 If a tender is being considered    further, any vendor’s qualifications, documentation departures, commercial conditions, or comments requiring clarification have been noted for resolution. 7 The reasons for not accepting    any tender have been documented on file and are clear and justifiable (e.g. tender substantially not conforming; specified QA requirements not met; vendor has insufficient expertise). 8 The contract is being awarded to the supplier who: (a) satisfies the conditions    for participation; and (b) is fully capable of    undertaking the contract; and 1085 Compendium of Generic Internal Audit Guides S.No. 
Particulars Y N N/A (c) criteria relating to whose    submission is determined to be the lowest price, the best value, or the most advantageous in accordance with the essential requirements and evaluation criteria specified in the notice of tender and the RFT documentation. 9 A Tender Evaluation Report    has been completed, and signed by all members of the Evaluation Committee. 10 Confirmation has been sought    regarding the availability of budget/funds for the actual cost of the goods/ services. Review Committee 8.2 At this stage, the final Evaluation Report, signed by the Evaluation Committee, needs to be endorsed by the Review Committee prior to advice being provided to suppliers on the outcome of the process and before negotiations with the preferred supplier or the contract is awarded Accepting Successful Tender, Finalising Contract and Unsuccessful Tenders S.No. Particulars Y N N/A 1 A submission was made to the    Review Committee, using the appropriate forms, seeking endorsement of the procurement process. 1086 Technical Guide on Internal Audit of Tendering Process S.No. Particulars Y N N/A 2 The Review Committee    endorsed the process used in the procurement. 3 The recommendation of the    Evaluation Committee has been approved by the appropriate delegated authority (e.g. Secretary, Deputy Secretary). 4 The successful and    unsuccessful vendors have been advised of the outcome of the tender. 5 Documents are stored as per    record retention policy applicable to the enterprise. 6 Was actual expenditure in line    with the amount of contract entered after tendering. 1087 Chapter 9 Pitfalls in Tendering Process 9.1 For a Power Industry, the scope included design, engineering, supply, installation, etc. As per the tender requirements, bidders were required to furnish their detailed design and engineering proposal to suit the requirements of the PSU. 
The PSU, while being aware of the above fact, still invited offers in a single bid format, i.e., only techno-financial bids were invited in a single envelope. When the scope of work includes design, engineering, etc., it is always desirable and advisable to invite offers in a two-bid format or two envelopes, i.e., technical and financial, so as to properly evaluate the various options and design philosophy proposed by the various bidders. The price bids of only such bidders whose design and other technical proposals are as per tender requirements should be opened.

9.2 One construction PSU was awarded an offsite area work of a power plant costing Rs. 31 crores. While going in for a pre-tender tie up, they invited offers from two arbitrarily chosen firms, M/s A and M/s B. M/s B became the lowest. The PSU then re-invited the bids from these two firms after deleting two items, i.e., structural steel and sheeting. This time the inter-se seniority changed and M/s A became the L-1. A revised bid was then invited for the third time, only from M/s A, after adding one item of sheeting. M/s A in their revised bid not only quoted higher rates for sheeting, but also increased their rates for other items. Thus, the total pre-tender tie up was entered into in a non-transparent, unfair manner resulting in undue benefit to only one contractor.

9.3 In this case, the original price bid of the L1 bidder was checked and it was found that a stamp was put on each page of the price bid, which contained the date of opening and signatures of the members of the Tender Opening Committee. However, the column for the number of corrections was kept blank and the number of corrections was not mentioned, thereby giving a chance for manipulation in the price bid at a later stage.

9.4 In another project of a Power Sector PSU, the covering letter of the price bid of one of the bidders, to whom the work was finally awarded, had a list of all the documents enclosed in the bid.
However, in the same bid, a letter indicating a discount was also enclosed, but this letter was not mentioned on the first page of the price bid, which contained the list of all the enclosures. Incidentally, this bidder could become L1 only after considering the discount as per this letter, which leaves enough room for suspicion that the discount letter might have been added at a later stage.

9.5 As per the notified qualification criteria for a housing project costing Rs. 13 crores, bidders were required to have experience in housing projects. Four bidders were qualified. Two bidders, M/s A and M/s B, were qualified on the basis of their experience in the construction of a hospital building and an office building respectively. The remaining two bidders, M/s C and M/s D, were qualified on the basis of their experience in construction for private firms. Without verifying the credentials, M/s D was awarded the work. The organization should have re-invited the bids with relaxed criteria so that contractors having experience in other types of multi-storied buildings could also have participated. Further, the organization as a matter of policy should verify the credentials and obtain the TDS certificate from the clients for non-government works.

9.6 Pre-qualification criteria for a power project costing Rs. 220 crores were not made exhaustive. The minimum value of work completed by the bidder in support of their past experience was not stipulated. Five reputed and large firms having experience in power projects were excluded from participation on the flimsy ground of executing small value works. Since no minimum value of work was mentioned, this ground of exclusion of these firms was totally unfair. Out of the two firms qualified, one firm, PSU 'B', had experience of work costing only Rs. 31.00 crores. If the same yardstick had been applied uniformly, the other excluded firms would also have qualified.
The second firm, 'S', which ultimately became L-1, was qualified on the basis of work in progress against the requirement of completed work. Thus, on the one hand eligible firms were disqualified, and on the other hand an ineligible firm was qualified. There appeared to be hardly any competition. The quoted rates of PSU 'B' were unreasonably high (Rs. 320 crores) as against the L-1's rates (Rs. 220 crores), clearly indicating its role as a supporting firm only.

9.7 In this case, a PSU amended the Qualification Criteria through a corrigendum in such a way that suited a particular firm, i.e., the successful bidder. Normally, the offered equipments are required to have a proven performance for a certain period, say two years or one year, on the date of opening of the bid. But in this case, the amended qualification criteria did not specify any period and rather envisaged that the equipment should be in satisfactory operation as on the date of bid opening. This requirement was fulfilled by the said firm based on a user certificate stating that the offered equipments were working satisfactorily since November 2000 as against the bid opening date of 4.6.2001. Incidentally, the original Qualification Criteria envisaged a specific technology based equipment having satisfactory operation for at least two years as on the date of opening of bids. The period of successful operation of the equipment was deliberately not specified in the amended qualification criteria to suit a particular firm.

9.8 In Road contracts, a condition was stipulated that the entire quantity of bitumen to be used in the work shall be brought by the contractor before commencement of work. At the same time, under the escalation clause, it was mentioned that the difference between the actual purchase rate and the stipulated rate (for issue of bitumen by the Department), as and when the bitumen is brought by the contractor, shall be paid to the contractor.
The two stipulations were ambiguous. But the latter was operated to the benefit of the contractor to the tune of Rs. 1.5 crores on account of escalation in the price of bitumen.

9.9 In a Railway project, the tender documents were issued to all the applicants without checking the criteria of selection specified in the tender notice. This resulted in opening of price bids of ineligible applicants also. Subsequently, the work was awarded to an ineligible contractor on the pretext of being the lowest. The same resulted in inordinate delay and rescission of the contract.

9.10 One Government Department awarded the work to a PSU, and the PSU in turn awarded the work to a contractor (without inviting tender) at 5% lower than the tendered amount accepted by the Govt. Department. In the above illustration, the following irregularities were observed:
(i) The Govt. Department awarded the work at higher rates;
(ii) The Govt. Department allowed the PSU to sublet the contract against the provisions in the agreement; and
(iii) The PSU awarded the work without call of tenders to a favorite contractor.

9.11 In a hydel work, insurance for flood was not obtained by the contractor even though a specific provision existed in the agreement, resulting in a large saving to the contractor. During execution, a flood occurred, resulting in a huge loss to the department that could not be recovered from the contractor.

9.12 In one of the works being executed by a PSU, no provision was made for issue of machinery to the contractor. On the contractor's failure to deploy the required machinery, the machinery was issued by the Department and hire charges were fixed at a much lower rate than the prevailing market rates, resulting in undue advantage to the contractor.

9.13 In one work, the contract was rescinded due to delay on the part of the contractor in completion of building.
The work was awarded to another contractor on single tender basis with additional liability of approx. Rs. 44.0 lakhs. No action was taken by the department to encash the various bank guarantees to recover the additional liability from the defaulting contractor, resulting in undue favor to the contractor.

9.14 In one building work, RCC structure was substituted with structural steel and pre-cast slab and the requirement was justified by showing urgency in completion. The extra cost on account of substitution was Rs. 1.00 crore (approx.) but the work could not be completed in the revised period of completion. Thus, the substitution was aimed to favor the contractor.

Appendix 1

No. 008/CRD/013
Government of India
Central Vigilance Commission
Satarkta Bhawan, Block-A, GPO Complex, INA, New Delhi-110023.
Dated: 18/5/09

Circular No. 10/5/09

Subject: Adoption of Integrity Pact-Standard Operating Procedure- reg.

The Commission has formulated "Standard Operating Procedure" for adoption of Integrity Pact in major Govt. Department/organizations. A copy of the same is enclosed for information and necessary action.

Sd/-
(Shalini Darbari)
Director

All Chief Vigilance Officers

NOTE: SECTION 6.02 (i) & 6.02 (ii) OF THE SOP ON INTEGRITY PACT HAS BEEN DELETED WITH CIRCULAR No. 31/08/10 DATED 13.8.10.

Subject: - Adoption of Integrity Pact -Standard Operating Procedure-reg.

1.0 Background

1.01 The Central Vigilance Commission has been promoting Integrity, transparency, equity and competitiveness in Government/PSU transactions and as a part of vigilance administration and superintendence. Public procurement is a major area of concern for the Central Vigilance Commission and various steps have been taken to put proper systems in place.
Leveraging technology, especially wider use of the web sites for disseminating information on tenders, clearly defining the pre qualification criteria and other terms and conditions of the tender are some of the steps recently taken at the instance of the Commission. In this context, Integrity Pact (IP), a vigilance tool conceptualized and promoted by the Transparency International, has been found to be useful. The Commission has, through its Office Orders No. 41/12/07 dated 04.12.07 and 43/12/07 dated 28.12.07 and Circulars No. 18/05/08 dated 19.05.08 and 24.08.08 dated 05.08.2008 (copies appended), recommended adoption of Integrity Pact and provided basic guidelines for its implementation in respect of major procurements in the Government Organizations.

2.0 Integrity Pact

2.01 The pact essentially envisages an agreement between the prospective vendors/bidders and the buyer, committing the persons/officials of both sides, not to resort to any corrupt practices in any aspect/stage of the contract. Only those vendors/bidders, who commit themselves to such a Pact with the buyer, would be considered competent to participate in the bidding process. In other words, entering into this Pact would be a preliminary qualification. The essential ingredients of the Pact include:
• Promise on the part of the principal not to seek or accept any benefit, which is not legally available;
• Principal to treat all bidders with equity and reason;
• Promise on the part of bidders not to offer any benefit to the employees of the Principal not available legally;
• Bidders not to enter into any undisclosed agreement or understanding with other bidders with respect to prices, specifications, certifications, subsidiary contracts, etc.
• Bidders not to pass any information provided by Principal as part of business relationship to others and not to commit any offence under PC/ IPC Act;
• Foreign bidders to disclose the name and address of agents and representatives in India and Indian Bidders to disclose their foreign principals or associates;
• Bidders to disclose the payments to be made by them to agents / brokers or any other intermediary.
• Bidders to disclose any transgressions with any other company that may impinge on the anti corruption principle.

2.02 Integrity Pact, in respect of a particular contract, would be operative from the stage of invitation of bids till the final completion of the contract. Any violation of the same would entail disqualification of the bidders and exclusion from future business dealings.

3.0 Implementation procedure:

3.01 Adoption of IP is voluntary for any organization, but once adopted, it should cover all tenders /procurements above a specified threshold value.

3.02 The threshold value for the contracts to be covered through IP should be decided after conducting proper ABC analysis and should be fixed so as to cover 90-95% of the total procurements of the organization in monetary terms.

3.03 Apart from all high value contracts, any contract involving complicated or serious issues could be brought within the ambit of IP, after a considered decision of the management

3.04 The Purchase / procurement wing of the organization would be the focal point for the implementation of IP.

3.05 The Vigilance Department would be responsible for review, enforcement, and reporting on all related vigilance issues.

3.06 It has to be ensured, through an appropriate provision in the contract, that IP is deemed as part of the contract so that the parties concerned are bound by its provisions.

3.07 IP should cover all phases of the contract, i.e. from the stage of Notice Inviting Tender (NIT)/pre-bid stage till the conclusion of the contract, i.e. the final payment or the duration of warranty/guarantee.

3.08 IP would be implemented through a panel of Independent External Monitors (IEMs), appointed by the organization. The IEM would review independently and objectively, whether and to what extent parties have complied with their obligations under the Pact.

3.09 Periodical Vendors' meets, as a familiarization and confidence building measure, would be desirable for a wider and realistic compliance of the principles of IP.

3.10 Information relating to tenders in progress and under finalization would need to be shared with the IEMs on monthly basis.

4.0 Role/ Functions of IEMs:

4.01 IEM would have access to all Contract documents, whenever required. Ideally, all IEMs of an organization should meet in two months to take stock of the ongoing tendering processes.

4.02 It would be desirable to have structured meeting of the IEMs with the Chief Executive of the organization on a monthly basis to discuss/review the information on tenders awarded in the previous month.

4.03 The IEMs would examine all complaints received by them and give their recommendations/views to the Chief Executive of the organization, at the earliest. They may also send their report directly to the CVO and the Commission, in case of suspicion of serious irregularities requiring legal/administrative action.

4.04 At least one IEM should be invariably cited in the NIT. However, for ensuring the desired transparency and objectivity in dealing with the complaints arising out of any tendering process, the matter should be examined by the full panel of IEMs, who would look into the records, conduct an investigation, and submit their joint recommendations to the Management

4.05 The recommendations of IEMs would be in the nature of advice and would not be legally binding.
At the same time, it must be understood that IEMs are not consultants to the Management. Their role is independent in nature and the advice once tendered would not be subject to review at the request of the organization.

4.06 The role of the CVO of the organization shall remain unaffected by the presence of IEMs. A matter being examined by the IEMs can be separately investigated by the CVO in terms of the provisions of the CVC Act or Vigilance Manual, if a complaint is received by him or directed to him by the Commission.

5.0 Appointment of IEMs

5.01 The IEMs appointed should be eminent personalities of high integrity and reputation. The Commission would approve the names of IEMs out of the panel of names, initiated by the organization concerned, in association/consultation with the CVO.

5.02 While forwarding the panel, the organization would enclose detailed bio-data in respect of all names proposed. The details would include postings before superannuation, special achievements, experience, etc., in Government sector. It is desirable that the persons proposed possess domain experience of the PSU activities or the relevant field with which they may be required to deal.

5.03 A maximum of three IEMs would be appointed for Navratna PSUs and up to two IEMs for others.

5.04 Organizations could propose a panel of more than three names for the consideration of the Commission.

5.05 Persons appointed as IEMs in two organizations would not be considered for a third organization.

5.06 For PSUs having a large territorial spread or those having several subsidiaries, there could be more IEMs, but not more than two IEMs would be assigned to one subsidiary.

5.07 Remuneration payable to the IEMs would be equivalent to that admissible to an Independent Director in the organization. This remuneration would be paid by the organization concerned.
5.08 The terms and conditions of appointment, including the remuneration payable to the IEMs, should not be included in the Integrity Pact or the NIT. They could be communicated individually to the IEMs concerned.

5.09 The normal term of appointment for an IEM would be 3 years, and it would be subject to renewal by the Commission thereafter.

6.0 Review System:

6.01 An internal assessment of the impact of IP shall be carried out periodically by the CVOs of the organizations and reported to the Commission.

6.02 Two additional reviews are envisaged for each organization in due course.
(i) Financial impact review, which could be conducted through an independent agency like auditors, and
(ii) Physical review, which could be done through an NGO of tested credibility in the particular field.

6.03 It is proposed to include the progress in the implementation of IP in the Annual Report of the Commission. CVOs of all organizations would keep the Commission posted with the implementation status through their monthly reports or special reports, wherever necessary.

7.0 All organizations are called upon to make sincere and sustained efforts to imbibe the spirit and principles of the Integrity Pact and carry it to its effective implementation.

Enclosures: All earlier guidelines, issued by the Central Vigilance Commission, on the subject.

******

No.007/VGL/033
Government of India
Central Vigilance Commission
Satarkta Bhawan, Block-A, GPO complex, INA, New Delhi-110023
Dated the 4th December 2007

Office Order No.41/12/07

Subject: Adoption of Integrity Pact in major Government Procurement Activities- regarding.

1. Ensuring transparency, equity and competitiveness in public procurement has been a major concern of the Central Vigilance Commission and various steps have been taken by it to bring this about.
Leveraging technology specially wider use of the web-sites for disseminating information on tenders, tightly defining the pre-qualification criteria and other terms and conditions of the tender are some of the steps recently taken at the instance of the Commission in order to bring about greater transparency and competition in the procurement/award of tender.

2. In this context, Integrity Pact, a vigilance tool first promoted by the Transparency International, has been found to be useful. The Pact essentially envisages an agreement between the prospective vendors/bidders and the buyer committing the persons/officials of both the parties, not to exercise any corrupt influence on any aspect of the contract. Only those vendors/bidders who have entered into such an Integrity Pact with the buyer would be competent to participate in the bidding. In other words, entering into this Pact would be a preliminary qualification. The Integrity Pact in respect of a particular contract would be effective from the stage of invitation of bids till the complete execution of the contract.

3. The Integrity Pact envisages a panel of Independent External Monitors (IEMs) approved for the organization. The IEM is to review independently and objectively, whether and to what extent parties have complied with their obligations under the Pact. He has right of access to all project documentation. The Monitor may examine any complaint received by him and submit a report to the Chief Executive of the organization, at the earliest. He may also submit a report directly to the CVO and the Commission, in case of suspicion of serious irregularities attracting the provisions of the PC Act. However, even though a contract may be covered by an Integrity Pact, the Central Vigilance Commission may, at its discretion, have any complaint received by it relating to such a contract, investigated.

4. The Commission would recommend the Integrity Pact concept and encourage its adoption and implementation in respect of all major procurements of the Govt. organizations. As it is necessary that the Monitors appointed should be of high integrity and reputation, it has been decided that the Commission would approve the names of the persons to be included in the panel. The Government Organizations are, therefore, required to submit a panel of names of eminent persons of high integrity and repute and experience in the relevant field, through their administrative Ministry, for consideration and approval by the Commission as Independent External Monitors. The terms and conditions including the remuneration payable to the Monitors need not be a part of the Integrity Pact and the same could be separately communicated. It has also to be ensured by an appropriate provision in the contract, that the Integrity Pact is deemed as part of the contract in order to ensure that the parties are bound by the recommendation of the IEMs, in case any complaint relating to the contract, is found substantiated.

5. A copy of the Integrity Pact, which the SAIL got vetted by the Addl. Solicitor General is available on the Commission's web-site i.e. www.cvc.nic.in as an attachment to this Office Order in downloadable form, which may be used in original or may be suitably modified in order to meet the individual organization's requirements.

Sd/-
(Vineet Mathur)
Deputy Secretary

All Secretaries to the Govt. of India
All CMDs of PSUs
All CMDs of PSBs
All CVOs

Steel Authority of India Limited (SAIL) hereinafter referred to as "The Principal".
And hereinafter referred to as "The Bidder/Contractor"

Preamble

The Principal intends to award, under laid down organizational procedures, contract/s for ___________ The Principal values full compliance with all relevant laws of the land, rules, regulations, economic use of resources and of fairness/transparency in its relations with its Bidder(s) and /or Contractor(s). In order to achieve these goals, the Principal will appoint an Independent External Monitor (IEM), who will monitor the tender process and the execution of the contract for compliance with the principles mentioned above.

Section 1: Commitments of the Principal

1. The Principal commits itself to take all measures necessary to prevent corruption and to observe the following principles:
a. No employee of the Principal, personally or through family members, will in connection with the tender for, or the execution of a contract, demand, take a promise for or accept, for self or third person, any material or immaterial benefit which the person is not legally entitled to.
b. The Principal will during the tender process treat all Bidder(s) with equity and reason. The Principal will in particular, before and during the tender process, provide to all Bidder(s) the same information and will not provide to any Bidder(s) confidential/additional information through which the Bidder(s) could obtain an advantage in relation to the process or the contract execution.
c. The Principal will exclude from the process all known prejudiced persons.

2. If the Principal obtains information on the conduct of any of its employees which is a criminal offence under the IPC/PC Act, or if there is a substantive suspicion in this regard, the Principal will inform the Chief Vigilance Officer and in addition can initiate disciplinary actions.

Section 2: Commitments of the Bidder(s)/ Contractor(s)

1. The Bidder(s)/Contractor(s) commit himself to take all measures necessary to prevent corruption.
He commits himself to observe the following principles during his participation in the tender process and during the contract execution.

a. The Bidder(s)/Contractor(s) will not, directly or through any other persons or firm, offer, promise or give to any of the Principal's employees involved in the tender process or the execution of the contract or to any third person any material or other benefit which he/she is not legally entitled to, in order to obtain in exchange any advantage or during the execution of the contract.

b. The Bidder(s)/Contractor(s) will not enter with other Bidders into any undisclosed agreement or understanding, whether formal or informal. This applies in particular to prices, specifications, certifications, subsidiary contracts, submission or non-submission of bids or any other actions to restrict competitiveness or to introduce cartelization in the bidding process.

c. The Bidder(s)/Contractor(s) will not commit any offence under the relevant IPC/PC Act; further the Bidder(s)/Contractor(s) will not use improperly, for purposes of competition or personal gain, or pass on to others, any information or document provided by the Principal as part of the business relationship, regarding plans, technical proposals and business details, including information contained or transmitted electronically.

d. The Bidder(s)/Contractor(s) of foreign origin shall disclose the name and address of the Agents/representatives in India, if any. Similarly, the Bidder(s)/Contractor(s) of Indian Nationality shall furnish the name and address of the foreign principals, if any. Further details as mentioned in the "Guidelines on Indian Agents of Foreign Suppliers" shall be disclosed by the Bidder(s)/Contractor(s). Further, as mentioned in the Guidelines all the payments made to the Indian agent/representative have to be in Indian Rupees only.

e. The Bidder(s)/Contractor(s) will, when presenting his bid, disclose any and all payments he has made, is committed to or intends to make to agents, brokers or any other intermediaries in connection with the award of the contract.

2. The Bidder(s)/Contractor(s) will not instigate third persons to commit offences outlined above or be an accessory to such offences.

Section 3: Disqualification from tender process and exclusion from future contracts

If the Bidder(s)/Contractor(s), before award or during execution has committed a transgression through a violation of Section 2 above or in any other form such as to put his reliability or credibility in question, the Principal is entitled to disqualify the Bidder(s)/Contractor(s) from the tender process or take action as per the procedure mentioned in the "Guidelines on Banning of business dealings".

Section 4: Compensation for Damages

1. If the Principal has disqualified the Bidder(s) from the tender process prior to the award according to Section 3, the Principal is entitled to demand and recover the damages equivalent to Earnest Money Deposit/Bid Security.

2. If the Principal has terminated the contract according to Section 3, or if the Principal is entitled to terminate the contract according to Section 3, the Principal shall be entitled to demand and recover from the Contractor liquidated damages of the Contract value or the amount equivalent to Performance Bank Guarantee.

Section 5: Previous Transgression

1. The Bidder declares that no previous transgressions occurred in the last three years with any other company in any country conforming to the anti corruption approach or with any other public sector enterprise in India that could justify his exclusion from the tender process.

2. If the bidder makes incorrect statement on this subject, he can be disqualified from the tender process or action can be taken as per the procedure mentioned in "Guidelines on Banning of business dealings".

Section 6: Equal treatment of all Bidders/Contractors/Subcontractors

1. The Bidder(s)/Contractor(s) undertake(s) to demand from all subcontractors a commitment in conformity with this Integrity Pact, and to submit it to the Principal before contract signing.

2. The Principal will enter into agreements with identical conditions as this one with all bidders, contractors and subcontractors.

3. The Principal will disqualify from the tender process all bidders who do not sign this Pact or violate its provisions.

Section 7: Criminal charges against violating Bidder(s)/Contractor(s)/Subcontractor(s)

If the Principal obtains knowledge of conduct of a Bidder, Contractor or Subcontractor, or of an employee or a representative or an associate of a Bidder, Contractor or Subcontractor which constitutes corruption, or if the Principal has substantive suspicion in this regard, the Principal will inform the same to the Chief Vigilance Officer.

Section 8: Independent External Monitor/Monitors

1. The Principal appoints competent and credible Independent External Monitor for this Pact. The task of the Monitor is to review independently and objectively, whether and to what extent the parties comply with the obligations under this agreement.

2. The Monitor is not subject to instructions by the representatives of the parties and performs his functions neutrally and independently. He reports to the Chairman, SAIL.

3. The Bidder(s)/Contractor(s) accepts that the Monitor has the right to access without restriction to all project documentation of the Principal including that provided by the Contractor.
The Contractor will also grant the Monitor, upon his request and demonstration of a valid interest, unrestricted and unconditional access to his project documentation. The same is applicable to Subcontractors. The Monitor is under contractual obligation to treat the information and documents of the Bidder(s)/Contractor(s)/Subcontractor(s) with confidentiality.

4. The Principal will provide to the Monitor sufficient information about all meetings among the parties related to the Project provided such meetings could have an impact on the contractual relations between the Principal and the Contractor. The parties offer to the Monitor the option to participate in such meetings.

As soon as the Monitor notices, or believes to notice, a violation of this agreement, he will so inform the Management of the Principal and request the Management to discontinue or take corrective action, or to take other relevant action. The Monitor can in this regard submit non-binding recommendations. Beyond this, the Monitor has no right to demand from the parties that they act in a specific manner, refrain from action or tolerate action.

The Monitor will submit a written report to the Chairman, SAIL within 8 to 10 weeks from the date of reference or intimation to him by the Principal and, should the occasion arise, submit proposals for correcting problematic situations.

Monitor shall be entitled to compensation on the same terms as being extended to/provided to Independent Directors on the SAIL Board.

If the Monitor has reported to the Chairman, SAIL, a substantiated suspicion of an offence under relevant IPC/PC Act, and the Chairman, SAIL has not, within the reasonable time, taken visible action to proceed against such offence or reported it to the Chief Vigilance Officer, the Monitor may also transmit this information directly to the Central Vigilance Commissioner.

The word 'Monitor' would include both singular and plural.
Section 9 - Pact Duration

This pact begins when both parties have legally signed it. It expires for the Contractor 10 months after the last payment under the contract, and for all other Bidders & months ---- the contract has been awarded.

If any claim is made/lodged during this time, the same shall be binding and continue to be valid despite the lapse of this pact as specified above, unless it is discharged/determined by Chairman of SAIL.

Section 10 - Other provisions

This agreement is subject to Indian Law. Place of performance and jurisdiction is the Registered Office of the Principal, i.e. New Delhi.

Changes and supplements as well as termination notices need to be made in writing. Side agreements have not been made.

If the Contractor is a partnership or a consortium, this agreement must be signed by all partners or consortium members.

Should one or several provisions of this agreement turn out to be invalid, the remainder of this agreement remains valid. In this case, the parties will strive to come to an agreement to their original intentions.

_____________________________                 ____________________________
(For & on behalf of the Principal)            (For & On behalf of Bidder/Contractor)
(Office Seal)                                 (Office Seal)

Place ------------------
Date ------------------

Witness 1: (Name & Address) _______________________
Witness 2: (Name & Address) _______________________

No.007/VGL/033
Government of India
Central Vigilance Commission
Satarkta Bhawan, Block-A
GPO complex, INA,
New Delhi-110023
Dated the 28th December 2007

Office Order No.43/12/07

Subject: Adoption of Integrity Pact in major Government Procurement Activities- regarding.

Reference is invited to Commission's office order no. 41/12/2007 circulated vide letter of even no. dated 4/12/2007 on the aforementioned subject.

2. The Commission vide Para 4 of the aforementioned office order had directed that the organizations were required to forward a panel of names of the eminent persons of high integrity through their administrative ministries for consideration and approval by the Commission as IEMs.

3. The matter has been reconsidered by the Commission and in order to simplify the procedure and avoid delay, it has been decided that the organizations may forward the panel of names of eminent persons for appointment and consideration as IEMs directly to the Commission for approval.

4. Para 4 of the Commission's circular cited above stands amended to this extent.

Sd/-
(Vineet Mathur)
Deputy Secretary

All Chief Vigilance officers

No. 008VGL/001
Government of India
Central Vigilance Commission
Satarkta Bhawan, Block-A
GPO complex, INA,
New Delhi-110023
Dated, the 19th May, 2008

Circular No.18/05/08

Sub: - Adoption of Integrity Pact in major Government Procurement Activities- regarding.

The Commission vide its office order no. 41/12/07 dated 4/12/07 had circulated a letter no. 007/vgl/033 emphasizing the need to adopt Integrity Pact (IP) by government organizations in respect of their major procurement activities. The Commission had also directed that in order to ensure compliance with the obligations under the pact by the parties concerned, Independent External Monitors (IEMs) are to be appointed after obtaining approval of the Commission for the names to be included in the panel.

2. As the role of IEMs is very important in ensuring implementation of the IP, it is necessary that the persons recommended for appointment have adequate experience in the relevant fields and are of high integrity and reputation.

3. The Commission would, therefore, direct that the organizations, while forwarding the names of the persons for empanelment as IEMs should send a detailed bio-data in respect of each of the persons proposed.
The bio-data should, among other things, include the postings during the last ten years before the superannuation of the persons proposed as IEMs, in case the names relate to persons having worked in the government sector. The bio-data should also include details regarding experience older than ten years before superannuation of the persons proposed as IEMs, if they have relevant domain experience in the activities of PSUs where they are considered as IEMs.

This may be noted for future compliance.

Sd/-
(Rajiv Verma)
Under Secretary

All Chief Vigilance Officers

No. 007/VGL/033
Government of India
Central Vigilance Commission
Satarkta Bhawan, Block-A
GPO complex, INA,
New Delhi-110023
Dated the 5th August 2008

Circular No.24/8/08

Subject: - Adoption of Integrity Pact in major Government procurement activities.

The Commission, vide its Circulars No. 41/12/07, dated 4.12.07 and 18/5/08 dated 19.5.08, has emphasized the necessity to adopt Integrity Pact (IP) in Government organizations in their major procurement activities. The Commission had also directed that in order to oversee the compliance of obligations under the Pact, by the parties concerned, Independent External Monitors (IEMs) should be nominated with the approval of the Commission, out of a panel of names proposed by an Organization.

2. As more and more organizations begin to adopt the Integrity Pact, several queries and operational issues have been raised. The Commission has examined these issues and suggested the following guidelines:

i. Adoption of Integrity Pact in an organization is voluntary, but once adopted, it should cover all tenders/procurements above a specified threshold value, which should be set by the organization itself.

ii. IP should cover all phases of the contract i.e., from the stage of Notice Inviting Tender (NIT)/pre-bid stage to the stage of last payment or a still later stage, covered through warranty, guarantee etc.

iii. IEMs are vital to the implementation of IP and at least one IEM should be invariably cited in the NIT. However, for ensuring the desired transparency and objectivity in dealing with the complaints arising out of any tendering process, the matter should be referred to the full panel of IEMs, who would examine the records, conduct the investigation and submit a report to the management, giving joint findings.

iv. A maximum of three IEMs would be appointed in Navratna PSUs and up to two IEMs in other Public Sector Undertakings. The organizations may, however, forward a panel of more than three names for the Commission's approval. For the PSUs having a large territorial spread or those having several subsidiaries, the Commission may consider approving a large number of IEMs, but not more than two IEMs would be assigned to any one subsidiary.

v. Remuneration payable to the IEMs may be similar to the Independent Directors in the organization.

vi. In view of limited procurement activities in the Public Sector Banks, Insurance Companies and Financial Institution, they are exempted from adopting IP.

3. It needs no reiteration that all organizations must make sustained efforts to realize the spirit and objective of the Integrity Pact. For further clarifications on its implementation or the role of IEMs, all concerned are advised to approach the Commission.

Sd/-
(Rajiv Verma)
Under Secretary

All CVOs

Appendix 2

G-10 TECHNICAL GUIDE ON INTERNAL AUDIT OF INTANGIBLE ASSETS

Foreword

In the knowledge-driven global marketplace, where intangible assets such as intellectual property, brand, customer relationship and talent hold much more value than tangible ‘visible’ assets such as capital, land, building, factories, etc., India emerges as one of the leading intangible economies.
Wealth and growth in modern economies are driven primarily by the astute deployment of intangible assets. Thus, recognition of the role of intangibles in the value chain facilitates better organisational strategy, and more aggressive management of intangible resources.

I am pleased to note that the Internal Audit Standards Board of the Institute is issuing Technical Guide on Internal Audit of Intangible Assets. This Guide would help not only the members engaged as internal auditors in gaining profound knowledge about the internal audit of intangible assets, but also to others engaged in other capacities to develop understanding on this area thereby assisting them in playing an important role in efficient and effective management of such assets.

I wish to place my appreciation to CA. Shanti Lal Daga, Chairman, Internal Audit Standards Board, for bringing out this Guide on Internal Audit of Intangible Assets. I am pleased to note that the scope and structure of the Technical Guide is appropriately framed which is well suited to cater to the professional needs of the members.

I am sure that the Guide would prove useful to members, in practice and in industry, as well as others in gaining essential knowledge of various critical aspects related to intangible assets.

May 27, 2009
New Delhi

CA. Uttam Prakash Agarwal
President, ICAI

Preface

The major driver behind the recent surge in intangible assets is the unique combination of three related economic forces - intensified business competition brought about by the globalisation of trade, the far-reaching deregulation in key economic sectors and the acceleration of information technologies, most recently exemplified by the Internet. The importance of intangible assets is magnified by the fact that they are not restricted only to high technology industries but are also dominant in every well run organisation.
In view of the above, effective management and control of intangible assets is attaining significance and an internal auditor can play a vital role in this area. Leading organisations are looking for the internal audit function to assume a leadership role in assessing and managing their strategic risks, adding value to the organisation and identifying operational improvement opportunities.

This Technical Guide on Internal Audit of Intangible Assets has been written with the primary objective of discussing the role that the internal audit function can play in efficient and effective management of intangible assets. This Guide has been structured into eight chapters which cover all aspects relevant to internal audit of intangible assets. The first chapter provides an introduction on significance of intangible assets. The second chapter provides an overview of the legal framework relating to intangible assets in India with special reference to managerial and internal audit perspectives. The third chapter provides guidance on effective and efficient management of intangible assets. The fourth chapter discusses the overall approach to internal audit of intangible assets. The fifth chapter discusses the approach to internal audit of various internal controls relating to intangible assets. The sixth chapter deals with internal audit of accounting aspects relating to intangible assets. The seventh chapter illustrates the application of the above in internal audit of different types of intangible assets. The eighth chapter contains a fairly comprehensive illustrative internal audit programme for computer software.

At this juncture, I am grateful to Dr. Kamal Gupta, CA. Archana Bhutani, CA. Deepa Agarwal and CA. Shruti Tiwari for squeezing out time out of their professional and personal commitments and preparing the basic draft of this Technical Guide.

I also wish to thank CA. Uttam Prakash Agarwal, President and CA. Amarjit Chopra, Vice President for their continuous support and encouragement to the initiatives of the Board. I must also thank my colleagues from the Council at the Internal Audit Standards Board, viz., CA. Rajkumar S. Adukia, CA. Ved Jain, CA. Abhijit Bandyopadhyay, CA. Bhavna G Doshi, CA. Pankaj I. Jain, CA. Sanjeev K. Maheshwari, CA. Mahesh P. Sarda, CA. S. Santhanakrishnan, CA. S. Gopalakrishnan, CA. Vijay K. Garg, Shri Manoj K. Sarkar and Shri K. P. Sasidharan for their vision and support. I also wish to place on record my gratitude for the co-opted members on the Board, viz., CA. N. K. Aneja, CA. Verendra Kalra, CA. M. Guruprasad, CA. Dilip Kumar Vadilal Shah and CA. K. S. Sundara Raman as also special invitees on the Board, viz., CA. K. P. Khandelwal, CA. S. Sundarraman, CA. Ravi H. Iyer, CA. Rajiv Dave, CA. Pawan Chagti, CA. Ram Mohan Johri and CA. Arindam Guha for their devotion in terms of time as well as views and opinions to the cause of the professional development. I also wish to place on record the efforts put in by CA. Jyoti Singh, Secretary, Internal Audit Standards Board and CA. Arti Aggarwal, Senior Executive Officer, for their inputs in giving final shape to the publication.

I firmly believe that this publication would serve as a basic guide for the members and other readers interested in the subject.

June 10, 2009
Hyderabad

CA. Shanti Lal Daga
Chairman, Internal Audit Standards Board

Contents

Chapter 1 Significance of Intangible Assets
Chapter 2 An Overview of Legal Framework Relating to Intangible Assets
Chapter 3 Managing Intangible Assets
Chapter 4 Approach to Internal Audit of Intangible Assets
Chapter 5 Internal Audit of Internal Controls Relating to Intangible Assets
Chapter 6 Internal Audit of Accounting for Intangible Assets
Chapter 7 Internal Audit of Principal Classes of Intangible Assets
Chapter 8 Illustrative Internal Audit Programme for Computer Software

Chapter 1
Significance of Intangible Assets

1.1 The last few decades have witnessed a rapid and radical transformation of major economies around the world from predominantly manufacturing economies to service-oriented and knowledge-based economies. The end of the cold war, acceptance of the philosophy of globalisation almost throughout the world and advances in telecommunication and information technology (IT) have brought service sector to a place of prominence in most world economies. Even in the case of manufacturing concerns, the increasing competition has resulted in a much greater emphasis being placed on search for new and improved materials and manufacturing processes, innovative products, and greater customer satisfaction. In this changed scenario, tangible assets (plant and machinery, buildings, furniture and fixtures, office equipment, etc.) and financial assets (debtors, financial investments, etc.), the traditional drivers of a business entity’s performance, have been joined by another class of assets, viz., the intangible assets. Intangible assets are customer-centric or technology- or market-based and include diverse items such as computer software; copyrights in respect of such items as motion pictures, sound recordings, plays, books and designs; know-how; patents; licences; brand equity; customer databases; distribution networks; non-compete agreements; experienced staff exclusivity; and special rights such as service-concession agreements. Knowledge-based intangible assets are sometimes also referred to as intellectual capital.
1.2 The increasing significance of intangible assets has manifested itself in a number of ways as would be evident from the following:

- A study carried out a few years back estimated that by 2007, intangible assets will account for more than 90 percent of the value of the Global 2000 enterprises, up from 20 percent in 1978 and 70 percent in 1998.

- A recent study of trends in total market capitalisation of Standard & Poor (S&P) 500 companies in the US concluded that the percentage of intangible assets to total market capitalisation had grown over the last three decades or so as shown by the following table:

  Year    Book value of intangible assets as percentage of total market capitalisation
  1975    16.8
  1985    32.4
  1995    68.4
  2005    79.7

- Closer home, as per the Department of Industrial Policy and Promotion of the Government of India statistics, the filing of patent applications in India increased from 4,824 in the year 1999-2000 to 28,882 in the year 2006-07, i.e., by approximately 500%.

- Likewise:
  - As against only 8,010 registrations in the year 1999-2000, 13 times more trademarks (1,09,361) were registered in the year 2006-07.
  - 3.38 lakh trademark certificates were issued between the years 2004-05 and 2006-07 whereas only 1.65 lakh trademarks were registered in 64 years up to and including the year 2003-04.
  - 39 Geographical Indication Products have been registered since September, 2003. These include Darjeeling Tea, Chanderi Saree, Solapur Chaddar, Mysore Silk and Kullu Shawl.
  - The filing of applications for designs increased from 2,874 in the year 1999-2000 to 5,372 in the year 2006-07.

Given the above scenario, it will not be incorrect to conclude that the success of a modern entity no longer depends just upon its production facilities and financial capital but also on intangible assets.
Systems of Managing Intangible Assets and its Benefits

1.3 While the significance of intangible assets has increased in the recent times, organisational systems and processes for accounting, controlling and managing them have not kept pace with the changing economic realities. Consequently, the largest portion of business entities’ economic activities, with which they create value for stakeholders, is not captured and managed systematically. Since intangible assets are not visible, their importance can easily be, and often is, overlooked.

1.4 Effective management of intangible assets can enable an entity to extract as much value from them as possible, such as in the form of:

- Revenue derived from new licensing opportunities;
- Cost savings derived from increased productivity;
- Cost savings from reduced maintenance and filing fees;
- Minimising loss of revenue from unauthorised use/sale of intangible assets of the entity by unscrupulous employees and external parties; and
- Avoidance of penalties against unauthorised use of intangible assets by others.

1.5 There are a number of examples of how some leading companies have reaped the benefits of effective management of their intangible assets.

- Dow Chemical Company, by aligning its intellectual assets with business strategies, reduced its annual costs for obtaining and maintaining patents by $1.5 million. By reducing its patents portfolio from 12,000 patents to 8,500 patents between 1993 and 1999, Dow saved an estimated $40 million in maintenance taxes.
- IBM has increased patent licensing royalty revenues 3,300% from $30 million in 1990 to $1 billion. This recurring revenue stream represents 1/9th of IBM’s pre-tax profits and equates to $20 billion in product sales revenue.
- Philips Electronics, which receives a significant amount of income from licensing, increased licensing revenue by 45%.
- Within the first six months of its new IP licensing strategy, British Telecom generated close to $14 million in new licensing revenue by data mining its patents portfolio and unlocking new sources of revenue.

Entities’ Concern with Intangible Assets

1.6 The concern of different types of entities with intangible assets differs.

- For entities that are engaged in innovation, research and development, artistic or literary activities (e.g., those engaged in pharmaceutical research, computer software or hardware development, motion picture or music companies, etc.), one of the utmost concerns is to safeguard the intellectual property against loss, destruction, unauthorised use, etc. To such entities, intangible assets like patents, copyrights, trademarks, trade secrets, industrial designs, know-how, and geographical indications are likely to be far more valuable than any of their tangible or financial assets.

- Other entities, that are users rather than creators of intangible assets, are concerned, inter alia, with ensuring that their resources deployed in intangible assets like computer software, special processes, designs, know-how and formulas are put to an efficient use and are adequately protected. Besides, with the increasing awareness about the need for protection of intellectual property rights, it is also a major concern of such entities that they do not inadvertently infringe the provisions of laws such as the Patents Act 1970, the Copyright Act 1957, the Trade Marks Act 1999, or the Designs Act 2000.

Special Features of Intangible Assets

1.7 One of the reasons for the general lack of effective management systems for intangible assets is that many of such assets are not recognised in books of account since they do not meet the criteria for their recognition as assets in financial statements.
Common examples of intangible assets that remain completely unrecognised as assets in accounting are internally generated goodwill, brands, mastheads, publishing titles, customer lists, etc. Many entities in the drugs and pharmaceuticals industry charge off the entire expenditure on development of new formulations as expenses in the profit and loss account in the year of incurrence, even though some of the development projects may eventually succeed. Even where internally-generated assets are recognised as intangible assets, the stringent rules governing their recognition and measurement result in only a portion of the total cost incurred on related research and development activities being recognised as asset, with the remaining expenditure being charged off as expense in the profit and loss account in the year of incurrence. While there are good reasons underlying the rules of accounting that govern recognition and measurement of intangible assets, from an economic and managerial perspective, items not recognised as intangible assets in accounting may be as (or even more) valuable as those so recognised. Likewise, the true worth of many of the intangible assets may far exceed the amount at which they are reflected in the financial statements.

1.8 Effective management and control of intangible assets (whether or not so recognised in accounts) requires appropriate and adequate management processes to be applied at all stages in the life cycle of an intangible asset, starting from the stage of planning its acquisition or in-house development till its eventual expiration or disposal. For example, at the preliminary stage of a computer software project, an entity is likely to be confronted with the following issues:

(a) Make strategic decisions to allocate resources between alternative projects.
For example, whether programmers should develop a new payroll system or direct their efforts toward correcting existing problems in an operating payroll system.

(b) Determine the performance requirements and systems requirements for the proposed computer software project.

(c) Explore alternative means of achieving specified performance requirements. For example, should the entity make or buy the software.

(d) Determine whether the technology needed to achieve performance requirements exists.

(e) Select a consultant to assist in the development and/or installation of the software.

Once the preliminary project stage is over and acquisition or in-house development of the computer software starts, management systems and processes are needed, among others, to ensure timely availability of requisite resources of right quality and in sufficient quantity, and monitoring the actual progress against budgets or other pre-determined targets in terms of time, consumption or use of resources, performance parameters, etc.

Similarly, once the acquisition or development of the software is complete, management systems and processes need to ensure, among others:

(a) availability of the software on a continuing basis including resolution of problems in its functioning and periodic upgrades;

(b) availability of other resources to operate the software such as computer and network systems and qualified personnel;

(c) efficient utilisation of software;

(d) preventing unauthorised access to, or use of, the software as well as its accidental loss or destruction;

(e) complying, on a continuing basis, with contractual, legal and regulatory requirements relating to ownership and operation of the software.

Scope and Structure of the Technical Guide

1.9 As the above discussion shows, effective management and control of intangible assets is a vast subject.
The scope of this Technical Guide is confined to discussing the role that the internal audit function can play in this regard. Internal audit is an independent management function, which involves a continuous and critical appraisal of the functioning of an entity with a view to suggesting improvements thereto and adding value to and strengthening the overall governance mechanism of the entity, including the entity’s risk management and internal control system. Thus, through its appraisal of management processes concerning intangible assets, internal audit can be of great assistance in efficient and effective management of such assets.

1.10 The Technical Guide has been divided into eight chapters, including the present one:

Chapter 1 deals with the significance of intangible assets in the current economic scenario.

Chapter 2 provides an overview of the legal framework relating to intangible assets in India with special reference to managerial and internal audit perspectives. The provisions of the laws relating to intangible assets are of direct and critical importance to management since failure to comply with them may mean loss of legal rights over valuable intangible assets or stringent penal consequences.

Chapter 3 focusses on how an entity can manage its intangible assets efficiently and effectively. In this context, the chapter discusses the management processes relating to:

• Acquisition/development of intangible assets
• Identifying and recording intangible assets
• Safeguarding intangible assets
• Optimising the deployment/use of intangible assets
• Mitigating risks related to litigation.

Chapter 4 seeks to discuss the overall approach to internal audit of intangible assets, including objectives and scope, methodology, reporting and follow-up.
This chapter highlights the fact that the objectives and scope of internal audit of intangible assets would be determined primarily by the perceptions of those responsible for governance and management of an entity. However, the objectives and scope have to be sufficiently wide to enable an entity to effectively discharge its legal and regulatory responsibilities.

Chapter 5 discusses the approach to internal audit of various internal controls relating to intangible assets. Thus, this chapter focuses on how an internal auditor can evaluate the internal control environment and other components of internal control.

Chapter 6 deals with approach to internal audit of accounting aspects relating to intangible assets. In this context, the requirements of Accounting Standard 26, Intangible Assets, are quite significant and are, therefore, analysed in this chapter.

Chapter 7 discusses the application of the above in internal audit of different types of intangible assets.

Chapter 8 contains a fairly comprehensive illustrative internal audit programme for computer software, covering all relevant aspects, to serve as a basic reference for development of appropriate internal audit programmes for different kinds of intangible assets and under different situations.

Chapter 2
An Overview of Legal Framework Relating to Intangible Assets

2.1 An asset, by definition, is a resource controlled by an entity. The control of a resource by an entity ensures that economic benefits arising from use, sale, etc. of the resource flow to the entity. Control of intangible resources often poses a much bigger challenge than control of tangible resources primarily due to the fact that for many intangible resources, the ability of an entity to obtain economic benefits from their exploitation depends on its ability to prevent others from accessing or using them.
For example, an entity’s ability to benefit from its brand depends on its ability to prevent others from using its brand name. Similarly, the ability to benefit from computer software developed for sale depends on the ability to prevent others from making or using unauthorised copies of the software.

2.2 The need for according protection to inventors, developers, owners, etc. of resources of the above kind has long been recognized in most countries, including India. Consequently, most countries have enacted specific laws to protect many of the intellectual and market-related resources of individuals and entities from unauthorized access, use or sale. Besides, treaties have also been reached at an international level to provide cross-border protection in respect of such resources. An example is the agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS) which is an international agreement administered by the World Trade Organization that sets down minimum standards for regulation of many forms of intellectual property. Specifically, TRIPS contains requirements that national laws must meet in respect of intellectual property, including the rights of producers of intangible assets e.g., sound recordings, computer software, geographical indications, industrial designs, integrated circuit layout-designs, patents, trademarks, etc. Thus, TRIPS lays down a set of minimum standards which are required to be complied with by member countries.

2.3 In India, the first legal initiative towards protection of intangible resources was taken almost a century back by the enactment of the Patents and Designs Act, 1911, followed soon by the enactment of the Indian Copyright Act, 1914.
Presently, the legislation for protection of intangible resources consists principally of the following:

• Copyright Act, 1957
• Patents Act, 1970
• Trade Marks Act, 1999
• Designs Act, 2000

Besides, there are also some other enactments such as the Geographical Indications of Goods (Registration and Protection) Act, 1999 and the Semi-conductor Integrated Circuits Layout Design Act, 2000 that seek to provide protection in respect of the specified kind of intangible resources.

2.4 This chapter is devoted to discussing the salient features of the four principal enactments listed above. This is followed by a brief look at the recent trends in legislative and judicial view of intellectual property rights in India. Consistent with the purpose and scope of this Technical Guide, the ensuing discussion focuses on provisions that deal with the rights and obligations arising under the particular enactment and the effects of non-compliance with its provisions and that are, therefore, of direct relevance from an internal audit perspective. However, this discussion is meant only to provide an overview and, therefore, reference must be made to the complete law for guidance on any practical issue.

Copyright Act, 1957

2.5 The Copyright Act, 1957 is an independent self-contained law on the subject of copyright. It seeks to protect the rights of the developers/owners/authors of literary and artistic works (including computer programmes) and the like. It also seeks to meet the country’s obligations as a signatory to international treaties. From the point of view of the internal auditor, this Act is significant to identify:

(a) an entity’s legal rights relating to its copyrights. Action can be initiated if there is a misuse of a copyright belonging to the entity; and
(b) legal consequences to which the entity would be exposed if either through oversight or due to slack controls, the entity infringes the copyrights of others.
Meaning of ‘Work’ and ‘Copyright’

2.6 A copyright is in respect of a particular work. The term ‘work’ is defined under the Act as follows:

(a) a literary, dramatic, musical or artistic work (computer programmes and computer databases are included in the definition of literary work);
(b) a cinematograph film;
(c) a sound recording.

2.7 The term ‘copyright’ is defined in Section 14 of the Act as the exclusive right subject to the provisions of this Act, to do or authorise the doing of any of the acts as specified in the Act in respect of a work or any substantial part thereof. The definition lays down that in the case of a literary, dramatic or musical work, not being a computer programme, this exclusive right relates to the following:

(i) to reproduce the work in any material form including the storing of it in any medium by electronic means;
(ii) to issue copies of the work to the public not being copies already in circulation;
(iii) to perform the work in public, or communicate it to the public;
(iv) to make any cinematograph film or sound recording in respect of the work;
(v) to make any translation of the work;
(vi) to make any adaptation of the work;
(vii) to do, in relation to a translation or an adaptation of the work, any of the acts specified in relation to the work in sub-clauses (i) to (vi).

Similarly, in the case of a computer programme, the definition specifies the exclusive right:

(i) to do any of the acts specified above[1];
(ii) to sell or give on commercial rental or offer for sale or for commercial rental any copy of the computer programme, provided that such commercial rental does not apply in respect of computer programmes where the programme itself is not the essential object of the rental.

Likewise, the Act also specifies what constitutes copyright in respect of an artistic work, cinematograph film and sound recording.
Owner of ‘Copyright’

2.8 The right to reproduce the work, issue copies to public (not being already in circulation), perform the work in public, make any film or sound recording, translation, adaptation or sell or give on commercial rental are exclusive rights of the owner, which if infringed, attract serious penal consequences. Section 17 of the Act provides that subject to the provisions of this Act, the author of a work shall be the first owner of the copyright therein. It is provided that, in the case of a work made in the course of the author’s employment under a contract of service or apprenticeship, the employer shall, in the absence of any agreement to the contrary, be the first owner of the copyright therein.

2.9 Copyright is a property right (as opposed to a personal right) which can be assigned by the owner to any person, either wholly or partially and, either generally or subject to limitations, and either for the whole term of the copyright or any part thereof. However, in case of the assignment of copyright in any future work, the assignment shall take effect only when the work comes into existence.

[1] As specified in the case of a literary, dramatic or musical work, not being a computer programme.

Licences

2.10 Section 30 empowers the owner of a copyright to grant to any other person any interest in his exclusive rights in writing, i.e., by granting a licence. The licence may relate to an existing work or a future work; in the latter case, however, the licence takes effect only when the work comes into existence.

Term of Copyright

2.11 Chapter V of the Act, comprising Sections 22 to 29, lays down the term of copyright in different kinds of work.
Accordingly, the term of copyright is broadly as follows:

• Published literary, dramatic, musical or artistic work or computer programmes – within life time of the author and until sixty calendar years following the year in which the author dies;
• Photographs, cinematograph films, sound recordings – sixty calendar years following the year of publication.

International Copyright

2.12 Section 40 of the Act empowers the Central Government to extend copyright to foreign works. Accordingly, the Central Government may, by order published in the Official Gazette, direct that all or any of the provisions of the Act shall apply:

(a) to works first published in any territory outside India to which the order relates in like manner as if they were first published within India;
(b) to unpublished works, or any part thereof, the authors whereof were at the time of the making of the work, subjects or citizens of a foreign country to which the order relates, in like manner as if the authors were citizens of India;
(c) in respect of domicile in any territory outside India to which the order relates in like manner as if such domicile were in India;
(d) to any work of which the author was at the date of the first publication thereof, or, in a case where the author was dead at that date, was at the time of his death, a subject or citizen of a foreign country to which the order relates in like manner as if the author was a citizen of India at that date or time.

The copyright protection to foreign works is sought to be provided only on a reciprocal basis, i.e., the works of Indian authors must also be provided suitable protection in the respective foreign countries.

Registration of Copyright

2.13 The copyright of a person in a work arises from his being the author or owner thereof and does not necessarily require any registration. However, registration of a copyright provides a more effective protection against its infringement.
For this purpose, a Copyright Office has been established under the Act. The Office is under the immediate control of the Registrar of Copyrights. A Copyright Board has also been constituted under the Act to perform the specified functions.

2.14 The Register of Copyrights, kept at the Copyright Office, contains the names or titles of works and the names and addresses of authors, publishers and owners of copyrights, and other prescribed particulars. As per Section 45, the author or publisher or owner of a work or other interested person therein may make an application in the prescribed form accompanied by the prescribed fee to the Registrar for entering particulars of the work in the aforesaid Register. On receipt of the application, the Registrar may, after holding such inquiry as he may deem fit, enter the particulars of the work in the Register. Every entry made in the Register is required to be published in the Official Gazette or in such other manner as the Registrar may deem fit.

Infringement of Copyright

2.15 The Act contains an elaborate description of what constitutes an infringement of a copyright. According to Section 51, copyright in a work shall be deemed to be infringed in the following situations:

(a) When any person, without a licence granted by the owner of the copyright or the Registrar of Copyrights or in contravention of the conditions of a licence so granted or of any condition imposed by a competent authority under the Act:
    (i) does anything, the exclusive right to do which is conferred upon the owner of the copyright; or
    (ii) permits for profit any place to be used for the communication of the work to the public where such communication constitutes an infringement of the copyright in the work, unless he was not aware and had no reasonable ground for believing that such communication to the public would be an infringement of copyright.
(b) When any person:
    (i) makes for sale or hire, or sells or lets for hire, or by way of trade displays or offers for sale or hire, or
    (ii) distributes either for the purpose of trade or to such an extent as to affect prejudicially the owner of the copyright, or
    (iii) by way of trade exhibits in public, or
    (iv) imports into India any infringing copies of the work (one copy of any work for the private and domestic use of the importer is exempt).

Acts not Constituting Infringement

2.16 Section 52 lists more than thirty acts which do not constitute an infringement of copyright. Some significant examples in the case of a literary, dramatic, musical or artistic work, not being a computer programme, are as follows:

• Fair dealing for the purposes of private use, including research, or for criticism or review.
• Fair dealing for reporting current events in a newspaper, magazine or similar periodical, or by broadcast or in a cinematograph film or by means of photographs.
• Reproduction for judicial proceeding/supply in accordance with any law in force.
• Publication of short passages in a collection, mainly composed of non-copyright matter, for bona fide use of educational institutions.
• Reproduction by a teacher/pupil in the course of instruction/examination.
• Any matter in Official Gazette/Act and Rules/Report of Government bodies/court judgements.

Likewise, it is not an infringement for a lawful possessor of a computer programme to make copies of, or adapt the computer programme:

• In order to utilise the computer programme for the purpose for which it was supplied.
• To make back-up copies purely as a temporary protection against loss, destruction or damage in order only to utilise the computer programme for the purpose for which it was supplied.
• Doing any act necessary to obtain information essential for operating inter-operability of an independently created computer programme with other programmes provided that such information is not otherwise readily available.
• Observation, study or test of functioning of the computer programme in order to determine the ideas and principles which underlie any elements of the programme while performing such acts necessary for the functions for which the computer programme was supplied.
• Making of copies or adaptation of the computer programme from a personally legally obtained copy for non-commercial personal use.

2.17 It would be seen from the above that the scope of what constitutes an infringement is very wide. For example, where a stage play is performed in a theatre without permission of the copyright holder, even the theatre owner may be liable for infringement unless it is proved that he was not aware and had no reasonable ground for believing that the performance of the play would be an infringement of copyright. Likewise, using software acquired under a single-user licence on more than one computer at the same time or using an unlicensed copy of the software or an unlicensed copy of a music or video album would be an infringement of copyright. Similarly, making copies of or adapting a computer programme otherwise than in accordance with the exceptions listed above would be an infringement of copyright.

Civil Remedies

2.18 Chapter XII of the Act, comprising Sections 54-62, deals with civil remedies for infringement of copyright. It is provided, inter alia, that where copyright in any work has been infringed, the owner of the copyright is entitled, except as otherwise provided by the Act, to all such remedies by way of injunction, damages, accounts and otherwise as are or may be conferred by law for the infringement of a right.
However, if the defendant proves that at the date of the infringement he was not aware and had no reasonable ground for believing that copyright subsisted in the work, the plaintiff is not entitled to any remedy other than an injunction in respect of the infringement and a decree for the whole or part of the profits made by the defendant by the sale of the infringing copies as the court may deem reasonable.

Where, in the case of a literary, dramatic, musical or artistic work, a name purporting to be that of the author or the publisher, as the case may be, appears on copies of the work as published, or, in the case of an artistic work, appeared on the work when it was made, the person whose name so appears or appeared is presumed to be the author or the publisher of the work, as the case may be.

Chapter XIII of the Act, comprising Sections 63-70, deals with offences.

Patents Act, 1970

2.19 A patent is an exclusive legal right granted to a person who has made an invention to use or sell it for a specified period. In India, the law relating to patents is contained in the Patents Act, 1970.

Non-patentable Inventions

2.20 ‘Invention’ means a new product or process involving an inventive step and capable of industrial application. Section 3 of the Act specifies that the following inventions are not inventions within the meaning of this Act:

• An invention which is frivolous or which claims anything obviously contrary to well established natural laws.
• An invention the primary or intended use or commercial exploitation of which would be contrary to public order or morality or which causes serious prejudice to human, animal or plant life or health or to the environment.
• The mere discovery of a scientific principle or the formulation of an abstract theory or discovery of any living thing or non-living substance occurring in nature.
• The mere discovery of any new property or new use for a known substance or the mere use of a known process, machine or apparatus unless such known process results in a new product or employs at least one new reactant.
• Substance obtained by a mere admixture resulting only in the aggregation of the properties of the components thereof or a process for producing such substance.
• The mere arrangement or re-arrangement or duplication of known devices each functioning independently of one another in a known way.
• A method of agriculture or horticulture.
• Any process for the medicinal, surgical, curative, prophylactic, diagnostic, therapeutic or other treatment of human beings or any process for a similar treatment of animals to render them free of disease or to increase their economic value or that of their products.
• Plants and animals in whole or any part thereof other than micro-organisms but including seeds, varieties and species and essentially biological processes for production or propagation of plants and animals.
• A mathematical or business method or a computer programme per se or algorithms[2].
• A literary, dramatic, musical or artistic work or any other aesthetic creation whatsoever including cinematographic works and television productions[3].
• A mere scheme or rule or method of performing mental act or method of playing game.
• A presentation of information.
• Topography of integrated circuits[4].
• An invention which, in effect, is traditional knowledge or which is an aggregation or duplication of known properties of traditionally known component or components.
• Inventions relating to atomic energy.

[2] These may, however, be subject of a copyright. See discussion on Copyright Act, 1957.
[3] Ibid.
[4] Reference may be made in this regard to the Semi-conductor Integrated Circuits Layout-design Act, 2000, which deals with registration of layout of elements in a semiconductor integrated circuit.
Registration of Patents

2.21 An application for a patent for an invention may be made by the ‘true and first’ inventor of the invention, or any other person who is the assignee of the true and first inventor, or legal representative of any deceased person who immediately before his death was entitled to make such an application.

2.22 The application for patent should state the name of the true and first inventor, the complete or provisional specification of the invention (in the form and manner prescribed by the Act) accompanied by a declaration that the applicant is in possession of the invention and believes that the person so named is the true and first inventor. Where a provisional specification is filed at the time of making the application, a complete specification should be filed within 12 months (extendable by three months on application) from the date of filing provisional specification, failing which the application shall be deemed to be abandoned. The complete specification should:

(a) fully and particularly describe the invention and its operation or use and the method by which it is to be performed;
(b) disclose the best method of performing the invention which is known to the applicant and for which he is entitled to claim protection;
(c) end with a claim or claims defining the scope of the invention for which protection is claimed; and
(d) be accompanied by an abstract to provide technical information on the invention.

An elaborate procedure is prescribed in the Act to ensure that patents are granted only to proper claimants. A patent is granted, subject to certain prescribed conditions, only for one invention and is effective throughout India. Subject to the other provisions of the Act, a patent is dated as of the date of filing of the application therefor.
Register of Patents

2.23 Every patent granted by the Controller General of Patents, Designs and Trademarks, who has been designated as the Controller of Patents for the purposes of the Act, is required to be entered into the Register of Patents which contains details such as the names and addresses of grantees of patents; notifications of assignment and transmission of patents, of licences under patents, extension and revocation of patents; and matters affecting validity or proprietorship of patents, etc.

Rights Conferred by a Patent

2.24 Section 48 of the Act lays down that subject to certain conditions, a patent confers the following rights on the patentee during its term:

(a) Where the subject matter of the patent is a product, the exclusive right to prevent third parties, who do not have his consent, from the act of making, using, offering for sale, selling or importing for those purposes that product in India.
(b) Where the subject matter of the patent is a process, the exclusive right to prevent third parties, who do not have his consent, from using that process, and from the act of using, offering for sale, selling or importing for these purposes the product obtained directly by that process in India.

A patent is a property right (as opposed to a personal right) and can be assigned. Likewise, the patentee has a right to grant licence to another party for use of the patent.

Term of a Patent

2.25 Section 53 lays down that subject to the provisions of this Act, the term of a patent granted is 20 years commencing from the date of filing of the application for the patent. A patent ceases to have effect on the expiration of the said period or on the failure of the company to pay the renewal fee within the stipulated time frame. On such cessation, the subject matter covered by the said patent is no longer entitled to any protection.
However, where such cessation occurs due to non-payment of renewal fee, an application for restoration of the lapsed patent may be filed within 18 months from the date on which the patent ceased to have effect. But no suit or other proceedings can be filed in respect of an infringement of a patent committed between the date of expiry of the original patent and the date of restoration thereof.

Patents of Addition

2.26 The Act also contains provisions with respect to grant of ‘patents of addition’, i.e., a patent in respect of any improvement in or modification of an invention (‘main invention’) where the applicant has also applied for a patent for the main invention or is a patentee thereof. The term of a patent of addition is equal to the unexpired term of the main invention, and shall remain in force during that term or until the previous cesser of the patent for the main invention and no longer.

Revocation of Patents

2.27 Section 64 of the Act lists a number of grounds on which a patent may be revoked on a petition of any person interested or of the Central Government. Some of these are:

• The invention was claimed in a valid claim of earlier priority date contained in the complete specification of another patent granted in India.
• The patent was granted on the application of a person not entitled under the provisions of this Act to apply therefor.
• The patent was obtained wrongfully in contravention of the rights of the petitioner.
• The subject of the claim is not an invention as defined by the Act.
• The subject of the claim is not patentable under the Act.
• The invention as claimed is not new having regard to what was publicly known or publicly used in India before the priority date of the claim.
• The invention as claimed is obvious or does not involve any inventive step, having regard to what was publicly known or publicly used in India or what was published in India or elsewhere before the priority date of the claim.
• The invention is not useful.
• The complete specification does not sufficiently and fairly describe the invention and the method by which it is to be performed.
• The scope of the claim is not sufficiently and clearly defined or that the claim is not fairly based on the matter disclosed in the specification.
• The patent was obtained on a false suggestion or representation.
• The complete specification does not disclose or wrongly mentions the source or geographical origin of biological material used for the invention.

The Act also provides for revocation of patent in public interest by the Central Government, if it is of the opinion that a patent or the mode in which it is exercised is mischievous to the State or generally prejudicial to the public. However, prior to such revocation, an opportunity to be heard is required to be given to the patentee.

Infringement of Patents

2.28 A patentee or exclusive licensee (and in certain cases, a non-exclusive licensee) may institute a suit if the patent is infringed. For this purpose, however, the following acts are not considered as infringement of patent rights:

(i) Any act of making, constructing, using, selling or importing a patented invention solely for uses reasonably related to the development and submission of information required under any law in India, or in a country other than India, that regulates the manufacture, construction, use, sale or import of any product.
(ii) Importation of patented products by any person from a person who is duly authorised under the law to produce and sell or distribute the product.
Relief for Infringement of a Patent

2.29 The relief in a suit for infringement of patent rights may be by way of injunction and, at the option of the plaintiff, either damages or an account of profits. However, damages or an account of profits shall not be granted if the defendant proves that at the date of the infringement, he was not aware and had no reasonable grounds for believing that the patent existed. The court can also seize, forfeit or destroy goods which are found to be infringing or are used in the creation of infringing goods, without payment of any compensation.

Penalties

2.30 The Act provides specific penalties for non-compliance, including for unauthorised claim of patent rights by falsely representing that any goods sold are patented in India or subject of an application for patent in India. Depending upon the nature of non-compliance, the penalty may be only fine, or fine or imprisonment, or both.

International Arrangements

2.31 Cross-border patenting of inventions has been greatly facilitated by Patents Cooperation Treaty (PCT) of 1970. Prior to this treaty, virtually the only means by which protection of an invention could be obtained in several countries was to file a separate application in each country. Each application being dealt with in isolation involved repetition of work of examination in each country. The PCT is aimed at establishing an international system which enables the filing, with a single Patent Office (the Receiving Office), of a single application (the International Application) having effect in each of the countries which are party to the PCT which the applicant names in his application.
The PCT provides for the formal examination of an International Application by the Receiving Office and for subjecting each International Application to an international search which results in a report citing the relevant prior art (mainly published patent documents relating to previous inventions) which may have to be taken into account in deciding whether the invention is patentable. The PCT provides the national patent offices with the benefit of reducing their work since they have the benefit of internationally centralized procedures and, thus, need not duplicate those efforts.

2.32 The Patents Act, 1970 contains specific provisions to facilitate compliance with India’s obligations as a member of PCT. There is a separate chapter in the Act on ‘international arrangements’.

Trade Marks Act, 1999

2.33 In commercial parlance, a ‘trade mark’ denotes a word, phrase, numeral, logo, or other graphic symbol used by a manufacturer or seller or service provider to distinguish its product or service from that of others. The main purpose of a trade mark is to guarantee the genuineness of a product or service. In effect, the trademark is the commercial substitute for one’s signature. In India, the law relating to trade marks is contained in the Trade Marks Act, 1999. The Act, which replaced the Trade and Merchandise Marks Act, 1958, consolidates the law relating to trade marks, to provide for registration and better protection of trade marks for goods and services, and seeks to prevent the use of fraudulent trade marks.

Meaning of ‘Trade Mark’

2.34 The term ‘trade mark’ is defined under the Act as “a mark capable of being represented graphically and which is capable of distinguishing the goods or services of one person from those of others and may include shape of goods, their packaging and combination of colours”.
The term ‘mark’ used in the above definition includes a device, brand, heading, label, ticket, name, signature, word, letter, numeral, shape of goods, packaging or combination of colours or any combination thereof.

Collective and Certification Trade Marks

2.35 The term ‘trade mark’ also includes ‘collective marks’ and ‘certification trade marks’. A collective mark is a trade mark distinguishing the goods or services of members of an association of persons (not being a partnership within the meaning of the Indian Partnership Act, 1932) which is the proprietor of the mark from those of others. A certification trade mark is a mark capable of distinguishing the goods or services in connection with which it is used in the course of trade which are certified by the proprietor of such mark as possessing certain characteristics (e.g., those relating to quality, accuracy or material) from goods or services not so certified. Common examples of certification trade marks are Woolmark and Agmark. The Act contains special provisions for collective marks and certification trade marks.

Registration of Trade Marks

2.36 Chapter II of the Act, comprising Sections 3 to 17, contains provisions relating to maintenance of register of trade marks and the conditions for registration of trade marks. Accordingly, the Controller General of Patents, Designs and Trade Marks, who is appointed by the Central Government shall be the Registrar of Trade Marks for the purposes of this Act. Further provision has been made for establishment of a Trade Marks Registry and its branch offices.
A Register of Trade Marks is required to be kept at the Trade Marks Registry to record particulars relating to all registered trade marks, viz., names, addresses and description of the proprietors, notifications of assignment and transmissions, the names, addresses and descriptions of registered users, and conditions, limitations and such other matters relating to registered trade marks as may be prescribed.

2.37 Any person claiming to be the proprietor of a trade mark used or proposed to be used by him, who is desirous of registering it, is required to apply in writing to the Registrar in the prescribed manner. Subject to the provisions of the Act, the Registrar may refuse the application or may accept it absolutely or subject to such amendments or conditions as he may think fit. The Registrar shall, unless the Central Government otherwise directs, register a trade mark as of the date of the making of the application therefor.

Grounds for Refusal of Registration

2.38 Section 9 of the Act lists the following as ‘absolute’ grounds for refusal of registration of a trade mark:

• The trade mark is devoid of any distinctive character, i.e., not capable of distinguishing the goods or services of one person from those of another person. However, it has been provided that a trade mark shall not be refused registration if before the date of application for registration it has acquired a distinctive character as a result of the use made of it or is a well-known trade mark.
• It consists exclusively of marks or indications which may serve in trade to designate the kind, quality, quantity, intended purpose, values, geographical origin or the time of production of the goods or rendering of the service or other characteristics of the goods or service.
• It consists exclusively of marks or indications which have become customary in the current language or in the bona fide and established practices of the trade.
• It is of such nature as to deceive the public or cause confusion.
• It contains or comprises any matter likely to hurt the religious susceptibilities of any class or section of the citizens of India.
• It comprises or contains scandalous or obscene matter.
• Its use is prohibited under the Emblems and Names (Prevention of Improper Use) Act, 1950.
• It consists exclusively of:
   (a) the shape of goods which results from the nature of the goods themselves; or
   (b) the shape of goods which is necessary to obtain a technical result; or
   (c) the shape which gives substantial value to the goods.

2.39 Section 11 lists the following as ‘relative’ grounds for refusal of registration of a trade mark:

• If, because of its identity/similarity with an earlier trade mark and similarity of goods or services covered by the trade mark, there exists a likelihood of confusion on the part of the public, which includes the likelihood of association with the earlier trade mark. This is, however, subject to the exception provided in Section 12 according to which, in the case of honest concurrent use or of other special circumstances which, in the opinion of the Registrar, make it proper to do so, he may permit the registration by more than one proprietor of the trade marks which are identical or similar, subject to such conditions as the Registrar may think fit to impose.
• If the trade mark:
   (a) is identical with or similar to an earlier trade mark; and
   (b) is to be registered for goods or services which are not similar to those for which the earlier trade mark is registered in the name of a different proprietor if or to the extent the earlier trade mark is a well-known trade mark in India and the use of the later mark would take unfair advantage of or be detrimental to the distinctive character or repute of the earlier trade mark.
   The above ground of refusal applies only if objection is raised in opposition proceedings by the proprietor of the earlier trade mark.
• If, or to the extent that, the use of the trade mark in India is liable to be prevented:
   (a) by virtue of any law, in particular the law of passing off protecting an unregistered trade mark used in the course of trade; or
   (b) by virtue of law of copyright.
   This ground of refusal, too, applies only if objection is raised in opposition proceedings by the proprietor of the earlier trade mark.

Term of a Trade Mark

2.40 As per Section 25, the registration of a trade mark shall be for a period of ten years, but may be renewed from time to time for a period of ten years at a time.

Renewal, Removal and Restoration of Registration

2.41 At the prescribed time before the expiration of the last registration of a trade mark, the Registrar shall send notice in the prescribed manner to the registered proprietor of the date of expiration and the conditions as to payment of fees and otherwise upon which a renewal of registration may be obtained. If at the expiration of the prescribed time, those conditions have not been duly complied with, the Registrar may remove the trade mark from the register unless an application is made in the prescribed form not later than six months from the expiration of the last registration of the trade mark in which case the Registrar shall renew the registration of the trade mark.
Where a trade mark has been removed from the register of trade marks for non-payment of the prescribed fee, the Registrar shall, after six months and within one year from the expiration of the last registration of the trade mark, on receipt of an application in the prescribed form and on payment of the prescribed fee, if satisfied that it is just so to do, restore the trade mark to the register and renew the registration of the trade mark either generally or subject to such conditions or limitations as he thinks fit to impose. The restoration is for a period of ten years from the expiration of the last registration.

2.42 Where a trade mark has been removed from the register for failure to pay the fee for renewal, it shall nevertheless, for the purpose of any application for the registration of another trade mark during one year, next after the date of the removal, be deemed to be a trade mark already on the register, unless the tribunal (Registrar Appellate Board) is satisfied that–
   (a) there has been no bona fide trade use of the trade mark which has been removed during the two years immediately preceding its removal; or
   (b) no deception or confusion would be likely to arise from the use of the trade mark which is the subject of the application for registration by reason of any previous use of the trade mark which has been removed.

Rights Conferred by Registration

2.43 Articulating the rights conferred by registration of a trade mark, Section 28 states that subject to the other provisions of the Act, the registration of a trade mark shall, if valid, give to the registered proprietor of the trade mark the exclusive right to use it and to obtain relief in case of infringement of the trade mark in the manner provided by the Act. However, the aforesaid exclusive right shall be subject to any conditions and limitations to which the registration is subject.
Registration, thus, confers an exclusive legal right which is not available to the proprietor of an unregistered trade mark. A distinct disadvantage of non-registration is that no person is entitled to institute any proceeding to prevent, or to recover damages for, the infringement of an unregistered trade mark. A trade mark is a property right which can be assigned. Besides, the owner of the trade mark can permit another person to use the trade mark.

Registration as Registered User

2.44 Sections 48 and 49 facilitate the use of a registered trade mark by a person other than the registered proprietor. Accordingly, where it is proposed that a person should be registered as a registered user of a trade mark, the registered proprietor and the proposed registered user are required to jointly apply in writing to the Registrar in the prescribed manner. Section 52 provides that subject to any agreement subsisting between the parties, a registered user may institute proceedings for infringement in his own name as if he were the registered proprietor. The rights and obligations of the registered user in such case are concurrent with those of the registered proprietor. As per Section 54, the registered user does not have any right of assignment or transmission of his right to use the trade mark.

Infringement of a Trade Mark

2.45 Section 29 lists the following as infringements of registered trade marks by a person:

• Where a person, who is not a registered proprietor or is not a person using the trade mark by way of permitted use, uses in the course of trade, a mark which is identical with, or deceptively similar to, the trade mark in relation to goods or services in respect of which the trade mark is registered.
• Where a person, who is not a registered proprietor or is not a person using the trade mark by way of permitted use, uses in the course of trade, a mark which is likely to cause confusion on the part of the public, or which is likely to have an association with the registered trade mark because of its identity/similarity with the registered trade mark and the identity/similarity of the goods or services covered by such registered trade mark.
• Where a person, who is not a registered proprietor or is not a person using the trade mark by way of permitted use, uses in the course of trade, a mark which:
   (a) is identical with or similar to the registered trade mark; and
   (b) is used in relation to goods or services which are not similar to those for which the trade mark is registered; and
   (c) the registered trade mark has a reputation in India and the use of the mark without due cause takes unfair advantage of or is detrimental to the distinctive character or repute of the registered trade mark.
• Where a person uses a registered trade mark, as his trade name or part of his trade name, or name of his business concern or part of the name of his business concern dealing in goods or services in respect of which the trade mark is registered.
• Where a person applies a registered trade mark to a material intended to be used for labelling or packaging goods, as a business paper, or for advertising goods or services, provided such person, when he applied the mark, knew or had reason to believe that the application of the mark was not duly authorised by the proprietor or a licensee.
• Where any advertising of the trade mark:
   (a) takes unfair advantage of and is contrary to honest practices in industrial or commercial matters; or
   (b) is detrimental to its distinctive character; or
   (c) is against the reputation of the trade mark.
Removal of Trade Mark

2.46 Section 47 contains provisions for removal of a trade mark from the Register of Trade Marks on ground of non-use. For this purpose, an application in the prescribed manner has to be made by an aggrieved person to the Registrar or the Appellate Board established under the Act.

Penalties

2.47 Chapter XII of the Act, comprising Sections 101 to 121, deals with offences, penalties and procedure. Section 103 provides for imprisonment for a term of six months to three years and fine of Rs.50,000 to Rs.2,00,000 for a person who:
   (a) falsifies any trade mark; or
   (b) falsely applies to goods or services any trade mark; or
   (c) makes, disposes of, or has in his possession, any die, block, machine, plate or other instrument for the purpose of falsifying or of being used for falsifying, a trade mark; or
   (d) applies any false trade description to goods or services; or
   (e) applies to any goods to which an indication of the country or place in which they were made or produced or the name and address of the manufacturer or person for whom the goods are manufactured is required to be applied under Section 139 of the Act, a false indication of such country, place, name or address; or
   (f) tampers with, alters or effaces an indication of origin which has been applied to any goods to which it is required to be applied under Section 139 of the Act; or
   (g) causes any of the things above-mentioned to be done.

In any such proceeding, it would be a defence that the person concerned acted without intent to defraud. Further, the court may, for adequate and special reasons to be mentioned in the judgement, impose a sentence of imprisonment for a term of less than six months or a fine of less than Rs.50,000.
Offences by Companies

2.48 Section 114 deals with offences by companies and provides that if the person committing an offence is a company, the company as well as every person in charge of, and responsible to, the company for the conduct of its business at the time of the commission of the offence shall be deemed to be guilty of the offence and shall be liable to be proceeded against and punished accordingly. It is also provided that where it is proved that the offence has been committed with the consent or connivance of, or that the commission of the offence is attributable to any neglect on the part of, any director, manager, secretary or other officer of the company, such director, manager, secretary or other officer shall also be deemed to be guilty of that offence and shall be liable to be proceeded against and punished accordingly. However, a person shall not be liable to any punishment if he proves that the offence was committed without his knowledge or that he exercised all due diligence to prevent the commission of such offence.

Designs Act, 2000

2.49 The Designs Act, 2000, which has replaced the Designs Act, 1911, seeks to protect the intellectual property in designs. Like works that are literary, dramatic, musical, artistic, etc. in nature, designs such as those of a new car or cellphone or a new pattern to be printed on dress material also represent the outcome of exercise of intellectual faculties of their creators/owners and merit legal recognition as their intellectual property.

Meaning of ‘Design’

2.50 Section 2(d) of the Act defines the term ‘design’ as: “.....
only the features of shape, configuration, pattern, ornament or composition of lines or colours applied to any article whether in two dimensional or three dimensional or in both forms, by any industrial process or means, whether manual, mechanical or chemical, separate or combined, which in the finished article appeal to and are judged solely by the eye; but does not include any mode or principle of construction or anything which is in substance a mere mechanical device, and does not include any trade mark as defined in Clause (v) of Sub-section (1) of Section 2 of the Trade and Merchandise Marks Act, 1958 or property mark as defined in Section 479 of the Indian Penal Code or any artistic work as defined in clause (c) of Section 2 of the Copyright Act, 1957”.

The above definition emphasises the ‘appeal to eye’. Accordingly, the term ‘design’ refers only to external appearance of an article and not to its functional or engineering design. The design is not the article itself, but a feature or an idea applied to an article e.g., novel shape of a car.

Registration of Designs

2.51 The Controller General of Patents, Designs and Trade marks has been designated under Section 3 of the Designs Act, 2000 as the Controller of Designs. The Controller may on the application of any person claiming to be the proprietor of any new or original design register the design. In the following cases, a design shall not be registered:
   (a) It is not new or original.
   (b) It has been disclosed to the public anywhere in India or in any other country by publication in tangible form or by use or in any other way prior to the filing date, or where applicable, the priority date of the application for registration.
   (c) It is not significantly distinguishable from known designs or combination of known designs.
   (d) It comprises or contains scandalous or obscene matter.
2.52 Upon registration of a design, the Controller shall grant a certificate of registration to the proprietor of the design. Under Section 10, the patent office is required to maintain a Register of Designs containing particulars of registered designs, viz., names and addresses of proprietors of registered designs, notifications of assignments and of transmissions of registered designs, and such other matter as may be prescribed and such register may be maintained wholly or partly on computer floppies or diskettes, subject to such safeguards as may be prescribed.

Effects of Registration

2.53 Upon registration of a design, the registered proprietor of the design has, subject to the provisions of the Act, copyright in the design during ten years from the date of registration. If, before the expiry of the said period of ten years, application for the extension of the period of copyright is made to the Controller in the prescribed manner, the Controller shall, on payment of the prescribed fee, extend the period of copyright for a period of five years from the expiration of the original period of ten years.

Restoration of Lapsed Designs

2.54 Where a design has ceased to have effect by reason of failure to pay the fee for the extension of copyright, the proprietor of the design or his legal representatives and where the design was held by two or more persons jointly, then with the leave of the controller one or more of them without joining the others, may make an application for the restoration of the design in the prescribed manner. Such application can be made within one year from the date on which the design ceased to have effect.
Piracy of Registered Designs

2.55 Piracy of a registered design has been made an offence under Section 22 of the Act by providing that during the existence of copyright in any design, it shall not be lawful for any person:
   (a) for the purpose of sale to apply to any article in any class of articles in which the design is registered, the design or any fraudulent or obvious imitation thereof (except with the license or written consent of the registered proprietor) or to do anything with a view to enable the design to be so applied; or
   (b) to import for the purposes of sale, without the consent of the registered proprietor, any article belonging to the class in which the design has been registered, and having applied to it the design or any fraudulent or obvious imitation thereof; or
   (c) knowing that the design or any fraudulent or obvious imitation thereof has been applied to any article in any class of articles in which the design is registered without the consent of the registered proprietor, to publish or expose or cause to be published or exposed for sale that article.

If any person acts in contravention of the above then he shall be liable for every contravention:
   (a) to pay to the registered proprietor of the design a sum not exceeding Rs.25,000 recoverable as a contract debt, or
   (b) if the proprietor elects to bring a suit for the recovery of damages for any such contravention, and for an injunction against the repetition thereof, to pay such damages as may be awarded and to be restrained by injunction accordingly.

It is provided that the total sum recoverable in respect of any one design under clause (a) shall not exceed Rs.50,000.

Recent Trends

2.56 The awareness about the intellectual property rights has increased globally over the last two decades or so, with India being no exception.
Among others, the Indian law relating to trade marks and designs has undergone a thorough revision (with new Acts substituting the earlier Acts) over this period and laws have been enacted to deal with areas untouched earlier (e.g., Semi-conductor Integrated Circuit Layout Design Act, 2000).

2.57 Indian judiciary too has played a significant role in protecting the genuine rights of owners of intellectual property as would be evident from the following judicial cases:

• In Time Incorporated v Lokesh Srivastava & Anr ((2005) 30 PTC 3 (Del)), the Delhi High Court awarded Time Inc Rs.5,00,000 in damages for the imitation of its famous trademark TIME (transliterated into Hindi) and its unique and well-known red border design. The court also drew a distinction between punitive and compensatory damages, extending the use of punitive damages to acts having a criminal propensity. Basing punitive damages on the theory of corrective justice, the court upheld the prayer for punitive damages on the ground that the courts must intervene on behalf of the public, who suffer from the infringement, while making the persons guilty of infringement realise that they will be exposed to financial penalties for infringing the IP rights of a third party.
• In Tata Sons Limited v Fashion ID Ltd ((2005) 30 PTC 182), and Buffalo Networks Pvt Ltd v Manish Jain ((2005) 30 PTC 242) the Delhi High Court awarded the plaintiffs Rs.1,00,000 each for violation of their respective trade marks through the unauthorised use of domain names incorporating these marks.
• In a series of three cases involving the infringement of copyrights and the ADIDAS trademark, the Delhi High Court awarded a total of Rs.1.5 million in damages. In Yahoo! Inc v Sanjay V Shah & Ors ((2006) 32 PTC 263) the court awarded Yahoo! Inc Rs.5,00,500 upon finding that the defendant had been selling tobacco products under the well-known trademark YAHOO!.
• In Amarnath Sehgal v Union of India ((2005) 30 PTC 260 and 263), the Delhi High Court awarded damages against the Government of India for violation of the moral rights of a famous sculptor. The government was directed to pay Rs.5,00,000 in damages to the sculptor for violation of his moral rights by the Government’s acts of distortion, damage and mutilation of a large bronze mural commissioned by the Government many years earlier. The Government was also directed to return the mural to the sculptor.

The Delhi High Court in Microsoft Corporation v Yogesh Popat ((2005) 30 PTC 245) awarded Microsoft Corporation Rs.1.975 million for piracy of its software products. This judgement is significant in as much as it was not only the highest-ever award of damages in any IP matter in India, but also the first award of damages in any software piracy litigation. (There have been some more cases involving software piracy where damages have been awarded.)

Chapter 3
Managing Intangible Assets

3.1 Intangible assets of an entity are now well recognised as its primary drivers in today’s knowledge-based and service-oriented economies. As, in Peter Drucker’s words, organisations move from the paradigm of “make and move” to “knowledge and service”, efficient and effective management of intangible assets assumes critical significance. Yet, as indicated earlier in Chapter-1, the management processes relating to intangible assets have by and large not kept pace with the increasing significance of such assets to entities. Possibly because they do not have a physical existence and/or because most of them either do not appear, or appear at far less than their real values in balance sheets, intangible assets often receive less managerial attention than they deserve.
It is, therefore, not surprising to find entities discovering to their dismay that they have invested in intangible assets that they either do not need or that do not meet their requirements. It is also not unusual to come across situations of sub-optimal use of intangible assets. While the unoccupied portion of a building or the unutilised capacity of a machine causes a lot of concern to management, unutilised functionalities of an intangible asset, say computer software, go unnoticed for years. Then there is the issue of gross misuse of an entity’s intangible assets by its employees and by unauthorised use of its copyrights, patents, trade marks or designs, e.g., unauthorised use of computer software or illegal copies being made of CDs of motion pictures or sound recordings or illegal use of a patented process for manufacture of a drug. Similarly, while on one hand, entities find themselves incurring maintenance costs for intangible assets like patents which they are not using, there are others who lament not getting adequate return on the substantial investment made by them in intangible assets. Finally, lack of attention to use of unauthorised intellectual property of others within an entity can lead to serious legal consequences for the entity and its personnel.

3.2 In some cases, lack of adequate attention, especially to laws and regulations relating to intangible assets, can be disastrous. A case in point is that of Kodak which, in 1986, allegedly infringed several of Polaroid’s instant photography patents and had to pay $925 million in damages and $100 million in legal fees. A further $500 million was spent to buy back 16 million instant cameras. Kodak also had to shut down its entire instant photography division and close its $1.5 billion manufacturing plant.
The above discussion underlines the need for an entity to have in place management processes that are commensurate with the significance of intangible assets to it with a view to enhancing the entity’s value through the creation of competitive advantages.

Connotation of ‘Intangible Assets’ from a Managerial Perspective

3.3 According to the criteria for recognition of an intangible asset in the balance sheet, as per generally accepted principles of financial accounting, many valuable resources cannot be recognised as intangible assets. Therefore, for the purpose of managing intangible resources, a wider definition is required. Accordingly, from a managerial perspective, an intangible asset is construed as an identifiable non-monetary resource without physical substance which:
   (a) is held by the entity for use in the production or supply of goods or services, for sale or rental to others or for administrative purposes, and
   (b) has operational, financial, legal or regulatory implications for the entity.

For example, a company engaged in business of providing cellular services obtains a licence from the telecom authorities. The licence so obtained is an intangible asset which has legal and operational implications since it is essential for the company to conduct its business of providing cellular services in the identified circles, and any non-compliance with the terms of the licence may impact its operations.

The above may be useful for management of an entity in instituting appropriate management processes relating to intangible assets, including internal audit.

Framework for Management of Intangible Assets

3.4 An intangible asset needs to be managed efficiently and effectively during its entire lifecycle. The framework for management of intangible assets rests on the following four key components:

• Policies which denote an entity’s commitment to a formal management process covering all business areas.
• Procedures which provide the mechanism for implementing the policies.
• People needed for a successful rollout of policies and procedures. People within the entity need to be educated about the purpose and significance of the policies and procedures by communicating relevant issues and providing necessary training.
• Technology acts as an enabler. It can be used as a means of automating the management process and monitoring the asset usage.

These four components need to be integrated in each phase of the life cycle of an intangible asset by following an appropriate approach. Thus, an intangible asset should be managed during each stage of its lifecycle by using adequate policies, procedures, people and technology.

3.5 Best practices, concepts and policies (i.e., framework/governance models) have been designed to manage and protect certain intangible assets critical to business of various entities. For example, to ensure that IT (information technology) processes deliver the information that the entity needs to achieve its objectives, there are IT governance models such as Information Technology Infrastructure Library (ITIL)¹ and Control Objectives for Information and related Technology (COBIT)². The International Organisation for Standardization (ISO) has developed a standard called the ISO 19770–1 which lays out a three-part process for managing software assets³. These processes include organisational management process, core Software Asset Maturity (SAM) process and primary interfaces for SAM, and allow the entity to fine tune its infrastructure against industry standards, and help it develop efficient and effective processes for managing software assets.
Key Aspects 3.6 This chapter discusses some key aspects of management of intangible assets, viz: l Acquisition/development of intangible assets l Identifying and recording intangible assets (including those which do not qualify for accounting recognition as intangible assets) 1 The Information Technology Infrastructure Library (ITIL) is a set of concepts and policies for managing IT infrastructure, development and operations. ITIL is published in a series of books, each of which covers an IT management topic. ITIL gives a detailed description of a number of important IT practices with comprehensive checklists, tasks and procedures that can be tailored to any IT organisation. 2 The Control Objectives for Information and related Technology (COBIT) is a set of best practices (framework) for information technology (IT) management created by the Information Systems Audit and Control Association (ISACA), and the IT Governance Institute (ITGI) in 1992. COBIT provides a set of generally accepted measures, indicators, processes and best practices to assist them in maximizing the benefits derived through the use of information technology and developing appropriate IT governance and control in an entity. COBIT was first released in 1996. Its mission is “to research, develop, publicise and promote an authoritative, up-to-date, international set of generally accepted information technology control objectives for day-to-day use by business managers and auditors.” 3 ISO/IEC 19770-1:2006 is a framework of Software Asset Management (SAM) processes which has been developed to enable an organisation to prove that it is performing software asset management (SAM) to a standard sufficient to satisfy corporate governance requirements and ensure effective support for IT service management overall. ISO/IEC 19770-1:2006 is intended to align closely to, and to support, ISO/IEC 20000. 
Good practice in SAM should result in several benefits, and certifiable good practice should allow management and other organisations to place reliance on the adequacy of these processes.

• Safeguarding intangible assets
• Optimum deployment/use of intangible assets
• Mitigating risks related to litigation

It may be emphasised that the discussion in the following paragraphs is generic and only indicative in nature. Each entity will need to devise management processes relating to intangible assets by considering its own requirements, circumstances and resources.

Acquisition/Development of Intangible Assets

3.7 The first stage in acquisition/development of an intangible asset is the planning stage. At this stage, a careful evaluation needs to be made, inter alia, of the purpose(s) for which the asset is proposed to be acquired/developed; whether that purpose can be met from any of the existing assets; if not, whether the asset should be acquired from outside or developed in-house (where possible); whether the entity has enough resources to finance the acquisition/development; and whether the benefits expected from the asset exceed the resources expected to be expended thereon. For illustrative purposes only, one may postulate that the planning stage for acquisition/development of computer software would involve the following, inter alia:

(a) Making strategic decisions to allocate resources between alternative projects at a given point in time. For example, should in-house programmers develop a new payroll system or direct their efforts toward correcting existing problems in an operating payroll system.

(b) Determining the performance requirements (i.e., what it is that they need the software to do) and systems requirements for the computer software project proposed to be undertaken.

(c) Exploring alternative means of achieving specified performance requirements. For example, should the entity make or buy the software.
(d) Determining whether the technology needed to achieve performance requirements exists.

It is important that at the planning stage, consultations are held with the various departments/individuals who would be affected by the ultimate decision. For example, in the case of computer software, the requirements of various users should be determined, i.e., what functionalities and/or controls each user would require for his/her purpose. It has been observed that, quite often, adequate attention is not given to determining the users’ requirements and the result is the acquisition of assets which soon need to be replaced or supplemented for obvious reasons.

3.8 The next stage is the execution of the plan, i.e., accumulating the resources and setting them in motion to achieve the planned results. For example, acquisition of computer software from a third party would, generally, involve the following principal activities:

• Identification of vendors of the software and assessing the general standing and repute of the vendors from whom quotations are invited/planned to be invited. While this aspect is not per se peculiar to acquisition of intangible assets, it acquires added significance in the context of such assets due to the legal framework governing them. For example, as per the Copyright Act, purchase or use of unauthorised or unlicensed software may attract severe penalties including imprisonment. Similarly, the legislation relating to trade marks, patents and designs lays down severe consequences of misuse of these intangible assets. To minimise the possibility of getting stuck with unauthorised intangible assets, only authorised dealers or distributors should be selected.
• Obtaining price quotations, product specifications, delivery and credit terms, after-sale warranty and maintenance terms, and the like.
In particular, due attention should be given to determining which product suits the requirements of the entity. Generally speaking, additional features come at a cost and involve complexity of operation. Therefore, a product that meets the current and reasonably foreseeable future requirements may be better than one with esoteric features – it is quite likely that the entity may never use these features.

• Evaluating the proposals of the vendors. This may be a particularly complex and delicate stage where the product offered by different vendors is not a standard off-the-shelf product and therefore a trade-off among different parameters may have to be made.
• Finalising the vendor and the final terms and placement of order. It is important to ensure compliance with the legal framework while acquiring, developing, maintaining, using or selling intangible assets. To this end, it should be ensured that the documented terms of the acquisition are such that they provide a clear and unencumbered right of ownership or use of the asset to the entity. The restrictions or limitations on such right should also be clearly agreed and documented. Besides, the documentation should make it abundantly clear that in the event of a defect in the title or rights of the vendor in relation to the asset in question, the vendor would be liable to reimburse the entity for any resultant fines or penalties levied on the latter.
• Receipt of software and payment of price.

In-house Development

3.9 Execution of a project for in-house development of an intangible asset involves many stages. For example, the development of computer software would involve the following broad stages:

(a) Design including detailed programme design is the process of detailed design of computer software that takes product function, feature, and technical requirements to their most detailed, logical form and is ready for coding.
(b) Coding which includes generating detailed instructions in a computer language to carry out the requirements described in the detailed programme design. The coding of computer software may begin prior to, concurrent with, or subsequent to the completion of the detailed programme design.

At the end of these stages of the development activity, the enterprise has a working model, which is an operative version of the computer software capable of performing all the major planned functions, and is ready for initial testing (‘beta’ version).

(c) Testing is the process of performing the steps necessary to determine whether the coded computer software product meets function, feature, and technical performance requirements set forth in the product design. At the end of the testing process, the enterprise has a master version of the software, which is a completed version together with the related user documentation and the training material.

3.10 Development of an intangible asset (whether in-house or through a third party under a contract) needs to be managed properly. For example, among others:

• The progress of development needs to be constantly monitored against budgeted targets and the viability of the project from various angles (e.g., technical, commercial, financial) needs to be constantly re-assessed.
• Compliance with the applicable legal framework needs to be ensured. For example, where development involves use of intellectual property of other parties, the licence or written permission of those parties should be obtained and adequately documented.

Identifying and Recording Intangible Assets

3.11 Entities often rely on their accounting system to identify and record their assets, e.g., the fixed assets register normally provides the basis for control of tangible fixed assets. In the case of intangible assets, however, an accounting system does not often reflect all the intangible assets of the entity.
This is due to the fact that as per the present generally accepted accounting principles relating to intangible assets, stringent criteria are applied before an intangible asset qualifies for accounting recognition. Many valuable intangible assets fail to meet these criteria. However, from a managerial and control perspective, it is equally important to identify and record even those intangible assets such as the following which may not qualify for recognition as intangible assets in an entity’s financial statements:

Self-generated Intangible Assets

(a) Most entities generate a number of intangible assets in the course of their day-to-day operations (many a time without even recognising this fact). For example, customer lists and terms of dealings with them often represent a valuable intangible asset which cannot, generally, be recognised as an asset, but which is susceptible to misuse by employees or others, for example by providing the customer lists or terms of contracts with key customers to competitors. Similarly, many innovations are introduced in the production and other processes. Similar is the case of internally generated recipes, formulae, mixes, styles, etc. One of the problems in the case of these self-generated intangible assets is that, generally, their cost cannot be distinguished from the cost of running day-to-day operations. Accordingly, these do not often qualify for accounting recognition as intangible assets.

Even where there is a specific project/programme for developing an intangible asset (e.g., a defined research and development project), the extant generally accepted accounting principles lay down certain criteria which must be satisfied before the entity recognises an intangible asset arising from such project or programme. Thus, until these criteria are satisfied, no intangible asset is recognised.
In case of many projects for internal development of intangible assets, the aforesaid criteria may be satisfied at a very late stage in the development process. Even after these criteria are satisfied, the amount recognised as asset is limited to the expenditure incurred on development from the time when the aforesaid criteria are met.

Another problem is that Indian generally accepted accounting principles preclude revaluation of intangible assets subsequent to their initial recognition. Thus, the amounts ascribed to intangible assets in a balance sheet (historical costs less accumulated amortisation) may be far out of sync with the real values of many such assets.

Acquired Intangible Assets not Recognised in Accounting

(b) Apart from many self-generated intangible items as discussed above, there are a number of acquired assets which may not find place in an entity’s balance sheet. These may include:

• intangibles which are not in use, e.g., a discarded software;
• intangibles in use which have been fully amortised;
• intangible assets acquired in a business combination. The acquired entity may have intangible assets that do not appear on its balance sheet, e.g., internally-generated goodwill, patents, brands and customer lists, long-term agreements with key employees or employee associations, profitable contracts with suppliers or customers, and so on. Lack of accounting recognition of these assets may make their identification difficult by the acquirer.

Identification

3.12 From a managerial perspective (as opposed to a purely accounting perspective), it is of utmost importance that all intangible assets belonging to the entity are identified and recorded, whether or not they satisfy the accounting criteria for recognition as intangible assets. Identification of intangible assets acquired in a stand-alone acquisition transaction or developed under discrete internal projects is relatively easy and straightforward.
However, identification of other intangible assets such as those referred to above often poses difficulties. The following procedures would be useful in this regard:

(a) There should be an institutional mechanism whereby all suggestions, improvements or modifications to materials, devices, projects, processes, systems or services are reviewed by competent officials to determine whether any of them could potentially be intellectual property. Among others, this requires a good understanding of what constitutes, and what does not constitute, intellectual property as per the law of the land; as per accounting norms; and as per the managerial perspective of what is a valuable resource of the entity.

(b) A periodic verification exercise (just like physical stock-taking of tangible assets) should be undertaken whereby all computer software programs, designs, processes, products, special rights, patents, copyrights, trade marks, designs, etc. are reviewed to evaluate the adequacy of controls over their use and the adequacy of title of the entity. The exercise should also identify and document intangible assets which are fully amortised but in use as well as those which have been discarded.

(c) In the case of a business combination, a detailed review of the acquired entity should be made – its history, projects, production processes, systems, contracts, and the like. Here too, the acquired entity may have intellectual property assets that it failed to identify and record. Many a time, such intangibles are not separately identified but clubbed in the overall pool of goodwill.

Documentation

3.13 Appropriate records and documents should be maintained in respect of all identified intangible assets whether or not they qualify for recognition as intangible assets in the entity’s financial statements.
The exact nature of records and documents to be maintained would differ from case to case, depending upon the nature of the asset in question and the management’s requirements. However, in general, the records and documents should be such as would facilitate proper accounting of intangible assets; and also control and compliance with applicable legal and regulatory requirements. To this end, documents evidencing the ownership or other interests of the entity (e.g., licence) in the intangible assets should be carefully maintained so as to protect the entity in the event of a litigation. These records should contain the following particulars, inter alia:

• Sufficient description of the asset. For example, patents, trade marks and designs are normally identifiable by the purchase agreements or the letters granting patent and by registration references. Similarly, computer software may be identified by its title, version and serial number, e.g., ‘Microsoft Office 2007’ and licence number.
• Class of assets to which the asset pertains. A class of assets is a grouping of assets of a similar nature and use in an enterprise’s operations. Common classes of intangible assets are:
  (a) brand names
  (b) mastheads and publishing titles
  (c) computer software
  (d) licences and franchises
  (e) copyrights
  (f) patents
  (g) designs service and operating rights
  (h) service rights
  (i) recipes, formulae, models, and prototypes
  (j) customer/vendor lists and contracts
  (k) other intangibles.
• Location, i.e., the name of division, branch or department where the asset is located. This is of primary relevance for intangible assets like computer software which are physically in operation at different locations.
• Quantity, i.e., number of units. This would be relevant for items like standard computer software where more than one unit may have been acquired.
• Original cost.
In this regard, it may be emphasised that the cost of an internally generated intangible asset is the sum of expenditure incurred from the time when the intangible asset first meets the criteria for such recognition as per the applicable accounting norms. For assets which do not qualify for recognition in accounting, no value may be ascribed.

• Date on which the asset becomes available for use. This date is significant inasmuch as it marks the commencement of period of amortisation.
• Subsequent expenditure on the asset that is included in its carrying amount, along with the date of incurrence of the expenditure.
• Method of amortisation.
• Amortisation period (or rate of amortisation).
• Amount of amortisation for the period.
• Amount of accumulated amortisation as at the beginning and end of the period.
• Particulars of impairment loss (if any) and any reversal of such impairment loss – date, amount for the period and accumulated amount as at the beginning and end of the period.
• Particulars of retirement, disposal, etc. – date and amount.
• Particulars of registration – name of registration authority and date of registration.
• Period of validity of registration and date of expiry of registration.
• Particulars of renewal/maintenance fee (if any) – scheduled date(s) of payment, amount, particulars of actual payment(s).
• Particulars of any licence or other similar right in the asset granted to third parties, e.g., use rights in a trade mark. Such particulars would include name and address of the counterparty, nature and period of rights granted, other key terms and conditions, consideration received/receivable, details of registration with authority concerned, etc.

3.14 The exact manner of maintaining the aforesaid records (whether manually or on computer, whether in the form of a loose-leaf book or a bound register, whether on a centralised or decentralised basis, etc.)
is a matter for each entity to decide depending upon its specific circumstances and requirements. For the above records to be meaningful, entries should be made therein on a timely basis. For example, in the case of acquisition of, say, computer software, it should be recorded within a reasonable time of receiving the software from the vendor.

Many entities, such as those in pharmaceutical research and software development, are constantly engaged in projects for internal development of intangible assets. From both accounting and control perspectives, it is important that costs relating to each such project are separately identified and recorded. Such costs comprise all expenditure that can be directly attributed, or allocated on a reasonable and consistent basis, to making the asset ready for its intended use. In identifying costs attributable to each internal project for development of an intangible asset, regard should be had to the well-known principles and practices of cost accounting. For example, each project may be assigned a unique project number, and all costs associated with the project identified and accumulated with reference to the project number so assigned.

Safeguarding Intangible Assets

3.15 An entity needs to safeguard all its assets, tangible or intangible, from unauthorised access, use or disposal as well as from accidental loss, destruction, etc. However, in the case of intangible assets, this might be a more difficult task. The very nature of intangible assets, advances in information and telecommunication technology, especially the advent of the internet, the relative ease and low cost of replicating many intangibles and other similar factors make intangible assets far more susceptible to unauthorised access, use or disposal than the tangible ones.
For example, sensitive information relating to a new drug formulation under development or an improved manufacturing process under testing may get divulged to third parties through hacking of computer data, electronic eavesdropping, competitors hiring employees having access to sensitive information, theft by employees, bribery, etc. A failure to secure or protect intangible assets may lead to loss of competitive advantage, market share, revenue, R&D costs, loss of image, increased legal costs, legal fees associated with loss of third-party information, etc. Therefore, the need for appropriate and adequate measures to safeguard intangible assets of an entity can hardly be overemphasised.

3.16 Effective safeguarding of intangible assets involves, inter alia, an organisational environment where the significance of intangibles is well-understood and there is a culture of respecting the confidentiality of sensitive information. Similarly, there should be sensitivity to the unethical aspects and awareness of legal consequences arising from unauthorised use of intellectual property of others. A strong compliance mechanism to protect the entity’s rights (including recourse to legal protection wherever required) is also necessary. More specifically, the methods employed by an entity to safeguard its intangible assets may include one or more of the methods discussed in the following paragraphs.

Information Security Policy

3.17 An information security policy is a statement setting out an entity’s stance on information security issues. It should address security practices and procedures pertaining to the protection of entity’s secrets, information and documents. Furthermore, it should address enforcement and penalties. The document should be clear, unambiguous and widely distributed within the entity.
The policy should make it clear that anyone who deals with the entity, either as an employee, supplier, consultant, contractor or customer, has a responsibility to protect information. Acknowledgment of this document should be included in business agreements and employment contracts.

Training and Awareness

3.18 One of the most effective methods of protecting sensitive information is to implement an awareness programme to ensure that all employees understand and discharge their responsibility to protect sensitive information of the entity.

Legal Protection and Contracts

3.19 The contracts with employees, consultants, contractors, vendors, etc., should be carefully drafted to incorporate the relevant provisions addressing the ownership of intellectual property rights with the entity. It should be ensured that arrangements are such that the ownership or other rights in intangible assets arising in the course of engagement of employees, contractors, consultants, vendors, etc., vest with the entity, except as specifically provided to the contrary. Before commencing any work, all such persons should be required to sign written agreements transferring ownership of all works of authorship produced by them during the course of their work with the entity and all intellectual property rights therein. The agreements should also provide that these persons will not make unauthorised use of intellectual property or other legal rights of third parties. There should be appropriate non-disclosure agreements with all relevant parties.

3.20 Protection offered by various laws, e.g., Patents Act 1970, Copyright Act 1957, etc., should be availed by ensuring that the entity’s right to the asset is appropriately registered with the relevant authority. The entity should consult legal experts to ensure that the registration formalities are properly complied with and the documentation is in order.
There should be a system of periodically reviewing the different types of intellectual property, e.g., new processes, software in use, to ensure that these are under proper licences so that no adverse legal consequences can arise.

Business Continuity Plan/Disaster Recovery Plan

3.21 Business Continuity Planning (BCP) is an interdisciplinary concept used to create and validate a logistical plan for how an entity will recover and restore partially or completely interrupted critical (urgent) function(s) within a predetermined time after a disaster or extended disruption. In plain language, BCP is working out how to stay in business in the event of disaster. Incidents include local incidents like building fires; regional incidents like earthquakes; or national incidents like pandemic illnesses or war. BCP includes planning for aspects such as key personnel, facilities, crisis communication and reputation protection.

3.22 Disaster recovery is the process, policies and procedures related to preparing for recovery or continuation of technology infrastructure critical to an organisation after a natural or human-induced disaster. Disaster recovery planning is a subset of BCP and should include planning for resumption of applications, data, hardware, communications (such as networking), IT infrastructure and other intangible assets. An entity should have a BCP/DRP to respond to situations of loss of intangible assets where these are strategic to its operations.

Other Measures

3.23 Other measures may include the following:

• Secure disposal of sensitive documents and other materials – either internally using a shredder or through a trusted third-party contractor who has been security vetted. Alternatively, sensitive material should be rendered unreadable. All the relevant discs and hard drives should be suitably overwritten or destroyed.
• Background checks for employees, especially, those involved in the development process and those with access to sensitive information, vendors, contractors, etc.
• Exit interviews and non-compete arrangements are also a good measure. During the exit interview, the employee should be specifically advised about his obligation not to disclose or use confidential business information for his own benefit or for the benefit of others without the express written consent of the company. A written confirmation should be obtained and, where required, a non-compete arrangement should be executed. If the employee was given access to an intangible asset owned by the entity, it should be ensured that the same has been returned or the access rights revoked.
• Appropriate physical security measures should be taken such as a clear desk policy, perimeter protection such as fencing and lighting, intruder detection systems, access control systems, locks, keys, safes, vaults and manned security guarding.
• Appropriate security measures for protection such as use of passwords on computers, those to be followed while travelling or working off-site and those to be used for sharing information in presentations, exhibitions, etc., should be laid down.
• Periodic audit of the security measures should be undertaken to assess their effectiveness.

Optimising the Deployment/Use of Intangible Assets

3.24 To a considerable extent, the efficacy of acquisitions/development policy of an entity in relation to intangible assets determines the extent to which they are utilised post-acquisition or development. However, subsequent changes in markets, business plans, priorities, etc. also often result in certain intangible assets not being utilised sufficiently.
Unutilised intangible assets entail a cost to the entity in the form of maintenance (e.g., renewal fee for a registered trade mark) and/or in the form of loss of opportunity to earn revenue from use, sale or licensing of the asset. The following are some examples:

• According to an estimate by British Telecom, it only uses a quarter of its patents in its existing products.
• Philips Electronics only uses between 35 and 40 percent of its intellectual property portfolio.

By identifying their unutilised or under-utilised intangible assets, entities can undertake appropriate remedial measures.

3.25 A periodic assessment of the use to which each intangible asset is being put would enable an entity to identify unutilised or under-utilised intangible assets. For such assets, the entity would need to explore the possibility of new or alternative uses such as licensing out of a patent for a medicine which the entity itself is no longer manufacturing. In some known cases, entities have adopted even innovative modes for exploiting their intangible assets – in recent times, some black and white blockbuster movies of the 1950s and 1960s have been relaunched in India in a coloured version. Where an intangible asset is unlikely to contain any worthwhile potential to generate future economic benefits for the entity and its maintenance involves periodic costs, its relinquishment should be considered.

Mitigating the Litigation Risk

3.26 An entity can become a party to litigations relating to intangible assets in either of the following ways:

(a) An intangible asset belonging to the entity is subject of unauthorised access, use or disposal by another party, e.g., a suit filed by the producer entity of a motion picture against a television channel for exhibiting the picture on the channel without obtaining the entity’s consent. Unauthorised use of an entity’s intangible assets may often entail huge opportunity loss.
This risk can be mitigated by adopting measures such as those discussed earlier under the heading ‘safeguarding intangible assets’.

(b) The entity itself is alleged to have accessed, used or disposed of an intangible asset claimed by another party as belonging to the latter, e.g., a suit against the entity for alleged use of unauthorised computer software. This may involve physical cash outflows on account of resultant fines and penalties or even imprisonment in some cases. Loss of reputation is perhaps an even bigger consequence.

3.27 The above risk arises from lack of controls in the entity itself and can, therefore, be mitigated to a large extent by instituting appropriate policies and procedures, putting them into operation, and monitoring their compliance on an on-going basis. Among others, such policies and procedures may include the following:

• Monitoring legal requirements.
• Instituting and operating appropriate internal controls.
• Developing, publicising and implementing a Code of Conduct, containing standard instructions to be followed by employees for ensuring compliance with laws, regulations and entity’s policies relating to intangible assets with particular reference to the stipulation that there should be no unauthorised use of intangible assets of others.
• Ensuring that employees are properly trained and that they understand the Code of Conduct.
• Monitoring compliance with the Code of Conduct and acting appropriately to discipline employees who fail to comply with it.
• Maintaining a record of complaints in respect of non-compliance of intellectual property rights both against and by the entity.

Role of Internal Audit

3.28 The policies and procedures relating to intangible assets can be supplemented by assigning appropriate responsibilities to the internal audit function.
Among others, internal audit can:

• Review the internal controls related to all stages of lifecycle of intangible assets, monitor their operation and recommend improvements thereto.
• Review the efficiency and effectiveness of use of intangible assets.
• Monitor compliance with laws and regulations relating to intangible assets with particular reference to unauthorised use of intangible assets of others, e.g., patents, trademarks, computer software, etc.

Chapter 4
Approach to Internal Audit of Intangible Assets

4.1 To be effective, internal audit in any situation has to be properly planned and executed. In this context, this chapter discusses the overall approach to internal audit of intangible assets.

Legal and Regulatory Requirements

4.2 Even though the overall approach of any internal audit assignment depends on the need and perception of the entity’s management, of late certain legal requirements and regulatory prescriptions relating to corporate governance have assumed importance in this regard. Increasingly, internal auditors are being asked to constantly review processes of compliance with these requirements and evaluate their efficacy. Not only does this provide assurance to the management and also to those charged with governance (e.g., Board of directors) but it also helps in improving corporate governance practices. The following legal and regulatory requirements are noteworthy in the context of determining the overall approach to internal audit in general, and to internal audit of intangible assets in particular.
Requirements of Section 217(2AA) of Companies Act, 1956

4.3 Under Section 217(2AA) of the Companies Act 1956, the annual report of the Board of Directors of a company to its members has to include a Directors’ Responsibility Statement wherein the directors have to make, inter alia, the following assertion:

(iii) “that the directors had taken proper and sufficient care for the maintenance of adequate accounting records in accordance with the provisions of this Act for safeguarding the assets of the company and for preventing and detecting fraud and other irregularities”

It is clear from the above that the directors have a responsibility for safeguarding the assets of the company and for preventing and detecting fraud and other irregularities. This would cover both violation of legal rights of other parties attached to intangible assets used by the entity and violation by others of the intellectual property rights of the entity.

Requirements of Listing Agreement

4.4 The Securities and Exchange Board of India (SEBI) has introduced certain mandatory as well as certain recommendatory corporate governance provisions in Clause 49 of the Listing Agreement applicable to listed entities. Some of the important requirements are as follows:

• The Audit Committee is required to review:
  ◦ The adequacy of the internal audit function, if any, including the structure of internal audit department, staffing and seniority of the official heading the department, reporting structure, coverage and frequency of internal audit, including appointment, removal and terms of remuneration of the chief internal auditors.
  ◦ Internal audit reports relating to internal control weaknesses.
  ◦ The finding of any internal investigations by the internal auditors into matters where there is a suspected fraud or irregularity or a failure of internal control systems of a material nature and reporting the matter to the Board.
• The Audit Committee is also required to discuss with the internal auditors any significant findings and follow up thereon.
• The CEO and CFO have to certify to the Board of Directors:
  ◦ That financial statements as well as cash flow statement for the period:
    ▪ Do not contain any materially untrue statement or omit any material fact or contain statements that might be misleading.
    ▪ Present a true and fair view.
    ▪ Are in compliance with the existing Accounting Standards, applicable laws and regulations.
  ◦ No transactions were entered into by the company, which were fraudulent, illegal or violative of the company’s code of conduct.
  ◦ That they accept responsibility for effectiveness of internal controls and that they have disclosed to the auditors and the Audit Committee deficiencies in the design and operation of the internal controls and steps taken for rectification of the same.
  ◦ That they have indicated to the Audit Committee and the internal as well as external auditors as to the following aspects:
    ▪ Any significant changes in internal controls.
    ▪ Any significant changes in the accounting policies and instance of significant fraud, if any, and that the same have been disclosed in the notes to the financial statements.
    ▪ Instances of any significant fraud and involvement, if any, therein of the management or any employee having a significant role in the internal control systems of the company
• The Listing Agreement also requires that the Board should be informed about Risk Management Framework (including assessment and minimisation procedures). Further, the Management Discussion and Analysis Report (forming part of Annual Report) is also required to disclose ‘risks and concerns’.
4.5 Thus, effective internal controls and internal audit including in relation to intangible assets are essential for the management and those charged with governance to successfully discharge their responsibilities. Unauthorised use of the entity’s intangible assets by others would constitute an illegal transaction and would be indicative of control deficiencies. Similarly, if the entity is exposed to the risk of breach of laws relating to intellectual property belonging to others e.g., misuse of patent rights or unauthorised use of software, the directors and the management of the company are exposed to serious consequences. Often such infringements are unintentional, but a good internal audit programme would highlight all these risks and trigger corrective action.

Requirements of CARO, 2003

4.6 The Companies (Auditor’s Report) Order, 2003 (CARO) requires the Statutory Auditor to report on the following:

“Whether in case of listed companies and/or other companies having paid-up capital and reserves exceeding Rs.50 lakh at the commencement of the financial year concerned, or having an average annual turnover exceeding five crore rupees for a period of three consecutive financial years immediately preceding the financial year concerned, whether the company has an internal audit system commensurate with its size and nature of its business”.

Apart from the above, the following requirements of CARO are also of relevance to internal audit.

“Whether any fraud on or by the company has been noticed or reported during the year. If yes, the nature and the amount involved is to be indicated.”

“Is there an adequate internal control system commensurate with the size of the company and the nature of its business, for the purchase of inventory and fixed assets and for the sale of goods and services?
Whether there is a continuing failure to correct major weaknesses in internal control system.”

Other Requirements

4.7 In addition to the above, for companies exploring the international capital market, especially those seeking listing on US stock exchanges like NASDAQ, NYSE, etc., a strong internal audit function (extending to intangible assets also) would be required to meet the stringent corporate governance and internal control requirements of those stock exchanges.

Approach to Internal Audit

4.8 Standard on Internal Audit (SIA) 7, “Quality Assurance in Internal Audit”, issued by the Institute of Chartered Accountants of India, requires that a proper system should exist for assuring quality in internal audit to provide reasonable assurance that the internal auditors comply with professional standards, regulatory and legal requirements, so that the reports issued by them are appropriate in the circumstances. The system of quality control should include policies and procedures addressing specified elements including ethical requirements, engagement performance and monitoring. Standard on Internal Audit (SIA) 8, “Terms of Internal Audit Engagement” requires that an internal auditor and the auditee should agree on the terms of the engagement before its commencement and the agreed terms should be recorded in an engagement letter.

Keeping in view the above legal and regulatory requirements and the general perception of those responsible for management and governance of entities, the overall approach to internal audit of intangible assets is as discussed below.

Stages in Internal Audit

4.9 As in the case of any other area, internal audit of intangible assets involves the following stages:

(a) Establishing audit objectives and scope of work.
(b) Planning audit including obtaining background information, determining the resources necessary to perform the audit, communicating with relevant persons, performing on-site survey and designing audit programme.
(c) Obtaining evidence which also includes use of analytical procedures and test checking/statistical sampling techniques for obtaining sufficient and appropriate audit evidence, and maintenance of proper working papers.
(d) Reporting i.e., communication of results.
(e) Appropriate follow-up.

Each of the above stages is discussed in detail in the succeeding parts of this chapter.

Establishing Audit Objectives and Scope of Work

4.10 Keeping in view the legal requirements as discussed above and the requirements of entities in general, an appropriate internal audit approach relating to intangible assets should cover the following aspects:

(a) Safeguarding of intangible assets: The internal audit should review the means of safeguarding intangible assets. This assumes particular importance since the system of maintenance of records and of providing management information (MIS) relating to intangible assets does not often have a proper formal structure; generally, intangible assets are not even identified properly and so a proper listing of intangible assets is not available. Once the system is properly implemented, a periodical review of the existence and value of such assets should be conducted.

(b) Compliance with laws, regulations, contracts, management policies and procedures: Internal audit should review the systems established to ensure compliance with laws, regulations, contracts, management policies and procedures relating to intangible assets including copyrights, trade marks, patents and designs to determine whether the entity has complied with them or not.
Existence of an effective system in this area is important since even an unwitting non-compliance may entail serious legal consequences (reference may be made to Chapter 2 for a detailed discussion). Similarly, the internal audit should aim to review contracts which result in acquisition or transfer of intangible rights. Finally, in-house procedures for protecting intangible assets e.g., implementation of code of conduct to be followed by employees, vendors, consultants, etc. should also be reviewed.

(c) Efficiency and effectiveness of operations: Internal audit should appraise the efficiency and effectiveness with which intangible assets are employed. The role of the internal audit in this regard should be to determine whether:
  (i) operating standards have been established by the management for measuring efficiency and effectiveness;
  (ii) established operating standards are understood and being met by the concerned employees;
  (iii) deviations from operating standards are identified, analysed and communicated to those responsible for corrective action; and
  (iv) corrective action is taken on a timely basis.

Audits related to efficient and effective use of intangible assets should identify conditions such as underutilisation and also non-productive assets and procedures which are not justifiable on cost-benefit considerations.

Planning the Internal Audit

4.11 Standard on Internal Audit (SIA) 1, “Planning an Internal Audit”, issued by the Institute of Chartered Accountants of India, requires that the internal auditor should, in consultation with those charged with governance, including the audit committee, develop and document a plan for each internal audit engagement to help him conduct the engagement in an efficient and timely manner.
Similarly, Standard on Internal Audit (SIA) 2, “Basic Principles Governing Internal Audit”, requires the internal auditor to plan his work to enable him to conduct an effective internal audit in a timely and efficient manner, ensuring that appropriate attention is devoted to significant areas of audit, identification of potential problems and appropriate utilisation of skills and time of the staff. Further, the internal auditor should exercise due professional care, competence and diligence expected of him while carrying out the internal audit.

4.12 Standard on Internal Audit (SIA) 15, “Knowledge of the Entity and its Environment”, requires that the internal audit plan should be based on the knowledge of the business of the entity, its operating environment, including its regulatory environment and the industry in which it operates, sufficient to enable the internal auditor to review the key risk and the entity-wide processes, systems, procedures and controls. In an initial engagement for internal audit of intangible assets, examples of key areas include:

• Nature of the entity – ownership and management, products or services and markets, location of production facilities, organisational structure, control environment, related parties, etc.
• Intangible assets – nature and extent, mode of acquisition – whether self-generated or purchased or acquired under user licences, whether in own-use or licenced out, etc.
• Legal and regulatory framework applicable to entity’s intangible assets; any known past cases of non-compliance.
• Accounting standards or other accounting principles and practices applicable to entity’s intangible assets.

4.13 Other aspects to be normally covered in the internal audit plan would be as follows:

• A description of the nature, timing and extent of audit procedures for each class of intangible assets.
• The resources to be deployed for specific audit areas, such as the use of appropriately experienced team members for high risk areas.
• How such resources are to be managed, directed and supervised, such as when team briefing and debriefing meetings are expected to be held, and how engagement partner and manager reviews are expected to take place (for example, on-site or off-site).
• Whether there is any requirement to obtain technical advice and assistance from competent experts if the internal audit team does not possess the necessary knowledge, skills, expertise or experience needed to perform all or part of the internal audit engagement. When the internal auditor uses the work of an expert, he should satisfy himself about the competence, objectivity and the independence of such expert in accordance with Standard on Internal Audit (SIA) 16, “Using the Work of an Expert”.

Obtaining Evidence

4.14 With respect to audit evidence, Standard on Internal Audit (SIA) 2, “Basic Principles Governing Internal Audit”, issued by the Institute of Chartered Accountants of India, states as below:

“The internal auditor should, based on his professional judgement, obtain sufficient appropriate evidence to enable him to draw reasonable conclusions therefrom on which to base his opinion or findings. Factors affecting the professional judgment include the activity under audit, possible errors and their materiality and the risk of occurrence of such errors.”

4.15 As per Standard on Internal Audit (SIA) 12, “Internal Control Evaluation”, the internal auditor should examine the continued effectiveness of the internal control system through evaluation and make recommendations, if any, for improving that effectiveness.
Further, Standard on Internal Audit (SIA) 13, “Enterprise Risk Management” establishes standards and provides guidance on review of an entity’s risk management system during an internal audit or such other review exercise with the objective of providing an assurance thereon. Thus, depending on the objectives and scope of internal audit in a particular situation, this stage may involve an evaluation of both the design effectiveness and operational effectiveness of various processes and controls.

4.16 Standard on Internal Audit (SIA) 11, “Consideration of Fraud in an Internal Audit”, provides that even though the primary responsibility for prevention and detection of frauds is that of the management of the entity, the internal auditor should help the management fulfill its responsibilities relating to fraud prevention and detection.

4.17 As discussed in the preceding chapter, the framework for management of intangible assets rests on policies, procedures, people, and technology. Effectiveness of design and operation of management processes is evaluated with reference to each of these factors. For example, while evaluating internal controls relating to a computerised application system, the internal auditor should strive to find answers to the following, inter alia:

• the objective of the control;
• the risks it helps to mitigate;
• how it is performed;
• how frequently it is applied;
• whether it is documented by management;
• the knowledge, experience and expertise of the person performing it (if a manual control); and
• whether the control has an IT component.

4.18 In line with the above, Standard on Internal Audit (SIA) 10, “Internal Audit Evidence”, requires an internal auditor to evaluate whether he has obtained sufficient appropriate audit evidence before he draws his conclusions therefrom.
The procedures to be employed by the internal auditor in evaluating the design and implementation of systems, procedures and controls may include:

• inspection of documents and records;
• observation of actual performance;
• inquiries of appropriate personnel (alone, this procedure is not sufficient to provide appropriate evidence and, therefore, should be supplemented by other procedures);
• performing a ‘walkthrough’ where a transaction is traced through each step; and
• application of analytical procedures.

Standard on Internal Audit (SIA) 6, “Analytical Procedures”, issued by the Institute of Chartered Accountants of India establishes standards on the application of analytical procedures during an internal audit. These procedures should be applied at the planning as well as at the overall review stages of internal audit.

4.19 Standard on Internal Audit (SIA) 5, “Sampling”, issued by the Institute of Chartered Accountants of India establishes standards on the design and selection of an audit sample and provides guidance on the use of sampling in internal audit engagements. It also deals with the aspects of evaluation of sample results. SIA 5 applies to both statistical and non-statistical sampling methods. In determining the extent of application of various audit procedures, due regard should be given to the principles enunciated in SIA 5.

4.20 In accordance with Standard on Internal Audit (SIA) 16, “Using the Work of an Expert”, the internal auditor should seek reasonable assurance that the expert’s work constitutes appropriate evidence in support of the overall conclusions formed during the internal audit engagement, by considering:

• the source data used.
• the assumptions and methods used and, if appropriate, their consistency with the prior period.
• the results of the expert’s work in the light of the internal auditor’s overall knowledge of the business and of the results of his audit procedures.

The process to be followed by an internal auditor for examination and evaluation of the specific propositions under audit is the subject matter of detailed discussion in subsequent chapters.

Documentation

4.21 The internal auditor should document matters, which are important in providing evidence that the audit was carried out in accordance with the standards on internal audit and support his findings or the report submitted by him. Standard on Internal Audit (SIA) 3, “Documentation” requires that audit documentation should record the internal audit charter, the internal audit plan, the nature, timing and extent of audit procedures performed, and the conclusions drawn from the evidence obtained. In case the internal audit is outsourced, the documentation should include a copy of the internal audit engagement letter, containing the terms and conditions of the appointment.

Reporting

4.22 The primary deliverable in an internal audit engagement is the internal audit report, communicating the findings of internal audit together with the suggestions for corrective or remedial measures or for improvement in prescribed systems, procedures and controls. In this regard, Standard on Internal Audit (SIA) 2, “Basic Principles Governing Internal Audit”, states as below:

“The internal auditor should carefully review and assess the conclusions drawn from the audit evidence obtained, as the basis for his findings contained in his report and suggest remedial action.
However, in case the internal auditor comes across any actual or suspected fraud or any other misappropriation of assets, it would be more appropriate for him to bring the same immediately to the attention of the management.”

4.23 The nature of findings to be reported in an internal audit report is obviously dependent on the objectives and scope of the engagement. For example, the nature of findings to be reported in an engagement aimed at determining compliance with applicable legal and regulatory framework will be totally different from that in an engagement aimed at determining whether the patents owned by the entity and licenced out by it are generating sufficient licencing revenues. Likewise, the nature of findings would be totally different in an internal audit engagement where the objective of the engagement is to determine in which of the four maturity levels (Basic, Standardised, Rationalised and Dynamic) the Software Asset Management (SAM) policies and practices of the entity fall, based on the following characteristics of each of the maturity levels:

• Basic – the entity has only a low control over what IT assets are being used and lacks policies, procedures, resources, and tools.
• Standardised – processes as well as tool/data repository exist.
• Rationalised – the entity has a vision, policy, procedures, and tools which are used to manage intangible asset life cycle.
• Dynamic – the entity uses SAM on a near real-time basis, aligning itself with changing business needs and realising business competitive advantage through SAM.

4.24 Due to the very nature of internal audit function, it has a serious potential of creating behavioural issues within an entity.
Recognising this, Standard on Internal Audit (SIA) 4, “Reporting”, requires that to facilitate communication and ensure that the recommendations presented in the final report are practical from the point of view of implementation, the internal auditor should discuss the draft with the entity’s management prior to issuing the final report. According to SIA 4, the different stages of communication and discussion should be as under:

(a) Discussion Draft – At the conclusion of field work, the internal auditor should draft the report after thoroughly reviewing his working papers. The discussion draft so prepared should also be carefully reviewed before it is presented to the entity’s management for auditee’s comments. This discussion draft should be submitted to the entity’s management for review before the exit meeting.

(b) Exit Meeting – The internal auditor should discuss with the management of the entity his findings, observations, recommendations, and text of the discussion draft. At this meeting, the entity’s management should comment on the draft and the internal audit team should work to achieve consensus and reach an agreement on the internal audit findings.

(c) Formal Draft – The internal auditor should then prepare a formal draft, taking into account any revision or modification resulting from the exit meeting and other discussions. When the changes have been reviewed by the internal auditor and the entity management, the final report should be issued.

(d) Final Report – The internal auditor should submit the final report to the appointing authority or such members of management, as directed. The periodicity of the Report should be as agreed in the scope of the internal audit engagement. The internal auditor should mention in the Report, the dates of discussion draft, exit meeting, Formal Draft and Final Report.
Thus, the internal auditor should maintain effective two-way communication throughout the internal audit process by clearly communicating his responsibilities and overview of the planned scope, obtaining relevant information from the management, and providing timely observations arising from the internal audit. Standard on Internal Audit (SIA) 9, “Communication with Management” also provides guidance on form, timing, adequacy and documentation of communication process.

Appropriate Follow-up

4.25 The final stage in an internal audit is the review of actions taken on internal audit findings and suggestions. The actions taken are reviewed with a view to determining their appropriateness, adequacy and timeliness. It is also examined whether they have had the desired effect. Where compliance of law is involved, the matter may need to be reviewed in-depth and discussions should be held with top management.

Internal Audit Team

4.26 As the above discussion indicates, depending upon the exact terms of reference for an internal audit engagement relating to intangible assets, the internal audit team may need to comprise individuals with sufficient knowledge, skills and experience in a multitude of disciplines such as financial accounting, cost accounting, law, computer hardware or software or other engineering disciplines, and so on. A sufficient number of persons possessing the requisite degree of proficiency in the relevant disciplines is a major determinant of the effectiveness with which an internal audit of intangible assets is performed.

Importance of Top-level Support

4.27 The commitment and support of senior management to internal audit function is of paramount importance to motivate all involved to respond positively and constructively to internal audit findings and recommendations, apart from ensuring the availability of sufficient resources.
An internal audit programme in an entity is less likely to be successful when it does not have the top-management support and commitment. In entities where internal audit consistently delivers good results, the corrective action process is likely to be institutionalised as a result of the management support.

4.28 To ensure that the internal audit function has the requisite degree of support of the top-level and is also so perceived within the entity, the leader of the internal audit team should be a person of sufficient seniority in the organisational hierarchy (where the internal audit is carried out by an internal audit department within the entity). He should have direct communication with the top management and the governing body, e.g., with audit committee. He should submit activity reports to senior management and to the board (or to the audit committee) highlighting significant audit findings and recommendations and should regularly attend and participate in those meetings of the audit committee which relate to its oversight responsibilities for auditing, financial reporting, governance, and control.

Chapter 5
Internal Audit of Internal Controls Relating to Intangible Assets

5.1 As noted in Chapter 4, in carrying out an internal audit of intangible assets, the internal auditor has to evaluate the adequacy of the risk management and internal control framework relating to such assets and suggest improvements. Standard on Internal Audit (SIA) 12, “Internal Control Evaluation” and SIA 13, “Enterprise Risk Management” are relevant in this context. SIA 12 establishes standards and provides guidance on the procedures to be followed by the internal auditor in evaluating the system of internal control in an entity and for communicating weaknesses therein to those charged with governance.
SIA 13 deals with review of an entity’s risk management system during an internal audit with the objective of providing an assurance thereon.

5.2 The internal auditor’s evaluation of risk management and internal control framework involves the following aspects:

• Review of policies relating to intangible assets;
• Assessment of control environment;
• Evaluation of entity’s risk assessment process;
• Review of information system and communication; and
• Evaluation of control activities.

Review of Policies Relating to Intangible Assets

5.3 The internal auditor needs to understand and evaluate the entity’s policies relating to intangible assets, e.g.,

• To what extent or in which areas the entity emphasises internal development of intangible assets and to what extent it depends on procurement of fully developed intangible assets from vendors.
• In the case of technology-related intangible assets, does the entity follow a proactive approach by constantly striving to innovate and improve its products and processes, or is its approach to follow rather than to lead.
• In the case of customer or market-related intangible assets, does the entity constantly monitor its market share, customer loyalty, customers’ satisfaction levels, etc. and take appropriate action to maintain and enhance them.
• Whether it has a clear-cut policy regarding registration or otherwise ensuring legal protection of its intangible assets. Similarly, what is the entity’s attitude towards use of intellectual property of others without proper authorisation?

5.4 Based on his understanding of the relevant policies, the internal auditor needs to evaluate how far they are consistent with the objectives of the entity.
For example, a policy of outsourcing the entire research and development in the high-end technology field may be in order for an entity whose objective is primarily to be a mass manufacturer of products but it is unlikely to work for another entity whose objective is to rank among the industry leaders in innovation. The internal auditor also needs to review whether the policies are regularly reviewed to ensure that they remain effective in the ever-changing external and internal environment, thereby mitigating the risks posed and exploiting the opportunities.

5.5 A policy is implemented through a procedure or set of procedures, carried out by people with the aid of technology, where available and cost-effective. The design and operation of an effective internal control system is a pre-requisite for ensuring that the policies and procedures of the management are implemented as prescribed. The term ‘internal control system’ (or simply ‘internal control’) is a very wide term that encompasses all processes, procedures, etc. designed, implemented and maintained by those charged with governance, management and other personnel to provide reasonable assurance about the achievement of an entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations. Therefore, the next stage in internal audit of intangible assets is to evaluate internal controls in respect of each of the stages of the life cycle of an intangible asset.
Assessment of Control Environment

5.6 The Standard on Internal Audit (SIA) 12, “Internal Control Evaluation” describes control environment as “the overall attitude, awareness, and actions of director and management regarding the internal control system and its importance in the entity.” The control environment also includes the governance and management functions and sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for effective internal control, providing discipline and structure.

5.7 In evaluating the design of the entity’s control environment, the internal auditor should consider the following elements:

(a) Communication and enforcement of integrity and ethical values – These are essential elements which influence the effectiveness of the design, administration and monitoring of controls e.g., management’s commitment to prevent or permit misuse of intellectual property.

(b) Commitment to competence – This is evidenced by management’s consideration of the competence levels for particular jobs and how those levels translate into requisite skills and knowledge. This is of particular relevance to intangible assets which are essentially knowledge based and innovative.

(c) Participation by those charged with governance – Some of the factors which should be considered are, for example, the independence of the directors of a company from management, their experience and stature, the extent of their involvement and scrutiny of activities, the information they receive, the degree to which difficult questions are raised and pursued with management and their interaction with internal and external auditors.
In the context of the growing emphasis on corporate governance norms, it is important for the Board of Directors and its Audit Committee to pay due attention to controls over intangible assets through periodical review of internal audit of intangible assets of the entity.
(d) Management’s philosophy and operating style – This refers to management’s approach to taking and managing business risks and management’s attitudes and actions towards financial reporting, information processing and accounting functions and personnel.
(e) Organisational structure – A properly designed organisational structure provides the framework within which an entity’s activities for achieving its objectives are planned, executed, controlled and reviewed.
(f) Assignment of authority and responsibility – The procedure by which authority and responsibility for operating activities are assigned and the reporting relationships and authorisation hierarchies are established is also important.
(g) Human resource policies and practices – These include recruitment, orientation, training, evaluating, counselling, promoting, compensating and remedial actions.
In understanding the control environment elements, the internal auditor also should consider how effectively they have been implemented. Ordinarily, the auditor obtains relevant audit evidence through a combination of inquiries, analytical procedures and other risk assessment procedures, for example, corroborating inquiries through observation or inspection of documents.
Evaluation of Entity’s Risk Assessment Process
5.8 An entity’s risk assessment process is its process for identifying and responding to business risks and the results thereof. As per Standard on Internal Audit (SIA) 13, “Enterprise Risk Management”, the internal auditor has to review the structure, effectiveness and maturity of an enterprise risk management system.
The internal auditor needs to obtain an understanding of the entity’s process for identifying business risks relevant to the scope of his work and deciding about actions to address those risks, and the results thereof. Thus, in an internal audit of intangible assets, he needs to obtain an understanding of the various risks associated with acquisition, development, deployment, maintenance and retirement or disposal of intangible assets, and also of ways the entity addresses these risks. The internal auditor also needs to evaluate the results of entity’s related actions. The aforesaid risks would include, besides others, the risk of existence of unrecorded intangible assets and risk of non-compliance with the applicable laws and regulations.
Review of Information System and Communication
5.9 An information system consists of infrastructure (physical and hardware components), software, people, procedures, and data. Standard on Internal Audit (SIA) 14, “Internal Audit in an Information Technology Environment”, requires an internal auditor to consider the effect of an IT environment on the internal audit engagement, inter alia:
(a) the extent to which the IT environment is used to record, compile, process and analyse information; and
(b) the system of internal control in existence in the entity with regard to:
  • the flow of authorised, correct and complete data to the processing centre;
  • the processing, analysis and reporting tasks undertaken in the installation; and
  • the impact of computer-based accounting system on the audit trail that could otherwise be expected to exist in an entirely manual system.
5.10 Standard on Internal Audit (SIA) 14 requires the internal auditor to review whether the information technology system in the entity considers the confidentiality, effectiveness, integrity, availability, compliance and validity of data and information processed.
The internal auditor should also review the effectiveness and safeguarding of IT resources, including people, applications, facilities and data. In an internal audit of intangible assets, the internal auditor needs to obtain an understanding of the entity’s information system associated with acquisition, development, deployment, safeguarding and retirement or disposal of intangible assets.
5.11 The internal auditor should obtain an understanding of the information system relevant to financial reporting of intangible assets, e.g.:
• The procedures by which transactions relating to intangible assets are initiated, recorded, processed and reported in the financial statements.
• The related accounting records, supporting information, and specific accounts in the financial statements, in respect of initiating, recording, processing and reporting the relevant transactions.
5.12 In addition, the internal auditor should also pay attention to the system of capturing and controlling those intangible assets which are not recognised in financial statements as intangible assets, e.g., the reporting system designed to monitor the status of each project for development of a new drug so that projects that are unlikely to succeed may be identified in a timely manner. The internal auditor also needs to obtain an understanding of how the entity communicates roles and responsibilities and significant matters. Communication involves providing an understanding of individual roles and responsibilities pertaining to internal control and may take such forms as policy and operations manuals. It also includes measures to ensure that personnel understand how their activities relate to the work of others, as well as the means of reporting exceptions to an appropriate higher level within the entity.
Evaluation of Control Activities
5.13 Control activities are the policies and procedures that help ensure that management directives are carried out; for example, that necessary actions are taken to address risks that threaten the achievement of the entity’s objectives. Control activities have various objectives and are applied at various organisational and functional levels. Examples of specific control activities include those relating to the following:
(a) Segregation of duties: Assigning different personnel the responsibilities of authorising transactions, recording transactions, and maintaining custody of assets is intended to reduce the opportunities to allow any person to be in a position to both perpetrate and conceal errors or fraud in the normal course of his/her duties. Accordingly, the internal auditor should examine whether the various duties relating to intangible assets are properly segregated, e.g., the authority to approve the acquisition of an intangible asset should not be assigned to the person who is responsible for executing its purchase. Even within the accounting and finance function, the duties of various personnel should be properly segregated, e.g., the person having the authority of approving a disbursement should be different from the person responsible for recording the same.
(b) Performance reviews: These control activities include reviews and analyses of actual performance versus budgets, forecasts, and prior period performance; relating to different sets of data – operating or financial – to one another, together with analyses of the relationships and investigative and corrective actions; comparing internal data with external sources of information; and review of functional or activity performance. The internal auditor should examine how far such reviews and analyses are carried out in relation to intangible assets.
(c) Information processing: The internal auditor should review the efficacy of controls over information processing, i.e., controls aimed at checking the accuracy, completeness, and authorisation of transactions relating to intangible assets. The exact form that these controls take would depend largely on whether the information system is manual or IT-enabled. For example, periodic preparation/reconciliation of trial balance is a major check on mathematical accuracy of accounting records in a manual environment. In an IT-enabled environment, on the other hand, the mathematical accuracy of accounting records is extremely unlikely to be a significant risk area. However, in an IT-enabled environment, the controls over information processing would comprise application controls and general IT-controls. Application controls apply to the processing of individual applications. Examples of application controls include automated controls such as, edit checks of input data and numerical sequence checks, and manual follow-up of exception reports. General IT-controls are policies and procedures that relate to many applications and support the effective functioning of application controls by helping to ensure the continued proper operation of information systems. General IT-controls commonly include controls over data centre and network operations; system software acquisition, change and maintenance; access security; and application system acquisition, development, and maintenance. Examples of general IT-controls are programme change controls, controls that restrict access to programmes or data, controls over the implementation of new releases of packaged software applications, and controls over system software that restrict access to or monitor the use of system utilities that could change financial data or records without leaving an audit trail.
(d) Physical controls: The internal auditor should examine whether there are sufficient controls for the physical security of intangible assets, including adequate safeguards such as secured facilities; controls over access to assets and records; authorisation for access to computer programs and data files; and periodic counting and comparison with amounts shown on control records.
Testing Design Effectiveness
5.14 For each internal control, as prescribed, the internal auditor should ascertain the following, inter alia:
(a) How is it required to be performed?
(b) When and/or how frequently is it required to be performed?
(c) What purpose does it seek to achieve?
(d) What are the types of experience, knowledge and expertise required of the person who has to perform the control?
(e) Whether the control has an IT component.
5.15 It may be emphasised that at this stage, the internal auditor is concerned with the design of internal controls (rather than their actual operation). In testing the design effectiveness, the internal auditor seeks to find answers to questions such as the following:
(a) How likely is it that the control as designed would succeed in achieving the purpose for which it is designed?
(b) Does the cost of implementing the control exceed the benefits expected from its performance?
(c) Does the entity have persons with the requisite experience, knowledge and expertise for performing the procedure? Likewise, does it have appropriate technology to implement the control?
To illustrate, consider the case of an internal auditor’s evaluation of the design of the procedure laid down in an entity for purchase of computer software.
After understanding the procedure, the auditor would evaluate whether (assuming it is implemented as prescribed) it is likely to result in acquisition of the right software at the right price and at the right time from authorised suppliers of the software who also have the requisite infrastructure to meet the after-sales service requirements of the entity. In doing so, the internal auditor would particularly evaluate the efficacy of internal controls built into the purchase procedure, e.g., whether the procedure involves inviting quotations from a sufficient number of vendors such that the entity can acquire the software at a competitive price. The internal auditor would also evaluate the adequacy and competence of personnel in the purchase department as well as the efficacy of IT-enabled components of the purchase procedure.
5.16 The internal auditor’s evaluation of the design of the various internal controls helps him to identify those which are:
• defective in design such that it is unlikely that they would be effective in achieving their stated purpose;
• redundant, i.e., they serve no useful purpose. This may often be the case where the controls do not keep pace with changes in internal and external environment such as changes in technology; or
• inefficient, i.e., the cost of implementing the control exceeds the benefits arising from its implementation.
Testing Operating Effectiveness of Controls
5.17 After evaluating the design of internal controls, the internal auditor ascertains the continuity and effectiveness of their actual implementation, e.g., whether the prescribed controls have actually been applied continuously throughout the period. Departures from prescribed controls could be indicative, among others, of any one or more of the following:
• The control has not been communicated properly to, or understood properly by, people responsible for performing it.
• The people responsible for implementing it lack the requisite skills to perform it properly.
• The control is defective in design and is therefore impracticable to apply.
Depending on the internal auditor’s assessment of the causes of departures, he may suggest the remedial measures in his report.
Chapter 6
Internal Audit of Accounting for Intangible Assets
6.1 A common area of internal audit is the review of financial information and the means used to identify, measure, classify and report such information. The objective of such a review is to ascertain whether:
(a) financial records and statements contain accurate, reliable, timely and complete information; and
(b) controls over record keeping and reporting are adequate and effective.
By reviewing the financial accounting process right from the stage of basic record keeping to preparation of annual financial statements, internal audit seeks to provide assurance to the board of directors and senior management on whether or not the requirements of the Companies Act, 1956 relating to accounts are being complied with.
6.2 In the above context, the internal auditor has to examine whether the assertions underlying financial statements are valid or not. For this purpose, he examines whether internal controls relating to accounting system are effective and were operative throughout the period. He also examines whether the intangible assets have been accounted for in accordance with the generally accepted accounting principles in India. It may be mentioned that, apart from the above, an internal auditor would also need to examine whether a non-compliance or potential non-compliance with laws and regulations relating to intangible assets (e.g., a legal case against the entity for alleged unauthorised use of a computer software or patent) has been properly dealt with in the financial statements.
For example, a potential non-compliance may warrant disclosure of a contingent liability in accordance with Accounting Standard (AS) 29, “Provisions, Contingent Liabilities and Contingent Assets” issued by the Institute of Chartered Accountants of India.
Internal Auditor's Examination of Compliance with GAAP
6.3 The primary source of Indian GAAP relating to intangible assets is Accounting Standard (AS) 26, “Intangible Assets”. The Standard applies in accounting for all intangible assets except the following:
(a) intangible assets that are covered by another Accounting Standard. Examples of such assets are:
  • intangible assets held by an enterprise for sale in the ordinary course of business (covered by AS 2, Valuation of Inventories, and AS 7, Construction Contracts);
  • deferred tax assets (covered by AS 22, Accounting for Taxes on Income);
  • leases that fall within the scope of AS 19, Leases; and
  • goodwill arising on an amalgamation (covered by AS 14, Accounting for Amalgamations) and goodwill arising on consolidation (covered by AS 21, Consolidated Financial Statements).
(b) financial assets;
(c) mineral rights and expenditure on the exploration for, or development and extraction of, minerals, oil, natural gas and similar non-regenerative resources; and
(d) intangible assets arising in insurance enterprises from contracts with policyholders.
6.4 Besides, the Standard also does not apply in accounting for:
(a) termination benefits payable to employees on termination of employment before the normal retirement date.
(b) discount or premium relating to borrowings and ancillary costs incurred in connection with the arrangement of borrowings, share issue expenses and discount allowed on the issue of shares.
The primary areas of concern to the internal auditor in examining compliance with AS 26 are discussed below.
Do Recognised Intangible Assets Meet Definition and Recognition Criteria?
6.5 The internal auditor should examine whether items included as intangible assets in the financial statements meet the definition of, and recognition criteria for, intangible assets laid down in AS 26. As already pointed out in Chapter 1, not all intangible items qualify to be recognised as assets in the balance sheet, e.g., costs of research or internally-generated brands or mastheads or customer lists, etc.
6.6 As per the definition and recognition criteria of AS 26, to qualify for recognition as an ‘intangible asset’ in the balance sheet, an item should satisfy the following criteria (apart from being non-monetary, lacking physical substance and being held by the entity for use in the production or supply of goods or services, for rental to others, or for administrative purposes):
(a) It should be identifiable.
(b) It should be an asset of the enterprise, i.e., it should be controlled by the enterprise and economic benefits from it should be expected to flow to the enterprise in future. The capacity of an entity to control the future economic benefits from an intangible asset would normally stem from legal rights that are enforceable in a court of law. In the absence of legal rights, existence of control can be demonstrated only in exceptional circumstances. The standard specifically notes that usually an entity has insufficient control over the expected future economic benefits arising from a team of skilled staff and from training to consider that these items meet the definition of an intangible asset. Further, in the absence of legal rights to protect, or other ways to control, the relationships with customers or the loyalty of the customers to the entity, the entity usually has insufficient control over the economic benefits from customer relationships and loyalty.
Therefore, such items (portfolio of customers, market shares, customer relationships, customer loyalty) do not meet the definition of intangible assets.
(c) It is probable that the future economic benefits that are attributable to the asset will flow to the enterprise.
(d) The cost of the asset can be measured reliably.
Have Intangible Assets been Properly Measured at Cost?
6.7 The cost of an intangible asset that is acquired separately comprises its purchase price, including any import duties and other taxes (other than those subsequently recoverable by the entity from the taxing authorities), and any directly attributable expenditure on making the asset ready for its intended use. If an intangible asset is acquired in exchange for shares or other securities of the reporting enterprise, the asset is recorded at its fair value, or the fair value of the securities issued, whichever is more clearly evident.
How have Internally Generated Intangible Assets been Dealt With?
6.8 Where the entity has recognised internally generated intangible assets, the internal auditor should examine whether the criteria laid down in this regard in AS 26 have been applied properly. AS 26 notes that determining whether the definition and recognition criteria are met sometimes poses difficulties in the case of internally generated intangible items. These difficulties relate to:
(a) identifying whether, and the point of time when, there is an identifiable asset that will generate probable future economic benefits; and
(b) determining the cost of the asset reliably. In some cases, the cost of generating an intangible asset internally cannot be distinguished from the cost of maintaining or enhancing the enterprise’s internally generated goodwill or of running day-to-day operations.
6.9 For the purpose of applying the definition and recognition criteria to internally generated intangible assets, the standard requires the process of generation of the asset to be divided into a research phase and a development phase. If an entity cannot distinguish the research phase from the development phase, the expenditure on the project should be treated as if it were incurred in the research phase only.
6.10 Research is original and planned investigation undertaken with the prospect of gaining new scientific or technical knowledge and understanding. The following are examples of research activities:
(a) activities aimed at obtaining new knowledge;
(b) the search for, evaluation and final selection of, applications of research findings or other knowledge;
(c) the search for alternatives for materials, devices, products, processes, systems or services; and
(d) the formulation, design, evaluation and final selection of possible alternatives for new or improved materials, devices, products, processes, systems or services.
6.11 Development is the application of research findings or other knowledge to a plan or design for the production of new or substantially improved materials, devices, products, processes, systems or services prior to the commencement of commercial production or use. The following are examples of development activities:
(a) the design, construction and testing of pre-production or pre-use prototypes and models;
(b) the design of tools, jigs, moulds and dies involving new technology;
(c) the design, construction and operation of a pilot plant that is not of a scale economically feasible for commercial production; and
(d) the design, construction and testing of a chosen alternative for new or improved materials, devices, products, processes, systems or services.
6.12 AS 26 lays down that, in the research phase of a project, an entity cannot demonstrate that an intangible asset exists from which future economic benefits are probable. Therefore, this expenditure is recognised as an expense when it is incurred. The Standard recognises that development phase of a project is further advanced than the research phase and, therefore, in the development phase of a project, an entity may be able to identify an intangible asset and demonstrate that future economic benefits from the asset are probable. Accordingly, the standard requires that an intangible asset arising from the development phase should be recognised if, and only if, an enterprise can demonstrate all of the following:
(a) the technical feasibility of completing the intangible asset so that it will be available for use or sale;
(b) its intention to complete the intangible asset and use or sell it;
(c) its ability to use or sell the intangible asset;
(d) how the intangible asset will generate probable future economic benefits. Among other things, the entity should demonstrate the existence of a market for the output of the intangible asset or the intangible asset itself or, if it is to be used internally, the usefulness of the intangible asset;
(e) the availability of adequate technical, financial and other resources to complete the development and to use or sell the intangible asset; and
(f) the entity’s ability to measure the expenditure attributable to the intangible asset during its development reliably.
6.13 The cost of an internally generated intangible asset is the sum of expenditure incurred from the time when the intangible asset first meets the above recognition criteria.
Apart from materials, services, labour and other costs that are directly attributable to generating the asset, the cost of an internally generated intangible asset also includes overheads that are necessary to generate the asset and that can be allocated on a reasonable and consistent basis to the asset (for example, an allocation of the depreciation of fixed assets, insurance premium and rent). However, the following are not part of the cost of an internally generated intangible asset:
(a) selling, administrative and other general overhead expenditure unless this expenditure can be directly attributed to making the asset ready for use;
(b) clearly identified inefficiencies and initial operating losses incurred before an asset achieves planned performance; and
(c) expenditure on training the staff to operate the asset.
Have Certain Specified Items of Expenditure been Expensed?
6.14 The internal auditor should examine that, as required by AS 26, expenditure on an intangible item is recognised as an expense when it is incurred except in the following cases:
(a) the expenditure forms part of the cost of an intangible asset that meets the recognition criteria; or
(b) the item is acquired in an amalgamation in the nature of purchase and cannot be recognised as an intangible asset. If this is the case, this expenditure (included in the cost of acquisition) should form part of the amount attributed to goodwill (capital reserve) at the date of acquisition.
6.15 Examples of expenditures that need to be expensed in accordance with the above are:
• Internally generated goodwill.
• Internally generated brands, mastheads, publishing titles, customer lists and items similar in substance – on the basis that the expenditure on these items cannot be distinguished from the cost of developing the business as a whole and, therefore, the criterion regarding reliable measurement of cost is not met.
• Expenditure on start-up activities (start-up costs), unless this expenditure is included in the cost of an item of fixed asset under AS 10. Start-up costs may consist of preliminary expenses incurred in establishing a legal entity such as legal and secretarial costs, expenditure to open a new facility or business (pre-opening costs) or expenditures for commencing new operations or launching new products or processes (pre-operating costs).
• Expenditure on training activities.
• Expenditure on advertising and promotional activities.
• Expenditure on relocating or re-organising part or all of the entity.
6.16 The internal auditor should also examine that expenditure on an intangible item that was initially recognised as an expense in previous annual financial statements or interim financial reports is not recognised as part of the cost of an intangible asset at a later date. For example, expenditure on research phase of an internal project for generation of an intangible asset (which is required to be expensed as incurred) cannot be capitalised later as an asset if the criteria for recognition of an intangible asset are later met during the development phase (this equally applies to development phase expenditure incurred prior to meeting the specified criteria).
Has Subsequent Expenditure been Properly Accounted for?
6.17 It is required that subsequent expenditure on an intangible asset after its purchase or its completion should be recognised as an expense when it is incurred unless:
(a) it is probable that the expenditure will enable the asset to generate future economic benefits in excess of its originally assessed standard of performance; and
(b) the expenditure can be measured and attributed to the asset reliably.
The internal auditor should examine whether the subsequent expenditure has been added to the cost of the intangible asset only if the above conditions are met.
Is Amortisation Proper?
6.18 The depreciable amount (i.e., cost less residual value) should be allocated on a systematic basis over the best estimate of its useful life. Amortisation should commence when the asset is available for use. The Standard makes a rebuttable presumption that the useful life of an intangible asset will not exceed ten years from the date when the asset is available for use. However, where there is persuasive evidence that the useful life of an intangible asset will be a specific period longer than ten years, this presumption is rebutted and the asset is amortised over the best estimate of its useful life. However, in such a case, the entity is required to:
(a) estimate the recoverable amount of the intangible asset at least annually in order to identify any impairment loss; and
(b) disclose the reasons why the presumption is rebutted and the factor(s) that played a significant role in determining the useful life of the asset.
6.19 In the case of intangible assets involving legal rights that have been granted for a finite period (e.g., patents and trade marks), the useful life of the intangible asset should not exceed the period of the legal rights unless rights are renewable and renewal is virtually certain.
6.20 The Standard does not leave the amortisation method for an intangible asset to management’s discretion as an accounting policy choice. It clearly requires that the amortisation method used should reflect the pattern in which the asset’s economic benefits are consumed by the entity. If that pattern cannot be determined reliably, the straight-line method should be used.
6.21 Given the nature of intangible assets, the standard requires that the residual value of an intangible asset should be assumed to be zero unless:
(a) there is a commitment by a third party to purchase the asset at the end of its useful life; or
(b) there is an active market for the asset and:
  (i) residual value can be determined by reference to that market; and
  (ii) it is probable that such a market will exist at the end of the asset’s useful life.
In the above situation, an estimate is made of the residual value based on prices prevailing at the date of acquisition of the asset. The estimate is not subsequently increased for changes in prices or value. As amortisation period and amortisation method represent accounting estimates, both are required to be reviewed at least at each financial year end.
Has Recoverable Amount been Determined for Certain Intangible Assets?
6.22 AS 28, Impairment of Assets requires the recoverable amount of an asset falling within its scope to be formally determined only if there is an indication that this may be less than the carrying amount of the asset. AS 26 requires that, in addition, the recoverable amount of the following intangible assets should be estimated at least at each financial year end even if there is no indication that the asset is impaired:
(a) an intangible asset that is not yet available for use; and
(b) an intangible asset that is amortised over a period exceeding ten years from the date when the asset is available for use.
Are Retirement/Disposals Accounted for Correctly?
6.23 The internal auditor should examine whether an intangible asset is derecognised (eliminated from the balance sheet) on disposal or when no future economic benefits are expected from its use and subsequent disposal.
Gains or losses arising from the retirement or disposal of an intangible asset should be determined as the difference between the net disposal proceeds and the carrying amount of the asset and should be recognised as income or expense in the statement of profit and loss.
Have Proper Disclosures been Made?
6.24 The internal auditor should examine whether the disclosures required by AS 26 have been properly made, including disclosures such as the useful lives or the amortisation rates used, the amortisation methods used, the gross carrying amount and the accumulated amortisation at the beginning and end of the period, etc.
Chapter 7
Internal Audit of Principal Classes of Intangible Assets
7.1 The nature of different intangible assets varies – some intangible assets represent intellectual property (e.g., motion pictures, sound recordings, computer software), some relate to customers or markets (brand names, trade marks) and some others represent valuable operating rights such as licences, quotas or service-concession agreements. The nature of an intangible asset is one of the factors influencing its internal audit. For example, in the case of intellectual property assets, legal protection against their use by others may either not be available to the entity unless those assets are registered (e.g., innovations patentable under the Patents Act, 1970) or may not be sufficiently effective (e.g., copyright in computer software). Accordingly, one of the primary concerns of the internal auditor in respect of such assets is whether or not the entity has in place appropriate policies and procedures to obtain their registration under relevant laws on a timely basis.
On the other hand, in auditing assets like licences, the emphasis may be on determining whether or not the entity’s policies and procedures provide sufficient assurance of compliance with the conditions of the licences and whether the entity actually is in compliance thereof.

7.2 This chapter seeks to discuss the salient aspects of internal audit of some principal classes of intangible assets. It may, however, be noted that the emphasis in the following discussion is primarily on the distinctive aspects of internal audit of different classes of intangible assets. The discussion is not intended to provide a comprehensive internal audit programme for the relevant class of assets which would include normal internal audit procedures in respect of aspects which are common with other assets. This has been illustrated in the fairly detailed internal audit programme for computer software in Chapter 8 which may serve as a basic reference for development of appropriate internal audit programmes for different classes of intangible assets and under different situations. It may also be emphasised that the relative significance of different aspects as discussed herein may differ from entity to entity depending upon its particular circumstances. Besides, certain aspects not mentioned herein may also be significant for a particular entity in view of its peculiar circumstances.

Copyrights

7.3 For entities developing or owning computer software, publishing books and magazines, producing films/music/videos or other artistic and literary work, the internal audit of copyrights is very significant. In the case of others, the internal auditor may concentrate on whether inadvertently or otherwise, no third party copyright has been infringed. An internal audit of copyrights may inter alia include the following aspects:

(i) Ascertain whether the entity maintains an up-to-date documentation of copyright law applicable to it.
Also ascertain whether salient features of the copyright law are communicated properly to personnel concerned (including, where applicable, the entity’s relevant consultants, contractors, sub-contractors, etc.), e.g., those involved in creation of works (within the meaning of the Copyright Act, 1957) or their registration. Depending upon the nature of involvement of different personnel, the aspects of copyright law to be communicated may include: (a) Nature of copyright; (b) Party/parties whose rights are protected by copyright; (c) The rights of a copyright holder; (d) Different classes of works for which copyright protection is available in India; (e) Requirements for registration of copyrights; (f) Mode of assigning copyright; (g) Period of copyright; (h) Protection of copyright of foreign works in India; (i) Offences and penalties; (j) Special provisions with regard to rights in computer programmes.

(ii) Determine the policy of the entity with regard to registration of copyrights, i.e., whether registration of copyrights is obtained in all eligible cases or whether this is determined on a case-to-case basis. If latter, are the parameters to be applied to determine the issue specifically laid down or is the decision subjective and intuitive? Are the policy and parameters referred to above, if in existence, adequately documented and properly communicated?

(iii) Determine whether sufficient measures are taken by the entity to prevent its claim of being the first owner of copyright in a work being contested. For example, is sufficient care taken in drafting the agreements with employees to ensure that an employee does not have a claim to the copyright in a work arising during the course of his employment?
Similarly, where consultants, contractors or sub-contractors are hired and it is intended that the copyright in the work arising in the course of their engagement rests with the entity, are the agreements with them drafted with sufficient care to ensure that their legal effect is as intended?

(iv) Ascertain and evaluate the measures adopted by the entity to ensure the secrecy of a work under development, e.g., confidentiality clauses in agreements with employees, consultants, contractors, physical safeguards, etc.

(v) Ascertain whether the entity is maintaining adequate documents and records to support its claim (or oppose the claims of others) for copyright in a work in any legal proceedings.

(vi) Ascertain whether before asserting the entity’s copyright in a work or seeking registration thereof, it is ensured that the work does not involve an infringement of copyright of others. For example: (a) is it ensured that the work is not substantially similar to an existing work of another party so that there is no infringement of copyrights by the entity? (b) is a confirmation obtained from the employees, consultants, contractors, etc., involved in the development of the work that no part of their contribution includes any pre-existing material? (c) where an existing material is used, is it ascertained whether such work is in the public domain or is owned by a third party? Is permission for use of the work obtained from third parties in relevant cases?

(vii) Ascertain whether the legal requirements relating to registration are complied with promptly and with exercise of requisite diligence and care. Also ascertain whether the registration process includes review procedures to identify any possible errors, omissions, etc. in the registration documents.

(viii) Ascertain whether any intangible assets are in use which may involve copyright of others.
If so, whether action is being taken to obtain the assignment of copyright so that serious legal penalties are not attracted.

(ix) Where a copyright has been acquired from its previous owner by means of its assignment in favour of the entity, ascertain whether the agreement for assignment: (a) includes significant terms and conditions; (b) states whether the assignment is conditional or unconditional; (c) has been properly executed; (d) has been registered with appropriate authorities as required; (e) is being complied with.

(x) Ascertain whether a proper copyright notice appears on all publicly distributed copies of the entity’s work to effectively communicate its ownership by the entity.

(xi) Ascertain and evaluate the procedures in place to identify and deal with known instances of infringement of the entity’s copyright by others and infringement of copyrights of others by employees of the entity. Are such procedures sufficient and appropriate to ensure that: (a) cases of infringement are reported to the appropriate level of management on a timely basis; (b) legal advice is taken if required by the circumstances; (c) potential impact is examined and appropriate remedial action is taken by the entity.

(xii) Ascertain the manner in which the entity is dealing with the work in which it has a copyright and identify those that are unused. Obtain information and explanations as to entity’s plans in respect of such works, e.g., whether the entity intends to sell (assign) them or enter into licencing arrangements in respect thereof.

(xiii) Ascertain whether the process through which the question of compliance with the criteria for recognition of an internally-generated copyrighted work is determined is appropriate, e.g., is it such as is likely to result in a reliable measurement of cost of such an asset. (AS 26 precludes recognition of an intangible asset unless the prescribed criteria are satisfied.
One of these is reliable measurement of cost which often poses difficulties in the case of internally generated intangible assets.) Among others, examine: (a) how the entity demonstrates that an intangible asset will generate probable future economic benefits. (b) how the entity demonstrates the availability of resources to complete, use and obtain the benefits from the intangible asset. (This can be demonstrated by, for example, a business plan showing the technical, financial and other resources needed and the enterprise’s ability to secure those resources. In certain cases, the availability of external finance may be demonstrated by obtaining a lender’s indication of its willingness to fund the plan.) (c) whether the expenditure incurred prior to meeting the criteria for capitalisation is expensed and is not reinstated, if and when the aforesaid criteria are met?

(xiv) Ascertain whether the period of amortisation of copyrighted works is reasonable. (The period for which the copyright in a work subsists under law does not necessarily represent its useful life. For example, for a motion picture that is expected to generate revenues only over a period of five years from the release date, the amortisation period would be five years notwithstanding that the period of legal validity of copyright is much longer. The amortisation period can differ from one copyrighted work to another.)

(xv) Ascertain whether the method of amortisation of a copyrighted work reflects the pattern in which the asset’s economic benefits are consumed by the entity. (For example, in the case of a motion picture, the periodic amortisation charge may be based on the proportion of revenue from the motion picture during the period to estimated total revenue from its exploitation. Different methods of amortisation may be appropriate for different copyrighted works.)
(xvi) In case of assignment/licencing of its copyrights by the entity to various parties on lease or for use against consideration, ascertain that this is done only through written agreements/licences. Do such agreements/licences contain clear terms and conditions?

(xvii) Ascertain whether the agreements/licences are implemented effectively to ensure that the parties are discharging their obligations properly.

(xviii) Ascertain whether the agreements/licences are reviewed periodically for modification in the light of the experience of implementation.

Patents

7.4 Patents Act, 1970 grants an exclusive legal right to a person who has made an invention to use or sell it for a specified period in India. Since a patent can be obtained for both, a new product or a new process which is capable of industrial use, it is imperative for any entity engaged in research and development to carefully monitor the results of this activity so that no opportunity is lost in lodging a claim for a patent. This is particularly important since in India this aspect is often ignored. Apart from own patents, entities use processes or manufacture and sell products which may infringe patents of third parties. Keeping these in mind, the internal audit of patents may include the following aspects:

(i) Ascertain whether the entity maintains an up-to-date documentation of patents law applicable to it. Also ascertain whether salient features of the patents law are communicated properly to personnel concerned (including, where applicable, the entity’s relevant consultants, contractors, sub-contractors, etc.) e.g., those directly involved in inventions (within the meaning of Patents Act, 1970) or their registration.
Depending on the nature of involvement of different personnel, the aspects of law relating to patents to be so communicated may include: (a) Nature of patents; (b) Party/parties whose rights are protected by patents; (c) The rights of a patent holder; (d) Invention for which patent protection is available in India as well as inventions that are not so patentable; (e) Requirements and procedure for registration of patents; (f) Mode of assigning patents or granting licences in patents; (g) Term of patents; (h) Offences and penalties.

(ii) Determine the policy of the entity with regard to registration of patents, i.e. whether registration is obtained in all eligible cases or whether this is determined on a case-to-case basis. If latter, are the parameters to be applied to determine the issue specifically laid down? Is it clearly understood within the entity that an unregistered invention has no legal protection against its use or sale by others? Are the policy and parameters referred to above, if in existence, adequately documented and properly communicated?

(iii) Determine whether sufficient measures are taken by the entity to prevent its claim of being the true and first owner of an invention being contested. For example, is sufficient care taken in drafting the agreements with employees to ensure that an employee does not have a claim to be the first owner of an invention arising during the course of his employment? Similarly, where consultants, contractors or sub-contractors are hired and it is intended that the entity would be the true and first owner of any invention arising in the course of their engagement, are the agreements with them drafted with sufficient care to ensure that their legal effect is as intended?

(iv) Ascertain and evaluate the measures adopted by the entity to ensure the secrecy of new processes, products, etc.
under development, e.g., confidentiality clauses in agreements with employees, physical safeguards, etc.

(v) Ascertain whether the entity is maintaining adequate documents and records to support its claim (or oppose the claims of others) for ownership of an invention in any legal proceedings.

(vi) Ascertain whether before seeking registration of a patent in respect of an invention, it is ensured that it is a patentable invention under the Patents Act, 1970 and it does not involve an infringement of patents of others. For example, is a search made to identify similar patents granted already? Likewise, is a confirmation obtained from the employees/consultants/contractors, etc. involved in the activities leading to invention that no part of their contribution infringes an existing patent?

(vii) Ascertain whether the legal requirements relating to registration are complied with promptly and with exercise of requisite diligence and care. Also ascertain whether the registration process includes review procedures to identify any possible errors, omissions, etc. in the registration documents.

(viii) Where a patent has been acquired from its owner by means of its assignment in favour of the entity, ascertain whether the agreement for assignment: (a) includes significant terms and conditions; (b) states whether the assignment is conditional or unconditional; (c) has been properly executed; (d) has been registered with appropriate authorities as required; (e) is being complied with.

(ix) Ascertain whether a proper notice of patent appears on all articles manufactured using the patented process to effectively communicate ownership of patent by the entity.

(x) Ascertain and evaluate the procedures in place to identify and deal with known instances of infringement of the entity’s patents by others and infringement of patents of others by the entity.
Are such procedures sufficient and appropriate to ensure that: (a) cases of infringement are reported to the appropriate level of management on a timely basis; (b) legal advice is taken if required by the circumstances; (c) potential impact is examined and appropriate remedial action is taken by the entity.

(xi) Ascertain the manner in which the entity is dealing with the registered patents and identify those that are unused. Obtain information and explanations as to entity’s plans in respect of such patents, e.g., whether the entity intends to sell (assign) them or enter into licencing arrangements in respect thereof.

(xii) Ascertain whether the process through which compliance with the criteria for recognition of an internally-generated copyrighted work is determined is appropriate, e.g., is it such as is likely to result in a reliable measurement of cost of such an asset. Among others, examine: (a) how the entity demonstrates that an intangible asset will generate probable future economic benefits. (b) how the entity demonstrates the availability of resources to complete, use and obtain the benefits from the patent. (This can be demonstrated by, for example, a business plan showing the technical, financial and other resources needed and the enterprise’s ability to secure those resources. In certain cases, the availability of external finance may be demonstrated by obtaining a lender’s indication of its willingness to fund the plan.) (c) whether the expenditure incurred prior to meeting the criteria for capitalisation is expensed and is not reinstated, if and when the aforesaid criteria are met?

(xiii) Ascertain whether the period of amortisation of patents is reasonable. (The period for which a patent is granted under law does not necessarily represent its useful life.
For example, for a newly invented article that is expected to have a life cycle of only seven years from the date of commercial release, the amortisation period would be seven years notwithstanding that the period of legal validity of the patent is longer. The amortisation period can differ from one patent to another.)

(xiv) Ascertain whether the method of amortisation of a patent reflects the pattern in which the patent’s economic benefits are consumed by the entity. (Different methods of amortisation may be appropriate for different patents.)

(xv) In case of assignment/licencing of its patents by the entity to various parties, ascertain that this is done only through written agreements/licences. Do such agreements/licences contain clear terms and conditions?

(xvi) Ascertain whether the agreements/licences are implemented effectively to ensure that the parties are discharging their obligations properly.

(xvii) Ascertain whether the agreements/licences are reviewed periodically for modification in the light of the experience of implementation.

Non-compete Agreements

7.5 A non-compete agreement¹ is a promise, usually in a sale of business, partnership, or employment contract, not to engage in the same type of business for a stated time in the same market as the buyer, partner, or employer. These agreements are expected to provide economic benefits to the entity by restricting the other party from performing similar work for a specific period of time within a certain geographical area. The internal auditor may undertake the following procedures while examining such agreements.

¹ Definition as per Black’s Law Dictionary.

(i) Obtain an understanding of: (a) the conditions under which a non-compete agreement was entered into.
For example, an entity may enter into a non-compete agreement with business partners, employees, contractors or in the situation of a business restructuring such as merger, acquisition, de-merger, spin-off, etc.; (b) the parties/people/entities with whom the agreements are entered into; and (c) the rights that are protected by way of non-compete agreement.

(ii) Ascertain whether the entity’s process of entering into such an agreement includes obtaining competent legal advice to ensure that it would comply with the law applicable to the entity. For example, in drafting a non-compete agreement in India, it may need to be specifically ensured that the agreement does not militate against the provisions of the Indian Contract Act, 1872 in respect of agreements in restraint of trade and/or other applicable law, e.g., the Competition Act. Similarly, ascertain whether legal and professional advice is obtained to ensure that the interests of the entity are adequately protected. For example, is there a provision whereby an individual who is prohibited from engaging into an identical or similar business is not able to circumvent the prohibition by owning (through relatives, friends, etc.) a company that engages into the prohibited business?

(iii) Ascertain whether the scope, terms and conditions of the agreement are stated in a clear and explicit manner including the rights and obligations of each party to the contract, the specific business or services or other subject matter, the period for which and/or the geographical limits within which the agreement would be binding upon the contracting parties. Similarly, does the agreement specify the amount of the consideration and the mode of payment and payment schedule and whether these stipulations are being adhered to?

(iv) Ascertain whether the persons signing the agreement on behalf of the entity have due authority such as power of attorney to sign the agreement.
Also ascertain whether the entity takes adequate safeguards to ensure that the person(s) signing the agreement on behalf of the counterparty are properly authorised to do so. Is the documentary evidence in this regard, e.g., authority letters/power of attorney, carefully examined, vetted by the legal department/attorneys and kept on record for future reference?

(v) Is there an effective process to ensure that the agreements are being complied with by the counterparties? (One such measure may be to provide in the agreement that the counterparty would be required to provide the entity with a confirmation in the prescribed form periodically about its continuing compliance with the conditions of the non-compete agreement, duly vetted by its statutory auditors.)

(vi) Ascertain whether there are any known cases of non-compliance and whether appropriate measures have been taken by the entity. Where such cases indicate systemic weaknesses in the entity (e.g., persistent or widespread drafting deficiencies), is action taken to remedy the situation? Is such action timely and effective?

Licences

7.6 A licence represents a contractual right from the perspective of the licencee (contractual obligation from the perspective of the licensor) to carry out some act that would otherwise be unlawful. A licence may be granted by a government or a regulatory authority (e.g., an import licence) or by a private party (e.g., a licence granted by the owner of a registered trade mark to another person permitting the latter to use the said trade mark).

(i) Obtain a list of licences in which the entity is the licencee and examine whether the licences are supported by an underlying agreement in writing.
(ii) Ascertain whether the licencing agreements are prepared with due diligence and care to ensure that the entity’s interests are sufficiently protected and to minimise the chances of subsequent disputes or litigation (since licences create legal rights and obligations, involvement of persons with legal expertise in the relevant area is imperative). In particular: (a) ascertain whether the scope of each licence is stated in a very clear and explicit manner including the rights and obligations of each party, the specific business or services or other subject matter, the period for which and/or the geographical limits within which the agreement would be binding upon the contracting parties. (b) ascertain whether the agreement specifies the amount of the consideration and the mode of payment and payment schedule. (c) ascertain whether there are clauses clarifying the ownership of any technology improvements made by the licencee.

(iii) Ascertain whether due diligence and care was exercised by the entity to ensure that the licensor owns the rights that are proposed to be provided by it to the entity under the licence.

(iv) Ascertain whether there is an effective process to ensure that the agreements are being complied with by both parties, e.g., review the correspondence of the entity with the concerned authorities or counterparties. In the event of non-compliance by either party: (a) are such cases of non-compliance reported to an appropriate level of management on a timely basis? (b) is legal advice taken if required by the circumstances? (c) is potential impact examined and appropriate remedial action taken by the entity?

(v) Inquire whether renewal fees, if any, are being deposited in time after due approval by authorised person. Is the system of monitoring renewal of rights effective especially for time-bound licences?
Designs

7.7 ‘Design’ refers to shape, configuration, pattern, or composition of lines or colours, like that of a car or phone. The Designs Act, 2000 seeks to protect the intellectual property in new and unpublished designs, if registered. The internal audit of this intangible asset may inter alia include the following aspects:

(i) Ascertain whether the entity maintains an up-to-date documentation of law relating to designs applicable to it. Also ascertain whether salient features of such law are communicated properly to personnel concerned (including, where applicable, the entity’s relevant consultants, contractors, sub-contractors, etc.) e.g., those involved in creation of designs (within the meaning of the Designs Act, 2000) or their registration. Depending on the nature of involvement of different personnel, the aspects of law relating to designs to be so communicated may include: (a) Meaning of design; (b) Party/parties whose rights are protected by law; (c) Requirements for registration of designs; (d) Mode of assigning copyright in designs; (e) Period of copyright in designs; (f) Renewal/restoration of registration of designs; (g) Offences and penalties.

(ii) Determine the policy of the entity with regard to registration of designs, i.e., whether registration of designs is obtained in all eligible cases or whether this is determined on a case-to-case basis. If latter, are the parameters to be applied to determine the issue specifically laid down? Is it clearly understood within the entity that (unlike ‘works’ within the meaning of the Copyright Act, 1957) an unregistered design has no legal protection against use by others? Are the policy and parameters referred to above adequately documented and properly communicated?

(iii) Determine whether sufficient measures are taken by the entity to prevent its claim of being the proprietor of a design being contested.
For example, is sufficient care taken in drafting the agreements with employees to ensure that an employee does not have a claim to the design arising during the course of his employment? Similarly, where consultants, contractors or sub-contractors are hired and it is intended that the copyright in any design arising in the course of their engagement rests with the entity, are the agreements with them drafted with sufficient care to ensure that their legal effect is as intended?

(iv) Ascertain and evaluate the measures adopted by the entity to ensure the secrecy of designs under development, e.g., confidentiality clauses in agreements with employees, physical safeguards, etc.

(v) Ascertain whether the entity is maintaining adequate documents and records to support its claim (or oppose the claims of others) for copyright in a design in any legal proceedings.

(vi) Ascertain whether before seeking registration of a design, it is ensured that the design does not involve an infringement of right of others. For example: (a) is it ensured that the design is not substantially similar to an existing design of another party? (b) is a confirmation obtained from the employees, consultants, contractors, etc. involved in the development of the design that no part of their contribution includes a pre-existing design?

(vii) Ascertain whether the legal requirements relating to registration are complied with promptly and with exercise of requisite diligence and care. Also ascertain whether the registration process includes review procedures to identify any possible errors, omissions, etc. in the registration documents.
(viii) Where a copyright in a design has been acquired from its previous owner by means of its assignment in favour of the entity, ascertain whether the agreement for assignment is in writing and: (a) includes significant terms and conditions; (b) states whether the assignment is conditional or unconditional; (c) has been properly executed; (d) has been registered with appropriate authorities as required; and (e) is being complied with.

(ix) Ascertain whether applications for renewal of registration of designs are made only after a careful assessment of the need for such renewal. Is such assessment made and renewal sought on a timely basis to prevent lapse of registration?

(x) Ascertain whether, where practicable, a proper copyright notice appears on all relevant publicly distributed materials (e.g., owner’s manual of a car) to effectively communicate the ownership of the design by the entity.

(xi) Ascertain and evaluate the procedures in place to identify and deal with known instances of infringement of the entity’s designs by others and infringement of designs of others by employees of the entity. Are such procedures sufficient and appropriate to ensure that: (a) cases of infringement are reported to the appropriate level of management on a timely basis; (b) legal advice is taken if required by the circumstances; (c) potential impact is examined and appropriate remedial action is taken by the entity?

(xii) Ascertain the manner in which the entity is dealing with the registered designs and identify those that are unused. Obtain information and explanations as to entity’s plans in respect of such works, e.g., whether the entity intends to sell (assign) them.

(xiii) Ascertain whether the process through which the cost of an internally-generated design is determined is such as is likely to result in a reliable measurement of such cost.
(If the cost of an intangible asset cannot be measured reliably, AS 26 precludes its recognition as an intangible asset. Reliable measurement of cost poses difficulties primarily in the case of internally-generated intangible assets.) Among others, examine: (a) How the entity demonstrates that an intangible asset will generate probable future economic benefits? (b) How the entity demonstrates the availability of resources to complete, use and obtain the benefits from the design. (This can be demonstrated by, for example, a business plan showing the technical, financial and other resources needed and the enterprise’s ability to secure those resources. In certain cases, the availability of external finance may be demonstrated by obtaining a lender’s indication of its willingness to fund the plan.) (c) Whether the expenditure incurred prior to meeting the criteria for capitalisation is expensed and is not reinstated if and when the aforesaid criteria are met?

(xiv) Ascertain whether the period of amortisation of registered designs is reasonable. (The period for which the copyright in a design subsists under law does not necessarily represent its useful life. The amortisation period can differ from one design to another.)

(xv) Ascertain whether the method of amortisation of a design reflects the pattern in which its economic benefits are consumed by the entity. (Different methods of amortisation may be appropriate for different designs.)

Trade Marks

7.8 In India, the law relating to trade marks is contained in the Trade Marks Act, 1999. A ‘trade mark’ denotes a word, phrase, numeral, logo or other graphic symbol used to distinguish a product or service from others.
The internal audit of trade marks owned by an entity is similar to that of its copyrights and includes the following aspects:

(i) Ascertain whether the entity maintains an up-to-date documentation of law relating to trade marks applicable to it and communicates it to personnel concerned. The aspects of trade marks law to be documented and communicated may include: (a) Nature of trade mark; (b) Party/parties who can apply for registration of a trade mark; (c) The rights of owner of a registered trade mark; (d) Procedures for registration, renewal and restoration of trade marks; (e) Mode of assigning trade marks or granting right of use of trade marks; (f) Duration of trade marks; (g) Offences and penalties.

(ii) Determine whether the entity has sought registration of all its trade marks. Is it clearly understood within the entity that an unregistered trade mark has no legal protection against its use by others?

(iii) Ascertain whether before using a trade mark or seeking registration of a trade mark, it is ensured that it does not involve an infringement of a registered trade mark, i.e., is a search made of identical or similar trade marks registered already?

(iv) Ascertain whether the legal requirements relating to registration are complied with promptly and with exercise of requisite diligence and care. Also ascertain whether the registration process includes review procedures to identify any possible errors, omissions, etc. therein.

(v) Where a trade mark has been acquired from its previous owner by means of its assignment in favour of the entity, ascertain whether the agreement for assignment is in writing and: (a) includes significant terms and conditions; (b) states whether the assignment is conditional or unconditional; (c) has been properly executed; (d) has been registered with appropriate authorities as required; (e) is being complied with.
(vi) Ascertain whether a proper notice appears on all publicly distributed articles carrying the trade mark that the trade mark is owned by the entity (or that the entity is a registered user of the trade mark).
(vii) Ascertain and evaluate the procedures in place to identify and deal with known instances of infringement of the entity’s trade marks by others and infringement of trade marks of others by employees of the entity. Are such procedures sufficient and appropriate to ensure that:
(a) such cases of infringement are reported to the appropriate level of management on a timely basis;
(b) legal advice is taken if required by the circumstances;
(c) potential impact is examined and appropriate remedial action is taken by the entity?
(viii) Ascertain that internally generated trade marks are also registered but are not recognised as assets in financial statements.
(ix) Ascertain whether the period(s) of amortisation of trade marks is reasonable. (The period for which the entity’s ownership of a trade mark subsists under law does not necessarily represent its useful life. For example, for a product that is expected to have a remaining life cycle of 10 years from the date of acquisition of the related trade mark, the amortisation period would be 10 years notwithstanding that the period of legal validity of trade mark (including renewals that are regarded by the entity as virtually certain) may be much longer. The amortisation period can differ from one trade mark to another.)
(x) Ascertain whether the method of amortisation of a trade mark reflects the pattern in which its economic benefits are consumed by the entity. (Different methods of amortisation may be appropriate for different trade marks.)

Service Concession Arrangements in the Nature of Intangible Assets

7.9 In the last two decades, central and state governments have introduced contractual service arrangements to attract private sector participation in the development, financing, operation and maintenance of infrastructural facilities for public services such as roads, bridges, tunnels, hospitals, airports, dams, water distribution facilities, energy supply and telecommunication networks. For example, an expressway may be built by a private operator who may also maintain and operate it for a specified period, say 30 years. The operator may be entitled to charge toll from the users of the expressway during this period.

7.10 Such an arrangement is often described as a ‘build-operate-transfer’, or ‘rehabilitate-operate-transfer’ or a ‘public-to-private’ service concession arrangement. While the operations and assets/liabilities of such arrangements would be subjected to normal internal audit procedures, it is important for the internal auditor to recognise that if such arrangements have the features discussed below, their accounting would involve special treatment.[2] In all such cases, the following aspects of accounting recognition and disclosure should, therefore, be specifically examined by the internal auditor.

Assets Involved are not Tangible Fixed Assets

7.11 Most of these service concession arrangements involve significant physical assets e.g., ports, bridges, roads. However, the various classes of assets of these infrastructural facilities should not be recognised as tangible fixed assets of the operator if the main features of a service concession arrangement satisfy the prescribed criteria.
The prohibition on the various categories of physical assets being classified as tangible fixed assets or property, plant and equipment is on the rationale that the service concession arrangement does not convey to the operator the right to control the use of the public service infrastructural facilities. The operator only has access to operate the infrastructural facilities to provide the public service on behalf of the grantor in accordance with the terms specified in the contract. As the grantor regulates the price of the services to be charged, it (i.e., the grantor) is considered to control the services to be provided. Moreover, the grantor is the owner of significant residual interest in infrastructural facilities at the end of the term of the arrangement.

[2] Reference may be made to the proposed “Guidance Note on Accounting for Service Concession Arrangements” to be issued by the Institute of Chartered Accountants of India.

Distinguish Construction Services from Operation Services

7.12 Under the terms of contractual arrangement, the operator acts as a service provider. If the operator constructs or upgrades the infrastructure and also operates/maintains the same, the operator is providing two separate kinds of services:
(a) Construction or upgrade services: For this service, the operator should recognise and measure revenue in accordance with Accounting Standard (AS) 7, “Construction Contracts”.
(b) Operation services: The operator operates and maintains the infrastructural facilities (operation services) for a specified period of time. For this service, the operator should recognise revenue in accordance with Accounting Standard (AS) 9, “Revenue Recognition”.
If the operator performs more than one service under a single contract or arrangement, consideration received or receivable should be allocated by reference to the relative fair values of the services delivered, when the amounts are separately identifiable. The nature of the consideration determines its subsequent accounting treatment.

Financial Asset

7.13 The nature of consideration receivable by the operator may be of two types. One possibility is that the operator has an unconditional contractual right to receive cash or another financial asset from or at the direction of the grantor as consideration for rendering services. In such a case, the operator should recognise a financial asset. For example, if the operator is paid Rs. 200 crores for building the expressway and Rs. 10 crores each year for maintaining and collecting specified toll on behalf of grantor, the arrangement results in a financial asset (say accounts receivable) for the operator. The rationale is that the grantor has no discretion to avoid payment of the above because the agreement is enforceable by law. The operator has an unconditional right to receive cash if the grantor contractually guarantees to pay the operator (i) specified or determinable amounts or (ii) the shortfall, if any, between amounts received from users of the public service and specified or determinable amounts, even if payment is contingent on the operator ensuring that the infrastructural facilities meet specified quality or efficiency requirements.

Intangible Asset

7.14 If the operator does not get a contractual right to receive cash or other financial asset as discussed above but gets the right (a licence) to charge the users of the public service as per the regulated rates, the operator should recognise an intangible asset.
A right to charge the users of the public service is not an unconditional right to receive cash because the amounts are contingent on the extent that the public uses the service.

7.15 It must be noted that the intangible asset would not be recognised at an amount equal to the cost incurred to construct the infrastructure. Instead the fair value of the constructed asset would be recognised (ordinarily, fair value would be measured as normal cost of construction plus a fair margin of profit, which a normal construction contractor would have charged). The difference between the fair value and the actual cost of construction would be treated as arising from construction of the infrastructure and recognised in accordance with AS 7. Further, instead of depreciation being charged on individual categories of tangible fixed assets, the intangible asset would be amortised over the period of arrangement.

7.16 The operator may have contractual obligations it must fulfill as a condition of its licence (i) to maintain the infrastructural facilities to a specified level of serviceability or (ii) to restore the infrastructural facilities to a specified condition before these are handed over to the grantor at the end of the service arrangement. This may also involve replacement of assets which have a shorter useful life than the period of arrangement. These contractual obligations to maintain or restore infrastructural facilities should be recognised and measured in accordance with AS 29, “Provisions, Contingent Liabilities and Contingent Assets”, i.e., at the best estimate of the expenditure that would be required to settle the present obligation at the balance sheet date.

7.17 If the grantor provides some assets to the operator that the operator can keep or deal with as it wishes after the period of concession and if such assets form part of the consideration payable by the grantor for the services, they are not government grants as defined in AS 12, “Accounting for Government Grants”. They are recognised as assets of the operator, measured at fair value on initial recognition. The operator should recognise a liability in respect of unfulfilled obligations it has assumed in exchange for the assets.

Customer Related Intangible Assets

7.18 Customer related intangible assets are those intangible assets that occur as a result of interactions with outside parties such as customer lists, order backlogs, and other contractual and non-contractual customer relationships. These do not qualify for recognition in the accounting records (and, therefore, in the financial statements) unless they have been purchased from a third party. However, from the perspective of the management, even such intangibles may often be valuable.

7.19 A customer relationship may be either contractual or non-contractual. A customer contract is, generally, a fixed term contract with customers that includes contractual rights to future revenue that are legally enforceable, and as such, the entity has the ability to control the economic benefits arising out of such contracts. For example, entity A enters into an exclusive purchase agreement with entity B under which A will purchase inventory only from B’s catalogue of products for five years. If A purchases inventory from another supplier, then it would be required to pay a penalty to B. Similarly, order backlog represents contracts in the form of sales orders for the entity’s products and services. Customer lists are specified information about customers.
Even where these do not confer legal or other contractual rights, such lists are valuable and are, therefore, prone to misuse through clandestine sale.

7.20 Internal audit of customer related intangible assets may include the following specific procedures.
(i) Obtain a list of customer contracts.
(ii) Ascertain whether the entity has a system to monitor compliance of terms of customer contracts.
(iii) Ascertain whether the entity executes a confidentiality/non-disclosure agreement with the concerned employees or other parties to safeguard against unauthorised use of customer related intangibles, i.e., customer lists, customer contracts, correspondence with customers, etc. Does the agreement extend to post-employment period?
(iv) Ascertain whether the entity has taken adequate steps to protect its customer related intangibles (e.g., customer lists) against unauthorised use or sale e.g. restricting access to database to a few personnel only.

Chapter 8
Illustrative Internal Audit Programme for Computer Software

8.1 To illustrate how an internal audit programme for a class of intangible assets may be prepared for a particular engagement, this chapter outlines an internal audit programme for computer software which is now one of the most common intangible assets in business entities. It is assumed that the situation is that of a large entity that uses a fairly large variety and number of computer software programs (both internally-developed and standardised off-the-shelf programs) in its operations. This illustration further assumes that the scope of internal audit of computer software as determined by the management is fairly comprehensive and covers the following areas:
(a) Whether financial and operating records and reports contain accurate, timely and complete information relating to computer software.
(b) Whether controls over record-keeping and reporting relating to computer software are adequate and effective.
(c) Whether effective systems have been established to ensure compliance with laws, regulations, contracts, policies and procedures relating to computer software with special reference to exposure to consequences of unauthorised use of computer software.
(d) Whether the computer software is adequately protected against accidental loss, unauthorised use, loss of legal rights, etc.
(e) Whether the computer software is being used economically and efficiently.
(f) Internal auditor’s evaluation of software asset management (SAM) of the entity in terms of ISO 19770-1. (The four SAM maturity levels have been described in Chapter 4.)

8.2 It is assumed that the internal audit team comprises a sufficient number of persons with requisite technical proficiency, that the engagement has clear support of the top management and audit committee, and that the internal audit work is properly planned and the work of assistants is duly directed, supervised and reviewed.

8.3 The programme may be suitably modified for other classes of intangible assets (refer to Chapter 7 for specific aspects relating to major intangible assets). Similarly, it may be modified for use in the case of medium and small entities e.g., such entities may only be acquiring off-the-shelf software from vendors and not developing any software in-house.

Policy

8.4 The following should be verified by the internal auditor for this purpose:
(i) Whether there is a clear and enforceable policy on software and whether the policy deals with all relevant aspects including the extent of computerisation, in-house development v. acquisition, maintenance of records, assignment of responsibilities regarding software and its upgradation, retirement and disposal, misuse of entity’s software and prohibition on use of pirated or unauthorised software.
(ii) Whether the policy is documented and conveyed to all concerned.

Organisational Structure

8.5 The following should be verified by the internal auditor for this purpose:
(i) Whether qualified persons have been assigned duties of management of computer software with well defined responsibilities.
(ii) Whether responsibilities for the following have been assigned to different persons (to the extent possible):
(a) authorisation of acquisition/in-house development and disposals.
(b) execution of transactions relating to acquisitions and disposals.
(c) physical custody of items.

Authorisation of Acquisition/In-house Development

8.6 The following should be verified by the internal auditor for this purpose:
(i) Whether there exists a system of capital budgeting for computer software; evaluate its efficacy, particularly with regard to the following aspects:
(a) are proposals invited from various departments well in time?
(b) are proposals received in a properly laid down format which provides for complete details about the financial, commercial and technical aspects?
(c) are the proposals scrutinised by a committee consisting of qualified personnel and then a composite budget put up to the top management or governing body for approval?
(d) is the approved budget communicated in writing to various departments including the purchase department and the accounts department?
(ii) The parameters used for evaluating a proposal for acquisition/in-house development of computer software; evaluate their appropriateness and adequacy. In particular, examine whether in evaluating a proposal, a careful assessment is made of the following:
(a) the function that the software is intended to perform.
(b) how the entity will benefit from the software.
(c) whether existing software can be modified or upgraded to perform the desired function.
(d) availability of alternative software in the market that can perform the same functions and their comparative evaluation in terms of cost of acquisition, cost of operation, manpower and hardware resources required for operation, ease of operation, and upgradeability.
(e) whether the software should be acquired from outside or developed in-house. This decision should be made by considering, inter alia, the following factors:
• availability of resources for in-house development vs availability of software with requisite features in the market place or degree of customisation required in the case of acquired software.
• opportunities for selling or licencing out internally developed software.
• relative ease of operation of developed vs acquired software.
• comparative costs – initial as well as recurring.
(iii) Whether there is a periodic comparison of capital expenditure incurred with the capital budget. In cases where the amounts actually expended indicate the likelihood of cost over-runs, whether supplementary budgets are prepared and got approved from a competent authority.

Purchase of Software

8.7 The following should be verified by the internal auditor for this purpose:
(i) The procedure prescribed for acquisition of software from outside; evaluate its adequacy in respect, inter alia, of the following:
(a) does the procedure provide for invitation of competitive bids? If not, evaluate the validity of the reasons therefor.
(b) is a list of approved vendors maintained for the purpose of inviting competitive bids? If yes:
• are the parameters for approving vendors adequate including whether the vendor is an authorised distributor or dealer of the software?
• is the list updated periodically?
• does the list show clearly whether a supplier is a related party and, if so, the nature of relationship?
(c) is the process of inviting bids appropriate?
(d) is the evaluation of bids carried out by a committee which has appropriate representation of user department and finance department apart from the department responsible for making the purchases?
(e) if the bid accepted is not one with the lowest price terms, are reasons for accepting the bid required to be documented?
(ii) The procedure in respect of placement of purchase order for computer software and evaluate its appropriateness.
(iii) The procedure in respect of receipt of software against purchase orders and evaluate its appropriateness.
(a) on receipt, is computer software checked for genuineness, e.g., where the box or the media containing software is supposed to carry a hologram of a particular shape or appearance, is the existence of the hologram checked? Similarly, if a PC is purchased with pre-loaded operating system such as Windows XP, is proof of licence for OEM version of the software checked? (This may comprise Certificate of Authenticity, CD/DVD jewel case, documentation and end-user licence agreement.)
(b) are particulars of receipt of all computer software entered immediately in records?

In-house Development of Software

8.8 The following should be verified by the internal auditor for this purpose:
(i) Whether there is a separate department for development of software (including modifications to the existing ones) or is software development carried out by each user department in respect of its sphere of operations.
(ii) The systems development and documentation process and evaluate its efficacy, particularly with respect to the following aspects:
(a) is there sufficient consultation with the user groups before the technical specifications of a software proposed to be developed are finalised?
(b) apart from the user groups, are views and suggestions also sought from internal and external auditors as to audit trail and controls needed in the proposed software?
(c) are the programs test-run and the test-run reports reviewed by the systems analyst before the programs are put into actual operation?
(d) is there adequate documentation of new computer programs? Does the documentation include flow charts, a description of the purpose of each part of the program, the detailed program, and program run instructions (specifying the nature and format of input, the detailed operating instructions, possible errors, and the nature and format of output)?
(e) is there a strict control over program changes? Are program files ‘compiled’ to ensure that the computer operators cannot alter them? If a need for an alteration in a program arises, is the alteration made only with the authorisation of the systems analyst and is it properly documented? Does the documentation show the reasons for alteration, the details of alteration, the results of test-run of the altered program, and the authorisation of the systems analyst for putting the altered program in operation?

Deployment Process

8.9 The following should be verified by the internal auditor for this purpose:
(i) Whether a system is in place to track software usage.
(ii) Whether the entity permits personally owned software to be installed on the entity’s computers. If so, under what conditions?
(iii) The access to deployment records, to ensure that only approved users have access to the deployment summary reports.
(iv) Whether the entity has a policy to protect its software against misuse and infringement. What action is taken by the entity in case of infringement of its software by persons external or internal to the entity? Does the entity maintain a track of reported cases of infringement of software owned by it?
(v) Whether the entity enters into appropriate agreements with its employees, consultants etc., inter alia for ensuring that there is no illegal use of software of the entity.
(vi) Whether the entity has instituted a formal system of obtaining feedback and suggestions from the users periodically about the computer software in use:
(a) if a standardised format is used for feedback and suggestions, review whether the format is designed so as to obtain the users’ response on all relevant aspects, specially the suitability of the software for their requirements, ease of operation, extent of usage, and the users’ suggestions as to modifications required.
(b) examine whether the feedback and suggestions given by the users result in appropriate action and whether such action is timely.
(c) obtain further feedback and suggestions of users through discussions with a carefully selected sample.

Use of Unauthorised Software

8.10 The internal auditor for this purpose should examine whether policy and controls aimed at preventing the use of pirated or unauthorised software are properly implemented:
(i) Obtain a listing of all workstations attached to the network. Compare the number of Client Access Licences to the number of workstations. Investigate any difference between the number of licences and number of workstations.
(ii) Obtain a listing of all PCs/other computers. Compare the number of computers against the number of licences the unit has for basic applications (e.g., MS Word, MS Excel). Investigate any difference between the numbers.
(iii) What action is taken if use of unlicenced software is detected?

Retirement

8.11 For this purpose, the internal auditor should ascertain the policies and procedures relating to retirement, disposal, etc. of computer software and evaluate their efficacy. To this end, internal auditor should ascertain:
(i) Whether computer software is retired from use or disposed of only on the basis of written authorisation of specified managers.
(ii) Whether any legal or contractual restrictions on the ability of the entity to dispose of a computer software are duly complied with.
(iii) Whether there are proper controls over disposal of computer software, particularly with regard to invitation of quotations, approval of prices, etc.
(iv) Whether there is proper documentation of retirement or disposal of computer software and the system ensures that all such retirements and disposals are recorded in the books of account promptly.
(v) Whether the retired hardware assets are tracked in a way to enable the software on them to be reused, if possible. In such cases, the software inventory should be simultaneously updated.
(vi) Whether there is a periodical review of software to identify programs which are no longer of any use or from which no future benefits are expected.

Record-keeping and Accounting

8.12 For this purpose, the internal auditor should ascertain what records and documents are maintained by the entity in respect of computer software and evaluate their appropriateness and adequacy.

8.13 In the case of software acquired from outside, are sufficient documents maintained to evidence the entity’s ownership of, or other interest in, the computer software including agreement with the supplier (or licencing agreement), invoice of the supplier and supporting documents and evidence of payment? In this regard, pay special attention to the following:
(i) Evaluate the policies and procedures established to ensure the completeness and accuracy of licence entitlement records.
(ii) Examine whether the purchase agreements for all licence entitlements have been properly executed by each party to the transaction.
(iii) Evaluate whether entitlement records are accessible to interested parties e.g., IT operators, end-users, legal department, etc. only through approved usage rights.
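
The comparison of installed software with licences in paragraph 8.10, read against the licence entitlement records of paragraph 8.13, can be run as a script over an install inventory and a licence register. The sketch below is an added illustration and not part of the Guide; the record layout, the host names and the products "ImageTool Pro" and "ZipUtil" are constructed, and it assumes that one installed copy consumes one licensed seat.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Optional, Tuple

CAL = "Client Access Licence"


@dataclass(frozen=True)
class Entitlement:
    product: str
    seats: int
    expires: Optional[date] = None  # None means a perpetual licence


@dataclass(frozen=True)
class Finding:
    product: str
    installed: int       # distinct machines carrying the product
    licensed: int        # seats under entitlements valid on the audit date
    expired_seats: int   # seats whose entitlement lapsed before the audit date
    status: str
    hosts: Tuple[str, ...]


def norm(text: str) -> str:
    """Fold case and whitespace so 'MS Word' and ' ms  word' compare equal."""
    return " ".join(text.lower().split())


def with_cal_rows(workstations: Iterable[str], installs: Iterable[Tuple[str, str]]):
    """8.10 (i): every workstation on the network consumes one Client Access Licence."""
    return list(installs) + [(ws, CAL) for ws in workstations]


def reconcile(installs, entitlements: Iterable[Entitlement], as_of: date) -> List[Finding]:
    """Compare distinct installs per product with seats valid on the audit date."""
    hosts_by_product = defaultdict(set)
    for host, product in installs:
        # A set counts a machine once even if the scan listed it twice.
        hosts_by_product[norm(product)].add(norm(host))
    valid, expired = defaultdict(int), defaultdict(int)
    for ent in entitlements:
        lapsed = ent.expires is not None and ent.expires < as_of
        (expired if lapsed else valid)[norm(ent.product)] += ent.seats
    findings = []
    for product in sorted(set(hosts_by_product) | set(valid) | set(expired)):
        hosts = tuple(sorted(hosts_by_product.get(product, ())))
        installed, licensed = len(hosts), valid.get(product, 0)
        if installed > licensed:
            no_record = product not in valid and product not in expired
            status = "NO ENTITLEMENT RECORD" if no_record else "SHORTFALL"
        elif installed < licensed:
            status = "SURPLUS"   # unused seats: relevant to economical use, 8.1 (e)
        else:
            status = "MATCHED"
        findings.append(Finding(product, installed, licensed,
                                expired.get(product, 0), status, hosts))
    return findings


def exceptions(findings: Iterable[Finding]) -> List[Finding]:
    """Differences the auditor must investigate under 8.10 (i) and (ii)."""
    return [f for f in findings if f.status in ("SHORTFALL", "NO ENTITLEMENT RECORD")]


# Constructed sample data, not taken from the Guide.
SAMPLE_WORKSTATIONS = ["WS-001", "WS-002", "WS-003", "WS-004", "ws-004 "]
SAMPLE_INSTALLS = [
    ("WS-001", "MS Word"), ("WS-002", "MS Word"), ("WS-003", "ms  word"),
    ("WS-003", "MS Word"),           # duplicate scan row for the same machine
    ("WS-001", "MS Excel"),
    ("WS-004", "ImageTool Pro"),     # entitlement has lapsed
    ("WS-002", "ZipUtil"),           # no entitlement on record at all
]
SAMPLE_ENTITLEMENTS = [
    Entitlement("MS Word", 2),
    Entitlement("MS Excel", 5),
    Entitlement(CAL, 3),
    Entitlement("ImageTool Pro", 1, expires=date(2014, 3, 31)),
]
AUDIT_DATE = date(2015, 1, 1)


def run_sample() -> List[Finding]:
    rows = with_cal_rows(SAMPLE_WORKSTATIONS, SAMPLE_INSTALLS)
    return reconcile(rows, SAMPLE_ENTITLEMENTS, AUDIT_DATE)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.product:24} installed={f.installed} licensed={f.licensed} "
              f"expired={f.expired_seats} {f.status} {', '.join(f.hosts)}")
```

Where the licence agreement counts users, concurrent sessions or sites rather than machines, the seat-counting rule has to be replaced by the measure stated in that agreement before the differences are investigated.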

8.14 In the case of software developed internally within the entity, examine the evidence of its registration with relevant authorities, where applicable.

8.15 For this purpose, the internal auditor should also examine whether the records contain sufficient details including the following:
(i) Sufficient description of the asset.
(ii) Location, i.e. the name of division, branch or department where the asset is located.
(iii) Quantity, i.e. number of units.
(iv) Original cost.
(v) Date on which the asset becomes available for use.
(vi) Subsequent expenditure on the asset that is included in its carrying amount, along with the date of incurrence of the expenditure.
(vii) Method of amortisation.
(viii) Amortisation period (or rate of amortisation).
(ix) Amount of amortisation for the period.
(x) Amount of accumulated amortisation as at the beginning and end of the period.
(xi) Particulars of impairment loss (if any) and any reversal of such impairment loss – date, amount for the period and accumulated amount as at the beginning and end of the period.
(xii) Particulars of retirement, disposal, etc. – date and amount.
(xiii) Particulars of licence.
(xiv) Particulars of registration – name of registration authority and date of registration along with period of validity of registration and date of expiry.
(xv) Particulars of renewal/maintenance fees (if any) – scheduled date(s) of payment, amount, particulars of payment(s).
(xvi) Particulars of any licence or other similar right in the asset granted to third parties.

8.16 The internal auditor should also examine whether entries are made in the aforesaid records on a timely basis.

8.17 The internal auditor should also verify whether computer software is accounted for and disclosed in the financial statements appropriately e.g., in accordance with Accounting Standard (AS) 26, “Intangible Assets”.
The following aspects may be particularly examined in this regard:
(i) Is the computer software recognised at cost?
(ii) Does the cost of a computer software acquired from outside comprise:
(a) purchase price, including any import duties and other taxes but excluding any trade discounts and rebates; and
(b) any directly attributable expenditure on making the asset ready for its intended use e.g., professional fees for legal services?
(iii) In the case of internally-developed computer software:
(a) is the expenditure on research phase recognised as expense when it is incurred?
(b) is the expenditure on development phase recognised as an intangible asset only when the entity demonstrates all of the following:
• technical feasibility of completing the software so that it will be available for use or sale;
• its intention to complete the software and use or sell it;
• its ability to use or sell the software;
• how the software will generate probable future economic benefits;
• availability of adequate technical, financial and other resources to complete the development and to use or sell the software; and
• its ability to measure the expenditure attributable to the software during its development reliably?
(c) does the cost of an internally generated computer software comprise only the expenditure incurred from the time when the asset first meets criteria listed above and that can be directly attributed or allocated on a reasonable and consistent basis, to creating, producing and making the software ready for its intended use?
(d) if the entity cannot distinguish the research phase from the development phase, does it treat expenditure on that project as expense in the period of incurrence?
(iv) Are the following excluded from the cost of a computer software:
(a) selling, administrative and other general overhead expenditure unless this expenditure can be directly attributed to making the software ready for use;
(b) clearly identified inefficiencies and initial operating losses before software achieves planned performance; and
(c) expenditure on training the staff to operate the software?
(v) Is subsequent expenditure on a computer software after its purchase or its completion recognised as an expense when it is incurred unless:
(a) it is probable that the expenditure will enable the software to generate future economic benefits in excess of its originally assessed standard of performance; and
(b) the expenditure can be measured and attributed to the software reliably?
If the above conditions are met, the subsequent expenditure should be added to the carrying amount of the software.
(vi) Is the depreciable amount of a computer software allocated on a systematic basis over the best estimate of its useful life?
(vii) Does the amortisation period(s) of computer software appear reasonable on a consideration of various factors affecting its useful life?
(viii) Is the amortisation method used appropriate?
(ix) Is a computer software derecognised (eliminated from the balance sheet) on disposal or when no future economic benefits are expected from its use and subsequent disposal?

Safeguarding

8.18 For this purpose, the internal auditor should ascertain the procedures employed by the entity to safeguard the computer software against deliberate misuse, alteration, disposal, etc., as well as against accidental loss such as due to fire, floods or computer virus or malfunctioning of hardware, and evaluate their appropriateness and adequacy.
Among others, the following aspects should be examined:
(i) Have procedures such as the following been laid down and are these effectively in operation:
(a) are software access rights of different users well defined and commensurate with the functions performed by them?
(b) depending on the criticality or sensitivity of a software application, have sophisticated access control tools like passwords, smart cards, fingerprinting, voice printing, etc. been applied and are these effective?
(ii) Is the importance of maintaining the integrity of computer software and preventing its use by unauthorised persons or for unauthorised purposes made clear to computer system users and reinforced from time to time?
(iii) Are source codes, flow charts, program documentation, program run instructions, and master tapes or compact disks containing master copies of computer software kept in safe custody of computer librarian and with proper environmental controls such as air-conditioning?
(iv) Subject to any legal, regulatory or contractual restrictions in this behalf, are back-up copies made of purchased computer software?
(v) For critical or expensive software programs, is an effective procedure of off-site back-up in operation? For such software, have arrangements been made with the manufacturer or vendors to provide replacement copies in case of need?
(vi) Are documents evidencing the entity’s ownership of, or other interest in, computer software kept in safe custody and are these verified physically at periodic intervals?
(vii) Has adequate insurance cover been taken against the various risks associated with ownership and use of computer software, e.g., risk of accidental loss or destruction and legal risks? Is the renewal premium paid in time to ensure continuity of the insurance cover?
(viii) Is there a periodic verification of computer software assets? Is the procedure for such verification appropriate and adequate?
Is the frequency of such verification reasonable? Have internal audit’s suggestions in this regard been implemented? Is a representative of internal audit part of the verification team?

Compliance with Laws, Regulations and Contractual Requirements

8.19 For this purpose, the internal auditor should ascertain the legal, regulatory and contractual requirements insofar as they are applicable to the computer software owned, maintained or used by the entity, evaluate the extent of compliance with the aforesaid requirements and determine the potential consequences of non-compliance. In particular:
(i) Obtain a general understanding of the legal and regulatory framework applicable to computer software. (As noted in chapter 2, computer software attracts the provisions of the Copyright Act, 1957. An understanding of the provisions of the Act is essential to evaluate whether or not the entity is in compliance thereof.)
(ii) Obtain an understanding of the limitations, restrictions, obligations, etc. cast upon the entity in the agreements for purchase or licencing of software entered into by it.
(iii) Based on the above understanding and the discussions with the entity’s legal counsel or other relevant personnel, identify key areas of risk of non-compliance and potential consequences of non-compliance.
(iv) Ascertain whether the entity’s policies and procedures address the identified risks. Carry out the following procedures in this regard:
    (a) is the overall control environment within the entity conducive to securing compliance with the relevant laws, regulations and contractual requirements?
    (b) are the attitudes and actions of those responsible for governance and management towards compliance with legal, regulatory and contractual requirements
        • reflective of total commitment,
        • moderate,
        • permissive?
    (c) what specific procedures have been instituted to secure compliance with relevant laws, regulations and contractual requirements and how effectively are they in operation?
    (d) does the entity have a formal Code of Conduct for employees (either generally or specifically with reference to computer software)? If yes:
        • are the instructions relating to “do’s and don’ts” such that, if followed, they would ensure compliance with relevant laws and regulations? (As mentioned earlier, the Copyright Act, 1957 is directly relevant to computer software. Therefore, it would be useful if the Code of Conduct includes a detailed illustrative list of what would or may amount to non-compliance with the Act. In framing the Code of Conduct, it should be clearly borne in mind that law is a specialised and complex discipline and, therefore, its implications may not be obvious to a user of computer software. For example, it is not uncommon to come across cases where entities purchase one (single-user) copy of a software and use it on a number of computers simultaneously without realising that they are violating the Copyright Act. Likely situations such as these should be foreseen and specifically dealt with in the Code of Conduct.)
        • do induction training programmes for new employees give adequate coverage to the existence of the Code of Conduct, its principal elements, the need to comply with it and the potential consequences for the entity (and the employee concerned) in the event of non-compliance? Are the above aspects reinforced from time to time at training programmes, through circulars, etc.?
        • have procedures been instituted to identify cases of non-compliance with the Code of Conduct (e.g., random checks to determine whether or not the computer software programs running on a computer are licenced) or whether discovery of such cases is only accidental?
        • how are cases of non-compliance dealt with?
          Is action taken commensurate with the frequency and/or seriousness of non-compliance?
        • in case the entity hires consultants or contractors and their actions could potentially amount to non-compliance by the entity with laws and regulations relating to software:
            - are adequate steps taken to create awareness among the consultants, contractors etc., about the entity’s policies and procedures concerning compliance with laws and regulations and are they required to ensure compliance with them?
            - are the related agreements so drafted that the entity’s exposure in the event of non-compliance is reduced as far as possible, including specific provisions requiring the counterparties to indemnify the entity for any loss or damage to it on account of their non-compliance?

8.20 The internal auditor should also ascertain whether in case of a non-compliance or potential non-compliance, a proper assessment has been made of the financial effect (fines, damages, etc.) that the situation may entail. Also ascertain whether the situation has been properly dealt with in the financial statements; for example, a potential non-compliance may warrant disclosure of a contingent liability in accordance with Accounting Standard (AS) 29, “Provisions, Contingent Liabilities and Contingent Assets”.

SAM Maturity Assessment

8.21 ISO 19770-1 represents a significant initiative towards establishing a framework for managing an intangible asset like computer software. An entity’s current software asset management (SAM) maturity is assessed as Basic, Standardised, Rationalised or Dynamic (refer Chapter 4 for a description of what each maturity level signifies). The assessment is with reference to ten key performance indicators (KPI). Each KPI is assessed for Test of Design and Operational Effectiveness.
• Test of design effectiveness is the current state assessment of the organisational SAM process around people, process and technology.
• Test of operational effectiveness is the determination of how effectively the SAM processes are working in monitoring and inventorising the software licences being used.

8.22 In a mature SAM deployment, the software is managed by using adequate people, processes and technology during each of the stages of its life cycle, viz., acquisition, deployment, maintenance and retirement. The approach to a SAM review is sought to be illustrated below with the help of a sample work paper relating to this aspect of internal audit of computer software.

| ISO 19770-1 Categories | Key Competency | Risk | Current Maturity | Current State Observation | Self Assessment | Action Item to Improve Maturity | (Initial) Observation Notes |
|---|---|---|---|---|---|---|---|
| Organisational Management | a. SAM throughout the Organisation | SAM is not being actively managed as a priority by qualified individuals. | Basic | SAM roles and responsibilities are not defined. Software tracking is not implemented throughout the organisation (in every infrastructure group). | 1 | For each infrastructure group within the organisation identify who has direct management responsibility for each unique SAM inventory throughout the organisation. Specifically identify: 1) all locations, 2) estimated quantity of each hardware platform at each location, 3) a functional description of each group, 4) a representative with direct responsibility for the group’s SAM processes, and 5) a description of the SAM process and/or tool used for the group. | |
| | b. SAM Improvement Plan | A SAM improvement plan is not defined. | Basic | There is no plan for implementing SAM; or no SAM improvement plan has been completed within the organisation with executive sponsorship and budget. | 1 | Develop a SAM self improvement plan with funding/budget approved which specifically defines scope, schedule, and resources for SAM. | |
| SAM Inventory | a. Hardware and Software Inventory | Inventory records are not kept or are inaccurate. | Basic | The % of total hardware and software tracked in a Configuration Management Database (CMDB) is not tracked but is less than 68%. | 1 | Establish a centralised hardware inventory that contains between 68% and 95% of all Servers and between 68% and 95% of all PCs that have installed software owned by the entity. Establish a centralised software inventory representing products consisting of 68% to 95% of entity software spend. The software inventory should include software deployments from all hardware in the hardware inventory. | |
| | b. Accuracy of Inventory | Inventory records are not kept or are inaccurate. | Basic | Inventory details are reconciled with the original source rarely or ad-hoc. | 1 | Once a year or more, reconcile the centralised software asset inventory with other independent sources to verify that it accurately includes all applicable software and hardware metrics required to reconcile software deployments and software usage to licence entitlement. | |
| SAM Verification | a. Licence Entitlement Records | Entitlement records are not kept or organised. | Basic | The % of licence entitlement in a repository is not tracked but is likely less than 68%. | 1 | Establish a centralised entitlement inventory for each infrastructure group or business unit. Inventory should completely and accurately include all records required to reconcile software deployments and software usage to deployment inventory. | |
| | b. Periodic Self Evaluation | Periodic SAM reporting is not occurring. | Basic | Deployment and entitlement reconciliation is done rarely or ad-hoc. | 1 | Perform a yearly (or more frequent) executive review and sign-off of SAM reports; reports should include at least a deployment and entitlement reconciliation of high risk software titles. | |
| SAM Operations Management and Interfaces | Operations Management Interfaces | SAM tools are not in place or not integrated. | Basic | Operations Management functions generally do not use software and hardware inventories. | 1 | Establish policies and procedures for operations management functions (i.e., IT support, financial fixed asset tracking, security, and network administration) to each manage their inventories and track the assets they control. | |
| Lifecycle Process Interfaces | a. Acquisition Process | Software purchasing is not managed or controlled. | Standardised | The % is not tracked but is between 68% to 95%. | 2 | Base all software entitlement contract purchases on periodic deployment/entitlement reconciliation reports. Ensure entitlement information is communicated to IT Operations and all entitlement records are accessible to IT Operations and other organisational stakeholders (i.e., End-users, Legal, HR, Chief Intelligence Officer (CIO)) with detailed approved usage rights. | |
| | b. Deployment Process | Software deployment is not managed or controlled. | Standardised | The % is not tracked but is between 68% to 95%. | 2 | Establish a system that provides organisational stakeholders with access to software deployment summary reports and provides summary information on product usage rights. (Stakeholders with access should include Procurement, IT Operations, End-users, Legal, HR, CIO). | |
| | c. Retirement Process | Software on retired machines is not being uninstalled and/or reused. | Basic | The % of hardware assets that are retired and recorded in a way to enable the software on them to be reused is not tracked but is likely less than 68%. | 1 | Establish a process to accurately update software inventory when hardware and software assets are retired. | |
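The deployment and entitlement reconciliation that the work paper calls for can be sketched as follows. This is an added example, not part of the Guide: the product names, host names, seat counts and the coverage metric are constructed assumptions, and only the 68% and 95% marks come from the work paper above.

```python
from collections import Counter

# Constructed sample data, not taken from the Guide.
# One (host, product) pair per installation found by an inventory scan;
# pc-001/OfficeSuite appears twice, as happens when two scans overlap.
DEPLOYMENTS = [
    ("pc-001", "OfficeSuite"), ("pc-002", "OfficeSuite"), ("pc-003", "OfficeSuite"),
    ("pc-001", "OfficeSuite"),
    ("pc-001", "CadTool"), ("pc-004", "CadTool"), ("pc-005", "CadTool"),
    ("srv-01", "DbServer"), ("pc-002", "PdfEditor"),
]
# Entitlement records: product -> licensed seats. CadTool is a single-user licence.
ENTITLEMENTS = {"OfficeSuite": 3, "CadTool": 1, "DbServer": 2}

def reconcile(deployments, entitlements):
    """Compare installed copies per product with licensed seats."""
    installed = Counter(product for _host, product in set(deployments))
    rows = []
    for product in sorted(set(installed) | set(entitlements)):
        count = installed.get(product, 0)
        seats = entitlements.get(product)  # None means no entitlement record
        if seats is None:
            status = "NO_ENTITLEMENT_RECORD"
        elif count > seats:
            status = "OVER_DEPLOYED"
        elif count < seats:
            status = "UNUSED_SEATS"
        else:
            status = "MATCHED"
        rows.append({"product": product, "installed": count, "seats": seats,
                     "shortfall": max(count - (seats or 0), 0), "status": status})
    return rows

def coverage_pct(rows):
    """Share of installed copies backed by an entitlement (assumed metric)."""
    total = sum(r["installed"] for r in rows)
    covered = sum(min(r["installed"], r["seats"] or 0) for r in rows)
    return round(100.0 * covered / total, 1) if total else 100.0

def band(pct):
    """Place a percentage against the 68% and 95% marks used in the work paper."""
    if pct < 68:
        return "below 68%"
    return "68% to 95%" if pct <= 95 else "above 95%"

if __name__ == "__main__":
    report = reconcile(DEPLOYMENTS, ENTITLEMENTS)
    print(*report, coverage_pct(report), band(coverage_pct(report)), sep="\n")
```

The OVER_DEPLOYED row is the single-user-copy-on-several-computers case described under 8.19, and NO_ENTITLEMENT_RECORD rows are the ones to trace back to purchase documents.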