Internal Audit Consulting Service in IT Software Industry

Updated on April 26, 2024 11:45:29 AM

The software industry is among the world's fastest-growing and most dynamic industries. It is responsible for developing and maintaining the software we use every day, from our personal computers and smartphones to the enterprise systems that power our businesses.

Software companies can improve their overall performance by mitigating the risks they face through internal auditing. Independent reviews of the company's operations allow internal auditors to identify and assess risks and evaluate the effectiveness of internal controls.

Governing Regulations

India’s software development and IT enabled services (ITES) industry has emerged as one of the most dynamic and vibrant sectors in the country, with a focus on quality, domain knowledge, and exposure to various platforms and systems.

National Association of Software and Services Companies (NASSCOM)

The Indian Information Technology (IT) and Business Process Outsourcing (BPO) industry is represented by the National Association of Software and Services Companies, a trade association.

NASSCOM, a global trade organisation with over 1200 members, including 250 global companies, advocates for global free trade in India. The software development and IT-enabled services (ITES) industry, which is known for its quality, domain knowledge, and expertise, has become one of India's most dynamic sectors.

Regulations Applicable to Software Industry

Compliance with a variety of regulations is a requirement for software companies, including:

General business regulations: Companies Act, Partnership Act/LLP Act, Shops and Establishments Act, Sale of Goods Act, Negotiable Instruments Act, Income Tax Act, Service Tax, Indian Contract Act, Sales Tax Act, Foreign Exchange Management Act.

Industry-specific regulations: Information Technology Act, Central Excise and Customs Act.


Need For Internal Audit

Internal audit is an independent management function that helps the organisation achieve its objectives by providing objective assurance and consulting services on governance, risk management, and internal control.

Standards on Internal Audit

Internal auditors can get guidance on how to conduct their work from the 18 Standards on Internal Audit (SIAs) issued by the Institute of Chartered Accountants of India (ICAI). These standards cover a wide range of topics, including planning, documentation, reporting, sampling, analytical procedures, quality assurance, terms of engagement, communication with management, internal audit evidence, consideration of fraud, internal control evaluation, enterprise risk management, internal audit in an IT environment, etc.

Internal auditing in software companies is an important tool for managing risks and improving performance. The Institute of Internal Auditors (IIA) has developed a set of standards and best practices to guide internal auditors in their work. These standards are designed to promote professionalism and ensure that internal audits are conducted effectively.

Internal Control Evaluation

Standard on Internal Audit (SIA) 12, Internal Control Evaluation, states that “Internal controls are a system consisting of specific policies and procedures, the purpose is to give management reasonable assurance that the objectives and goals it believes are important to the entity will be met.”

An Internal Control System (ICS) is a set of policies and procedures that help organisations achieve their objectives, safeguard assets, prevent fraud and error, and ensure accurate and complete financial records and reliable financial information. Internal audit is a component of the ICS that evaluates the effectiveness of its other components.

The following areas are reviewed by internal auditors to evaluate ICS:

  • Mission, vision, ethics, and values
  • Personnel allocation, appraisal, and development
  • Accounting and financial reporting policies and compliance
  • Objectives and key performance indicators
  • Documentation standards
  • Risk management structure
  • Operational framework
  • Processes and procedures
  • Management supervision

Internal Audit in IT Environment

The objectives and scope of internal audit are the same in a computer information systems (CIS) environment, but the use of computers has an impact on the processing, storage, retrieval, and communication of financial information, on accounting and internal control systems, and on audit risks. Internal auditors must understand the CIS environment well and take its impact on the audit engagement into account, in particular:

  • The extent to which IT is employed in processing and analysing information.
  • The internal control system over the flow of authorised, correct, and complete data to the processing centre, the processing, analysis, and reporting tasks undertaken in the installation, and the impact of computer-based accounting systems on the audit trail.

Internal auditors must review the robustness of the IT environment and consider any weaknesses or deficiencies in the design and operation of IT controls. The review covers:

  • System audit reports, reports of system breaches, unsuccessful login attempts, compromised passwords, and other exception reports.
  • Reports of network failures, virus attacks and threats to perimeter security.
  • General controls like segregation of duties, physical access records and logical access controls.
  • Application controls like input, output, processing, run-to-run controls.

Internal Controls

Indian software companies that are subsidiaries of foreign companies must follow Sarbanes-Oxley (SOX) Act requirements. Other Indian IT companies follow SOX voluntarily.

The act requires an internal control report to attest to the accuracy of financial data and the effectiveness of internal controls. The auditor must review controls, policies and procedures during a Section 404 audit to protect investors.

Risks Involved In Software Industry

Business Risk

Business risks include uncertainty in profits, the risk of loss, and unforeseen events that may affect the business in the future. They can be categorised as internal risks, which arise from events taking place within the organisation, and external risks, which arise from events taking place outside the organisation.

They can further be categorised into the following:

  • Strategic Risk: Changes in supply can lead to the creation of strategic risks, which are related to industry operations and board decisions. Organisations may accept strategic risks in the short term to expand or continue in the long term.
  • Economic/ Financial Risk: Financial risks in an industry include the possibility of shareholder losses from debt obligations and insufficient cash flow to meet financial obligations.
  • Operational Risk: Misappropriation of assets, theft of information, and financial errors are some of the operational and administrative risks that can occur in any industry.
  • Compliance/ Legal Risk: Software companies are required to adhere to various government regulations, which can result in fines and penalties if they do not comply.
  • Brand Reputation Risk: Companies develop reputations over time, but they can be quickly destroyed. They must invest in structures, activities, staff and should also measure their reputation in the market through brand valuation.
  • Technology Risk: Companies face technology risk from outdated technology, which can lead to a loss of value and competitive disadvantage. By ensuring that the company's IT systems and processes are up to date and effective, internal audits can help mitigate this risk.
  • Human Capital Risk: The Indian IT sector faces a skills gap, with demand for good resources exceeding supply. This has led to high salaries and attrition rates, as well as a decline in the quality of talent. Companies are struggling to find new resources and are considering other options, such as preparing science graduates.

Risk Mitigation

During internal audits of a software company, the auditor's assessment involves identifying vulnerabilities in software development processes, addressing security gaps, ensuring data privacy compliance, and validating adherence to coding standards.

This proactive approach minimises cybersecurity threats, legal liabilities, and potential software failures, enhancing overall product quality and reliability.

Asset Verification

Internal auditors are tasked with verifying that assets are used properly and periodically verified, particularly leased assets, to ensure that the entity maintains adequate control over its assets.

The checklist for verification of fixed assets is as follows:

  • Physical verification of assets and update of fixed assets registers at regular intervals.
  • Insurance coverage for assets of the entity.
  • Revaluation of asset values and useful lives at regular intervals by independent professional valuers.
  • Confirm that the calculation of depreciation, amortisation, and capitalisation of expenses incurred is accurate.
  • Segregation of responsibility among employees handling custodial and verification activities.

Verifying assets during the internal audit of software companies helps ensure accurate accounting records, asset safety, and efficient usage. Both tangible assets (such as computers, servers, and networking equipment) and intangible assets (such as software licences, intellectual property, and customer relationships) are valuable and need to be properly managed.

Loans and Borrowings

IT companies borrow money from banks, financial institutions, members and directors. Special audit procedures are necessary because these liabilities must be supported by documentary evidence from third parties.

The checklist internal auditors might perform would include:

  • Verify the credit/borrowing limits of the board of directors.
  • Verify whether all the statutory compliances have been met by the entity with respect to borrowings.
  • Ensure the terms of the borrowing are not prejudicial to the interest of the entity.
  • Make sure the closing balance agrees with the confirmation letter given by the entity that provided the loan.

Foreign Currency Transactions

An increase in foreign currency inflows has resulted from the influx of foreign companies setting up branches in India due to globalisation.

A model checklist on foreign currency transactions is essential to ensure compliance with regulations and protect the company's financial interests.

Given below is the checklist for foreign currency transactions:

  • Ensure that cross-border transactions comply with RBI/FEMA requirements.
  • Check FCNR and other non-resident accounts.
  • Compliance with Income Tax/Service Tax regulations on payments made to non-residents.
  • Tax issues on satellite/optic fibre transmission companies/foreign companies.
  • Compliance with DTAA/foreign tax reliefs on taxation of foreign income earned by the resident production houses.

Analysis, Reporting and Financial Reporting

Financial analysis, control, and reporting evaluate a firm's use of funds, efficiency, and profitability of operations, and whether it achieves desired returns. Financial analysis and reporting encompass the management of funds, project accounting, profitability analysis, and management reporting.

Funds Management

  • Verify if the funds are applied in the assets as approved by the management.
  • Verify that the disbursement of large amounts is vested only with the top management.

Project Accounting

  • Make sure that the books are kept in a manner that allows you to understand the financial status of every individual project.
  • Verify that the common costs are apportioned to every individual project in a proportionate manner.

Profitability Analysis

  • If the company is handling multiple projects, verify that it maintains a profitability analysis for each of the projects.
  • If any of the projects is not profitable, verify if the reasons for the same have been disclosed.
  • Ensure that the steps taken to correct any ongoing losses in any of the projects are accurate.

Management Reporting

  • Ensure that the company has a policy for preparing and sending a monthly management information system (MIS).
  • Ensure that the MIS is accurate and that its frequency is consistent.
  • Check if any action has been taken by management based on the MIS reports.

Information Security and Privacy of Data

In the IT industry, data security is a significant concern. The entity will lose a significant amount of money if data is lost or misused. These days security is also a major problem in this industry. The following are the main types of threat to data security:

Natural Calamity: Fire, flood, earthquake, etc., can cause damage to hardware including server, computers and other physical storage devices.

Data Theft: Employees who have access to digital devices are the primary perpetrators of data theft, which is a growing problem. While employed, employees may feel entitled to copy, delete, or misuse company information. Copying contact databases for their next job is a common scenario for sales personnel.

Hacking: Weak system security exposes entities to hacking risks. Hackers may access confidential data and publish or sell it, causing reputational and financial damage.

Computer Assisted Audit Techniques (CAATs)

CAATs are the practice of using computers to enhance the effectiveness and efficiency of audit procedures. They are the computer programs used by auditors as part of audit procedures to process data of audit significance contained in an entity’s information systems.

Given below are the tools that can be used by an internal auditor during the audit process:

  • Microsoft Excel: A spreadsheet application that enables calculation, graphing, and data analysis. Sectioning data allows for the discovery of dependencies from different perspectives.
  • Microsoft Access: A database management system (DBMS) with a graphical user interface (GUI) and software development tools, storing data in its own format and importing or linking to data in other applications and databases.
  • ERPs like SAP, etc.: By centralising information, reducing redundancy, and automating review and approval, electronic work papers facilitate global integration and real-time insights.
  • SaaS: Cloud-based ERP systems provide internal auditors with self-service access to audit information, real-time audit procedures, and tamper-proof audit trails, resulting in a reduction in internal audit time.
  • Crystal Reports: A business intelligence application that creates and generates reports from various data sources and allows users to graphically design data connections and report layouts.


In conclusion, internal auditing in the software industry is indispensable for enhancing product quality, data security, and compliance with evolving regulations. It serves as a vital quality assurance mechanism, safeguarding against risks, improving processes, and promoting customer trust in a rapidly evolving and highly competitive technology landscape.


Why Professional Utilities?

At Professional Utilities, we leverage our industry knowledge and expertise to help businesses navigate complex regulations, minimize risks, and optimize operations for maximum efficiency and profitability.

  • Best Price
  • Easy Registration
  • One Stop Corporate Solution
  • PAN India Services
  • Expert CA/CS Assistance
  • Google Verified Business
  • Dedicated Support
  • Money-Back Guarantee



Frequently Asked Questions (FAQs)

What are the IT essentials for internal auditors?

IT essentials for internal auditors include understanding cybersecurity, data privacy, software development processes, IT governance, risk management, data analytics, and emerging technologies to effectively assess and manage technology-related risks.

What role does internal audit play in third-party vendor management in the software industry?

Internal audit evaluates vendor selection processes, contract management, and the ongoing monitoring of third-party vendors to ensure they meet security, quality, and compliance standards.

How often should internal audits be conducted in the software industry?

The frequency of internal audits may vary depending on the organisation's size, complexity, and risk profile. Generally, audits are conducted annually or more frequently if there are significant changes in the business or regulatory environment.

What compliance standards and regulations are relevant to the software industry?

The relevant standards and regulations include software licensing agreements (e.g., open source software compliance), data protection laws (e.g., GDPR), industry-specific standards (e.g., ISO 27001 for information security), and export control laws (e.g., ITAR).
