Direct Tax Home Refresher Course – 5 Know More

Internal Auditing – Venturing beyond mandated boundaries

Traditional Auditing is good but not sufficient

Traditional internal audit methods and approaches may have yielded reasonably good results for decades after management discovered and instituted the internal auditing function. Increased complexity, unimaginable scale and breath-taking speed of doing business left the internal auditor using only traditional tools gasping for breath. The internal auditor reinvented himself by adopting sampling methodology, computer assisted testing, analytics to screen massive data, trend analysis and more. However, with growing human ingenuity and greed, it may be increasingly difficult for the internal audit fraternity to deliver internal audit output that matches expectations of stakeholders and society at large using the present suite of audit procedures. The human ingenuity in breaking through the myriads of controls ethically or unethically, with the objective of merely challenging the system or defrauding the organization, has thrown up unprecedented challenges for the management and the internal auditors.

In India, the currency notes and coins made way for electronic payments and now the electronic payments may be fast replaced by the Retail Digital Rupee recently  introduced by the RBI – just imagine, if the internal auditor still believes in counting cash by physical verification of currency?? We have also seen the typed hand-delivered postal letters being replaced by faxes and emails and now by sharing of scanned images over WhatsApp – can the internal auditor still rely on the paper trail and neatly filed physical documents in these times of seamless electronic exchanges and digital trails?

Through this blog, I wish to share some of the unconventional methods derived from lateral adaptation that are fit to be added to the internal auditor’s toolkit – these require creativity, are easy to implement and are sure to add excitement within the IA team as also deliver delight to the key stakeholders. Be it blunders or plunders, these methods will help in uncovering some of them, with minimal efforts.

Need to look beyond

Management and auditors alike cannot regulate human behaviour and books of accounts don’t reflect human emotions and behaviour. Regulations and policies are made with the intent of regulating human behaviour and cultivating ethical culture in the organization, however, situations, control deficiencies and circumstances create exceptions and opportunities to commit unintended blunders or even frauds. Auditors form their insights and opinions based on information reviewed and made available from the records maintained by the management. If they go beyond the books of accounts and standard audit procedures, they may discover additional facts and information that be valuable for their opinion making.

Risk Assessments have limitations

One of the most significant tools in the auditing evolution has been Risk Assessments. Stakeholders and auditors, alike, realised that 100% transaction auditing is not a robust solution, so contemporary audit methods lay emphasis on risk assessments and risk-based approaches to narrow down on vulnerable areas thereby providing early warning alerts to the Board and Audit Committees on what can go wrong; however, they have limitations in the form of management and auditor’s ability to anticipate all critical risk factors impacting the organization. If the risk assessment is not comprehensive and creative, Boards and Audit Committees may err even more in case of un-predictable human behaviour.

Combining market research techniques with internal audit activities

There is no full proof auditing approach, however, internal auditors should be empowered by the Boards to go beyond the books, records, and pre-set templatized auditing approaches. Internal Auditors also have the responsibility to seek due authorization to use innovative techniques beyond the standard audit procedures to supplement the quality of audit findings.

Introducing customized mystery reviews, target surveys, scenario play, and snap checks would be good auditing supplements that may provide meaningful insights to auditors and management on the behaviour of people. Mystery reviews, target surveys and snap checks have the potential to unearth deep rooted cultural and behavioural issues that may go unnoticed for several years. If management empowers the internal auditors to carry out such reviews in addition to the popular auditing methods, they will provide auditors with the opportunity to first-hand experience process, products, and services from a customer/ employee perspective, better known as reality check!!!

Author has used mystery reviews successfully as part of internal auditing activities to discover behavioural outliers. Procurement is one of the most vulnerable processes in any organization and mystery vendor visits help discover behavioural patterns of buyers. Targeted surveys of exited employees provide very good governance insights that are so difficult to identify in business-as-usual auditing situations. Decoy customer visits unravels several customer service facts that may not be imagined in a risk assessment matrix.

Combining internal auditing with market research techniques would provide a great combination to improve the overall audit output. While fraudsters have no boundaries, can auditors be bound by templatized audit approaches?

@Managements -Empower your internal auditors, to go beyond the mandated auditing boundaries!

@Internal Auditors – discover new techniques and tools to enhance audit quality and be ready to challenge the mandated boundaries!!

P.S. Have you fastened your seat belt?

The news of the sad and untimely demise of Mr. Cyrus Pallonji Mistry is tragic and shocking. The accident has been widely covered by news and social media and moving eulogies have been written about the gentleman who left the world too early. Amidst the feeling of sadness that surrounds the incident, one thing that keeps coming up in conversations and WhatsApp forwards is the importance of fastening the seat belt, even in the rear seat.

My mind goes back to a tragedy that hit my family in 1987, when my sister, at the age of 26 years, was the victim of a road accident that took her life; a tragedy that could have been avoided had there been seat belts and air bags. That was the time when the cars in India had no seat belts.

The two incidents together, reviewed from the perspective of risks and controls, highlight two vastly different situations – the latter, where controls were not instituted and the former, where the controls existed but were not operational. This has led me to examine the various controls that are instituted for our safety, but we have somehow not made them operational; particularly those that are not mandated by law.

I share a few examples here, that has made me introspect:

Fire extinguishers in residential houses and societies – many residential houses and societies, particularly in urban areas, now have fire extinguishers placed in visible location. At the time of installation, a small demo is also given, attended sparsely and soon forgotten. In the unfortunate event that a fire occurs in our residence, would we know how to operate the fire extinguisher? And, have we made sure that the extinguisher is refilled periodically, as required?

Air travel and life jackets – the quantum of air travel has increased manifold  and in countries like India, we have many first-time fliers. Airlines, at least in India, continue to follow the protocol of explaining the safety measures comprising of seat belts, oxygen masks and life jackets…. But like the warning given in mutual fund T V advertisements, these instructions are often delivered at a fast speed, in a mechanical manner – adequate to serve as a reminder to a seasoned flier, but perhaps not fully understood by first-time or infrequent fliers. In case of a real emergency, would there be chaos, or would the passengers be able to operate the safety measures with ease?

Pandemics and Masks – the covid pandemic that hit the world in 2020, saw the whole world getting in the habit of wearing masks and using hand sanitizers; we became aware and cautious about what we touch, whom we meet and whom we allow into our houses/offices. While the initial masks (N-95/N-99) were functional, plain, and effective, soon, even when the 2nd wave made its way, the masks became colourful, well-coordinated with clothes and perhaps very superficial in their effectiveness. The effective control of a medically tested mask was soon replaced to preserve the appearance of safety, while sacrificing the effectiveness. Are there controls around you that have been diluted, so that they give a false comfort?

The familiarity trap – “Approximately 52 percent of all car accidents occur within a five-mile radius of home, and 69 percent of all collisions happen within a 10-mile radius from home. The implications are that shorter trips closer to home are among the highest for car accidents” reveals a study by National Highway Traffic Safety Administration (NHTSA), USA. In familiar territory, we tend to lower our guard, become more distracted and perhaps over-confident. The same is true about certain practices that we have seen around us and never questioned. For example, a traditional belief that a chubby, fat child is a healthy child; or, that without sugary sweets celebrations remain incomplete. And, what about the incidences of a familiar ‘home beautician’ walking away with gold bangles and mobile phones? A risk aware culture encourages examination of biases, beliefs and trends to reassess risks and plug the gaps.

Senior safeguards – with aging population, the risk of a fall increases, both, in likelihood and its impact. Femur bone fractures and hip ball replacement account for many emergency operations. We hear of so many cases of senior, aged persons falling in a locked bathroom and not receiving help for hours, till the bathroom door is forced open. And we see public spaces having stairs that have no railings, pavements that are difficult to maneuver without sports shoes and a huge reluctance amongst elders to use the basic safety measure – a walking stick.  We see these occurrences all around us, but we act only when an accident hits us directly. Much of health care costs and agony can be saved with proper publicity of the risks and the implications.

As I conclude, I prod you to sit back and think of all the day to day activities where you see risks being undermined, controls being absent or ignored…. So that together we can create an environment of greater safety, fewer regrets and a lot less agony.

P.S.– have you fastened your seat belt? Please do, because you are precious!

The Blog solely reflects the personal views and opinions of the author(s).

Organising BCAS RRC – Learnings for Internal Audit

In initial years of my Practice, much before learning and understanding Internal Audit as a practice area, I got an opportunity to be a part of the organizing team of Residential Refresher Course (RRC) of Bombay Chartered Accountants Society (BCAS).  Then, I realized that this is my Passion. Once I found my passion, my entire approach to Planning RRCs changed. Passion always helps you getting extraordinary results whether it’s a Planning for RRC or conducting an Internal Audit Assignment. So, the first question that we must ask ourselves as Internal Auditors is “Am I passionate about Internal Audit?” Excellence demands passion – so to excel, developing passion for the subject makes a huge difference.

My journey of organizing BCAS RRC’s for last 35 years has taught me a lot and this process of learning is still on. I find it interesting to observe that many of the things that I learnt while organizing RRCs made me a better Internal Auditor. I can correlate so many of my experiences and learnings from RRC to the field of Internal Audit.

What are the common factors that lead to Success and give exceptional results whether it’s RRC or Internal Audit?

A.      Study of Human Nature

Understanding a person is necessary, be it Vendor, Service Provider, your Own Staff or Auditee and Auditees’ staff.  When you understand the persons with whom you are dealing, you develop the art of getting the best from each relationship. Understanding human nature, putting yourself in their shoes, helps you get a better perspective and also find workable solutions to the problems.  Be polite but remain firm on your views, so that you do not compromise the quality and yet maintain impeccable relationships. Your technical skills help you spot lapses and problems, but it is your interpersonal skills that make the stakeholder accept the problems and work towards a solution.

B.      Communication

Document everything as the evidence is necessary.  Whatever is not documented is considered as not done. But even more than the written communication, the quality of oral communication needs to be paid attention to. Communication eliminates assumptions. Communication creates connections. The BCAS RRCs requires us to communicate with a wide variety of people and agencies – ranging from senior paper writers and panelists, Past Presidents, pan-India participants across age groups, venue management staff, BCAS staff members, catering contractors, printers, audio visual service providers, et al. Communicating with each of these at a personal level, forming a pleasant connection, helped me and my team in ensuring that each agency delivered better than what the contract demanded and each of the participant went back enriched with a great learning experience.

Applying this analogy to Internal Audit, I realized that while it is important to maintain the written documentation trail impeccably; it is utmost necessary to supplement with oral communication – that adds charm and ease at every level in Internal Audit. Here too, different approach is required when talking to auditee, HODs, Audit Committee members, IT system specialists or the canteen staff at the audit location (after all, we all need those late evening snacks and strong coffee at the time of audit closures!!)

C.      Holistic Approach To Deliver Exceptional Serivces

Like in all RRC’s, an important factor in Internal Audits is the best use of available time which is always limited.  The entire RRC event is planned in a manner that maximum benefit goes to the participants, and they go back with not only better technical knowledge but also with great memories, lasting friendships, and lot of laughter. Planning technical sessions alongside networking and entertainment sessions, and excursions to experience the local culture are an integral part of each RRC.

For an Internal Audit engagement also, effective time allocation and planning ensures that not only the agreed scope is covered, but the assignment ends with an atmosphere of mutual trust and respect, and a high acceptance rate for valuable recommendations and suggestions made. This requires equitable time allocation to planning the audit, execution, communication, presentation, validation and persuasion. Going beyond the scope, delivering beyond expectations often creates the “Wow” in an internal audit assignment. Keeping the team morale high by adding that occasional outing, celebrating small wins and sharing some lighter moments makes the team member interested in the subject and deliver beyond expectations.

D.      SWOT Analysis – Talent Optimization

When we form the Team of volunteers in RRC, SWOT Analysis helps in getting desired results since the specific talent and aptitude of each person is engaged effectively. While forming the team for Internal Audit such analysis leads to desired results – not everyone in the team may be adapt at data analytics or drafting of reports, but a balanced team with optimal allocation of responsibilities creates a favourable working environment and gives most astounding outcomes, while helping team members to sharpen their skills in areas where they may be lacking.

E.      Operation Research (OR) Techniques

I had studied OR techniques in CA Final Examination.  At that time, I never fully understood the use of PERT, CPM, SIMO charts etc.  Now, when I use these techniques in somewhat modified form in organizing RRC’s as well as in conducting Internal Audits I realize how best we can optimize the use of resources to avoid duplication and save time.  These techniques help a lot in planning human and other resources. They also help in maintaining close attention to the project timelines and help in resource allocation in an objective manner. Monitoring progress to ensure timely completion becomes much easier with the help of these tools and approach.

F.      Checklists

Each Internal Audit Assignment should be treated as a fresh assignment even though it is similar or identical to other assignments handled in the past.  Checklist to carry out each assignment should be prepared afresh.  ‘Copy paste’ should be avoided.  Team leaders should not impose their ideas while making the checklists but should throw the ideas open for discussion.  The final checklist will certainly be a quality product and each team member will feel an ownership of that audit.  The same method is applied at BCAS RRC, treating each RRC as if it is the first one.  That gives the feeling to the participants that each RRC is Unique, as the planning is not constrained by old formats and thinking.

G.      Risk and Crisis Management  

In one of the RRC’s a senior participant suffered a Cardiac Arrest.  We realized that ambulance was not available at that Hill Station nor were adequate medical facilities. We learnt a hard lesson on not anticipating possible risks adequately. For all RRCs held thereafter, we ensured that the venue had adequate infrastructure for dealing with medical emergencies. RRCs invariably lead to some ‘fire-fighting’ situations – a last minute flight cancellation due to which a speaker does not arrive for the session, power failures or unseasonal rains at the venue which require relocation of outdoor sessions, etc. – overtime, the RRC organizing team has incorporated all such hiccups in their plans and are able to handle these situations with ease.

Taking a clue from this, Internal Auditor, while reviewing the efficacy of the risk management processes of the organization must consider such rare possibilities also, particularly when the impact could be disastrous. For risk events that have occurred during the period, suitable enhancement to the risk identification and assessment needs to be ensured. To be taken by surprise once is perhaps pardonable but missing out a second and a third time is a serious failure.

H.      Group Discussion

Group discussion is the soul of BCAS RRC’s. Papers written by scholars are discussed in smaller groups, led by a group leader. The role of the group leader is to moderate the discussion as also, to give opportunity to each of the group members to express their views. It is not uncommon that the best of the inputs come from the most unassuming or the very young members of the group.

Encouraging a group review in Internal Audit provides a great forum to encourage younger and newer team members to have a voice and also, for them to observe and learn from the more experienced members.

I.       Personal and Professional Growth

Like nature gives each season different hues and colours, each RRC adds to the personal and professional growth of the participants in different ways. As a part of the organizing team, I have drawn valuable lessons from each RRC and can say this with confidence, that for a participant each RRC has brought a different flavour and a most unique experience. I have seen the young shy participants of yesteryears become group leaders or even paper writers/panelists in later RRCs.

In a similar manner, each Internal Audit engagement has a unique flavour and adds to our experience bank. A keen learner with an open mind gains the most from each engagement. And just like the RRC, the junior team member soon becomes the team leader or even the engagement partner…. the trick is in approaching each engagement with curiosity and openness, and spending time after each assignment in internalizing the key learnings.

Both, RRC and Internal Audit, help one to develop human qualities of empathy, teamwork, collaboration, agility, responsiveness, communication and more – thus, the professional growth is invariably coupled with personal growth of the individual.

As a Professional and CA in Practice, I am not a hard-core Internal Auditor but whatever assignments of Internal Audit that I have handled, I have tried to co-relate my experiences of unstructured learnings from RRC.

To conclude, Internal Audit is an integral part of our lives – the principles of Internal Audit can be applied to many aspects of our lives and experiences gained through different activities in life can be applied to internal Audit – what is required is the passion and the creativity to observe, capture, innovate and integrate these experiences seamlessly.

This is my first attempt to write a BLOG.  In fact, I was inspired by a blog written by Mitalee Chovatia, where she shared her experiences from travelling for Internal Audit Assignments and co-related the same effectively with her journey as an Internal Auditor. This got me thinking about my RRC planning experiences of decades and the parallels with Internal Audit engagement.

Thanks to Mitalee, I have penned my very first blog combining two subjects close to my heart – BCAS RRC and Internal Audit!

The Blog solely reflects the personal views and opinions of the author(s).

A bag full of ideas… An Internal Auditor’s journey

It is hard to appreciate the treasure trove of lessons that travelling for audit work can bring to you when you’re a starving vegetarian walking for miles in the bitter cold of a Korean winter; but a global pandemic certainly helps to put things into perspective. As I reflect on my journey as an internal auditor I realise that somewhere between my dwindling ‘thepla’ supply (a Gujarati vegetarian snack/lifeline) and increasing ‘to-do’ list, I picked up lessons no text book on audit could have taught me. I also gained an appreciation for the subtle nuances of culture and how those can also have a significant impact on your success as an auditor. From successfully avoiding being the junior auditor sent to photocopy pages and pages of meeting materials by highlighting  how we Asians prefer to ‘go green’ to watching my colleagues meet up for a 7.30 am breakfast to start the audit after an 18 hour flight at 8 am sharp; I may have taught a few things, but have certainly learnt so many more from my colleagues around the world.

Here I present to you a short synopsis of my journey as an auditor and as a traveller, a few anecdotes that may not be entirely relevant to my story as an auditor but certainly helped shape my overall professional outlook.

Perks of being in Pondicherry- I begin this blog with full disclosure, my views and love for taking up assignments outside of my home city are entirely biased because of this single experience. You see, when I was an intern there was a story going around the office that anyone who went to this particular audit in Pondicherry would pass their CA exam that attempt. As luck would have it, I was asked if I would like to go, I accepted and… I passed. So, you can see how my views may be slightly coloured when it comes to stepping out for an ‘outstation’ audit.

As a young intern, the lessons I learnt on this Pondicherry audit formed the very foundation of my professional persona. It felt like a crash course on being a team player even as an auditor. From making it in time for all of us to take one rickshaw to the audit place to joining my colleagues for lunch at the ‘Mami Mess’ where this lady who was called ‘Mami’ would serve you the most delicious meal, but there was only one caveat – asking for a spoon was taboo. I would sheepishly avoid looking like the brat from Bombay and try to blend in with this new culture. I realised that if I didn’t join my colleagues and auditees at their side of the table, I would not be viewed as someone who understood their world and business. In all cultures, and specifically in our Indian culture, breaking bread together is an integral part of starting a healthy relationship, be it professional or personal –  and I am a big proponent of the same.

After clearing my CA I moved on to roles in Internal audit that invariably involved opportunities to travel and I lapped those up.

Getting creative in China– One of my first international assignments and perhaps the single most humbling experience I have had as an auditor has been when I realised the phrase ‘let me look that up’ was no longer an option. No Google, no WhatsApp and zero Mandarin skills :  I was terrified of how I would get by. Two weeks into the audit, I was surprised how effectively I could ‘Baidu’(the Chinese equivalent of Google) my way through regulations and how effectively I learnt to delve deeper into the areas where my questions were parried by my auditees rapidly communicating with each other in Mandarin before responding to me in English. I learnt to look for non-verbal communication cues to help guide me through audit process, as also to observe my surroundings more closely.

As I moved along from audit to audit, I also had the opportunity of working with audit leads who would visit from their home country to cover certain specific assignments. One such audit was that in Korea.

Kindness in Korea- One of the nicest lessons I have learnt from an ex-boss and a senior auditor was that on kindness. I think it’s easy to forget (especially if you’re a career auditor) how intimidating it is to have an auditor visit you, however, routine or ordinary the audit may be. I recall several instances of watching my ex-boss interview someone new in a country he has never been to before, by immediately putting them at ease. After introducing himself, he would also outline his goal from the meeting and often add that he wasn’t there to issue ‘parking tickets’. For detailed walkthroughs he would encourage me to email my questions in advance to give an opportunity to  the auditee to prepare. With this one move, we gained the auditees trust, and more often a very fruitful discussion without the air of a policeman interrogating a suspect.

Besides the leadership lessons, I also picked up a few lessons that I find especially handy in the current work from home environment where it’s easier to replace turning on the video with a drab email exchange

 Hiking in Hongkong– I say this tongue-in-cheek, although I did learn a few lessons while hiking up to the big Buddha tourist attraction (mostly on my lack of fitness levels). My key lesson by using the hiking analogy was on the importance of a walkthrough in audit. With the increased sophistication of data analytics, one may be tempted to trade off a walkthrough with running an extra query. However, my travelling experience has taught me that there really is no substitute to sitting down with the auditees and requesting them to walk you through their process. You never know how a simple remark on the auditees dexterity on MS-Excel could lead to a candid discussion on the lack of automation in the process and the need for better systems.

As I look at my experiences as an auditor there has been one lesson that really stands out – and it is that of embracing diversity. An auditors journey for the most part is a lonely one, however, it is made much less lonely when one accepts two seemingly contradictory yet distinct truths– first, It’s a humbling fact when you remind yourself that your auditees do their role on a daily basis, and, your view, while fresh and different, may still need to be guided by their voice which must be heard; second,  You can’t audit your teacher so ensure that your saw is sharpened off your knowledge. While these statements may sound somewhat contradictory, here is some food for thought…I find that while it is empirically important to form your view backed by your information and knowledge , it is equally crucial to have a dialogue and an open mind to your auditees views. As a young auditor, I have often felt insulted and frustrated when my auditee would dismiss my arguments over the need for tighter controls with their wisdom and experience as trump cards. Having spent more time being an auditor I learnt that respect is a two-way street. Once I started to keep an open mind, I felt I could come up with stronger recommendations that were easier to implement as well.

As I conclude this blog, I would like to champion the cause of taking any chance you get to travel or ‘work from home’ on an assignment that introduces you to work with people outside of your comfort zone and into unfamiliar territories and cultures. You will be surprised at how much you grow as an auditor as you clock in those hours and in post-covid times hopefully some ‘miles’.  Finally, I’d like to invite you all to share your biggest lessons learnt as an internal auditor from fellow colleagues from across the country / world and from those beloved ‘outstation’ audits in the comments section for all of us to learn.

The Blog solely reflects the personal views and opinions of the author(s).

Internal Audit: A Case for Advocacy

I entered the profession of Chartered Accountancy in 1984 and started calling myself ‘primarily an Internal Auditor’ somewhere in early 1990s. At that time, Internal Audit was at a nascent stage in India, and not many people understood what an internal Auditor really did.

Fast forward to 2022, and strange as it may seem, one thing that has not changed over these three decades is that even today, not many people in India understand what an Internal Auditor really does. I accept that Internal Audit has strongly anchored itself in multinationals, regulated industries (mainly BFSI sector), and public sector corporations – yet, for many large-listed companies, the role of an Internal Auditor remains somewhat hazy; and for most of the small and medium sized businesses the Internal Audit function exists only in name, if at all. For public at large, ‘Internal Audit’ holds no specific meaning.

At the other end of the spectrum, a question keeps cropping up in my mind – is the Internal Audit profession an attractive choice for young graduates starting their careers, or even mid-level professionals considering career shifts? Are there avenues for exploring the subject or a keenness to know more? I acknowledge, somewhat reluctantly, that ‘Internal Audit’ is not a word that one commonly hears amongst young professionals from different fields exploring their first job or internship, or from a mid-career professional as a sought-after career option.

What could be the reason? Well, there could be several reasons, but to my mind, the prominent reason is lack of systematic, well-thought-out efforts for advocacy.

Advocacy of a profession essentially means creating awareness about the existence and the relevance of the profession, in a concerted, strategic manner. It involves engaging with the stakeholders – regulators, organizations, aspiring professionals, Boards and CEOs, to drive home the potential of a well-structured Internal Audit function and the value that an Internal Auditor can add. Advocacy is best spearheaded by professional associations that are set up with the primary objective of promoting one or more professions and are led by experienced professionals who have a wide network and followers. But advocacy can also be done by committed Internal Auditors who believe in the value of Internal Audit, or stakeholders who have experienced the value of Internal Audit.

Advocacy of Internal Audit would mean reaching out to those who are not Internal Auditors but can promote or strengthen Internal Audit. It would mean engaging with organizational leaders and decision makers, reaching out to campuses, career counsellors and HR professionals. Engaging with media for rightful publicity or awareness campaigns, and with social media to create the right amount of curiosity about Internal Audit would help greatly.

In the past decade, and even more so in the post-covid era of lockdowns and virtual interactions, there have been a huge number of webinars and long duration training courses for skill enhancement for Internal Auditors. Various professional associations, such as the Bombay Chartered Accountants’ Society (BCAS), the Institute of Internal Auditors (IIA) and the Institute of Chartered Accountants of India (ICAI) have created great learning opportunities on virtual platforms for internal auditors to hone new skills, to adapt technology, to embrace analytics and to become the ‘change agents’ in this rapidly transforming world. And many Internal Auditors pan India have made good use of these opportunities – be it webinars, conferences, certifications, or long duration courses – to better equip themselves on various fronts.

With the Internal Audit profession in India raring to go, it is time for advocacy – for connecting with our stakeholders effectively, systematically, and consistently. It is also time to create the right amount of curiosity amongst young professionals so that the best talent would find its way into Internal Audit teams. The profession cannot prosper if starved of good talent and if it is not endorsed by its key stakeholders.

As I end this blog, let me nudge all the Internal Auditors out there to become the ambassadors of our profession and engage in effective advocacy at every opportunity. Advocacy can start with each one of us – when we talk with pride about Internal Audit at dinner tables; when we talk about value proposition of Internal Audit at business conferences; when we engage with Board members to update them on the changing face of Internal Audit; when we articulate effectively during cross functional meetings on the potential of Internal Audit; and when we work with professional associations to create awareness about Internal Audit. It is through interesting interactions and dialogues with those outside the profession, through collaborative actions and strategic thinking, that we will be able to raise Internal Audit to the place that it deserves.

For Internal Auditors in India, if 2020 was the year of rapidly adapting to a changing world, 2021 was the year of rapid learning, then, can we make 2022 the year of advocacy? This is a win-win proposition.

We invite you to share your ideas and suggestions. Your comments will give life to this blog.

The Blog solely reflects the personal views and opinions of the author(s).

Idle internal auditor patient spots control gaps, entirely unnecessarily

Empty vessels make most sound. Idle mind is devil’s workshop. And an internal auditor as a patient (me) in isolation ends up spotting service deficiencies, leading to control gaps  – quite unnecessarily and definitely unsolicited. So please bear with me and read this blog.

Covid struck. And it struck all of us at home. With my fever continuing by the evening of Day 4, the doctors decided that I needed to be hospitalised if fever did not subside through the night. Duly next morning I reached the hospital.  After a few inquiries I reached the Covid OPD and I was taken in quickly, after sighting my RTPCR report on my mobile. All usual examinations began. But along with the examinations, the admission process had to be completed. So with an IV attached to me, there I was, filling up the admission forms and digitally sending to the hospital number my Aadhar and my PAN information. (Control Gap No. 1 – the hospital had no process in place to assist a solo patient to fill up the forms).

I had a cashless insurance policy (courtesy my employer), but the hospital insisted that I pay a deposit of Rs. 50,000/-. And, for this, they expected a relative to come over to their office. I informed them that I am alone. Nobody could accompany me as all immediate family was Covid positive, and I did not want to risk of exposure requesting some friend or relative to accompany me. Ultimately, the girl with the credit card machine came over to the Covid OPD and requested (nay, insisted) that I hand over my card and the PIN to her so she could swipe it. I refused. She refused. I refused. She blinked first, when the OPD nurse told her that the machine could be sanitised. The girl had no qualms of holding my credit card in her hand to swipe it, but did not want me to touch the machine to enter the PIN. Sense prevailed ultimately, and payment went through. I was now officially an in-patient of the hospital with a number allotted!!!  I requested that I be allowed to pay through net banking. The girl said that it would be difficult as she would need to wait for the Unique Transaction Reference (UTR) to confirm my admission. (Control Gap No. 2 – the hospital’s refusal to embrace technology).

What foxed me in this admission process was the lack of trust between the hospital and the insurance company. The insistence on payment of an initial deposit, when a cashless insurance cover existed, defied logic. The hospital said that the deposit would be their succour, in the event the insurer did not pay the entire amount. I thought about it later that the deposit would be to cover expenses not covered by insurance. However, at that moment the realisation that it is “not entirely cashless” sunk in.  (Control Gap No. 3 – lack of communication by the insurer as well as the hospital with the customer. Both entities on their website mention the convenience of cashless; fact is contrary). I now fully comprehended the phrase – The devil lies (pun intended) in the detail!!

A few days later, (with some excellent medical care given to me) the Doctor-in-charge (DIC!!) said I could get discharged. Well, it wasn’t so simple. The process involved a chain of communication – the Covid ward informing the billing department; the billing department informing the corporate department since I was a cashless insurance patient; the corporate department informing the insurer’s TPA (third party administrator); the TPA authorising the payment and all the way back. You would assume all this would be seamless but in reality, far from it!!. After all there was a TAT that was promised to us when we took the insurance cover. Reality, alas is something else. I waited for eternity.

Almost six hours later, with utter exasperation, I approached the nurse of the Covid ward and requested her to inquire about the discharge status. She nonchalantly mentioned that the TPA process always takes 3 to 4 hours and, if information comes in late and the hospital’s corporate department had closed for the day (their day ends at 3 PM!!!), then I will have to spend one more night at the hospital. Shudder! That also implied adding a day’s charges I guessed. She also said that the hospital had intimated the TPA about 4 hours ago. I got my office colleagues to speak with the insurer, who spoke to the TPA and, wonders be all, the TPA representative called me up  to confirm that they had cleared the claim an hour ago. (Control Gap No. 4 – customer convenience and service timelines were disregarded by both, the hospital as well as the insurer. Did someone mention reputation risk? Both, apparently, were blissfully unaware of that.).

In all this, I got a call from an official of the hospital where he insisted to speak with my relative. I told him that I am the patient. He said he was aware of it but, as a process, he needed to speak to the relative. The relative had to visit his department. I told him that I was unaccompanied, and I was in the Covid ward eagerly waiting to go home. He simply declared that if my relative did not meet him, I would not be able to go home. Period. I tried explaining in English, Hindi and Marathi that I am a solo unaccompanied patient, and whatever paperwork that was to be done could be digitally done. He was puzzled and bewildered!! It was nigh impossible for him to accept that there could be a solo patient who, along with taking care of himself, had to do all paperwork too. Somehow, finally, it dawned on him, and he signed off digitally, asking me to send an e-mail confirmation on a particular aspect. Thankfully, with that the discharge process was concluded, and I was permitted to leave the hospital. (Control Gap No. 5 – the hospital had no process in place to deal with a solo unaccompanied patient).

The last piece of the item is that the hospital has withheld Rs.10,000/- and said they will repay it after 45 days in case the TPA has some adjustments to be done. Everything of my claim is done and dusted. I have confirmed with the insurer and there is nothing else left to be done. The hospital has a free float for 45 days.

All in all, an interesting and memorable experience! The internal auditor in me had to spot these control gaps. It set me thinking – over the past 18-20 months we have the #newnormal. And, here, a couple of well-established entities were clueless and had not moved on with the #newnormal. The hospital has to realize and provide for a process for solo unaccompanied patients who need to be cared for. Processes need to be redesigned. Similarly, the insurer also needs to have more trust in the hospital as well as the insured and redesign its processes to ensure cashless works, as intended and, the promised TAT is achieved.

Amidst all this, lest I forget, let me thank the entire Covid ward staff for all their help and care. They were wonderful.

The Blog solely reflects the personal views and opinions of the author(s).

Relevance of Post Qualification Professional Certifications

When I cleared my final Chartered Accountancy (CA) examination in 1997, I thought I have THE ultimate qualification and that I have taken the very last examination of my professional career. And indeed, the CA qualification accompanied by a rigorous articleship had equipped me to conduct statutory audits, tax engagements and similar assignments. Soon thereafter, as I started exploring various areas of professional practice and became interested in Internal Audit, I felt the need for deeper understanding of subjects like Internal Audit, IT systems Audit, Forensic reviews or other similar specializations. For many years, I ‘learnt on the job’ and gathered deeper understanding about risks, controls, resource optimization, governance and similar areas. However, all along, I missed not having the foundation – a structured framework of knowledge on which to position the superstructure of experience.

My hunger for structured learning took me to several post qualification courses offered by the Institute of Chartered Accountants of India (ICAI) and also, some international certifications offered by global organizations such as the Institute of Internal Auditors (IIA) and the Institute of Systems Audit and Controls Association (ISACA), etc. I gravitated towards the Certified Internal Auditor (CIA) certification as that was most relevant to me in the field of Internal Audit. Now, I was a working professional, with practical experience in the field of Internal Audit, opening text books and examination study material in the midst of a busy work life. I was delighted to find that the study material made intuitive sense as I could correlate my professional experience to the theory and principles stated therein – it helped me put my years of professional experience into a logical framework of understanding. Some misgivings got cleared, and I emerged well equipped, not just to execute the internal audit assignments, but also to explain the rationale to the stakeholders. It added immensely to my confidence, as I realized that my understanding and methodology were backed by a global body of professionals.

The CIA examination was different – I did not enter the exam halls with the fluttering in my heart as I had done during the CA exams; but with the confidence of a professionals whose understanding had been validated and who had enjoyed the learning process. The CIA certification thus, was a journey of consolidating my unstructured understanding into a systematic body of knowledge.

Encouraged by the experience of CIA, and observing the wide scale adoption of technology across clients, I took up the post-qualification course DISA (Diploma in Information System Audit) conducted by ICAI. At the beginning, it was more about being back in the classroom on weekends, group studies and exchanging knowledge with other professionals. As the course progressed, I learnt various facets of Information Technology and I got an in-depth understanding of the technology related risks/controls. This understanding came very handy for the process review and process re-engineering assignments as reliance on Information Technology was inevitable. Post that, I went on to do Certified Information Systems Auditor (CISA) conducted by ISACA, USA. Both, the DISA and CISA certification helped me to take up assignments that required in-depth understanding of IT systems and related controls.

The CIA certification helped me consolidate my knowledge in an area that I was already involved with, namely, Internal Audit; whereas the DISA and CISA certifications enabled me to develop new specializations and branch out to Systems Audits.

By now, I became addicted to challenging myself to learn and develop new areas through taking up courses and examinations. The recent years thus, saw me enrol for the Forensic Audits and Fraud Detection (FAFD) course offered by ICAI and the Independent Directors’ examination offered by The Indian Institute of Corporate Affairs (IICA).

So, here’s my take based on my experience – a professional certification will help you grow in different ways – through consolidation of knowledge, by exposure to new opportunities, by widening of network, by exploring the depths of a topic with focus, by becoming a student once again! I am a strong advocate for being a lifelong learner, and till we have the luxury and feasibility of ‘going back to school’, professional certifications offer the best opportunity for expanding our horizon during our work life.

I believe that our busy schedules don’t allow us to do in-depth study of any new subject unless it is goal-driven and time bound. These certification exams help achieving that. It facilitates widening the horizon on the subjects, which can be put to application in our day-to-day work. It offered me opportunities to interact and network with the professionals from other specializations such as Engineers, IT specialists and learn technical aspects from them which were difficult to visualise with my background and experience.

As said by Abraham Lincoln, “If I had eight hours to cut down a tree, I’d spend six hours sharpening my axe”; these certifications also work on similar lines for the aspiring Internal Auditors.

For those pursuing a career in Internal Audit, the certifications offered by the IIA, USA provide a great opportunity for  ‘sharpening the axe’. What is more, right now, for a very limited period, there is a window of opportunity open for Chartered Accountants (Members of ICAI) to take the CIA Challenge Examination that combines three different modules in a single examination paper and gain an international certification. On September 18, 2021, BCAS hosted a curtain-raiser event to create awareness about the CIA Challenge Examination opportunity open to members of ICAI for a limited period.

Here’s the link to the recording of the curtain-raiser event on BCAS YouTube Channel: https://youtu.be/_vt6kbuj5Ww. For those interested in knowing more, here’s the link to the relevant information on the IIA India website: https://www.iiaindia.co/cia-challenge.

The Blog solely reflects the personal views and opinions of the author(s).

A to Z of a Good Internal Auditor

The IA-101 is one of the flagship programmes at the BCAS Internal Audit Committee. We delve into the basics of what is internal audit and what is expected of an internal auditor. And what better to share my thoughts on what can be the traits of a good internal auditor, other than doing it alphabetically. So here it goes the A to Z of a good internal auditor.

A Audit That is what we are required to do. First, foremost and last. Let us keep executing to the best of our abilities with the sole focus that audit objectives are achieved.
B Books of Account Whatever happens in a commercial entity finally resides in the books of account. Even when we are reviewing processes, the final outcome of that process has to flow into the financial statements and these emanate from books of account. As auditors, we can go back to the golden rules of accounting to determine if this impact is properly captured.
C Curiosity Curiosity may have killed the cat; but the cat has 9 lives. An internal auditor has 1 life and needs to harness his / her curiosity to reach an audit conclusion. Right curiosity levels to seek right answers will only enhance audit value.
D Diligent, not Dogmatic As an internal auditor we definitely do need to be diligent and not dogmatic. Businesses are dynamic, innovative, keep changing courses and keep changing processes. Internal auditors need to be equally diligent, if not more agile and innovative to keep pace with the business. It is only then audit objectives will be met.
E Enthusiasm Approach each aspect of the IA cycle with enthusiasm. Lack of enthusiasm will drive down the outcome of the audit. An auditor needs to be excited of the audit tasks to be done to deliver an effective report.
F Forensic The next frontier for us internal auditors. As demands of stakeholders change, we need to gear ourselves to foray into the domain of forensics.
G Gravitas A quality that has to be inherent in an internal auditor without which delivery of audit planning, execution and reporting will not be achieved.
H Humility A trait that is pre-requisite for being an efficient and effective internal auditor. We need to set aside our egos and not boast of our achievements. Humility is what will drive home the auditor’s point.
I Internal This is something an internal auditor should never forget. We are internal to the organization. Period. We may be out-sourced / co-sourced but our responsibilities are and will always remain “internal” to the auditee entity, albeit within the independence domain of an auditor.
J Juggler We should categorise our role in various jobs to be done. As expectations rise the jobs to be done by us rise too. We need to juggle them effectively. We may handle them one at a time or if required, simultaneously. Focus remains on the end objective of internal audit as we go about these jobs.
K Keenness We need to have the keenness for details. The devil lies in it. An alert eye and ear (goes without saying, we are auditors!!) is required to deliver the audit.
L Learn Ron Weber says that an auditor needs to know more about the business then the businessman himself. Whether it is true or not is a different matter but as auditors there is no option but to learn and keep learning. It is an ever ascending requirement that needs to be met on continuous basis.
M Moderation We love to hold our views, especially when the audit report carries our recommendation. Please practice moderation. Learn to appreciate the other view. It will only lead to better quality output.
N NexGen Child is the father of man. Applies to experienced auditors. Listen to the next generation and learn from them. As businesses become more technology driven the NexGen will have an edge for better understanding of processes. Use their knowledge and mix it with your experience of risks and controls. Audit outcome will surely end up a notch or two higher.
O Objectivity Objectivity is an ingrained trait in an internal auditor. I have experienced in discussions of tricky control issues and initially not acceptable recommendations; the objective attitude of the internal auditor does become infectious and changes the tone of the deliberations for better.
P Pleasure Audits have to be pleasurable. The moment the internal auditor feels that audit is a drudgery, the effectiveness will not just diminish, but can vanish too. It is upto us to devise techniques and practices that makes audits a pleasure.
Q Query Basic principle of audit – raise a query when you notice something in your audit execution. Do not hesitate. It is fine even if the query is something mundane or basic. The skill lies in you being guided by your experienced seniors on how to convert the query into an effective audit observation.
R Re-learn As internal auditors we need to accept that re-learning is a continuous task. We need to keep unlearning and relearning as businesses, processes, techniques and technology evolve. There is no stopping here. Ever!
S Style Each internal auditor needs to develop his / her individual style. As we conduct more and more audits, it is our style that will be our identity. The style of internal audit will need to transcend across compliance with auditing standards, professionalism and communication. Once the style is developed, the auditee will also be aware of it and will know what to expect.  This will help make the audit process smoother.
T Technology There is no escape from technology if the internal auditor has to remain relevant. There is hardly, if ever anything at all that is not touched by technology. As internal auditors we need to embrace all new technologies relevant to us as auditors as well as understand the new technologies implemented by the auditee. This will ensure that the auditee respects the internal auditor and the internal auditor has the confidence to deliver a high quality output.
U Utilitarian We need to be utilitarian. Our conduct and performance need to be of such standards that the auditee sees the utility in us. A conscious effort is required  by us to establish this and be recognized for it.
V Vigilant We need to remain vigilant throughout the audit cycle. Vigilant to the business atmosphere, the activities that are going around, the requirements of audit, the data & information that is presented. In short, everything. This vigilance is a fantastic tool to achieve audit objectives.
W Wind down Wind down by having regular de-brief sessions with the auditee.  Such sessions need to be at all levels of auditee management – operations to executive to the top. This gives an opportunity of understanding better the nuances of business, risks, controls and expectations of audit.
X Xenolith Internal auditors are like xenolith – a fragment of rock differing in origin, composition, structure etc., from the igneous rock enclosing it. We remain internal to the business but yet independent of it. This differential makes us deliver what we are required to do in the overall scheme of controls of an entity.
Y Yorker In cricket a yorker is a delivery by a bowler that bounces just beneath the bat or feet of a batsman. A yorker does not allow a batsman to play a shot freely. Like wise the audit findings need to be yorker length to be effective. The auditee, of course, gets to defend and dig the delivery out. A reasonable discussion later the auditor and auditee agree on the finding and the recommendations, if any.
Z Zeal Zeal is what will keep all us, internal auditors, going on. A zeal to excel; a zeal to learn, unlearn and relearn; a zeal to be relevant. That’s how internal audit will remain a fulcrum of business.

We could convert the above into a maturity model.  Give yourself 1 mark for each of the 26 traits. You score 26 you are the best!!!. For anything other than 26, design your own matrix. All it means is that there is room for improvement. Track yourself and have fun. We are jolly good folks at the end of the day.

The Blog solely reflects the personal views and opinions of the author(s).

An Internal Auditor’s Tale

I sat in a corner,

quiet and meek

Ready to give assistance,

that no one would seek


A one-person department,

I was the “Internal Auditor”

Asked to review vouchers

To find petty faults, like a class monitor.


An invitee to the Audit Committee,

Because the law said so,

I was given FULL 5 minutes

To summarize the entire year on the go.


My CEO said “We are in trouble,”

Sales are dipping, competition severe”

“I look at the vouchers, nothing more I do,

I am just an Internal Auditor, what can I do?”


Then came a mentor who took me aside,

Wise words she spoke that made me realize,

“YOU are the Internal Auditor, with your canvass so wide,

Be fearless and fair, you will have insights to emphasize.”


I left my lonely corner

And started looking around

Across functions and activities,

And Oh! There was so much to be found.


I met with many folks

In cabins and on shopfloors

No longer to find their faults

But to ease their woes


Analyzed the sales, studied the competition,

Read research reports and understood the global trends

Armed with my insights, with the CEO I met,

“If you don’t change your ways, your business is dead!”


Angered by my words, yet worried to the core,

I got an audience with the CEO and many more,

“Technology is changing our world in ways unseen,

Today’s thieves don’t break the locks, they enter through your screen”


“Opportunities are many and so are the threats,

May I take you through some gaps that must surely make you fret?”

And allow me to show you the ways to succeed

With risks and controls and culture and ethics


Invited to the Board Room, no longer as a pest

I laid bare my reviews, with utmost grit and zest

My presentations enchanting, few words to read,

They spoke with urgency through pictures, charts and reels


As I unfold this session

Here’s what remember must you,

If you want the world to change,

The change must start with YOU!